From c3bd9d962023333d42c9cdd908880c041910f923 Mon Sep 17 00:00:00 2001
From: Olivier Guittonneau
Date: Thu, 3 Apr 2025 17:50:46 +0200
Subject: [PATCH] Simplify cert-watch example
---
 https-tls/cert-watch/Cargo.toml | 1 -
 https-tls/cert-watch/src/main.rs | 44 ++++++++++++++------------------
 2 files changed, 19 insertions(+), 26 deletions(-)
diff --git a/https-tls/cert-watch/Cargo.toml b/https-tls/cert-watch/Cargo.toml
index dc1c6d6d..bb92d3e1 100644
--- a/https-tls/cert-watch/Cargo.toml
+++ b/https-tls/cert-watch/Cargo.toml
@@ -11,5 +11,4 @@ eyre.workspace = true
 log.workspace = true
 notify = "6"
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["time", "rt", "macros"] }
diff --git a/https-tls/cert-watch/src/main.rs b/https-tls/cert-watch/src/main.rs
index 252886fd..6a8e9c66 100644
--- a/https-tls/cert-watch/src/main.rs
+++ b/https-tls/cert-watch/src/main.rs
@@ -1,12 +1,14 @@
-use std::{fs::File, io::BufReader, path::Path};
+use std::path::Path;
 
 use actix_web::{
     App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
 use notify::{Event, RecursiveMode, Watcher as _};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+    ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 use tokio::sync::mpsc;
 
 #[derive(Debug)]
@@ -27,6 +29,11 @@ async fn main() -> eyre::Result<()> {
     color_eyre::install()?;
     env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));
 
+    // Load default provider, to be done once for the process
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .unwrap();
+
     // signal channel used to notify main event loop of cert/key file changes
     let (reload_tx, mut reload_rx) = mpsc::channel(1);
 
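Review bot: The `.unwrap()` on `install_default()` in the added block aborts the process with only the provider's Debug output if a process-wide rustls provider has already been installed, while `main` already returns `eyre::Result<()>` and could report the failure like every other startup error. Either state the invariant in the message, `.expect("rustls crypto provider must be installed exactly once, before any TLS config is built")`, or map it into the result: `.map_err(|_| eyre::eyre!("a rustls CryptoProvider is already installed"))?;`. Moving the install out of `load_rustls_config` is presumably what makes repeated reloads safe, so the comment would be more useful as `// Install the process-wide rustls crypto provider once; load_rustls_config() runs on every reload and must not repeat this.` `main` begins before this hunk and continues after it.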
@@ -100,29 +107,16 @@ async fn main() -> eyre::Result<()> {
 }
 
 fn load_rustls_config() -> eyre::Result {
-    rustls::crypto::aws_lc_rs::default_provider()
-        .install_default()
-        .unwrap();
-
-    // init server config builder with safe defaults
-    let config = ServerConfig::builder().with_no_client_auth();
-
     // load TLS key/cert files
-    let cert_file = &mut BufReader::new(File::open("cert.pem")?);
-    let key_file = &mut BufReader::new(File::open("key.pem")?);
+    let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+        .unwrap()
+        .flatten()
+        .collect();
 
-    // convert files to key/cert objects
-    let cert_chain = certs(cert_file).collect::, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::, _>>()
-        .unwrap();
+    let key_der = PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
 
-    // exit if no keys could be parsed
-    if keys.is_empty() {
-        eprintln!("Could not locate PKCS 8 private keys.");
-        std::process::exit(1);
-    }
-
-    Ok(config.with_single_cert(cert_chain, keys.remove(0))?)
+    Ok(ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key_der)?)
 }
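Review bot: The `.unwrap()` on `pem_file_iter("cert.pem")` and the `.expect(...)` on `from_pem_file("key.pem")` turn a missing or half-written file into a process abort, whereas the removed code returned the `File::open` failure through `?`; since this function is the reload path driven by the file-change channel set up in `main`, a certificate renewal that rewrites `cert.pem` non-atomically can now take the whole server down instead of leaving the previous config serving. `.flatten()` on the certificate iterator also silently discards every entry that fails to parse, so a corrupted chain file produces a shorter chain (possibly empty) rather than an error, which the old `collect::<Result<Vec<_>, _>>()` did not allow. Both fit the existing `eyre::Result` signature: `let cert_chain = CertificateDer::pem_file_iter("cert.pem")?.collect::<Result<Vec<_>, _>>()?;` and `let key_der = PrivateKeyDer::from_pem_file("key.pem")?;` (use `.map_err` into an eyre report if the pem error does not convert directly). The message "Could not locate PKCS 8 private keys." also looks stale, since I believe `from_pem_file` accepts PKCS#1 and SEC1 keys as well as PKCS#8.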