diff --git a/Cargo.lock b/Cargo.lock
index 44013b27..d5d91557 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2047,7 +2047,6 @@ dependencies = [
 "log",
 "notify 6.1.1",
 "rustls 0.23.25",
- "rustls-pemfile 2.2.0",
 "tokio",
 ]
@@ -5094,7 +5093,6 @@ dependencies = [
 "futures-util",
 "log",
 "rustls 0.23.25",
- "rustls-pemfile 2.2.0",
 ]
 [[package]]
@@ -6995,7 +6993,6 @@ dependencies = [
 "env_logger",
 "log",
 "rustls 0.23.25",
- "rustls-pemfile 2.2.0",
 ]
 [[package]]
@@ -7007,7 +7004,6 @@ dependencies = [
 "env_logger",
 "log",
 "rustls 0.23.25",
- "rustls-pemfile 2.2.0",
 ]
 [[package]]
@@ -8412,7 +8408,6 @@ dependencies = [
 "eyre",
 "log",
 "rustls 0.23.25",
- "rustls-pemfile 2.2.0",
 "tokio",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index d6b22773..8eeb0c9d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -112,7 +112,6 @@ rand = "0.9"
 redis = { version = "0.27" }
 reqwest = { version = "0.12", features = ["json", "stream"] }
 rustls = "0.23"
-rustls-pemfile = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 time = "0.3"
diff --git a/https-tls/acme-letsencrypt/Cargo.toml b/https-tls/acme-letsencrypt/Cargo.toml
index 94c82950..cb163c30 100644
--- a/https-tls/acme-letsencrypt/Cargo.toml
+++ b/https-tls/acme-letsencrypt/Cargo.toml
@@ -12,5 +12,4 @@ env_logger.workspace = true
 eyre.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["fs"] }
diff --git a/https-tls/acme-letsencrypt/src/main.rs b/https-tls/acme-letsencrypt/src/main.rs
index 0402f059..7eac1d63 100644
--- a/https-tls/acme-letsencrypt/src/main.rs
+++ b/https-tls/acme-letsencrypt/src/main.rs
@@ -4,7 +4,7 @@ use acme::{Certificate, Directory, DirectoryUrl, create_p256_key};
 use actix_files::Files;
 use actix_web::{App, HttpRequest, HttpServer, Responder, rt, web};
 use eyre::eyre;
-use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use tokio::fs;
 const CHALLENGE_DIR: &str = "./acme-challenges";
@@ -188,10 +188,9 @@ fn load_rustls_config(cert: Certificate) -> eyre::Result {
 let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.private_key_der()?));
 // convert ACME-obtained certificate chain
- let cert_chain =
- rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))
- .collect::, _>>()
- .unwrap();
+ let cert_chain = CertificateDer::pem_slice_iter(cert.certificate().as_bytes())
+ .flatten()
+ .collect();
 Ok(config.with_single_cert(cert_chain, private_key)?)
 }
diff --git a/https-tls/cert-watch/Cargo.toml b/https-tls/cert-watch/Cargo.toml
index dc1c6d6d..bb92d3e1 100644
--- a/https-tls/cert-watch/Cargo.toml
+++ b/https-tls/cert-watch/Cargo.toml
@@ -11,5 +11,4 @@ eyre.workspace = true
 log.workspace = true
 notify = "6"
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["time", "rt", "macros"] }
diff --git a/https-tls/cert-watch/src/main.rs b/https-tls/cert-watch/src/main.rs
index 252886fd..6a8e9c66 100644
--- a/https-tls/cert-watch/src/main.rs
+++ b/https-tls/cert-watch/src/main.rs
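Review bot: In the `load_rustls_config` hunk, `.flatten()` on the `pem_slice_iter` result silently discards every PEM entry that fails to parse, so a corrupt or truncated chain in the ACME response yields a shorter chain instead of an error, whereas the replaced `collect::<Result<_, _>>().unwrap()` failed loudly. Since the function already returns `eyre::Result`, collect fallibly: `let cert_chain = CertificateDer::pem_slice_iter(cert.certificate().as_bytes()).collect::<Result<Vec<_>, _>>()?;` (this relies on `pem::Error` converting into `eyre::Report`, which it should if it implements `std::error::Error` as I believe it does). The same `.flatten()` pattern is introduced in the cert-watch, rustls-client-cert, rustls and http-to-https `main.rs` hunks of this commit and deserves the same treatment; in rustls-client-cert it is the client-authentication trust-anchor file that would be partially parsed without any signal. `load_rustls_config` begins outside this hunk.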
@@ -1,12 +1,14 @@
-use std::{fs::File, io::BufReader, path::Path};
+use std::path::Path;
 use actix_web::{
 App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
 use notify::{Event, RecursiveMode, Watcher as _};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+ ServerConfig,
+ pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 use tokio::sync::mpsc;
 #[derive(Debug)]
@@ -27,6 +29,11 @@ async fn main() -> eyre::Result<()> {
 color_eyre::install()?;
 env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));
+ // Load default provider, to be done once for the process
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 // signal channel used to notify main event loop of cert/key file changes
 let (reload_tx, mut reload_rx) = mpsc::channel(1);
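Review bot: The comment on the added `install_default()` call in `main` says the provider must be installed once but not why, and the bare `.unwrap()` gives no context if it ever fires; suggest `// Install the crypto provider once here: install_default() fails if a provider is already installed, and load_rustls_config() now runs on every reload` together with `.expect("crypto provider already installed")`. As far as I can tell from the later hunk in this file, that reload path is exactly what the move out of `load_rustls_config` guards against, and the comment should say so. `main` continues outside this hunk.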
@@ -100,29 +107,16 @@ async fn main() -> eyre::Result<()> {
 }
 fn load_rustls_config() -> eyre::Result {
- rustls::crypto::aws_lc_rs::default_provider()
- .install_default()
- .unwrap();
-
- // init server config builder with safe defaults
- let config = ServerConfig::builder().with_no_client_auth();
-
 // load TLS key/cert files
- let cert_file = &mut BufReader::new(File::open("cert.pem")?);
- let key_file = &mut BufReader::new(File::open("key.pem")?);
+ let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+ .unwrap()
+ .flatten()
+ .collect();
- // convert files to key/cert objects
- let cert_chain = certs(cert_file).collect::, _>>().unwrap();
- let mut keys = pkcs8_private_keys(key_file)
- .map(|key| key.map(PrivateKeyDer::Pkcs8))
- .collect::, _>>()
- .unwrap();
+ let key_der =
+ PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
- // exit if no keys could be parsed
- if keys.is_empty() {
- eprintln!("Could not locate PKCS 8 private keys.");
- std::process::exit(1);
- }
-
- Ok(config.with_single_cert(cert_chain, keys.remove(0))?)
+ Ok(ServerConfig::builder()
+ .with_no_client_auth()
+ .with_single_cert(cert_chain, key_der)?)
 }
diff --git a/https-tls/rustls-client-cert/Cargo.toml b/https-tls/rustls-client-cert/Cargo.toml
index 9654e4b6..ea10dd2f 100644
--- a/https-tls/rustls-client-cert/Cargo.toml
+++ b/https-tls/rustls-client-cert/Cargo.toml
@@ -9,4 +9,3 @@ actix-web = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/https-tls/rustls-client-cert/src/main.rs b/https-tls/rustls-client-cert/src/main.rs
index a150e887..67bd55e5 100644
--- a/https-tls/rustls-client-cert/src/main.rs
+++ b/https-tls/rustls-client-cert/src/main.rs
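Review bot: `load_rustls_config` still returns `eyre::Result`, but the new body panics on every failure path: `pem_file_iter("cert.pem").unwrap()` replaces the former `File::open("cert.pem")?`, and `from_pem_file("key.pem").expect(...)` replaces an error return, so in this cert-watch example an unreadable or half-written file observed during a rotation now aborts the process instead of surfacing an `Err` that the reload loop in `main` could handle. Propagating with `?` (and collecting the chain fallibly rather than through `.flatten()`) restores that contract without changing the signature; the rewritten body is below, and it assumes `pem::Error` converts into `eyre::Report`, which it should as a `std::error::Error`. The `expect` text `Could not locate PKCS 8 private keys.` is also misleading now, since `PrivateKeyDer::from_pem_file` accepts PKCS#1 and SEC1 keys as well, as far as I know, and the failure may simply be an I/O error; the same message is carried into the rustls and http-to-https hunks of this commit.
```rust
fn load_rustls_config() -> eyre::Result<ServerConfig> {
    // Return every failure rather than panicking: this runs on each reload.
    let cert_chain = CertificateDer::pem_file_iter("cert.pem")?
        .collect::<Result<Vec<_>, _>>()?;

    let key_der = PrivateKeyDer::from_pem_file("key.pem")?;

    Ok(ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(cert_chain, key_der)?)
}
```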
@@ -1,7 +1,7 @@
 //! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates
 //! pass them to a handler through connection-local data.
-use std::{any::Any, fs::File, io::BufReader, net::SocketAddr, sync::Arc};
+use std::{any::Any, net::SocketAddr, sync::Arc};
 use actix_tls::accept::rustls_0_23::TlsStream;
 use actix_web::{
@@ -10,10 +10,9 @@ use actix_web::{
 use log::info;
 use rustls::{
 RootCertStore, ServerConfig,
- pki_types::{CertificateDer, PrivateKeyDer},
+ pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
 server::WebPkiClientVerifier,
 };
-use rustls_pemfile::{certs, pkcs8_private_keys};
 const CA_CERT: &str = "certs/rootCA.pem";
 const SERVER_CERT: &str = "certs/server-cert.pem";
@@ -80,29 +79,27 @@ async fn main() -> std::io::Result<()> {
 let mut cert_store = RootCertStore::empty();
 // import CA cert
- let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
- let ca_cert = certs(ca_cert).collect::, _>>().unwrap();
-
- for cert in ca_cert {
- cert_store.add(cert).expect("root CA not added to store");
- }
+ CertificateDer::pem_file_iter(CA_CERT)
+ .unwrap()
+ .flatten()
+ .for_each(|der| cert_store.add(der).unwrap());
 // set up client authentication requirements
 let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store))
 .build()
 .unwrap();
- let config = ServerConfig::builder().with_client_cert_verifier(client_auth);
 // import server cert and key
- let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
- let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
+ let key_der = PrivateKeyDer::from_pem_file(SERVER_KEY).unwrap();
+ let cert_chain = CertificateDer::pem_file_iter(SERVER_CERT)
+ .unwrap()
+ .flatten()
+ .collect();
- let cert_chain = certs(cert_file).collect::, _>>().unwrap();
- let mut keys = pkcs8_private_keys(key_file)
- .map(|key| key.map(PrivateKeyDer::Pkcs8))
- .collect::, _>>()
+ let config = ServerConfig::builder()
+ .with_client_cert_verifier(client_auth)
+ .with_single_cert(cert_chain, key_der)
 .unwrap();
- let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
 log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");
diff --git a/https-tls/rustls/Cargo.toml b/https-tls/rustls/Cargo.toml
index 577795ee..23edaabb 100644
--- a/https-tls/rustls/Cargo.toml
+++ b/https-tls/rustls/Cargo.toml
@@ -10,4 +10,3 @@ actix-files.workspace = true
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/https-tls/rustls/src/main.rs b/https-tls/rustls/src/main.rs
index c13d92aa..55cb162f 100644
--- a/https-tls/rustls/src/main.rs
+++ b/https-tls/rustls/src/main.rs
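Review bot: The CA-import rewrite replaces `.expect("root CA not added to store")` with a bare `.unwrap()`, so a root certificate that `RootCertStore::add` rejects now panics with no indication of which of the several unwraps in this function failed; keep the message, `.for_each(|der| cert_store.add(der).expect("root CA not added to store"));`. The new `PrivateKeyDer::from_pem_file(SERVER_KEY).unwrap()` a few lines down has the same problem, and the cert-watch and rustls hunks of this commit at least name the key file in their `expect`. Because this store is the trust-anchor set for client authentication, and the `.flatten()` above can leave it smaller than the file, a loud failure here matters more than in the server-cert examples. `main` begins and ends outside this hunk.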
@@ -1,12 +1,12 @@
-use std::{fs::File, io::BufReader};
-
 use actix_files::Files;
 use actix_web::{
 App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+ ServerConfig,
+ pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 /// simple handle
 async fn index(req: HttpRequest) -> HttpResponse {
@@ -46,25 +46,17 @@ fn load_rustls_config() -> rustls::ServerConfig {
 .install_default()
 .unwrap();
- // init server config builder with safe defaults
- let config = ServerConfig::builder().with_no_client_auth();
-
 // load TLS key/cert files
- let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
- let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
+ let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+ .unwrap()
+ .flatten()
+ .collect();
- // convert files to key/cert objects
- let cert_chain = certs(cert_file).collect::, _>>().unwrap();
- let mut keys = pkcs8_private_keys(key_file)
- .map(|key| key.map(PrivateKeyDer::Pkcs8))
- .collect::, _>>()
- .unwrap();
+ let key_der =
+ PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
- // exit if no keys could be parsed
- if keys.is_empty() {
- eprintln!("Could not locate PKCS 8 private keys.");
- std::process::exit(1);
- }
-
- config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
+ ServerConfig::builder()
+ .with_no_client_auth()
+ .with_single_cert(cert_chain, key_der)
+ .unwrap()
 }
diff --git a/middleware/http-to-https/Cargo.toml b/middleware/http-to-https/Cargo.toml
index 47c6c75b..d1a92b8f 100644
--- a/middleware/http-to-https/Cargo.toml
+++ b/middleware/http-to-https/Cargo.toml
@@ -9,4 +9,3 @@ env_logger.workspace = true
 futures-util.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/middleware/http-to-https/src/main.rs b/middleware/http-to-https/src/main.rs
index 284e1562..df182900 100644
--- a/middleware/http-to-https/src/main.rs
+++ b/middleware/http-to-https/src/main.rs
@@ -1,9 +1,9 @@
-use std::{fs::File, io::BufReader};
-
 use actix_web::{App, HttpResponse, HttpServer, dev::Service, get, http};
 use futures_util::future::{self, Either, FutureExt};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+ ServerConfig,
+ pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 #[get("/")]
 async fn index() -> String {
@@ -18,18 +18,17 @@ async fn main() -> std::io::Result<()> {
 .install_default()
 .unwrap();
- let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
- let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
+ let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+ .unwrap()
+ .flatten()
+ .collect();
- let cert_chain = certs(cert_file).collect::, _>>().unwrap();
- let mut keys = pkcs8_private_keys(key_file)
- .map(|key| key.map(PrivateKeyDer::Pkcs8))
- .collect::, _>>()
- .unwrap();
+ let key_der =
+ PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
 let config = ServerConfig::builder()
 .with_no_client_auth()
- .with_single_cert(cert_chain, keys.remove(0))
+ .with_single_cert(cert_chain, key_der)
 .unwrap();
 log::info!(