From f36601babbc1afd84b3ddc020944056689db4d61 Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Sat, 25 May 2024 05:36:36 +0100 Subject: [PATCH] chore: upgrade to rustls v0.23 --- .vscode/settings.json | 1 + Cargo.lock | 262 ++++++++++++++--------- Cargo.toml | 3 +- https-tls/acme-letsencrypt/Cargo.toml | 6 +- https-tls/acme-letsencrypt/src/main.rs | 22 +- https-tls/awc-https/Cargo.toml | 4 +- https-tls/awc-https/src/main.rs | 18 +- https-tls/cert-watch/Cargo.toml | 4 +- https-tls/cert-watch/src/main.rs | 22 +- https-tls/rustls-client-cert/Cargo.toml | 6 +- https-tls/rustls-client-cert/src/main.rs | 45 ++-- https-tls/rustls/Cargo.toml | 8 +- https-tls/rustls/src/main.rs | 27 ++- middleware/http-to-https/Cargo.toml | 4 +- middleware/http-to-https/README.md | 2 +- middleware/http-to-https/src/main.rs | 28 +-- 16 files changed, 263 insertions(+), 199 deletions(-) diff --git a/.vscode/settings.json b/.vscode/settings.json index 94a2914..87c1b66 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -20,6 +20,7 @@ "sqlx", "tera", "tmpl", + "webpki", "websockets" ] } diff --git a/Cargo.lock b/Cargo.lock index 9e60d71..c0a287a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -402,14 +402,12 @@ dependencies = [ "impl-more", "openssl", "pin-project-lite 0.2.13", + "rustls-pki-types", "tokio 1.37.0", "tokio-openssl", - "tokio-rustls 0.23.4", - "tokio-rustls 0.24.1", + "tokio-rustls 0.26.0", "tokio-util 0.7.10", "tracing", - "webpki-roots 0.22.6", - "webpki-roots 0.25.4", ] [[package]] @@ -1120,9 +1118,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "awc" -version = "3.3.0" +version = "3.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b625cad34428b3b82d0bd548b26a1cd0a3d70b6109e9b4e3355d8f1802a8b1c6" +checksum = "fe6b67e44fb95d1dc9467e3930383e115f9b4ed60ca689db41409284e967a12d" dependencies = [ "actix-codec", "actix-http", 
@@ -1130,7 +1128,7 @@ dependencies = [ "actix-service", "actix-tls", "actix-utils", - "base64 0.21.7", + "base64 0.22.1", "bytes 1.6.0", "cfg-if 1.0.0", "cookie", @@ -1146,7 +1144,7 @@ dependencies = [ "percent-encoding", "pin-project-lite 0.2.13", "rand 0.8.5", - "rustls 0.21.12", + "rustls 0.23.8", "serde", "serde_json", "serde_urlencoded", @@ -1162,8 +1160,8 @@ dependencies = [ "env_logger", "log", "mime", - "rustls 0.21.12", - "webpki-roots 0.25.4", + "rustls 0.23.8", + "webpki-roots 0.26.1", ] [[package]] @@ -1190,7 +1188,7 @@ dependencies = [ "hex", "http 0.2.9", "hyper 0.14.27", - "ring 0.17.5", + "ring", "time", "tokio 1.37.0", "tracing", @@ -1225,6 +1223,33 @@ dependencies = [ "tracing", ] +[[package]] +name = "aws-lc-rs" +version = "1.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "474d7cec9d0a1126fad1b224b767fcbf351c23b0309bb21ec210bcfd379926a5" +dependencies = [ + "aws-lc-sys", + "mirai-annotations", + "paste", + "zeroize", +] + +[[package]] +name = "aws-lc-sys" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7505fc3cb7acbf42699a43a79dd9caa4ed9e99861dfbb837c5c0fb5a0a8d2980" +dependencies = [ + "bindgen", + "cc", + "cmake", + "dunce", + "fs_extra", + "libc", + "paste", +] + [[package]] name = "aws-runtime" version = "1.1.1" @@ -1367,7 +1392,7 @@ dependencies = [ "once_cell", "p256 0.11.1", "percent-encoding", - "ring 0.17.5", + "ring", "sha2", "subtle", "time", @@ -1674,12 +1699,15 @@ dependencies = [ "itertools 0.12.1", "lazy_static", "lazycell", + "log", + "prettyplease 0.2.17", "proc-macro2", "quote", "regex", "rustc-hash", "shlex", "syn 2.0.48", + "which", ] [[package]] @@ -1963,8 +1991,8 @@ dependencies = [ "log", "notify 6.1.1", "parking_lot 0.12.2", - "rustls 0.21.12", - "rustls-pemfile", + "rustls 0.23.8", + "rustls-pemfile 2.1.2", "tokio 1.37.0", ] 
@@ -2828,6 +2856,12 @@ version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcbb2bf8e87535c23f7a8a321e364ce21462d0ff10cb6407820e8e96dfff6653" +[[package]] +name = "dunce" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56ce8c6da7551ec6c462cbaf3bfbc75131ebbfa1c944aeaa9dab51ca1c5f0c3b" + [[package]] name = "ecdsa" version = "0.14.8" @@ -3271,6 +3305,12 @@ dependencies = [ "syn 2.0.48", ] +[[package]] +name = "fs_extra" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" + [[package]] name = "fsevent-sys" version = "4.1.0" @@ -4695,8 +4735,8 @@ dependencies = [ "env_logger", "futures-util", "log", - "rustls 0.21.12", - "rustls-pemfile", + "rustls 0.23.8", + "rustls-pemfile 2.1.2", ] [[package]] @@ -4828,6 +4868,12 @@ dependencies = [ "ws2_32-sys", ] +[[package]] +name = "mirai-annotations" +version = "1.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c9be0862c1b3f26a88803c4a49de6889c10e608b3ee9344e6ef5b45fb37ad3d1" + [[package]] name = "mongodb" version = "1.0.0" @@ -4863,7 +4909,7 @@ dependencies = [ "rand 0.8.5", "rustc_version_runtime", "rustls 0.21.12", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_bytes", "serde_with", @@ -5715,6 +5761,16 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "prettyplease" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d3928fb5db768cb86f891ff014f0144589297e3c6a1aba6ed7cecfdace270c7" +dependencies = [ + "proc-macro2", + "syn 2.0.48", +] + [[package]] name = "primeorder" version = "0.13.6" @@ -6144,7 +6200,7 @@ dependencies = [ "percent-encoding", "pin-project-lite 0.2.13", "rustls 0.21.12", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "serde_urlencoded", 
@@ -6223,21 +6279,6 @@ dependencies = [ "syn 2.0.48", ] -[[package]] -name = "ring" -version = "0.16.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" -dependencies = [ - "cc", - "libc", - "once_cell", - "spin 0.5.2", - "untrusted 0.7.1", - "web-sys", - "winapi 0.3.9", -] - [[package]] name = "ring" version = "0.17.5" @@ -6248,7 +6289,7 @@ dependencies = [ "getrandom 0.2.12", "libc", "spin 0.9.8", - "untrusted 0.9.0", + "untrusted", "windows-sys 0.48.0", ] @@ -6420,18 +6461,6 @@ dependencies = [ "windows-sys 0.48.0", ] -[[package]] -name = "rustls" -version = "0.20.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99" -dependencies = [ - "log", - "ring 0.16.20", - "sct", - "webpki", -] - [[package]] name = "rustls" version = "0.21.12" @@ -6439,11 +6468,26 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" dependencies = [ "log", - "ring 0.17.5", - "rustls-webpki", + "ring", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.23.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79adb16721f56eb2d843e67676896a61ce7a0fa622dc18d3e372477a029d2740" +dependencies = [ + "aws-lc-rs", + "log", + "once_cell", + "rustls-pki-types", + "rustls-webpki 0.102.4", + "subtle", + "zeroize", +] + [[package]] name = "rustls-client-cert" version = "1.0.0" @@ -6452,8 +6496,8 @@ dependencies = [ "actix-web", "env_logger", "log", - "rustls 0.21.12", - "rustls-pemfile", + "rustls 0.23.8", + "rustls-pemfile 2.1.2", ] [[package]] @@ -6464,8 +6508,8 @@ dependencies = [ "actix-web", "env_logger", "log", - "rustls 0.21.12", - "rustls-pemfile", + "rustls 0.23.8", + "rustls-pemfile 2.1.2", ] [[package]] 
@@ -6475,7 +6519,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "schannel", "security-framework", ] @@ -6489,14 +6533,42 @@ dependencies = [ "base64 0.21.7", ] +[[package]] +name = "rustls-pemfile" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d" +dependencies = [ + "base64 0.22.1", + "rustls-pki-types", +] + +[[package]] +name = "rustls-pki-types" +version = "1.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d" + [[package]] name = "rustls-webpki" version = "0.101.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" dependencies = [ - "ring 0.17.5", - "untrusted 0.9.0", + "ring", + "untrusted", +] + +[[package]] +name = "rustls-webpki" +version = "0.102.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff448f7e92e913c4b7d4c6d8e4540a1724b319b4152b8aef6d4cf8339712b33e" +dependencies = [ + "aws-lc-rs", + "ring", + "rustls-pki-types", + "untrusted", ] [[package]] @@ -6604,8 +6676,8 @@ version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" dependencies = [ - "ring 0.17.5", - "untrusted 0.9.0", + "ring", + "untrusted", ] [[package]] @@ -7144,7 +7216,7 @@ dependencies = [ "paste", "percent-encoding", "rustls 0.21.12", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "serde", "serde_json", "sha2", 
@@ -7739,8 +7811,8 @@ dependencies = [ "env_logger", "eyre", "log", - "rustls 0.21.12", - "rustls-pemfile", + "rustls 0.23.8", + "rustls-pemfile 2.1.2", "tokio 1.37.0", ] @@ -7917,17 +7989,6 @@ dependencies = [ "tokio 1.37.0", ] -[[package]] -name = "tokio-rustls" -version = "0.23.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59" -dependencies = [ - "rustls 0.20.9", - "tokio 1.37.0", - "webpki", -] - [[package]] name = "tokio-rustls" version = "0.24.1" @@ -7938,6 +7999,17 @@ dependencies = [ "tokio 1.37.0", ] +[[package]] +name = "tokio-rustls" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +dependencies = [ + "rustls 0.23.8", + "rustls-pki-types", + "tokio 1.37.0", +] + [[package]] name = "tokio-stream" version = "0.1.14" @@ -8412,12 +8484,6 @@ dependencies = [ "void", ] -[[package]] -name = "untrusted" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" - [[package]] name = "untrusted" version = "0.9.0" 
@@ -8688,31 +8754,21 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "webpki" -version = "0.22.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53" -dependencies = [ - "ring 0.17.5", - "untrusted 0.9.0", -] - -[[package]] -name = "webpki-roots" -version = "0.22.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6c71e40d7d2c34a5106301fb632274ca37242cd0c9d3e64dbece371a40a2d87" -dependencies = [ - "webpki", -] - [[package]] name = "webpki-roots" version = "0.25.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" +[[package]] +name = "webpki-roots" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "websocket" version = "1.0.0" @@ -8815,6 +8871,18 @@ dependencies = [ "tokio-util 0.7.10", ] +[[package]] +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", +] + [[package]] name = "whoami" version = "1.5.1" @@ -9222,7 +9290,7 @@ dependencies = [ "buf-min", "dtoa", "itoa 1.0.9", - "prettyplease", + "prettyplease 0.1.25", "ryu", "serde", "syn 1.0.109", diff --git a/Cargo.toml b/Cargo.toml index dd4d9af..b2b219a 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -105,7 +105,8 @@ futures-util = { version = "0.3.17", default-features = false, features = ["std"
 log = "0.4"
 openssl = { version = "0.10.60", features = ["v110"] }
 rand = "0.8"
-rustls = "0.21"
+rustls = "0.23"
+rustls-pemfile = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tokio = { version = "1.24.2", features = ["sync", "io-util"] }
diff --git a/https-tls/acme-letsencrypt/Cargo.toml b/https-tls/acme-letsencrypt/Cargo.toml
index 4d4485e..62132a5 100644
--- a/https-tls/acme-letsencrypt/Cargo.toml
+++ b/https-tls/acme-letsencrypt/Cargo.toml
@@ -7,11 +7,11 @@ edition.workspace = true
 [dependencies]
 acme-rfc8555 = "0.1"
 actix-files.workspace = true
-actix-web = { workspace = true, features = ["rustls"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 color-eyre = "0.6"
 env_logger.workspace = true
 eyre = "0.6"
 log.workspace = true
-rustls = "0.21"
-rustls-pemfile = "1"
+rustls.workspace = true
+rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["fs"] }
diff --git a/https-tls/acme-letsencrypt/src/main.rs b/https-tls/acme-letsencrypt/src/main.rs
index 209744f..c97c311 100644
--- a/https-tls/acme-letsencrypt/src/main.rs
+++ b/https-tls/acme-letsencrypt/src/main.rs
@@ -4,6 +4,7 @@ use acme::{create_p256_key, Certificate, Directory, DirectoryUrl};
 use actix_files::Files;
 use actix_web::{rt, web, App, HttpRequest, HttpServer, Responder};
 use eyre::eyre;
+use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
 use tokio::fs;
 const CHALLENGE_DIR: &str = "./acme-challenges";
@@ -112,7 +113,7 @@ pub async fn gen_tls_cert(user_domain: &str, contact_email: &str) -> eyre::Resul
 // certificate is either issued or rejected. Again we poll
 // for the status change.
 let ord_cert = ord_csr
- .finalize(signing_key, Duration::from_millis(5000))
+ .finalize(signing_key, Duration::from_secs(5))
 .await?;
 // Now download the certificate. Also stores the cert in
@@ -139,6 +140,10 @@ async fn main() -> eyre::Result<()> {
 env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 color_eyre::install()?;
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 // Load keys
 // ==============================================
 // = IMPORTANT: =
@@ -157,7 +162,7 @@ async fn main() -> eyre::Result<()> {
 // Start HTTP server!
 let srv = HttpServer::new(|| App::new().route("/", web::get().to(index)))
- .bind_rustls_021(("0.0.0.0", 443), rustls_config)?
+ .bind_rustls_0_23(("0.0.0.0", 443), rustls_config)?
 .run();
 let srv_handle = srv.handle();
@@ -177,19 +182,16 @@ async fn main() -> eyre::Result<()> {
 fn load_rustls_config(cert: Certificate) -> eyre::Result {
 // init server config builder with safe defaults
- let config = rustls::ServerConfig::builder()
- .with_safe_defaults()
- .with_no_client_auth();
+ let config = rustls::ServerConfig::builder().with_no_client_auth();
 // convert ACME-obtained private key
- let private_key = rustls::PrivateKey(cert.private_key_der()?.to_owned());
+ let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.private_key_der()?));
 // convert ACME-obtained certificate chain
 let cert_chain =
- rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))?
- .into_iter()
- .map(rustls::Certificate)
- .collect();
+ rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))
 .collect::, _>>()
 .unwrap();
 Ok(config.with_single_cert(cert_chain, private_key)?)
 }
diff --git a/https-tls/awc-https/Cargo.toml b/https-tls/awc-https/Cargo.toml
index 9d1f7f0..61cf992 100644
--- a/https-tls/awc-https/Cargo.toml
+++ b/https-tls/awc-https/Cargo.toml
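Review bot: In `load_rustls_config` the certificate-chain parse now ends in `.unwrap()` although the function returns `eyre::Result`, so a malformed PEM in the ACME response panics the process where the old `rustls_pemfile::certs(..)?` surfaced an error the caller could log and retry on. `collect::<Result<Vec<_>, _>>()` yields an `io::Result`, which converts into `eyre::Report`, so the fix is to replace `.unwrap()` with `?`. The private key is also wrapped unconditionally as `PrivateKeyDer::Pkcs8`, which is only correct if `acme-rfc8555` returns PKCS#8 DER; that assumption deserves a comment, e.g. `// acme-rfc8555 hands back PKCS#8 DER; rustls 0.23 requires the key format to be tagged explicitly`, or use `PrivateKeyDer::try_from(..)` if the pki-types version in use sniffs the encoding. `main` continues outside the hunks above.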
@@ -5,10 +5,10 @@ edition = "2021"
 [dependencies]
 actix-web.workspace = true
-awc = { workspace = true, features = ["rustls-0_21"] }
+awc = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 log.workspace = true
 mime = "0.3"
 rustls.workspace = true
-webpki-roots = "0.25"
+webpki-roots = "0.26"
diff --git a/https-tls/awc-https/src/main.rs b/https-tls/awc-https/src/main.rs
index 5847069..f79c239 100644
--- a/https-tls/awc-https/src/main.rs
+++ b/https-tls/awc-https/src/main.rs
@@ -2,7 +2,7 @@ use std::{sync::Arc, time::Instant};
 use actix_web::{get, middleware, web::Data, App, HttpResponse, HttpServer};
 use awc::{http::header, Client, Connector};
-use rustls::{ClientConfig, OwnedTrustAnchor, RootCertStore};
+use rustls::{ClientConfig, RootCertStore};
 const MAP_URL: &str =
 "https://upload.wikimedia.org/wikipedia/commons/f/ff/Pizigani_1367_Chart_10MB.jpg";
@@ -49,7 +49,7 @@ async fn main() -> std::io::Result<()> {
 // Wikipedia requires a User-Agent header to make requests
 .add_default_header((header::USER_AGENT, "awc-example/1.0"))
 // a "connector" wraps the stream into an encrypted connection
 .connector(Connector::new().rustls_021(Arc::clone(&client_tls_config)))
+ .connector(Connector::new().rustls_0_23(Arc::clone(&client_tls_config)))
 .finish();
 App::new()
@@ -65,17 +65,13 @@ async fn main() -> std::io::Result<()> {
 /// Create simple rustls client config from root certificates.
 fn rustls_config() -> ClientConfig {
- let mut root_store = RootCertStore::empty();
- root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
- OwnedTrustAnchor::from_subject_spki_name_constraints(
- ta.subject,
- ta.spki,
- ta.name_constraints,
- )
- }));
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
+ let root_store = RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.to_owned());
 rustls::ClientConfig::builder()
- .with_safe_defaults()
 .with_root_certificates(root_store)
 .with_no_client_auth()
 }
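Review bot: `rustls_config` now installs the process-wide crypto provider as a side effect of building a client config, and `install_default()` returns `Err` when a provider is already installed, so the `.unwrap()` panics if this helper is called a second time or if any other crate installed a provider first. For a function whose doc comment only promises to "Create simple rustls client config", the install belongs at the top of `main` (the call site is outside this hunk), or it should tolerate a prior install: `let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); // Err only means a provider is already installed`. Avoiding the global entirely is also possible via `ClientConfig::builder_with_provider(Arc::new(rustls::crypto::aws_lc_rs::default_provider()))`, which keeps the choice of provider local and explicit.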
diff --git a/https-tls/cert-watch/Cargo.toml b/https-tls/cert-watch/Cargo.toml
index 9351f45..614a82c 100644
--- a/https-tls/cert-watch/Cargo.toml
+++ b/https-tls/cert-watch/Cargo.toml
@@ -4,7 +4,7 @@ version = "1.0.0"
 edition = "2021"
 [dependencies]
-actix-web = { workspace = true, features = ["rustls-0_21"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 actix-files.workspace = true
 color-eyre.workspace = true
 env_logger.workspace = true
@@ -13,6 +13,6 @@ futures-util.workspace = true
 log.workspace = true
 notify = "6"
 rustls.workspace = true
-rustls-pemfile = "1"
+rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["time", "rt", "macros"] }
 parking_lot = "0.12"
diff --git a/https-tls/cert-watch/src/main.rs b/https-tls/cert-watch/src/main.rs
index 4aede18..3027492 100644
--- a/https-tls/cert-watch/src/main.rs
+++ b/https-tls/cert-watch/src/main.rs
@@ -5,7 +5,7 @@ use actix_web::{
 };
 use log::debug;
 use notify::{Event, RecursiveMode, Watcher as _};
-use rustls::{Certificate, PrivateKey, ServerConfig};
+use rustls::{pki_types::PrivateKeyDer, ServerConfig};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use tokio::sync::mpsc;
@@ -65,7 +65,7 @@ async fn main() -> eyre::Result<()> {
 .wrap(middleware::Logger::default())
 })
 .workers(2)
- .bind_rustls_021("127.0.0.1:8443", config)?
+ .bind_rustls_0_23("127.0.0.1:8443", config)?
 .run();
 // server handle to send signals
@@ -100,21 +100,23 @@ async fn main() -> eyre::Result<()> {
 }
 fn load_rustls_config() -> eyre::Result {
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 // init server config builder with safe defaults
- let config = ServerConfig::builder()
- .with_safe_defaults()
- .with_no_client_auth();
+ let config = ServerConfig::builder().with_no_client_auth();
 // load TLS key/cert files
 let cert_file = &mut BufReader::new(File::open("cert.pem")?);
 let key_file = &mut BufReader::new(File::open("key.pem")?);
 // convert files to key/cert objects
- let cert_chain = certs(cert_file)?.into_iter().map(Certificate).collect();
- let mut keys: Vec = pkcs8_private_keys(key_file)?
- .into_iter()
- .map(PrivateKey)
- .collect();
+ let cert_chain = certs(cert_file).collect::, _>>().unwrap();
+ let mut keys = pkcs8_private_keys(key_file)
+ .map(|key| key.map(PrivateKeyDer::Pkcs8))
+ .collect::, _>>()
+ .unwrap();
 // exit if no keys could be parsed
 if keys.is_empty() {
diff --git a/https-tls/rustls-client-cert/Cargo.toml b/https-tls/rustls-client-cert/Cargo.toml
index dd25f67..79aaa3f 100644
--- a/https-tls/rustls-client-cert/Cargo.toml
+++ b/https-tls/rustls-client-cert/Cargo.toml
@@ -4,9 +4,9 @@ version = "1.0.0"
 edition = "2021"
 [dependencies]
-actix-tls = { workspace = true, features = ["rustls-0_21"] }
-actix-web = { workspace = true, features = ["rustls-0_21"] }
+actix-tls = { workspace = true, features = ["rustls-0_23"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile = "1"
+rustls-pemfile.workspace = true
diff --git a/https-tls/rustls-client-cert/src/main.rs b/https-tls/rustls-client-cert/src/main.rs
index 7c074a8..de9bb1d 100644
--- a/https-tls/rustls-client-cert/src/main.rs
+++ b/https-tls/rustls-client-cert/src/main.rs
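Review bot: `install_default()` is called inside `load_rustls_config`, and it returns `Err` once a provider is already installed, so the second time this function runs the `.unwrap()` panics; in a cert-watch example that second call appears to be exactly the certificate-reload path the `notify` watcher exists for, which would turn a routine cert rotation into a crash (the reload loop in `main` is outside this hunk, so confirm). Move the three provider lines to the start of `main`, or make the call idempotent: `let _ = rustls::crypto::aws_lc_rs::default_provider().install_default(); // Err only means a provider is already installed (e.g. on reload)`. The function also returns `eyre::Result`, yet the new cert and key parses end in `.unwrap()` where the old code used `?`; since reloads are triggered by file writes that may be observed half-written, a truncated `cert.pem` should come back as an error the loop can log and retry, not a panic.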
@@ -3,13 +3,15 @@ use std::{any::Any, fs::File, io::BufReader, net::SocketAddr, sync::Arc};
-use actix_tls::accept::rustls_0_21::{reexports::ServerConfig, TlsStream};
+use actix_tls::accept::rustls_0_23::TlsStream;
 use actix_web::{
 dev::Extensions, rt::net::TcpStream, web, App, HttpRequest, HttpResponse, HttpServer, Responder,
 };
 use log::info;
 use rustls::{
- server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey, RootCertStore,
+ pki_types::{CertificateDer, PrivateKeyDer},
+ server::WebPkiClientVerifier,
+ RootCertStore, ServerConfig,
 };
 use rustls_pemfile::{certs, pkcs8_private_keys};
@@ -27,7 +29,7 @@ struct ConnectionInfo {
 async fn route_whoami(req: HttpRequest) -> impl Responder {
 let conn_info = req.conn_data::().unwrap();
- let client_cert = req.conn_data::();
+ let client_cert = req.conn_data::>();
 if let Some(cert) = client_cert {
 HttpResponse::Ok().body(format!("{:?}\n\n{:?}", &conn_info, &cert))
@@ -71,36 +73,35 @@ fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {
 async fn main() -> std::io::Result<()> {
 env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 let mut cert_store = RootCertStore::empty();
 // import CA cert
 let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
- let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());
+ let ca_cert = certs(ca_cert).collect::, _>>().unwrap();
- cert_store
- .add(&ca_cert)
- .expect("root CA not added to store");
+ for cert in ca_cert {
+ cert_store.add(cert).expect("root CA not added to store");
+ }
 // set up client authentication requirements
- let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
- let config = ServerConfig::builder()
- .with_safe_defaults()
- .with_client_cert_verifier(Arc::new(client_auth));
+ let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store))
+ .build()
+ .unwrap();
+ let config = ServerConfig::builder().with_client_cert_verifier(client_auth);
 // import server cert and key
 let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
 let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
- let cert_chain = certs(cert_file)
- .unwrap()
- .into_iter()
- .map(Certificate)
- .collect();
- let mut keys: Vec = pkcs8_private_keys(key_file)
- .unwrap()
- .into_iter()
- .map(PrivateKey)
- .collect();
+ let cert_chain = certs(cert_file).collect::, _>>().unwrap();
+ let mut keys = pkcs8_private_keys(key_file)
+ .map(|key| key.map(PrivateKeyDer::Pkcs8))
+ .collect::, _>>()
+ .unwrap();
 let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
 log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");
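Review bot: The client-authentication policy changes silently here: `AllowAnyAnonymousOrAuthenticatedClient` accepted handshakes with no client certificate, whereas `WebPkiClientVerifier::builder(..).build()` requires one by default and aborts anonymous handshakes. `route_whoami` in the earlier hunk still does `if let Some(cert) = client_cert`, which suggests the anonymous path was meant to stay reachable over TLS; if so the verifier needs `.allow_unauthenticated()`: `WebPkiClientVerifier::builder(Arc::new(cert_store)).allow_unauthenticated().build()`. If mandatory mTLS is the intent, say so in the `// set up client authentication requirements` comment, since required-vs-optional is the security-relevant property of this example. Note also that the CA import moved from "first certificate in `CA_CERT`" to "every certificate in `CA_CERT`", so any extra certificate bundled in that file now becomes a trust anchor for client auth. The server bind that consumes `config` is in the next hunk.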
@@ -108,7 +109,7 @@ async fn main() -> std::io::Result<()> {
 HttpServer::new(|| App::new().default_service(web::to(route_whoami)))
 .on_connect(get_client_cert)
 .bind(("localhost", 8080))?
- .bind_rustls_021(("localhost", 8443), config)?
+ .bind_rustls_0_23(("localhost", 8443), config)?
 .workers(1)
 .run()
 .await
diff --git a/https-tls/rustls/Cargo.toml b/https-tls/rustls/Cargo.toml
index 273a945..4cbd781 100644
--- a/https-tls/rustls/Cargo.toml
+++ b/https-tls/rustls/Cargo.toml
@@ -3,15 +3,11 @@ name = "rustls-example"
 version = "1.0.0"
 edition = "2021"
-[[bin]]
-name = "rustls-server"
-path = "src/main.rs"
-
 [dependencies]
-actix-web = { workspace = true, features = ["rustls-0_21"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 actix-files.workspace = true
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile = "1"
+rustls-pemfile.workspace = true
diff --git a/https-tls/rustls/src/main.rs b/https-tls/rustls/src/main.rs
index 66116ac..89c40b0 100644
--- a/https-tls/rustls/src/main.rs
+++ b/https-tls/rustls/src/main.rs
@@ -5,7 +5,7 @@ use actix_web::{
 http::header::ContentType, middleware, web, App, HttpRequest, HttpResponse, HttpServer,
 };
 use log::debug;
-use rustls::{Certificate, PrivateKey, ServerConfig};
+use rustls::{pki_types::PrivateKeyDer, ServerConfig};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 /// simple handle
@@ -36,32 +36,29 @@ async fn main() -> std::io::Result<()> {
 .service(web::redirect("/", "/index.html"))
 .service(Files::new("/static", "static"))
 })
- .bind_rustls_021("127.0.0.1:8443", config)?
+ .bind_rustls_0_23("127.0.0.1:8443", config)?
 .run()
 .await
 }
 fn load_rustls_config() -> rustls::ServerConfig {
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 // init server config builder with safe defaults
- let config = ServerConfig::builder()
- .with_safe_defaults()
- .with_no_client_auth();
+ let config = ServerConfig::builder().with_no_client_auth();
 // load TLS key/cert files
 let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
 let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
 // convert files to key/cert objects
- let cert_chain = certs(cert_file)
- .unwrap()
- .into_iter()
- .map(Certificate)
- .collect();
- let mut keys: Vec = pkcs8_private_keys(key_file)
- .unwrap()
- .into_iter()
- .map(PrivateKey)
- .collect();
+ let cert_chain = certs(cert_file).collect::, _>>().unwrap();
+ let mut keys = pkcs8_private_keys(key_file)
+ .map(|key| key.map(PrivateKeyDer::Pkcs8))
+ .collect::, _>>()
+ .unwrap();
 // exit if no keys could be parsed
 if keys.is_empty() {
diff --git a/middleware/http-to-https/Cargo.toml b/middleware/http-to-https/Cargo.toml
index b35b80f..759b956 100644
--- a/middleware/http-to-https/Cargo.toml
+++ b/middleware/http-to-https/Cargo.toml
@@ -5,9 +5,9 @@ publish.workspace = true
 edition.workspace = true
 [dependencies]
-actix-web = { workspace = true, features = ["rustls-0_21"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 futures-util.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile = "1"
+rustls-pemfile.workspace = true
diff --git a/middleware/http-to-https/README.md b/middleware/http-to-https/README.md
index 6f1e440..4da84bd 100644
--- a/middleware/http-to-https/README.md
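Review bot: `pkcs8_private_keys` in `load_rustls_config` silently skips any key that is not PKCS#8, so a `key.pem` in PKCS#1 (`BEGIN RSA PRIVATE KEY`) or SEC1 (`BEGIN EC PRIVATE KEY`) form yields an empty `keys` and trips the "no keys" exit below, with a message that blames the file rather than the format. rustls-pemfile 2, which this commit adopts, provides `rustls_pemfile::private_key(key_file)`, which accepts all three encodings and returns `Option<PrivateKeyDer<'static>>` directly, so the `.map(|key| key.map(PrivateKeyDer::Pkcs8))` wrapping goes away: `let key = rustls_pemfile::private_key(key_file).expect("key.pem is not valid PEM").expect("no private key found in key.pem");`. The `is_empty()` check and the `keys.remove(0)` that follow are partly outside this hunk and would need the matching adjustment. Separately, the bare `.unwrap()` on `install_default()` will panic if this function is ever called twice; `main` calls it once here, but `expect("crypto provider already installed")` would at least name the cause.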
+++ b/middleware/http-to-https/README.md
@@ -2,7 +2,7 @@
 ## Alternatives
-A pre-built solution is soon to be built-in. For now, see [`RedirectHttps`](https://docs.rs/actix-web-lab/0.18/actix_web_lab/middleware/struct.RedirectHttps.html) from [`actix-web-lab`](https://crates.io/crates/actix-web-lab).
+A pre-built solution is soon to be built-in. For now, see [`RedirectHttps`](https://docs.rs/actix-web-lab/0.20/actix_web_lab/middleware/struct.RedirectHttps.html) from [`actix-web-lab`](https://crates.io/crates/actix-web-lab).
 ## This Example
diff --git a/middleware/http-to-https/src/main.rs b/middleware/http-to-https/src/main.rs
index 65481eb..8355d4c 100644
--- a/middleware/http-to-https/src/main.rs
+++ b/middleware/http-to-https/src/main.rs
@@ -2,7 +2,7 @@ use std::{fs::File, io::BufReader};
 use actix_web::{dev::Service, get, http, App, HttpResponse, HttpServer};
 use futures_util::future::{self, Either, FutureExt};
-use rustls::{Certificate, PrivateKey, ServerConfig};
+use rustls::{pki_types::PrivateKeyDer, ServerConfig};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 #[get("/")]
@@ -14,27 +14,27 @@ async fn index() -> String {
 async fn main() -> std::io::Result<()> {
 env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
+ rustls::crypto::aws_lc_rs::default_provider()
+ .install_default()
+ .unwrap();
+
 let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
 let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
- let cert_chain: Vec = certs(cert_file)
- .unwrap()
- .into_iter()
- .map(Certificate)
- .collect();
- let mut keys: Vec = pkcs8_private_keys(key_file)
- .unwrap()
- .into_iter()
- .map(PrivateKey)
- .collect();
+ let cert_chain = certs(cert_file).collect::, _>>().unwrap();
+ let mut keys = pkcs8_private_keys(key_file)
+ .map(|key| key.map(PrivateKeyDer::Pkcs8))
+ .collect::, _>>()
+ .unwrap();
 let config = ServerConfig::builder()
- .with_safe_defaults()
 .with_no_client_auth()
 .with_single_cert(cert_chain, keys.remove(0))
 .unwrap();
- log::info!("starting HTTP server at http://localhost:8080");
+ log::info!(
+ "starting HTTP server at http://localhost:80 and HTTPS server on http://localhost:443"
+ );
 HttpServer::new(|| {
 App::new()
@@ -62,7 +62,7 @@ async fn main() -> std::io::Result<()> {
 .service(index)
 })
 .bind(("127.0.0.1", 80))? // HTTP port
- .bind_rustls_021(("127.0.0.1", 443), config)? // HTTPS port
+ .bind_rustls_0_23(("127.0.0.1", 443), config)? // HTTPS port
 .run()
 .await
 }
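Review bot: The new startup log line labels the TLS listener with the wrong scheme: `"... HTTPS server on http://localhost:443"` should be `https://localhost:443`, otherwise anyone copying the URL from the log sends plaintext HTTP to the rustls listener and gets a handshake failure instead of the redirect demo this example is about. While touching the string, keep the wording parallel: `"starting HTTP server at http://localhost:80 and HTTPS server at https://localhost:443"`. The `.unwrap()`s on the `certs` and `pkcs8_private_keys` parses carry no message; `expect("cert.pem is not valid PEM")` and `expect("key.pem contains no valid PKCS#8 key")` would make a failed deployment self-explanatory, and `keys.remove(0)` a few lines down still panics on an empty vector with an index error rather than a clear "no key" message.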