chore: upgrade to rustls v0.23

https-tls/rustls-client-cert/Cargo.toml

@@ -4,9 +4,9 @@ version = "1.0.0"
 edition = "2021"
 
 [dependencies]
-actix-tls = { workspace = true, features = ["rustls-0_21"] }
-actix-web = { workspace = true, features = ["rustls-0_21"] }
+actix-tls = { workspace = true, features = ["rustls-0_23"] }
+actix-web = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile = "1"
+rustls-pemfile.workspace = true

https-tls/rustls-client-cert/src/main.rs

@@ -3,13 +3,15 @@
 
 use std::{any::Any, fs::File, io::BufReader, net::SocketAddr, sync::Arc};
 
-use actix_tls::accept::rustls_0_21::{reexports::ServerConfig, TlsStream};
+use actix_tls::accept::rustls_0_23::TlsStream;
 use actix_web::{
     dev::Extensions, rt::net::TcpStream, web, App, HttpRequest, HttpResponse, HttpServer, Responder,
 };
 use log::info;
 use rustls::{
-    server::AllowAnyAnonymousOrAuthenticatedClient, Certificate, PrivateKey, RootCertStore,
+    pki_types::{CertificateDer, PrivateKeyDer},
+    server::WebPkiClientVerifier,
+    RootCertStore, ServerConfig,
 };
 use rustls_pemfile::{certs, pkcs8_private_keys};
 
@@ -27,7 +29,7 @@ struct ConnectionInfo {
 
 async fn route_whoami(req: HttpRequest) -> impl Responder {
     let conn_info = req.conn_data::<ConnectionInfo>().unwrap();
-    let client_cert = req.conn_data::<Certificate>();
+    let client_cert = req.conn_data::<CertificateDer<'static>>();
 
     if let Some(cert) = client_cert {
         HttpResponse::Ok().body(format!("{:?}\n\n{:?}", &conn_info, &cert))
@@ -71,36 +73,35 @@ fn get_client_cert(connection: &dyn Any, data: &mut Extensions) {
 async fn main() -> std::io::Result<()> {
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .unwrap();
+
     let mut cert_store = RootCertStore::empty();
 
     // import CA cert
     let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
-    let ca_cert = Certificate(certs(ca_cert).unwrap()[0].clone());
+    let ca_cert = certs(ca_cert).collect::<Result<Vec<_>, _>>().unwrap();
 
-    cert_store
-        .add(&ca_cert)
-        .expect("root CA not added to store");
+    for cert in ca_cert {
+        cert_store.add(cert).expect("root CA not added to store");
+    }
 
     // set up client authentication requirements
-    let client_auth = AllowAnyAnonymousOrAuthenticatedClient::new(cert_store);
-    let config = ServerConfig::builder()
-        .with_safe_defaults()
-        .with_client_cert_verifier(Arc::new(client_auth));
+    let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store))
+        .build()
+        .unwrap();
+    let config = ServerConfig::builder().with_client_cert_verifier(client_auth);
 
     // import server cert and key
     let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
     let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
 
-    let cert_chain = certs(cert_file)
-        .unwrap()
-        .into_iter()
-        .map(Certificate)
-        .collect();
-    let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
-        .unwrap()
-        .into_iter()
-        .map(PrivateKey)
-        .collect();
+    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
+    let mut keys = pkcs8_private_keys(key_file)
+        .map(|key| key.map(PrivateKeyDer::Pkcs8))
+        .collect::<Result<Vec<_>, _>>()
+        .unwrap();
     let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
 
     log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");
@@ -108,7 +109,7 @@ async fn main() -> std::io::Result<()> {
     HttpServer::new(|| App::new().default_service(web::to(route_whoami)))
         .on_connect(get_client_cert)
         .bind(("localhost", 8080))?
-        .bind_rustls_021(("localhost", 8443), config)?
+        .bind_rustls_0_23(("localhost", 8443), config)?
         .workers(1)
         .run()
         .await