From 671d9d16281f70fc8a66b830dc9d606cccbb8964 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Wed, 13 Sep 2023 11:28:35 +0800 Subject: [PATCH 01/24] preliminary hack to use dynamic dispatch for crypto provider --- Cargo.toml | 9 ++++++--- src/acceptor/builder.rs | 10 ++++++++-- src/config.rs | 25 +++++++++++++------------ src/connector/builder.rs | 7 +++++-- src/lib.rs | 2 ++ 5 files changed, 34 insertions(+), 19 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index d8d9240..c0c801e 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -15,15 +15,17 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.6", optional = true } -rustls = { version = "0.21.6", default-features = false } +rustls = { git = "https://github.com/rustls/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["webpki", "dangerous_configuration"] } tokio = "1.0" -tokio-rustls = { version = "0.24.0", default-features = false } +tokio-rustls = { git = "https://github.com/stevefan1999-personal/tokio-rustls", branch = "part-4-patch", version = "0.24.0", default-features = false } webpki-roots = { version = "0.25", optional = true } futures-util = { version = "0.3", default-features = false } +webpki = { package = "rustls-webpki", version = "0.102.0-alpha.2", default-features = false, features = ["alloc", "std"] } +pki-types = { package = "rustls-pki-types", version = "0.2.0" } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } -rustls = { version = "0.21.0", default-features = false, features = ["tls12"] } +rustls = { git = "https://github.com/rustls/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["webpki", "tls12"] } rustls-pemfile = "1.0.0" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } @@ -37,6 +39,7 @@ native-tokio = ["tokio-runtime", "rustls-native-certs"] tokio-runtime = ["hyper/runtime"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] +ring = ["rustls/ring"] [[example]] name = "client" diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs index 70c0ca7..0ee9d45 100644 --- a/src/acceptor/builder.rs +++ b/src/acceptor/builder.rs 
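Review bot: The `rustls` and `tokio-rustls` dependencies now resolve from git branches (`branch = "jbp-generalise-crypto-usage-pt4"` on rustls/rustls and `branch = "part-4-patch"` on a personal fork) with no `rev`, so the code the crate builds against changes whenever those branches move, and a branch on a personal fork has no review or release process behind it. Pin a commit until the alpha is published, e.g. `rustls = { git = "https://github.com/rustls/rustls", rev = "COMMIT_SHA_PLACEHOLDER", version = "0.22.0-alpha.2", default-features = false }`; the same applies to the unpinned `[patch.crates-io]` entries added later in this series (`rustls` in PATCH 04, `rustls-native-certs` in PATCH 11), which otherwise float with upstream `HEAD` on every `cargo update`. The `dangerous_configuration` feature is also switched on here although nothing in this patch uses the custom certificate-verifier APIs it unlocks, and PATCH 03 drops it again, so it looks accidental and is better left out from the start.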
@@ -3,6 +3,11 @@ use std::sync::Arc; use hyper::server::conn::AddrIncoming; use rustls::ServerConfig; +#[cfg(feature = "ring")] +use pki_types::CertificateDer; +#[cfg(feature = "ring")] +use pki_types::PrivateKeyDer; + use super::TlsAcceptor; /// Builder for [`TlsAcceptor`] pub struct AcceptorBuilder(State); @@ -25,10 +30,11 @@ impl AcceptorBuilder { /// /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth + #[cfg(feature = "ring")] pub fn with_single_cert( self, - cert_chain: Vec, - key_der: rustls::PrivateKey, + cert_chain: Vec>, + key_der: PrivateKeyDer<'static>, ) -> Result, rustls::Error> { Ok(AcceptorBuilder(WantsAlpn( ServerConfig::builder() diff --git a/src/config.rs b/src/config.rs index 256856c..a3ca044 100644 --- a/src/config.rs +++ b/src/config.rs @@ -1,4 +1,5 @@ -use rustls::client::WantsTransparencyPolicyOrClientCert; +use pki_types::CertificateDer; +use rustls::client::WantsClientCert; use rustls::{ClientConfig, ConfigBuilder, WantsVerifier}; /// Methods for configuring roots 
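Review bot: Gating `with_single_cert` with `#[cfg(feature = "ring")]` (second hunk of `src/acceptor/builder.rs`) silently removes a public constructor from any build that selects a different crypto provider, and unlike the cfg-gated methods in `src/config.rs` it carries no `doc(cfg(...))` attribute, so docs.rs will not show that the method depends on `ring`. Add `#[cfg_attr(docsrs, doc(cfg(feature = "ring")))]` next to the new cfg, plus a comment stating why the gate exists, e.g. `// Only available with the ring provider until this builder is made provider-agnostic (see commit message).` The function body continues past the end of the hunk, so I cannot see whether anything else in it is ring-specific.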
@@ -8,33 +9,33 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier}; pub trait ConfigBuilderExt { /// This configures the platform's trusted certs, as implemented by /// rustls-native-certs - #[cfg(feature = "rustls-native-certs")] + #[cfg(all(feature = "rustls-native-certs", feature = "ring"))] #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))] - fn with_native_roots(self) -> ConfigBuilder; + fn with_native_roots(self) -> ConfigBuilder; /// This configures the webpki roots, which are Mozilla's set of /// trusted roots as packaged by webpki-roots. - #[cfg(feature = "webpki-roots")] + #[cfg(all(feature = "webpki-roots", feature = "ring"))] #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))] - fn with_webpki_roots(self) -> ConfigBuilder; + fn with_webpki_roots(self) -> ConfigBuilder; } impl ConfigBuilderExt for ConfigBuilder { - #[cfg(feature = "rustls-native-certs")] + #[cfg(all(feature = "rustls-native-certs", feature = "ring"))] #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))] #[cfg_attr(not(feature = "logging"), allow(unused_variables))] - fn with_native_roots(self) -> ConfigBuilder { + fn with_native_roots(self) -> ConfigBuilder { let mut roots = rustls::RootCertStore::empty(); let mut valid_count = 0; let mut invalid_count = 0; for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") { - let cert = rustls::Certificate(cert.0); - match roots.add(&cert) { + let cert = CertificateDer::from(cert.0); + match roots.add(cert.clone()) { Ok(_) => valid_count += 1, Err(err) => { - crate::log::trace!("invalid cert der {:?}", cert.0); + crate::log::trace!("invalid cert der {:?}", cert); crate::log::debug!("certificate parsing failed: {:?}", err); invalid_count += 1 } 
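Review bot: The `cfg` on `with_native_roots` and `with_webpki_roots` now also requires `feature = "ring"`, but the adjacent `#[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]` and `doc(cfg(feature = "webpki-roots"))` lines were left unchanged, so the rendered docs will advertise both methods on builds that do not have them. Update each to match, e.g. `#[cfg_attr(docsrs, doc(cfg(all(feature = "rustls-native-certs", feature = "ring"))))]`; the same mismatch is in the next hunk of this file (`@@ -50,9 +51,9 @@`) and on `with_native_roots` in `src/connector/builder.rs`. In the loop, `roots.add(cert.clone())` copies every platform certificate solely so `cert` is still available for the `trace!` line in the error arm; a comment such as `// cloned so the rejected DER can be logged below` would make that intentional rather than looking like a leftover.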
@@ -50,9 +51,9 @@ impl ConfigBuilderExt for ConfigBuilder { self.with_root_certificates(roots) } - #[cfg(feature = "webpki-roots")] + #[cfg(all(feature = "webpki-roots", feature = "ring"))] #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))] - fn with_webpki_roots(self) -> ConfigBuilder { + fn with_webpki_roots(self) -> ConfigBuilder { let mut roots = rustls::RootCertStore::empty(); roots.add_trust_anchors( webpki_roots::TLS_SERVER_ROOTS diff --git a/src/connector/builder.rs b/src/connector/builder.rs index fdec7a8..def3c58 100644 --- a/src/connector/builder.rs +++ b/src/connector/builder.rs @@ -1,7 +1,10 @@ use rustls::ClientConfig; use super::HttpsConnector; -#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))] +#[cfg(all( + any(feature = "rustls-native-certs", feature = "webpki-roots"), + feature = "ring" +))] use crate::config::ConfigBuilderExt; #[cfg(feature = "tokio-runtime")] @@ -57,7 +60,7 @@ impl ConnectorBuilder { /// See [`ConfigBuilderExt::with_native_roots`] /// /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults - #[cfg(feature = "rustls-native-certs")] + #[cfg(all(feature = "rustls-native-certs", feature = "ring"))] #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))] pub fn with_native_roots(self) -> ConnectorBuilder { self.with_tls_config( diff --git a/src/lib.rs b/src/lib.rs index 308f71e..2a91f28 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -82,6 +82,7 @@ #[cfg(feature = "acceptor")] /// TLS acceptor implementing hyper's `Accept` trait. pub mod acceptor; +#[cfg(feature = "ring")] mod config; mod connector; mod stream; @@ -100,6 +101,7 @@ mod log { #[cfg(feature = "acceptor")] pub use crate::acceptor::{AcceptorBuilder, TlsAcceptor}; +#[cfg(feature = "ring")] pub use crate::config::ConfigBuilderExt; pub use crate::connector::builder::ConnectorBuilder as HttpsConnectorBuilder; pub use crate::connector::HttpsConnector; From aad1c2bfa3aab995f05972c3aa3865076f59da4a Mon Sep 17 00:00:00 2001 
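Review bot: `with_native_roots` in `src/connector/builder.rs` is now compiled only under `all(feature = "rustls-native-certs", feature = "ring")`, and `mod config` / `ConfigBuilderExt` in `src/lib.rs` only under `ring`, but the crate's `default` feature list at this commit (visible as the removed line in PATCH 02, `["native-tokio", "http1", "tls12", "logging", "acceptor"]`) enables `rustls-native-certs` without `ring`, so a plain `cargo build` of this commit loses `with_native_roots` from the public API. PATCH 04 later adds `ring` to `default`, which leaves PATCH 01–03 as intermediate states that do not expose the documented API; fold that default-feature change into this commit so each step builds the same surface.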
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 14 Sep 2023 12:05:21 +0800 Subject: [PATCH 02/24] Update for upstream changes --- Cargo.toml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index c0c801e..d97c213 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -15,22 +15,22 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.6", optional = true } -rustls = { git = "https://github.com/rustls/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["webpki", "dangerous_configuration"] } +rustls = { git = "https://github.com/stevefan1999-personal/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["dangerous_configuration"] } tokio = "1.0" tokio-rustls = { git = "https://github.com/stevefan1999-personal/tokio-rustls", branch = "part-4-patch", version = "0.24.0", default-features = false } webpki-roots = { version = "0.25", optional = true } futures-util = { version = "0.3", default-features = false } -webpki = { package = "rustls-webpki", version = "0.102.0-alpha.2", default-features = false, features = ["alloc", "std"] } -pki-types = { package = "rustls-pki-types", version = "0.2.0" } +webpki = { package = "rustls-webpki", version = "0.102.0-alpha.3", default-features = false } +pki-types = { package = "rustls-pki-types", version = "0.2.1", default-features = false } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } -rustls = { git = "https://github.com/rustls/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["webpki", "tls12"] } +rustls = { git = "https://github.com/stevefan1999-personal/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } rustls-pemfile = "1.0.0" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } [features] -default = ["native-tokio", "http1", "tls12", "logging", "acceptor"] +default = ["native-tokio", "http1", "tls12", "logging", "acceptor", "std"] 
acceptor = ["hyper/server", "tokio-runtime"] http1 = ["hyper/http1"] http2 = ["hyper/http2"] @@ -40,6 +40,8 @@ tokio-runtime = ["hyper/runtime"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] ring = ["rustls/ring"] +std = ["rustls/std", "webpki/std", "pki-types/std"] +alloc = ["rustls/alloc", "webpki/alloc", "pki-types/alloc"] [[example]] name = "client" From c180f50da43e3d77a804c0a93805ceddded2f926 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 21 Sep 2023 21:51:33 +0800 Subject: [PATCH 03/24] update to use upstream main branch --- Cargo.toml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index d97c213..c5ffa12 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -15,22 +15,22 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.6", optional = true } -rustls = { git = "https://github.com/stevefan1999-personal/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["dangerous_configuration"] } +rustls = { git = "https://github.com/rustls/rustls", branch = "main", version = "0.22.0-alpha.2", default-features = false } tokio = "1.0" -tokio-rustls = { git = "https://github.com/stevefan1999-personal/tokio-rustls", branch = "part-4-patch", version = "0.24.0", default-features = false } +tokio-rustls = { git = "https://github.com/stevefan1999-personal/tokio-rustls", branch = "main", version = "0.24.0", default-features = false } webpki-roots = { version = "0.25", optional = true } futures-util = { version = "0.3", default-features = false } -webpki = { package = "rustls-webpki", version = "0.102.0-alpha.3", default-features = false } +webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.3", default-features = false } pki-types = { package = "rustls-pki-types", version = "0.2.1", default-features = false } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } -rustls = { git = "https://github.com/stevefan1999-personal/rustls", branch = "jbp-generalise-crypto-usage-pt4", version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } +rustls = { git = "https://github.com/rustls/rustls", branch = "main", version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } rustls-pemfile = "1.0.0" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } [features] -default = ["native-tokio", "http1", "tls12", "logging", "acceptor", "std"] +default = ["native-tokio", "http1", "tls12", "logging", "acceptor"] acceptor = ["hyper/server", "tokio-runtime"] http1 = ["hyper/http1"] 
http2 = ["hyper/http2"] @@ -40,8 +40,6 @@ tokio-runtime = ["hyper/runtime"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] ring = ["rustls/ring"] -std = ["rustls/std", "webpki/std", "pki-types/std"] -alloc = ["rustls/alloc", "webpki/alloc", "pki-types/alloc"] [[example]] name = "client" From f16bef12eeb19d86fb7915464e89a933e815d46d Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 21 Sep 2023 21:59:24 +0800 Subject: [PATCH 04/24] use patch instead --- Cargo.toml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index c5ffa12..6894d07 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -15,22 +15,20 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.6", optional = true } -rustls = { git = "https://github.com/rustls/rustls", branch = "main", version = "0.22.0-alpha.2", default-features = false } +rustls = { version = "0.22.0-alpha.2", default-features = false } tokio = "1.0" -tokio-rustls = { git = "https://github.com/stevefan1999-personal/tokio-rustls", branch = "main", version = "0.24.0", default-features = false } +tokio-rustls = { version = "0.24.1", default-features = false } webpki-roots = { version = "0.25", optional = true } futures-util = { version = "0.3", default-features = false } -webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.3", default-features = false } -pki-types = { package = "rustls-pki-types", version = "0.2.1", default-features = false } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } -rustls = { git = "https://github.com/rustls/rustls", branch = "main", version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } +rustls = { version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } rustls-pemfile = "1.0.0" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } [features] -default = ["native-tokio", "http1", "tls12", "logging", "acceptor"] +default = ["native-tokio", "http1", "tls12", "logging", "acceptor", "ring"] acceptor = ["hyper/server", "tokio-runtime"] http1 = ["hyper/http1"] http2 = ["hyper/http2"] @@ -54,3 +52,6 @@ required-features = ["tokio-runtime", "acceptor"] [package.metadata.docs.rs] all-features = true rustdoc-args = ["--cfg", "docsrs"] + +[patch.crates-io] +rustls = { git = 'https://github.com/rustls/rustls' } \ No newline at end of file From 488b28ca7b9a45470bf88e0562836f6a432f2005 Mon Sep 17 00:00:00 2001 
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 21 Sep 2023 22:07:00 +0800 Subject: [PATCH 05/24] add pki-types back --- Cargo.toml | 6 ++++-- src/acceptor/builder.rs | 4 +--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 6894d07..dd52017 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -20,6 +20,7 @@ tokio = "1.0" tokio-rustls = { version = "0.24.1", default-features = false } webpki-roots = { version = "0.25", optional = true } futures-util = { version = "0.3", default-features = false } +pki-types = { package = "rustls-pki-types", version = "0.2.1", optional = true } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } @@ -37,7 +38,7 @@ native-tokio = ["tokio-runtime", "rustls-native-certs"] tokio-runtime = ["hyper/runtime"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] -ring = ["rustls/ring"] +ring = ["rustls/ring", "pki-types"] [[example]] name = "client" @@ -54,4 +55,5 @@ all-features = true rustdoc-args = ["--cfg", "docsrs"] [patch.crates-io] -rustls = { git = 'https://github.com/rustls/rustls' } \ No newline at end of file +rustls = { git = 'https://github.com/rustls/rustls' } +tokio-rustls = { git = 'https://github.com/stevefan1999-personal/tokio-rustls' } diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs index e6381df..dead828 100644 --- a/src/acceptor/builder.rs +++ b/src/acceptor/builder.rs @@ -4,9 +4,7 @@ use hyper::server::conn::AddrIncoming; use rustls::ServerConfig; #[cfg(feature = "ring")] -use pki_types::CertificateDer; -#[cfg(feature = "ring")] -use pki_types::PrivateKeyDer; +use pki_types::{CertificateDer, PrivateKeyDer}; use super::TlsAcceptor; /// Builder for [`TlsAcceptor`] From a735de09e6d16c251429c2c3e80444a5f79fe7e6 Mon Sep 17 00:00:00 2001 
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 21 Sep 2023 22:30:59 +0800 Subject: [PATCH 06/24] use upstream tokio-rustls as patch target --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index dd52017..0d9349a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -56,4 +56,4 @@ rustdoc-args = ["--cfg", "docsrs"] [patch.crates-io] rustls = { git = 'https://github.com/rustls/rustls' } -tokio-rustls = { git = 'https://github.com/stevefan1999-personal/tokio-rustls' } +tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' } From ebf8a54092c88a8a932198117c37d259f450cc81 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Thu, 21 Sep 2023 23:39:32 +0800 Subject: [PATCH 07/24] upgrade rustls to 0.22.0-alpha.3 --- Cargo.toml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index dd52017..e03939e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,7 +15,7 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.6", optional = true } -rustls = { version = "0.22.0-alpha.2", default-features = false } +rustls = { version = "0.22.0-alpha.3", default-features = false } tokio = "1.0" tokio-rustls = { version = "0.24.1", default-features = false } webpki-roots = { version = "0.25", optional = true } @@ -24,7 +24,7 @@ pki-types = { package = "rustls-pki-types", version = "0.2.1", optional = true } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } -rustls = { version = "0.22.0-alpha.2", default-features = false, features = ["tls12"] } +rustls = { version = "0.22.0-alpha.3", default-features = false, features = ["tls12"] } rustls-pemfile = "1.0.0" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } 
@@ -55,5 +55,4 @@ all-features = true rustdoc-args = ["--cfg", "docsrs"] [patch.crates-io] -rustls = { git = 'https://github.com/rustls/rustls' } -tokio-rustls = { git = 'https://github.com/stevefan1999-personal/tokio-rustls' } +tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' } From 47dc485c127cdf52f5c60c92bce05652fe0a6414 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Sat, 23 Sep 2023 19:39:15 +0800 Subject: [PATCH 08/24] fix checks for examples and tests --- examples/client.rs | 6 ++++-- examples/server.rs | 11 +++++++---- src/lib.rs | 4 ++-- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/examples/client.rs b/examples/client.rs index 4659b6d..d1b388d 100644 --- a/examples/client.rs +++ b/examples/client.rs @@ -48,9 +48,11 @@ async fn run_client() -> io::Result<()> { Some(ref mut rd) => { // Read trust roots let certs = rustls_pemfile::certs(rd) - .map_err(|_| error("failed to load custom CA store".into()))?; + .map_err(|_| error("failed to load custom CA store".into()))? + .into_iter() + .map(Into::into); let mut roots = RootCertStore::empty(); - roots.add_parsable_certificates(&certs); + roots.add_parsable_certificates(certs); // TLS client config using the custom CA store for lookups rustls::ClientConfig::builder() .with_safe_defaults() diff --git a/examples/server.rs b/examples/server.rs index 964303b..2b3395e 100644 --- a/examples/server.rs +++ b/examples/server.rs @@ -14,6 +14,8 @@ use hyper::server::conn::AddrIncoming; use hyper::service::{make_service_fn, service_fn}; use hyper::{Body, Method, Request, Response, Server, StatusCode}; use hyper_rustls::TlsAcceptor; +use pki_types::CertificateDer; +use pki_types::PrivateKeyDer; fn main() { // Serve an echo service over HTTPS, with proper error handling. 
@@ -80,7 +82,7 @@ async fn echo(req: Request) -> Result, hyper::Error> { } // Load public certificate from file. -fn load_certs(filename: &str) -> io::Result> { +fn load_certs(filename: &str) -> io::Result> { // Open certificate file. let certfile = fs::File::open(filename) .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?; @@ -91,12 +93,12 @@ fn load_certs(filename: &str) -> io::Result> { .map_err(|_| error("failed to load certificate".into()))?; Ok(certs .into_iter() - .map(rustls::Certificate) + .map(Into::into) .collect()) } // Load private key from file. -fn load_private_key(filename: &str) -> io::Result { +fn load_private_key(filename: &str) -> io::Result { // Open keyfile. let keyfile = fs::File::open(filename) .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?; @@ -109,5 +111,6 @@ fn load_private_key(filename: &str) -> io::Result { return Err(error("expected a single private key".into())); } - Ok(rustls::PrivateKey(keys[0].clone())) + // TODO: should PKCS#8 be supported? + Ok(PrivateKeyDer::Pkcs1(keys[0].clone().into())) } diff --git a/src/lib.rs b/src/lib.rs index 2a91f28..bf4e977 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -48,7 +48,7 @@ //! //! // Load and return certificate. //! let certs = rustls_pemfile::certs(&mut reader).unwrap(); -//! let certs = certs.into_iter().map(rustls::Certificate).collect(); +//! let certs = certs.into_iter().map(Into::into).collect(); //! //! // Load private key. (see `examples/server.rs`) //! let keyfile = File::open("examples/sample.rsa").unwrap(); @@ -56,7 +56,7 @@ //! //! // Load and return a single private key. //! let keys = rustls_pemfile::rsa_private_keys(&mut reader).unwrap(); -//! let key = rustls::PrivateKey(keys[0].clone()); +//! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].clone().into()); //! let https = hyper_rustls::HttpsConnectorBuilder::new() //! .with_native_roots() //! .https_only() From 24398a69e3586c7115aa74165addf83dcab9e049 Mon Sep 17 00:00:00 2001 
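Review bot: The new `// TODO: should PKCS#8 be supported?` comment in `load_private_key` leaves the question open, while the code beneath it already decides it: `rustls_pemfile::rsa_private_keys` reads only `RSA PRIVATE KEY` (PKCS#1) PEM blocks, so a PKCS#8 `PRIVATE KEY` file yields zero keys and the caller gets the misleading `expected a single private key` error. Either state the limitation in the comment, e.g. `// Only PKCS#1 "RSA PRIVATE KEY" PEM blocks are read; a PKCS#8 file is reported as "expected a single private key"`, or read any supported key type and let the parser choose the `PrivateKeyDer` variant; the `Pkcs1(keys[0].clone().into())` pattern is repeated in the `src/lib.rs` doc example in this patch. That doc example now also requires users to depend on `pki_types` directly; re-exporting it from the crate (`pub use pki_types;`) would keep the documented snippet buildable with a single dependency.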
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Sat, 23 Sep 2023 20:01:56 +0800 Subject: [PATCH 09/24] upgrade webpki-roots and mandate pki-types usage --- Cargo.toml | 6 +++--- src/config.rs | 11 ++--------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index e03939e..108bd5f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -18,9 +18,9 @@ rustls-native-certs = { version = "0.6", optional = true } rustls = { version = "0.22.0-alpha.3", default-features = false } tokio = "1.0" tokio-rustls = { version = "0.24.1", default-features = false } -webpki-roots = { version = "0.25", optional = true } +webpki-roots = { version = "0.26.0-alpha.1", optional = true } futures-util = { version = "0.3", default-features = false } -pki-types = { package = "rustls-pki-types", version = "0.2.1", optional = true } +pki-types = { package = "rustls-pki-types", version = "0.2.1" } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } @@ -38,7 +38,7 @@ native-tokio = ["tokio-runtime", "rustls-native-certs"] tokio-runtime = ["hyper/runtime"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] logging = ["log", "tokio-rustls/logging", "rustls/logging"] -ring = ["rustls/ring", "pki-types"] +ring = ["rustls/ring"] [[example]] name = "client" diff --git a/src/config.rs b/src/config.rs index a3ca044..ac892d9 100644 --- a/src/config.rs +++ b/src/config.rs @@ -1,4 +1,3 @@ -use pki_types::CertificateDer; use rustls::client::WantsClientCert; use rustls::{ClientConfig, ConfigBuilder, WantsVerifier}; 
@@ -55,16 +54,10 @@ impl ConfigBuilderExt for ConfigBuilder { #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))] fn with_webpki_roots(self) -> ConfigBuilder { let mut roots = rustls::RootCertStore::empty(); - roots.add_trust_anchors( + roots.extend( webpki_roots::TLS_SERVER_ROOTS .iter() - .map(|ta| { - rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - ) - }), + .cloned(), ); self.with_root_certificates(roots) } From 0d1c44a9cd6f2dc8f935a63ba8cf7d433e6b9086 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Sat, 23 Sep 2023 20:02:12 +0800 Subject: [PATCH 10/24] match original lines in config as much as possible --- src/config.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/config.rs b/src/config.rs index ac892d9..5a072de 100644 --- a/src/config.rs +++ b/src/config.rs @@ -30,11 +30,10 @@ impl ConfigBuilderExt for ConfigBuilder { for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") { - let cert = CertificateDer::from(cert.0); - match roots.add(cert.clone()) { + match roots.add(cert.0.clone().into()) { Ok(_) => valid_count += 1, Err(err) => { - crate::log::trace!("invalid cert der {:?}", cert); + crate::log::trace!("invalid cert der {:?}", cert.0); crate::log::debug!("certificate parsing failed: {:?}", err); invalid_count += 1 } From f23517eab3a49ab347abe7d7491cfdec29e09e8c Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Sat, 23 Sep 2023 20:37:33 +0800 Subject: [PATCH 11/24] use alpha version of rustls family crates --- Cargo.toml | 7 ++++--- examples/client.rs | 5 +---- examples/server.rs | 16 +++++++++++----- src/config.rs | 4 ++-- src/lib.rs | 8 ++++---- 5 files changed, 22 insertions(+), 18 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 108bd5f..5f51451 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -14,10 +14,10 @@ documentation = "https://docs.rs/hyper-rustls/" http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } -rustls-native-certs = { version = "0.6", optional = true } +rustls-native-certs = { version = "0.7.0-alpha.0", optional = true } rustls = { version = "0.22.0-alpha.3", default-features = false } tokio = "1.0" -tokio-rustls = { version = "0.24.1", default-features = false } +tokio-rustls = { version = "0.25.0-alpha.1", default-features = false } webpki-roots = { version = "0.26.0-alpha.1", optional = true } futures-util = { version = "0.3", default-features = false } pki-types = { package = "rustls-pki-types", version = "0.2.1" } @@ -25,7 +25,7 @@ pki-types = { package = "rustls-pki-types", version = "0.2.1" } [dev-dependencies] hyper = { version = "0.14", features = ["full"] } rustls = { version = "0.22.0-alpha.3", default-features = false, features = ["tls12"] } -rustls-pemfile = "1.0.0" +rustls-pemfile = "2.0.0-alpha.1" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } [features] @@ -55,4 +55,5 @@ all-features = true rustdoc-args = ["--cfg", "docsrs"] [patch.crates-io] +rustls-native-certs = { git = 'https://github.com/rustls/rustls-native-certs' } tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' } diff --git a/examples/client.rs b/examples/client.rs index d1b388d..e0a59dc 100644 --- a/examples/client.rs +++ b/examples/client.rs @@ -47,10 +47,7 @@ async fn run_client() -> io::Result<()> { let tls = match ca { Some(ref mut rd) => { // Read trust roots - let certs = rustls_pemfile::certs(rd) - .map_err(|_| error("failed to load custom CA store".into()))? - .into_iter() - .map(Into::into); + let certs = rustls_pemfile::certs(rd).flat_map(|x| x); let mut roots = RootCertStore::empty(); roots.add_parsable_certificates(certs); // TLS client config using the custom CA store for lookups 
diff --git a/examples/server.rs b/examples/server.rs index 2b3395e..4932ffa 100644 --- a/examples/server.rs +++ b/examples/server.rs @@ -89,8 +89,7 @@ fn load_certs(filename: &str) -> io::Result> { let mut reader = io::BufReader::new(certfile); // Load and return certificate. - let certs = rustls_pemfile::certs(&mut reader) - .map_err(|_| error("failed to load certificate".into()))?; + let certs = rustls_pemfile::certs(&mut reader).flat_map(|x| x); Ok(certs .into_iter() .map(Into::into) @@ -105,12 +104,19 @@ fn load_private_key(filename: &str) -> io::Result { let mut reader = io::BufReader::new(keyfile); // Load and return a single private key. - let keys = rustls_pemfile::rsa_private_keys(&mut reader) - .map_err(|_| error("failed to load private key".into()))?; + let keys: Vec> = + rustls_pemfile::rsa_private_keys(&mut reader) + .flat_map(|x| x) + .collect(); if keys.len() != 1 { return Err(error("expected a single private key".into())); } // TODO: should PKCS#8 be supported? - Ok(PrivateKeyDer::Pkcs1(keys[0].clone().into())) + Ok(PrivateKeyDer::Pkcs1( + keys[0] + .secret_pkcs1_der() + .to_owned() + .into(), + )) } diff --git a/src/config.rs b/src/config.rs index 5a072de..b53d3bd 100644 --- a/src/config.rs +++ b/src/config.rs @@ -30,10 +30,10 @@ impl ConfigBuilderExt for ConfigBuilder { for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") { - match roots.add(cert.0.clone().into()) { + match roots.add(cert.as_ref().into()) { Ok(_) => valid_count += 1, Err(err) => { - crate::log::trace!("invalid cert der {:?}", cert.0); + crate::log::trace!("invalid cert der {:?}", cert.as_ref()); crate::log::debug!("certificate parsing failed: {:?}", err); invalid_count += 1 } diff --git a/src/lib.rs b/src/lib.rs index bf4e977..acf5679 100644 --- a/src/lib.rs +++ b/src/lib.rs 
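Review bot: In the rewritten tail of `load_private_key`, `keys[0].secret_pkcs1_der().to_owned().into()` makes a second heap copy of the RSA private key just to wrap it in `PrivateKeyDer::Pkcs1`, and the original copy stays alive in `keys` until the function returns. `rsa_private_keys` already yields owned `PrivatePkcs1KeyDer` values, so the key can be moved rather than duplicated, e.g. `let mut keys = ...;` then `Ok(PrivateKeyDer::Pkcs1(keys.remove(0)))` (or `keys.remove(0).into()` if pki-types provides that `From` impl — I believe it does in 0.2.1, but confirm). The `src/lib.rs` doc example in this patch repeats the same copy with `.to_vec().into()`.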
@@ -47,16 +47,16 @@ //! let mut reader = io::BufReader::new(certfile); //! //! // Load and return certificate. -//! let certs = rustls_pemfile::certs(&mut reader).unwrap(); -//! let certs = certs.into_iter().map(Into::into).collect(); +//! let certs = rustls_pemfile::certs(&mut reader).flat_map(|x| x); +//! let certs = certs.map(Into::into).collect(); //! //! // Load private key. (see `examples/server.rs`) //! let keyfile = File::open("examples/sample.rsa").unwrap(); //! let mut reader = io::BufReader::new(keyfile); //! //! // Load and return a single private key. -//! let keys = rustls_pemfile::rsa_private_keys(&mut reader).unwrap(); -//! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].clone().into()); +//! let keys: Vec> = rustls_pemfile::rsa_private_keys(&mut reader).flat_map(|x| x).collect(); +//! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].secret_pkcs1_der().to_vec().into()); //! let https = hyper_rustls::HttpsConnectorBuilder::new() //! .with_native_roots() //! .https_only() From b4f266805b585fa3ed5ed453e84153f033838f56 Mon Sep 17 00:00:00 2001 From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com> Date: Sat, 23 Sep 2023 20:38:09 +0800 Subject: [PATCH 12/24] assert exact version for rustls --- Cargo.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 5f51451..800efd2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,7 +15,7 @@ http = "0.2" hyper = { version = "0.14", default-features = false, features = ["client"] } log = { version = "0.4.4", optional = true } rustls-native-certs = { version = "0.7.0-alpha.0", optional = true } -rustls = { version = "0.22.0-alpha.3", default-features = false } +rustls = { version = "=0.22.0-alpha.3", default-features = false } tokio = "1.0" tokio-rustls = { version = "0.25.0-alpha.1", default-features = false } webpki-roots = { version = "0.26.0-alpha.1", optional = true } 
@@ -24,7 +24,7 @@ pki-types = { package = "rustls-pki-types", version = "0.2.1" }
 [dev-dependencies]
 hyper = { version = "0.14", features = ["full"] }
-rustls = { version = "0.22.0-alpha.3", default-features = false, features = ["tls12"] }
+rustls = { version = "=0.22.0-alpha.3", default-features = false, features = ["tls12"] }
 rustls-pemfile = "2.0.0-alpha.1"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
From 805af65ae5f2a7a3c89a72bb09b6fc09d59050cc Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Sat, 23 Sep 2023 20:41:46 +0800
Subject: [PATCH 13/24] fold pki_types CertificateDer, PrivateKeyDer
---
 examples/server.rs | 3 +--
 src/acceptor/builder.rs | 7 ++-----
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/examples/server.rs b/examples/server.rs
index 4932ffa..778772a 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -14,8 +14,7 @@ use hyper::server::conn::AddrIncoming;
 use hyper::service::{make_service_fn, service_fn};
 use hyper::{Body, Method, Request, Response, Server, StatusCode};
 use hyper_rustls::TlsAcceptor;
-use pki_types::CertificateDer;
-use pki_types::PrivateKeyDer;
+use pki_types::{CertificateDer, PrivateKeyDer};
 fn main() {
 // Serve an echo service over HTTPS, with proper error handling.
diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs
index dead828..ef7d4b6 100644
--- a/src/acceptor/builder.rs
+++ b/src/acceptor/builder.rs
@@ -3,9 +3,6 @@ use std::sync::Arc;
 use hyper::server::conn::AddrIncoming;
 use rustls::ServerConfig;
-#[cfg(feature = "ring")]
-use pki_types::{CertificateDer, PrivateKeyDer};
-
 use super::TlsAcceptor;
 /// Builder for [`TlsAcceptor`]
 pub struct AcceptorBuilder(State);
@@ -31,8 +28,8 @@ impl AcceptorBuilder {
 #[cfg(feature = "ring")]
 pub fn with_single_cert(
 self,
- cert_chain: Vec>,
- key_der: PrivateKeyDer<'static>,
+ cert_chain: Vec>,
+ key_der: pki_types::PrivateKeyDer<'static>,
 ) -> Result, rustls::Error> {
 Ok(AcceptorBuilder(WantsAlpn(
 ServerConfig::builder()
From b4e5ee559f34e35ad01431ab6eaa91c38cbb16d0 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Sat, 23 Sep 2023 21:20:04 +0800
Subject: [PATCH 14/24] don't ignore errors on parsing private keys
---
 examples/client.rs | 2 +-
 examples/server.rs | 11 +++--------
 src/lib.rs | 5 ++---
 3 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/examples/client.rs b/examples/client.rs
index e0a59dc..a698fcd 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -47,7 +47,7 @@ async fn run_client() -> io::Result<()> {
 let tls = match ca {
 Some(ref mut rd) => {
 // Read trust roots
- let certs = rustls_pemfile::certs(rd).flat_map(|x| x);
+ let certs = rustls_pemfile::certs(rd).collect::, _>>()?;
 let mut roots = RootCertStore::empty();
 roots.add_parsable_certificates(certs);
 // TLS client config using the custom CA store for lookups
diff --git a/examples/server.rs b/examples/server.rs
index 778772a..ca5614e 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -88,11 +88,8 @@ fn load_certs(filename: &str) -> io::Result> {
 let mut reader = io::BufReader::new(certfile);
 // Load and return certificate.
- let certs = rustls_pemfile::certs(&mut reader).flat_map(|x| x);
- Ok(certs
- .into_iter()
- .map(Into::into)
- .collect())
+ let certs = rustls_pemfile::certs(&mut reader).collect::, _>>()?;
+ Ok(certs)
 }
 // Load private key from file.
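Review bot: Now that `collect::<Result<Vec<_>, _>>()?` surfaces PEM parse errors, the one silent path left in the examples/client.rs hunk is `roots.add_parsable_certificates(certs);` on the following line, whose return value is dropped; a CA file that parses but holds no usable certificate leaves `roots` empty and only fails later as a verification error on every connection. If that call returns the `(added, ignored)` pair as in recent rustls, checking it makes the example fail fast with a clear message: `let (added, _ignored) = roots.add_parsable_certificates(certs);` followed by `if added == 0 { return Err(io::Error::new(io::ErrorKind::InvalidData, "no usable CA certificate in the file")); }`. run_client continues outside the hunk.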
@@ -104,9 +101,7 @@ fn load_private_key(filename: &str) -> io::Result {
 // Load and return a single private key.
 let keys: Vec> =
- rustls_pemfile::rsa_private_keys(&mut reader)
- .flat_map(|x| x)
- .collect();
+ rustls_pemfile::rsa_private_keys(&mut reader).collect::, _>>()?;
 if keys.len() != 1 {
 return Err(error("expected a single private key".into()));
 }
diff --git a/src/lib.rs b/src/lib.rs
index acf5679..bf37488 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -47,15 +47,14 @@
 //! let mut reader = io::BufReader::new(certfile);
 //!
 //! // Load and return certificate.
-//! let certs = rustls_pemfile::certs(&mut reader).flat_map(|x| x);
-//! let certs = certs.map(Into::into).collect();
+//! let certs = rustls_pemfile::certs(&mut reader).collect::, _>>().unwrap();
 //!
 //! // Load private key. (see `examples/server.rs`)
 //! let keyfile = File::open("examples/sample.rsa").unwrap();
 //! let mut reader = io::BufReader::new(keyfile);
 //!
 //! // Load and return a single private key.
-//! let keys: Vec> = rustls_pemfile::rsa_private_keys(&mut reader).flat_map(|x| x).collect();
+//! let keys: Vec> = rustls_pemfile::rsa_private_keys(&mut reader).collect::, _>>().unwrap();
 //! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].secret_pkcs1_der().to_vec().into());
 //! let https = hyper_rustls::HttpsConnectorBuilder::new()
 //! .with_native_roots()
From 9a03a61ea8d526b6e2db9fb3b8c1b1043a4c8bef Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 21:24:58 +0800
Subject: [PATCH 15/24] use upstream pemfile
---
 Cargo.toml | 1 +
 examples/server.rs | 17 ++++-------------
 src/lib.rs | 3 +--
 3 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index a52dd42..af41ab6 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -57,3 +57,4 @@ rustdoc-args = ["--cfg", "docsrs"]
 [patch.crates-io]
 rustls-native-certs = { git = 'https://github.com/rustls/rustls-native-certs' }
 tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' }
+rustls-pemfile = { git = 'https://github.com/rustls/pemfile' }
diff --git a/examples/server.rs b/examples/server.rs
index ca5614e..1fd18fd 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -88,7 +88,8 @@ fn load_certs(filename: &str) -> io::Result> {
 let mut reader = io::BufReader::new(certfile);
 // Load and return certificate.
- let certs = rustls_pemfile::certs(&mut reader).collect::, _>>()?;
+ let certs: Vec> =
+ rustls_pemfile::certs(&mut reader).collect::, _>>()?;
 Ok(certs)
 }
@@ -100,17 +101,7 @@ fn load_private_key(filename: &str) -> io::Result {
 let mut reader = io::BufReader::new(keyfile);
 // Load and return a single private key.
- let keys: Vec> =
- rustls_pemfile::rsa_private_keys(&mut reader).collect::, _>>()?;
- if keys.len() != 1 {
- return Err(error("expected a single private key".into()));
- }
-
- // TODO: should PKCS#8 be supported?
- Ok(PrivateKeyDer::Pkcs1(
- keys[0]
- .secret_pkcs1_der()
- .to_owned()
- .into(),
+ rustls_pemfile::private_key(&mut reader)?.ok_or(error(
+ "expected a valid private key from the key file".into(),
 ))
 }
diff --git a/src/lib.rs b/src/lib.rs
index 2e26644..4dc0b2e 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -55,8 +55,7 @@
 //! let mut reader = io::BufReader::new(keyfile);
 //!
 //! // Load and return a single private key.
-//! let keys: Vec> = rustls_pemfile::rsa_private_keys(&mut reader).collect::, _>>().unwrap();
-//! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].secret_pkcs1_der().to_vec().into());
+//! let key = rustls_pemfile::private_key(&mut reader).unwrap().unwrap();
 //! let https = hyper_rustls::HttpsConnectorBuilder::new()
 //! .with_native_roots()
 //! .expect("no native root CA certificates found")
From 7475b7611f29df477938f8ba44d095b32faad9cc Mon Sep 17 00:00:00 2001
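Review bot: The new `rustls-pemfile` entry, like the two `[patch.crates-io]` lines above it, points at a git repository with no `rev`, so every fresh build resolves whatever commit the default branch holds at that moment; that is neither reproducible nor reviewable, and a force-push or a compromised upstream branch lands in this crate's build silently. Pin each entry, e.g. `rustls-pemfile = { git = 'https://github.com/rustls/pemfile', rev = '<commit-sha>' }`, and keep in mind that `[patch]` only applies to the root workspace: downstream users of a published hyper-rustls build against the crates.io releases, so the API used here has to exist in the `=`-pinned versions for the crate to be publishable. The same applies to the tokio-rustls patch lines changed in PATCH 17 and PATCH 22.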
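Review bot: `ok_or(error(...))` on the new `private_key` line builds the error string and the boxed error behind `.into()` on every call, including the success path; `ok_or_else(|| error(...))` defers that work to the failure case. The deleted code also rejected a file carrying more than one key (`keys.len() != 1`) and accepted only PKCS#1, whereas `rustls_pemfile::private_key` appears to return the first key it finds in any of the supported encodings and ignore the rest, so the example now silently accepts multi-key files and PKCS#8/SEC1 keys; if that is intended, a line such as `// first PKCS#1/PKCS#8/SEC1 key in the file wins; extra keys are ignored` above the call would record it. load_private_key's header is outside the hunk.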
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 21:27:49 +0800
Subject: [PATCH 16/24] use exact version match for alpha packages
---
 Cargo.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index af41ab6..627ed92 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,18 +14,18 @@ documentation = "https://docs.rs/hyper-rustls/"
 http = "0.2"
 hyper = { version = "0.14", default-features = false, features = ["client"] }
 log = { version = "0.4.4", optional = true }
-rustls-native-certs = { version = "0.7.0-alpha.0", optional = true }
+rustls-native-certs = { version = "=0.7.0-alpha.1", optional = true }
 rustls = { version = "=0.22.0-alpha.3", default-features = false }
 tokio = "1.0"
-tokio-rustls = { version = "0.25.0-alpha.1", default-features = false }
-webpki-roots = { version = "0.26.0-alpha.1", optional = true }
+tokio-rustls = { version = "=0.25.0-alpha.1", default-features = false }
+webpki-roots = { version = "=0.26.0-alpha.1", optional = true }
 futures-util = { version = "0.3", default-features = false }
 pki-types = { package = "rustls-pki-types", version = "0.2.1" }
 [dev-dependencies]
 hyper = { version = "0.14", features = ["full"] }
 rustls = { version = "=0.22.0-alpha.3", default-features = false, features = ["tls12"] }
-rustls-pemfile = "2.0.0-alpha.1"
+rustls-pemfile = "=2.0.0-alpha.1"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 [features]
From 09c1b2a1f4994bd61d82f5484e49c3b8b511f385 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 21:43:39 +0800
Subject: [PATCH 17/24] bump rustls version and rewrite crate until alpha 4 release on crates.io
---
 Cargo.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 627ed92..feb12b7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,7 +15,7 @@ http = "0.2"
 hyper = { version = "0.14", default-features = false, features = ["client"] }
 log = { version = "0.4.4", optional =  true }
 rustls-native-certs = { version = "=0.7.0-alpha.1", optional = true }
-rustls = { version = "=0.22.0-alpha.3", default-features = false }
+rustls = { version = "=0.22.0-alpha.4", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "=0.25.0-alpha.1", default-features = false }
 webpki-roots = { version = "=0.26.0-alpha.1", optional = true }
@@ -24,7 +24,7 @@ pki-types = { package = "rustls-pki-types", version = "0.2.1" }
 [dev-dependencies]
 hyper = { version = "0.14", features = ["full"] }
-rustls = { version = "=0.22.0-alpha.3", default-features = false, features = ["tls12"] }
+rustls = { version = "=0.22.0-alpha.4", default-features = false, features = ["tls12"] }
 rustls-pemfile = "=2.0.0-alpha.1"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
@@ -56,5 +56,5 @@ rustdoc-args = ["--cfg", "docsrs"]
 [patch.crates-io]
 rustls-native-certs = { git = 'https://github.com/rustls/rustls-native-certs' }
-tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' }
+tokio-rustls = { git = 'https://github.com/stevefan1999-personal/tokio-rustls', branch = "patch-1" }
 rustls-pemfile = { git = 'https://github.com/rustls/pemfile' }
From 676664265dd2863b7ec5367327092d9a1ff882ce Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 21:47:08 +0800
Subject: [PATCH 18/24] breaking abi change, exclude ring as a necessary default
---
 Cargo.toml | 4 ++--
 examples/client.rs | 4 ++--
 src/acceptor/builder.rs | 30 +++++++++++++++++++++++++-----
 src/connector/builder.rs | 12 ++++++------
 src/lib.rs | 8 ++++----
 5 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index feb12b7..8675d56 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -43,12 +43,12 @@ ring = ["rustls/ring"]
 [[example]]
 name = "client"
 path = "examples/client.rs"
-required-features = ["native-tokio", "http1"]
+required-features = ["native-tokio", "http1", "ring"]
 [[example]]
 name = "server"
 path = "examples/server.rs"
-required-features = ["tokio-runtime", "acceptor"]
+required-features = ["tokio-runtime", "acceptor", "ring"]
 [package.metadata.docs.rs]
 all-features = true
diff --git a/examples/client.rs b/examples/client.rs
index 773715b..11a5ffa 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -51,13 +51,13 @@ async fn run_client() -> io::Result<()> {
 let mut roots = RootCertStore::empty();
 roots.add_parsable_certificates(certs);
 // TLS client config using the custom CA store for lookups
- rustls::ClientConfig::builder()
+ rustls::ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth()
 }
 // Default TLS client config with native roots
- None => rustls::ClientConfig::builder()
+ None => rustls::ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_native_roots()?
 .with_no_client_auth(),
diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs
index ef7d4b6..ee4a382 100644
--- a/src/acceptor/builder.rs
+++ b/src/acceptor/builder.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 use hyper::server::conn::AddrIncoming;
-use rustls::ServerConfig;
+use rustls::{ServerConfig, crypto::CryptoProvider};
 use super::TlsAcceptor;
 /// Builder for [`TlsAcceptor`]
@@ -21,18 +21,38 @@ impl AcceptorBuilder {
 AcceptorBuilder(WantsAlpn(config))
 }
- /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth]
+ #[cfg(feature = "ring")]
+ /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth],
+ /// with ring as the provided crypto suites
 ///
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
 /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth
- #[cfg(feature = "ring")]
- pub fn with_single_cert(
+ pub fn with_ring_and_single_cert(
+ self,
+ cert_chain: Vec>,
+ key_der: pki_types::PrivateKeyDer<'static>,
+ ) -> Result, rustls::Error> {
+ Ok(AcceptorBuilder(WantsAlpn(
+ ServerConfig::builder_with_ring()
+ .with_safe_defaults()
+ .with_no_client_auth()
+ .with_single_cert(cert_chain, key_der)?,
+ )))
+ }
+
+ /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth],
+ /// and the user has to provide a crypto suite implemention
+ ///
+ /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
+ /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth
+ pub fn with_provider_and_single_cert(
 self,
+ provider: &'static dyn CryptoProvider,
 cert_chain: Vec>,
 key_der: pki_types::PrivateKeyDer<'static>,
 ) -> Result, rustls::Error> {
 Ok(AcceptorBuilder(WantsAlpn(
- ServerConfig::builder()
+ ServerConfig::builder_with_provider(provider)
 .with_safe_defaults()
 .with_no_client_auth()
 .with_single_cert(cert_chain, key_der)?,
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index f5d7a39..5519f0d 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
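Review bot: The doc comment on the new `with_provider_and_single_cert` reads "a crypto suite implemention" (`implementation`) and should say what the provider actually decides: with `builder_with_provider(provider).with_safe_defaults()` the cipher suites, key-exchange groups and protocol versions come from the caller's `CryptoProvider` as far as I can tell from the 0.22 alpha API, so "safe defaults" means the provider's defaults rather than rustls's ring-backed set, and a line such as `/// "Safe defaults" here are those of the supplied provider, which the caller is responsible for vetting.` would make that explicit. For `with_ring_and_single_cert`, the `#[cfg(feature = "ring")]` was moved above the `///` block, which is unconventional (doc comments first), and there is no matching `#[cfg_attr(docsrs, doc(cfg(feature = "ring")))]`, so docs.rs will not show that the method needs the feature. The same provider-defaults note applies to `with_provider_and_native_roots` and `with_provider_and_webpki_roots` added to src/connector/builder.rs in PATCH 19.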
@@ -64,7 +64,7 @@ impl ConnectorBuilder {
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
 pub fn with_native_roots(self) -> std::io::Result> {
 Ok(self.with_tls_config(
- ClientConfig::builder()
+ ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_native_roots()?
 .with_no_client_auth(),
@@ -81,7 +81,7 @@ impl ConnectorBuilder {
 #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
 pub fn with_webpki_roots(self) -> ConnectorBuilder {
 self.with_tls_config(
- ClientConfig::builder()
+ ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_webpki_roots()
 .with_no_client_auth(),
@@ -295,11 +295,11 @@ mod tests {
 }
 #[test]
- #[cfg(feature = "http1")]
+ #[cfg(all(feature = "http1", feature = "ring"))]
 #[should_panic(expected = "ALPN protocols should not be pre-defined")]
 fn test_reject_predefined_alpn() {
 let roots = rustls::RootCertStore::empty();
- let mut config_with_alpn = rustls::ClientConfig::builder()
+ let mut config_with_alpn = rustls::ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
@@ -315,7 +315,7 @@ mod tests {
 #[cfg(all(feature = "http1", feature = "http2"))]
 fn test_alpn() {
 let roots = rustls::RootCertStore::empty();
- let tls_config = rustls::ClientConfig::builder()
+ let tls_config = rustls::ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
@@ -359,7 +359,7 @@ mod tests {
 #[cfg(all(not(feature = "http1"), feature = "http2"))]
 fn test_alpn_http2() {
 let roots = rustls::RootCertStore::empty();
- let tls_config = rustls::ClientConfig::builder()
+ let tls_config = rustls::ClientConfig::builder_with_ring()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
diff --git a/src/lib.rs b/src/lib.rs
index 4dc0b2e..b944c46 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,7 +6,7 @@
 //! ## Example client
 //!
 //! ```no_run
-//! # #[cfg(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1"))]
+//! # #[cfg(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "ring"))]
 //! # fn main() {
 //! use hyper::{Body, Client, StatusCode, Uri};
 //!
@@ -24,14 +24,14 @@
 //! let res = rt.block_on(client.get(url)).unwrap();
 //! assert_eq!(res.status(), StatusCode::OK);
 //! # }
-//! # #[cfg(not(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1")))]
+//! # #[cfg(not(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "ring")))]
 //! # fn main() {}
 //! ```
 //!
 //! ## Example server
 //!
 //! ```no_run
-//! # #[cfg(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "acceptor"))]
+//! # #[cfg(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "acceptor", feature = "ring"))]
 //! # fn main() {
 //! use hyper::server::conn::AddrIncoming;
 //! use hyper::service::{make_service_fn, service_fn};
@@ -72,7 +72,7 @@
 //! let server = Server::builder(acceptor).serve(service);
 //! // server.await.unwrap();
 //! # }
-//! # #[cfg(not(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1")))]
+//! # #[cfg(not(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "ring")))]
 //! # fn main() {}
 //! ```
From b78f598370afc092e74249c187b76c29772c6453 Mon Sep 17 00:00:00 2001
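Review bot: The two cfgs bracketing the server example are still asymmetric after this change: the `# fn main() {` guard in the third hunk requires `feature = "acceptor"`, but the `# fn main() {}` fallback in the last hunk is `not(all("rustls-native-certs", "tokio-runtime", "http1", "ring"))`, so a build with `acceptor` disabled and the other four features enabled compiles the `no_run` doctest with no `main` at all. The fallback should mirror the positive condition: `//! # #[cfg(not(all(feature = "rustls-native-certs", feature = "tokio-runtime", feature = "http1", feature = "acceptor", feature = "ring")))]`. The mismatch predates this patch, but both lines are rewritten here.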
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 21:55:31 +0800
Subject: [PATCH 19/24] allow builder extension to be used but futher distinguish away from ring
---
 examples/server.rs | 2 +-
 src/acceptor/builder.rs | 4 +--
 src/config.rs | 8 +++---
 src/connector/builder.rs | 56 +++++++++++++++++++++++++++++++++-------
 src/lib.rs | 2 --
 5 files changed, 54 insertions(+), 18 deletions(-)
diff --git a/examples/server.rs b/examples/server.rs
index 1fd18fd..a491ba1 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -46,7 +46,7 @@ async fn run_server() -> Result<(), Box> {
 // Create a TCP listener via tokio.
 let incoming = AddrIncoming::bind(&addr)?;
 let acceptor = TlsAcceptor::builder()
- .with_single_cert(certs, key)
+ .with_ring_and_single_cert(certs, key)
 .map_err(|e| error(format!("{}", e)))?
 .with_all_versions_alpn()
 .with_incoming(incoming);
diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs
index ee4a382..5401a6a 100644
--- a/src/acceptor/builder.rs
+++ b/src/acceptor/builder.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 use hyper::server::conn::AddrIncoming;
-use rustls::{ServerConfig, crypto::CryptoProvider};
+use rustls::{crypto::CryptoProvider, ServerConfig};
 use super::TlsAcceptor;
 /// Builder for [`TlsAcceptor`]
@@ -22,7 +22,7 @@ impl AcceptorBuilder {
 }
 #[cfg(feature = "ring")]
- /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth],
+ /// Use rustls [defaults][with_safe_defaults] without [client authentication][with_no_client_auth],
 /// with ring as the provided crypto suites
 ///
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
diff --git a/src/config.rs b/src/config.rs
index a66aab9..c063998 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -8,19 +8,19 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 pub trait ConfigBuilderExt {
 /// This configures the platform's trusted certs, as implemented by
 /// rustls-native-certs
- #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
+ #[cfg(feature = "rustls-native-certs")]
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
 fn with_native_roots(self) -> std::io::Result>;
 /// This configures the webpki roots, which are Mozilla's set of
 /// trusted roots as packaged by webpki-roots.
- #[cfg(all(feature = "webpki-roots", feature = "ring"))]
+ #[cfg(feature = "webpki-roots")]
 #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
 fn with_webpki_roots(self) -> ConfigBuilder;
 }
 impl ConfigBuilderExt for ConfigBuilder {
- #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
+ #[cfg(feature = "rustls-native-certs")]
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
 fn with_native_roots(self) -> std::io::Result> {
@@ -55,7 +55,7 @@ impl ConfigBuilderExt for ConfigBuilder {
 Ok(self.with_root_certificates(roots))
 }
- #[cfg(all(feature = "webpki-roots", feature = "ring"))]
+ #[cfg(feature = "webpki-roots")]
 #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
 fn with_webpki_roots(self) -> ConfigBuilder {
 let mut roots = rustls::RootCertStore::empty();
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index 5519f0d..741cd78 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -1,14 +1,12 @@
 use rustls::ClientConfig;
 use super::HttpsConnector;
-#[cfg(all(
- any(feature = "rustls-native-certs", feature = "webpki-roots"),
- feature = "ring"
-))]
+#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
 use crate::config::ConfigBuilderExt;
 #[cfg(feature = "tokio-runtime")]
 use hyper::client::HttpConnector;
+use rustls::crypto::CryptoProvider;
 /// A builder for an [`HttpsConnector`]
 ///
@@ -55,14 +53,14 @@ impl ConnectorBuilder {
 }
 /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
- /// and native roots
+ /// and native roots, with ring as the provided crypto suites
 ///
 /// See [`ConfigBuilderExt::with_native_roots`]
 ///
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
 #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
- pub fn with_native_roots(self) -> std::io::Result> {
+ pub fn with_ring_and_native_roots(self) -> std::io::Result> {
 Ok(self.with_tls_config(
 ClientConfig::builder_with_ring()
 .with_safe_defaults()
@@ -72,14 +70,14 @@ impl ConnectorBuilder {
 }
 /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
- /// and Mozilla roots
+ /// and Mozilla roots, with ring as the provided crypto suites
 ///
 /// See [`ConfigBuilderExt::with_webpki_roots`]
 ///
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
- #[cfg(feature = "webpki-roots")]
+ #[cfg(all(feature = "webpki-roots", feature = "ring"))]
 #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
- pub fn with_webpki_roots(self) -> ConnectorBuilder {
+ pub fn with_ring_and_webpki_roots(self) -> ConnectorBuilder {
 self.with_tls_config(
 ClientConfig::builder_with_ring()
 .with_safe_defaults()
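Review bot: The new gate `#[cfg(all(feature = "webpki-roots", feature = "ring"))]` on `with_ring_and_webpki_roots` is immediately followed by the unchanged `#[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]`, so the docs.rs badge claims the method is available with `webpki-roots` alone while it actually disappears when `ring` is off, which PATCH 20 later makes the default. The badge should match the gate: `#[cfg_attr(docsrs, doc(cfg(all(feature = "webpki-roots", feature = "ring"))))]`; the same mismatch exists for `with_ring_and_native_roots` in the first hunk on this line. Both method bodies continue outside the hunks.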
@@ -87,6 +85,46 @@ impl ConnectorBuilder {
 .with_no_client_auth(),
 )
 }
+
+ /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
+ /// and native roots, with user's provided crypto suites
+ ///
+ /// See [`ConfigBuilderExt::with_native_roots`]
+ ///
+ /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
+ #[cfg(feature = "rustls-native-certs")]
+ #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
+ pub fn with_provider_and_native_roots(
+ self,
+ provider: &'static dyn CryptoProvider,
+ ) -> std::io::Result> {
+ Ok(self.with_tls_config(
+ ClientConfig::builder_with_provider(provider)
+ .with_safe_defaults()
+ .with_native_roots()?
+ .with_no_client_auth(),
+ ))
+ }
+
+ /// Shorthand for using rustls' [safe defaults][with_safe_defaults]
+ /// and Mozilla roots, with user's provided crypto suites
+ ///
+ /// See [`ConfigBuilderExt::with_webpki_roots`]
+ ///
+ /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
+ #[cfg(feature = "webpki-roots")]
+ #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
+ pub fn with_provider_and_webpki_roots(
+ self,
+ provider: &'static dyn CryptoProvider,
+ ) -> ConnectorBuilder {
+ self.with_tls_config(
+ ClientConfig::builder_with_provider(provider)
+ .with_safe_defaults()
+ .with_webpki_roots()
+ .with_no_client_auth(),
+ )
+ }
 }
 impl Default for ConnectorBuilder {
diff --git a/src/lib.rs b/src/lib.rs
index b944c46..4cbb54f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -82,7 +82,6 @@
 #[cfg(feature = "acceptor")]
 /// TLS acceptor implementing hyper's `Accept` trait.
 pub mod acceptor;
-#[cfg(feature = "ring")]
 mod config;
 mod connector;
 mod stream;
@@ -101,7 +100,6 @@ mod log {
 #[cfg(feature = "acceptor")]
 pub use crate::acceptor::{AcceptorBuilder, TlsAcceptor};
-#[cfg(feature = "ring")]
 pub use crate::config::ConfigBuilderExt;
 pub use crate::connector::builder::ConnectorBuilder as HttpsConnectorBuilder;
 pub use crate::connector::HttpsConnector;
From b5ed5bfa90b7f1773312eb7c379acf5edf1c6e99 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Thu, 16 Nov 2023 22:32:52 +0800
Subject: [PATCH 20/24] bump version as 0.25.0-alpha.1
---
 Cargo.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 8675d56..d1d7e8f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "hyper-rustls"
-version = "0.24.2"
+version = "0.25.0-alpha.1"
 edition = "2021"
 rust-version = "1.63"
 license = "Apache-2.0 OR ISC OR MIT"
@@ -29,7 +29,7 @@ rustls-pemfile = "=2.0.0-alpha.1"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 [features]
-default = ["native-tokio", "http1", "tls12", "logging", "acceptor", "ring"]
+default = ["native-tokio", "http1", "tls12", "logging", "acceptor"]
 acceptor = ["hyper/server", "tokio-runtime"]
 http1 = ["hyper/http1"]
 http2 = ["hyper/http2"]
From ea1aff581249a02dc5ee01bac13d920bcc5ecc53 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Fri, 17 Nov 2023 11:33:54 +0800
Subject: [PATCH 21/24] revert ring renaming but keep custom provider
---
 examples/client.rs | 4 ++--
 examples/server.rs | 2 +-
 src/acceptor/builder.rs | 4 ++--
 src/connector/builder.rs | 18 +++++++++---------
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/examples/client.rs b/examples/client.rs
index 11a5ffa..773715b 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -51,13 +51,13 @@ async fn run_client() -> io::Result<()> {
 let mut roots = RootCertStore::empty();
 roots.add_parsable_certificates(certs);
 // TLS client config using the custom CA store for lookups
- rustls::ClientConfig::builder_with_ring()
+ rustls::ClientConfig::builder()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth()
 }
 // Default TLS client config with native roots
- None => rustls::ClientConfig::builder_with_ring()
+ None => rustls::ClientConfig::builder()
 .with_safe_defaults()
 .with_native_roots()?
 .with_no_client_auth(),
diff --git a/examples/server.rs b/examples/server.rs
index a491ba1..1fd18fd 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -46,7 +46,7 @@ async fn run_server() -> Result<(), Box> {
 // Create a TCP listener via tokio.
 let incoming = AddrIncoming::bind(&addr)?;
 let acceptor = TlsAcceptor::builder()
- .with_ring_and_single_cert(certs, key)
+ .with_single_cert(certs, key)
 .map_err(|e| error(format!("{}", e)))?
 .with_all_versions_alpn()
 .with_incoming(incoming);
diff --git a/src/acceptor/builder.rs b/src/acceptor/builder.rs
index 5401a6a..8179c5d 100644
--- a/src/acceptor/builder.rs
+++ b/src/acceptor/builder.rs
@@ -27,13 +27,13 @@ impl AcceptorBuilder {
 ///
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
 /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth
- pub fn with_ring_and_single_cert(
+ pub fn with_single_cert(
 self,
 cert_chain: Vec>,
 key_der: pki_types::PrivateKeyDer<'static>,
 ) -> Result, rustls::Error> {
 Ok(AcceptorBuilder(WantsAlpn(
- ServerConfig::builder_with_ring()
+ ServerConfig::builder()
 .with_safe_defaults()
 .with_no_client_auth()
 .with_single_cert(cert_chain, key_der)?,
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index 741cd78..f8f3f22 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -60,9 +60,9 @@ impl ConnectorBuilder {
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
 #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
- pub fn with_ring_and_native_roots(self) -> std::io::Result> {
+ pub fn with_native_roots(self) -> std::io::Result> {
 Ok(self.with_tls_config(
- ClientConfig::builder_with_ring()
+ ClientConfig::builder()
 .with_safe_defaults()
 .with_native_roots()?
 .with_no_client_auth(),
@@ -77,9 +77,9 @@ impl ConnectorBuilder {
 /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
 #[cfg(all(feature = "webpki-roots", feature = "ring"))]
 #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
- pub fn with_ring_and_webpki_roots(self) -> ConnectorBuilder {
+ pub fn with_webpki_roots(self) -> ConnectorBuilder {
 self.with_tls_config(
- ClientConfig::builder_with_ring()
+ ClientConfig::builder()
 .with_safe_defaults()
 .with_webpki_roots()
 .with_no_client_auth(),
@@ -337,7 +337,7 @@ mod tests {
 #[should_panic(expected = "ALPN protocols should not be pre-defined")]
 fn test_reject_predefined_alpn() {
 let roots = rustls::RootCertStore::empty();
- let mut config_with_alpn = rustls::ClientConfig::builder_with_ring()
+ let mut config_with_alpn = rustls::ClientConfig::builder()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
@@ -350,10 +350,10 @@ mod tests {
 }
 #[test]
- #[cfg(all(feature = "http1", feature = "http2"))]
+ #[cfg(all(feature = "http1", feature = "http2", feature = "ring"))]
 fn test_alpn() {
 let roots = rustls::RootCertStore::empty();
- let tls_config = rustls::ClientConfig::builder_with_ring()
+ let tls_config = rustls::ClientConfig::builder()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
@@ -394,10 +394,10 @@ mod tests {
 }
 #[test]
- #[cfg(all(not(feature = "http1"), feature = "http2"))]
+ #[cfg(all(not(feature = "http1"), feature = "http2", feature = "ring"))]
 fn test_alpn_http2() {
 let roots = rustls::RootCertStore::empty();
- let tls_config = rustls::ClientConfig::builder_with_ring()
+ let tls_config = rustls::ClientConfig::builder()
 .with_safe_defaults()
 .with_root_certificates(roots)
 .with_no_client_auth();
From 37eaf1853e4bb68c608a2a050e8dcb9ed77eef10 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Fri, 17 Nov 2023 11:36:29 +0800
Subject: [PATCH 22/24] track upstream tokio-rustls
---
 Cargo.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index d1d7e8f..ee5d200 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -17,7 +17,7 @@ log = { version = "0.4.4", optional = true }
 rustls-native-certs = { version = "=0.7.0-alpha.1", optional = true }
 rustls = { version = "=0.22.0-alpha.4", default-features = false }
 tokio = "1.0"
-tokio-rustls = { version = "=0.25.0-alpha.1", default-features = false }
+tokio-rustls = { version = "=0.25.0-alpha.2", default-features = false }
 webpki-roots = { version = "=0.26.0-alpha.1", optional = true }
 futures-util = { version = "0.3", default-features = false }
 pki-types = { package = "rustls-pki-types", version = "0.2.1" }
@@ -56,5 +56,5 @@ rustdoc-args = ["--cfg", "docsrs"]
 [patch.crates-io]
 rustls-native-certs = { git = 'https://github.com/rustls/rustls-native-certs' }
-tokio-rustls = { git = 'https://github.com/stevefan1999-personal/tokio-rustls', branch = "patch-1" }
+tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' }
 rustls-pemfile = { git = 'https://github.com/rustls/pemfile' }
From 847817aa8c36061b60cdd00d0003984ec6200733 Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Fri, 17 Nov 2023 11:44:33 +0800
Subject: [PATCH 23/24] add back the missing comment
---
 src/config.rs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/config.rs b/src/config.rs
index c063998..c737698 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -8,6 +8,9 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 pub trait ConfigBuilderExt {
 /// This configures the platform's trusted certs, as implemented by
 /// rustls-native-certs
+ ///
+ /// This will return an error if no valid certs were found. In that case,
+ /// it's recommended to use `with_webpki_roots`.
 #[cfg(feature = "rustls-native-certs")]
 #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
 fn with_native_roots(self) -> std::io::Result>;
From f0bb1651fc010d9e993687006d92b10dcdd99c2d Mon Sep 17 00:00:00 2001
From: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>
Date: Fri, 17 Nov 2023 11:48:18 +0800
Subject: [PATCH 24/24] guard more import items with cfg features
---
 src/config.rs | 4 +++-
 src/connector/builder.rs | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/config.rs b/src/config.rs
index c737698..b7a598f 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,6 +1,8 @@
-use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
+#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
+use rustls::client::WantsClientCert;
+
 /// Methods for configuring roots
 ///
 /// This adds methods (gated by crate features) for easily configuring
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index f8f3f22..66d122c 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -6,6 +6,8 @@ use crate::config::ConfigBuilderExt;
 #[cfg(feature = "tokio-runtime")]
 use hyper::client::HttpConnector;
+
+#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
 use rustls::crypto::CryptoProvider;
 /// A builder for an [`HttpsConnector`]