author | Bartek Iwańczuk <biwanczuk@gmail.com> | 2024-06-13 21:41:26 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-13 22:41:26 +0200 |
commit | fb31eaa9ca59f6daaee0210d5cd206185c7041b9 (patch) | |
tree | 0c4ebc81ed7b44b683f31281accc47d451d09718 /ext/tls/tls_key.rs | |
parent | 518e4d3b3a93838e0f2dbcc4d3b79f8f395db563 (diff) |
chore: upgrade to reqwest 0.12.4 and rustls 0.22 (#24056)
This commit updates Deno to use `reqwest` at 0.12.4
and `rustls` at 0.22. Other related crates were updated
as well to match versions accepted by `reqwest` and `rustls`.
Note: we are not using the latest available `rustls` yet,
but this upgrade was non-trivial already, so a bump to
0.23 for `rustls` will be done in a separate commit.
Closes #23370
---------
Signed-off-by: Ryan Dahl <ry@tinyclouds.org>
Signed-off-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Co-authored-by: Ryan Dahl <ry@tinyclouds.org>
Co-authored-by: Divy Srivastava <dj.srivastava23@gmail.com>
Diffstat (limited to 'ext/tls/tls_key.rs')
-rw-r--r-- | ext/tls/tls_key.rs | 46 |
1 files changed, 28 insertions, 18 deletions
diff --git a/ext/tls/tls_key.rs b/ext/tls/tls_key.rs
index 18064a91a..1e60e7cf0 100644
--- a/ext/tls/tls_key.rs
+++ b/ext/tls/tls_key.rs
@@ -11,8 +11,6 @@
 //! key lookup can handle closing one end of the pair, in which case they will just
 //! attempt to clean up the associated resources.
-use crate::Certificate;
-use crate::PrivateKey;
 use deno_core::anyhow::anyhow;
 use deno_core::error::AnyError;
 use deno_core::futures::future::poll_fn;
@@ -32,12 +30,21 @@ use std::sync::Arc;
 use tokio::sync::broadcast;
 use tokio::sync::mpsc;
 use tokio::sync::oneshot;
+use webpki::types::CertificateDer;
+use webpki::types::PrivateKeyDer;
 type ErrorType = Rc<AnyError>;
 /// A TLS certificate/private key pair.
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey);
+/// see https://docs.rs/rustls-pki-types/latest/rustls_pki_types/#cloning-private-keys
+#[derive(Debug, PartialEq, Eq)]
+pub struct TlsKey(pub Vec<CertificateDer<'static>>, pub PrivateKeyDer<'static>);
+
+impl Clone for TlsKey {
+ fn clone(&self) -> Self {
+ Self(self.0.clone(), self.1.clone_key())
+ }
+}
 #[derive(Clone, Debug, Default)]
 pub enum TlsKeys {
@@ -109,9 +116,8 @@ impl TlsKeyResolver {
 let key = self.resolve(sni).await?;
 let mut tls_config = ServerConfig::builder()
- .with_safe_defaults()
 .with_no_client_auth()
- .with_single_cert(key.0, key.1)?;
+ .with_single_cert(key.0, key.1.clone_key())?;
 tls_config.alpn_protocols = alpn;
 Ok(tls_config.into())
 } 
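Review bot: The hand-written `impl Clone for TlsKey` in the second hunk (`-32,12 +30,21`) puts the copying of private key bytes back behind an ordinary `.clone()`, while `PrivateKeyDer` deliberately offers only the explicit `clone_key()`; the added doc line is a bare link and does not say this. I would put the reason on the impl itself, for example `/// Cloning a TlsKey copies the private key bytes through clone_key(); PrivateKeyDer has no Clone impl on purpose, so clone only where a second copy is needed.` Whether the callers that clone a `TlsKey` could share one instance instead is not visible from this hunk.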
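Review bot: In the third hunk (`-109,9 +116,8`), `key.1.clone_key()` creates a second copy of the private key while the first one stays in `key` until the function returns. `key.0` is already moved out of `key` in the same call, which suggests `key` is owned and `key.1` can be moved too: `.with_single_cert(key.0, key.1)?;`. That keeps one copy of the key material in memory on this path instead of two. The function signature and the return type of `resolve` are outside the hunk, so this holds only if `resolve` yields an owned `TlsKey` and the type has no `Drop` impl.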
@@ -251,14 +257,18 @@ impl TlsKeyLookup {
 pub mod tests {
 use super::*;
 use deno_core::unsync::spawn;
- use rustls::Certificate;
- use rustls::PrivateKey;
 fn tls_key_for_test(sni: &str) -> TlsKey {
- TlsKey(
- vec![Certificate(format!("{sni}-cert").into_bytes())],
- PrivateKey(format!("{sni}-key").into_bytes()),
- )
+ let manifest_dir =
+ std::path::PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap());
+ let sni = sni.replace(".com", "");
+ let cert_file = manifest_dir.join(format!("testdata/{}_cert.der", sni));
+ let prikey_file = manifest_dir.join(format!("testdata/{}_prikey.der", sni));
+ let cert = std::fs::read(cert_file).unwrap();
+ let prikey = std::fs::read(prikey_file).unwrap();
+ let cert = CertificateDer::from(cert);
+ let prikey = PrivateKeyDer::try_from(prikey).unwrap();
+ TlsKey(vec![cert], prikey)
 }
 #[tokio::test]
@@ -270,8 +280,8 @@ pub mod tests {
 }
 });
- let key = resolver.resolve("example.com".to_owned()).await.unwrap();
- assert_eq!(tls_key_for_test("example.com"), key);
+ let key = resolver.resolve("example1.com".to_owned()).await.unwrap();
+ assert_eq!(tls_key_for_test("example1.com"), key);
 drop(resolver);
 task.await.unwrap();
@@ -286,13 +296,13 @@ pub mod tests {
 }
 });
- let f1 = resolver.resolve("example.com".to_owned());
- let f2 = resolver.resolve("example.com".to_owned());
+ let f1 = resolver.resolve("example1.com".to_owned());
+ let f2 = resolver.resolve("example1.com".to_owned());
 let key = f1.await.unwrap();
- assert_eq!(tls_key_for_test("example.com"), key);
+ assert_eq!(tls_key_for_test("example1.com"), key);
 let key = f2.await.unwrap();
- assert_eq!(tls_key_for_test("example.com"), key);
+ assert_eq!(tls_key_for_test("example1.com"), key);
 drop(resolver);
 task.await.unwrap(); |
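Review bot: In `tls_key_for_test` (hunk `-251,14 +257,18`), `sni.replace(".com", "")` removes every occurrence of `.com` rather than only the suffix, and the `unwrap()` calls on the environment lookup and the two file reads panic without naming the path that failed. I would write `let sni = sni.strip_suffix(".com").unwrap_or(sni);` and give the reads a message, e.g. `std::fs::read(&prikey_file).unwrap_or_else(|e| panic!("{}: {e}", prikey_file.display()))`. The `testdata/*_prikey.der` fixtures are not shown on this page; they should be keys generated only for these tests, with a short note beside them saying so.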