author | Matt Mastracci <matthew@mastracci.com> | 2024-04-08 15:01:02 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-08 15:01:02 -0600 |
commit | cb12a9350332860971387e3a1fb40dc77fa992d3 (patch) | |
tree | 287def7ddad815423f8bc4196a76f9546940435d /ext/tls | |
parent | 3826598974efd44c9d3da7694c0a325b011bc20a (diff) |
refactor(ext/tls): use cppgc to deduplicate the tls key loading code (#23289)
Pass the certificates and key files as CPPGC objects.
Towards #23233
Diffstat (limited to 'ext/tls')
-rw-r--r-- | ext/tls/lib.rs | 37 |
1 files changed, 21 insertions, 16 deletions
diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs
index be8cabadc..63fc04628 100644
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -174,19 +174,9 @@ pub fn create_client_config(
 root_cert_store: Option<RootCertStore>,
 ca_certs: Vec<Vec<u8>>,
 unsafely_ignore_certificate_errors: Option<Vec<String>>,
- client_cert_chain_and_key: Option<(String, String)>,
+ maybe_cert_chain_and_key: Option<TlsKey>,
 socket_use: SocketUse,
 ) -> Result<ClientConfig, AnyError> {
- let maybe_cert_chain_and_key =
- if let Some((cert_chain, private_key)) = client_cert_chain_and_key {
- // The `remove` is safe because load_private_keys checks that there is at least one key.
- let private_key = load_private_keys(private_key.as_bytes())?.remove(0);
- let cert_chain = load_certs(&mut cert_chain.as_bytes())?;
- Some((cert_chain, private_key))
- } else {
- None
- };
-
 if let Some(ic_allowlist) = unsafely_ignore_certificate_errors {
 let client_config = ClientConfig::builder()
 .with_safe_defaults()
@@ -199,7 +189,7 @@ pub fn create_client_config(
 // are not type-compatible - one wants "client cert", the other wants "transparency policy
 // or client cert".
 let mut client =
- if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key {
+ if let Some(TlsKey(cert_chain, private_key)) = maybe_cert_chain_and_key {
 client_config
 .with_client_auth_cert(cert_chain, private_key)
 .expect("invalid client key or certificate")
@@ -236,7 +226,7 @@ pub fn create_client_config(
 });
 let mut client =
- if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key {
+ if let Some(TlsKey(cert_chain, private_key)) = maybe_cert_chain_and_key {
 client_config
 .with_client_auth_cert(cert_chain, private_key)
 .expect("invalid client key or certificate")
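Review bot: `.with_client_auth_cert(cert_chain, private_key).expect("invalid client key or certificate")` in the second and third hunks still turns a rejected user-supplied key/certificate pair into a process panic, and with this change the pair arrives pre-loaded as a `TlsKey` while the inline `load_private_keys` step that used to run just above has been removed from this function, so this is now the only place in `create_client_config` that inspects the key at all. The `.expect` itself shows that `with_client_auth_cert` returns a `Result`, and the function already returns `Result<ClientConfig, AnyError>`, so the error should propagate instead: replace each `.expect(...)` with `.map_err(|e| custom_error("InvalidData", format!("invalid client key or certificate: {e}")))?`, reusing the `custom_error` helper that `load_certs` already uses. Whether the cppgc loader validates the pair before it reaches this function is not visible in this diff, so that is worth confirming at the call sites rather than assumed. `create_client_config` begins before the first hunk and its body continues past the third.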
@@ -270,8 +260,7 @@ pub fn load_certs(
 .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?;
 if certs.is_empty() {
- let e = custom_error("InvalidData", "No certificates found in cert file");
- return Err(e);
+ return Err(cert_not_found_err());
 }
 Ok(certs.into_iter().map(Certificate).collect())
@@ -282,7 +271,11 @@ fn key_decode_err() -> AnyError {
 }
 fn key_not_found_err() -> AnyError {
- custom_error("InvalidData", "No keys found in key file")
+ custom_error("InvalidData", "No keys found in key data")
+}
+
+fn cert_not_found_err() -> AnyError {
+ custom_error("InvalidData", "No certificates found in certificate data")
 }
 /// Starts with -----BEGIN RSA PRIVATE KEY-----
@@ -331,3 +324,15 @@ pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
 Ok(keys)
 }
+
+/// A loaded key.
+// FUTURE(mmastrac): add resolver enum value to support dynamic SNI
+pub enum TlsKeys {
+ // TODO(mmastrac): We need Option<&T> for cppgc -- this is a workaround
+ Null,
+ Static(TlsKey),
+}
+
+/// A TLS certificate/private key pair.
+#[derive(Clone, Debug)]
+pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey); |
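Review bot: `#[derive(Clone, Debug)]` on `pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey)` in the last hunk routes `{:?}` through `PrivateKey`'s `Debug`, and if, as I recall, rustls' `PrivateKey` is a plain newtype over the DER bytes with a derived `Debug`, then any error message, panic payload or log line that formats a `TlsKey` (or the `TlsKeys::Static` variant wrapping it) prints the private key itself. A manual `Debug` impl that redacts the key field removes that foot-gun while keeping `Clone` and the public tuple fields unchanged. The `/// A loaded key.` doc on `TlsKeys` would also read better as `/// A loaded client/server key, or `Null` when no key is configured (cppgc cannot hand us `Option<&T>`).`, since the `TODO` comment only explains the workaround, not what `Null` means to a caller.
```rust
/// A TLS certificate/private key pair.
#[derive(Clone)]
pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey);

// Manual Debug so the private key bytes never reach logs or panic messages.
impl std::fmt::Debug for TlsKey {
  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
    f.debug_tuple("TlsKey")
      .field(&self.0)
      .field(&"<redacted>")
      .finish()
  }
}
```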