chore: upgrade to reqwest 0.12.4 and rustls 0.22 (#24056)

This commit updates Deno to use `reqwest` at 0.12.4
and `rustls` at 0.22. Other related crates were updated
as well to match versions accepted by `reqwest` and `rustls`.

Note: we are not using the latest available `rustls` yet,
but this upgrade was non-trivial already, so a bump to
0.23 for `rustls` will be done in a separate commit.

Closes #23370

---------

Signed-off-by: Ryan Dahl <ry@tinyclouds.org>
Signed-off-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Co-authored-by: Ryan Dahl <ry@tinyclouds.org>
Co-authored-by: Divy Srivastava <dj.srivastava23@gmail.com>

8 files changed, 141 insertions, 114 deletions

diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml
index b1ff5a2da..800126633 100644
--- a/ext/tls/Cargo.toml
+++ b/ext/tls/Cargo.toml
@@ -15,8 +15,8 @@ path = "lib.rs"
 
 [dependencies]
 deno_core.workspace = true
-deno_native_certs = "0.2.0"
-rustls = { workspace = true, features = ["dangerous_configuration"] }
+deno_native_certs = "0.3.0"
+rustls.workspace = true
 rustls-pemfile.workspace = true
 rustls-tokio-stream.workspace = true
 rustls-webpki.workspace = true
diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs
index 5122264bf..c4d548ccf 100644
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -1,7 +1,9 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
-
 pub use deno_native_certs;
 pub use rustls;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::PrivateKeyDer;
+use rustls::pki_types::ServerName;
 pub use rustls_pemfile;
 pub use rustls_tokio_stream::*;
 pub use webpki;
@@ -11,14 +13,14 @@ use deno_core::anyhow::anyhow;
 use deno_core::error::custom_error;
 use deno_core::error::AnyError;
 
-use rustls::client::HandshakeSignatureValid;
-use rustls::client::ServerCertVerified;
-use rustls::client::ServerCertVerifier;
-use rustls::client::WebPkiVerifier;
+use rustls::client::danger::HandshakeSignatureValid;
+use rustls::client::danger::ServerCertVerified;
+use rustls::client::danger::ServerCertVerifier;
+use rustls::client::WebPkiServerVerifier;
 use rustls::ClientConfig;
 use rustls::DigitallySignedStruct;
 use rustls::Error;
-use rustls::ServerName;
+use rustls::RootCertStore;
 use rustls_pemfile::certs;
 use rustls_pemfile::ec_private_keys;
 use rustls_pemfile::pkcs8_private_keys;
@@ -27,16 +29,12 @@ use serde::Deserialize;
 use std::io::BufRead;
 use std::io::BufReader;
 use std::io::Cursor;
+use std::net::IpAddr;
 use std::sync::Arc;
-use std::time::SystemTime;
 
 mod tls_key;
 pub use tls_key::*;
 
-pub type Certificate = rustls::Certificate;
-pub type PrivateKey = rustls::PrivateKey;
-pub type RootCertStore = rustls::RootCertStore;
-
 /// Lazily resolves the root cert store.
 ///
 /// This was done because the root cert store is not needed in all cases
@@ -48,56 +46,59 @@ pub trait RootCertStoreProvider: Send + Sync {
 // This extension has no runtime apis, it only exports some shared native functions.
 deno_core::extension!(deno_tls);
 
-struct DefaultSignatureVerification;
+#[derive(Debug)]
+pub struct NoCertificateVerification {
+  pub ic_allowlist: Vec<String>,
+  default_verifier: Arc<WebPkiServerVerifier>,
+}
 
-impl ServerCertVerifier for DefaultSignatureVerification {
-  fn verify_server_cert(
-    &self,
-    _end_entity: &Certificate,
-    _intermediates: &[Certificate],
-    _server_name: &ServerName,
-    _scts: &mut dyn Iterator<Item = &[u8]>,
-    _ocsp_response: &[u8],
-    _now: SystemTime,
-  ) -> Result<ServerCertVerified, Error> {
-    Err(Error::General("Should not be used".to_string()))
+impl NoCertificateVerification {
+  pub fn new(ic_allowlist: Vec<String>) -> Self {
+    Self {
+      ic_allowlist,
+      default_verifier: WebPkiServerVerifier::builder(
+        create_default_root_cert_store().into(),
+      )
+      .build()
+      .unwrap(),
+    }
   }
 }
 
-pub struct NoCertificateVerification(pub Vec<String>);
-
 impl ServerCertVerifier for NoCertificateVerification {
+  fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
+    self.default_verifier.supported_verify_schemes()
+  }
+
   fn verify_server_cert(
     &self,
-    end_entity: &Certificate,
-    intermediates: &[Certificate],
-    server_name: &ServerName,
-    scts: &mut dyn Iterator<Item = &[u8]>,
+    end_entity: &rustls::pki_types::CertificateDer<'_>,
+    intermediates: &[rustls::pki_types::CertificateDer<'_>],
+    server_name: &rustls::pki_types::ServerName<'_>,
     ocsp_response: &[u8],
-    now: SystemTime,
+    now: rustls::pki_types::UnixTime,
   ) -> Result<ServerCertVerified, Error> {
-    if self.0.is_empty() {
+    if self.ic_allowlist.is_empty() {
       return Ok(ServerCertVerified::assertion());
     }
     let dns_name_or_ip_address = match server_name {
       ServerName::DnsName(dns_name) => dns_name.as_ref().to_owned(),
-      ServerName::IpAddress(ip_address) => ip_address.to_string(),
+      ServerName::IpAddress(ip_address) => {
+        Into::<IpAddr>::into(*ip_address).to_string()
+      }
       _ => {
         // NOTE(bartlomieju): `ServerName` is a non-exhaustive enum
         // so we have this catch all errors here.
         return Err(Error::General("Unknown `ServerName` variant".to_string()));
       }
     };
-    if self.0.contains(&dns_name_or_ip_address) {
+    if self.ic_allowlist.contains(&dns_name_or_ip_address) {
       Ok(ServerCertVerified::assertion())
     } else {
-      let root_store = create_default_root_cert_store();
-      let verifier = WebPkiVerifier::new(root_store, None);
-      verifier.verify_server_cert(
+      self.default_verifier.verify_server_cert(
         end_entity,
         intermediates,
         server_name,
-        scts,
         ocsp_response,
         now,
       )
@@ -107,28 +108,32 @@ impl ServerCertVerifier for NoCertificateVerification {
   fn verify_tls12_signature(
     &self,
     message: &[u8],
-    cert: &rustls::Certificate,
+    cert: &rustls::pki_types::CertificateDer,
     dss: &DigitallySignedStruct,
   ) -> Result<HandshakeSignatureValid, Error> {
-    if self.0.is_empty() {
+    if self.ic_allowlist.is_empty() {
       return Ok(HandshakeSignatureValid::assertion());
     }
     filter_invalid_encoding_err(
-      DefaultSignatureVerification.verify_tls12_signature(message, cert, dss),
+      self
+        .default_verifier
+        .verify_tls12_signature(message, cert, dss),
     )
   }
 
   fn verify_tls13_signature(
     &self,
     message: &[u8],
-    cert: &rustls::Certificate,
+    cert: &rustls::pki_types::CertificateDer,
     dss: &DigitallySignedStruct,
   ) -> Result<HandshakeSignatureValid, Error> {
-    if self.0.is_empty() {
+    if self.ic_allowlist.is_empty() {
       return Ok(HandshakeSignatureValid::assertion());
     }
     filter_invalid_encoding_err(
-      DefaultSignatureVerification.verify_tls13_signature(message, cert, dss),
+      self
+        .default_verifier
+        .verify_tls13_signature(message, cert, dss),
     )
   }
 }
@@ -149,17 +154,10 @@ pub struct BasicAuth {
 }
 
 pub fn create_default_root_cert_store() -> RootCertStore {
-  let mut root_cert_store = RootCertStore::empty();
-  // TODO(@justinmchase): Consider also loading the system keychain here
-  root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
-    |ta| {
-      rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-        ta.subject,
-        ta.spki,
-        ta.name_constraints,
-      )
-    },
-  ));
+  let root_cert_store = rustls::RootCertStore {
+    roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(),
+  };
+  debug_assert!(!root_cert_store.is_empty());
   root_cert_store
 }
 
@@ -183,10 +181,10 @@ pub fn create_client_config(
 ) -> Result<ClientConfig, AnyError> {
   if let Some(ic_allowlist) = unsafely_ignore_certificate_errors {
     let client_config = ClientConfig::builder()
-      .with_safe_defaults()
-      .with_custom_certificate_verifier(Arc::new(NoCertificateVerification(
-        ic_allowlist,
-      )));
+      .dangerous()
+      .with_custom_certificate_verifier(Arc::new(
+        NoCertificateVerification::new(ic_allowlist),
+      ));
 
     // NOTE(bartlomieju): this if/else is duplicated at the end of the body of this function.
     // However it's not really feasible to deduplicate it as the `client_config` instances
@@ -194,7 +192,7 @@ pub fn create_client_config(
     // or client cert".
     let mut client = match maybe_cert_chain_and_key {
       TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
-        .with_client_auth_cert(cert_chain, private_key)
+        .with_client_auth_cert(cert_chain, private_key.clone_key())
         .expect("invalid client key or certificate"),
       TlsKeys::Null => client_config.with_no_client_auth(),
       TlsKeys::Resolver(_) => unimplemented!(),
@@ -204,33 +202,33 @@ pub fn create_client_config(
     return Ok(client);
   }
 
-  let client_config = ClientConfig::builder()
-    .with_safe_defaults()
-    .with_root_certificates({
-      let mut root_cert_store =
-        root_cert_store.unwrap_or_else(create_default_root_cert_store);
-      // If custom certs are specified, add them to the store
-      for cert in ca_certs {
-        let reader = &mut BufReader::new(Cursor::new(cert));
-        // This function does not return specific errors, if it fails give a generic message.
-        match rustls_pemfile::certs(reader) {
-          Ok(certs) => {
-            root_cert_store.add_parsable_certificates(&certs);
-          }
-          Err(e) => {
-            return Err(anyhow!(
-              "Unable to add pem file to certificate store: {}",
-              e
-            ));
-          }
+  let mut root_cert_store =
+    root_cert_store.unwrap_or_else(create_default_root_cert_store);
+  // If custom certs are specified, add them to the store
+  for cert in ca_certs {
+    let reader = &mut BufReader::new(Cursor::new(cert));
+    // This function does not return specific errors, if it fails give a generic message.
+    for r in rustls_pemfile::certs(reader) {
+      match r {
+        Ok(cert) => {
+          root_cert_store.add(cert)?;
+        }
+        Err(e) => {
+          return Err(anyhow!(
+            "Unable to add pem file to certificate store: {}",
+            e
+          ));
         }
       }
-      root_cert_store
-    });
+    }
+  }
+
+  let client_config =
+    ClientConfig::builder().with_root_certificates(root_cert_store);
 
   let mut client = match maybe_cert_chain_and_key {
     TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config
-      .with_client_auth_cert(cert_chain, private_key)
+      .with_client_auth_cert(cert_chain, private_key.clone_key())
       .expect("invalid client key or certificate"),
     TlsKeys::Null => client_config.with_no_client_auth(),
     TlsKeys::Resolver(_) => unimplemented!(),
@@ -257,15 +255,17 @@ fn add_alpn(client: &mut ClientConfig, socket_use: SocketUse) {
 
 pub fn load_certs(
   reader: &mut dyn BufRead,
-) -> Result<Vec<Certificate>, AnyError> {
-  let certs = certs(reader)
+) -> Result<Vec<CertificateDer<'static>>, AnyError> {
+  let certs: Result<Vec<_>, _> = certs(reader).collect();
+
+  let certs = certs
     .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?;
 
   if certs.is_empty() {
     return Err(cert_not_found_err());
   }
 
-  Ok(certs.into_iter().map(rustls::Certificate).collect())
+  Ok(certs)
 }
 
 fn key_decode_err() -> AnyError {
@@ -281,21 +281,32 @@ fn cert_not_found_err() -> AnyError {
 }
 
 /// Starts with -----BEGIN RSA PRIVATE KEY-----
-fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
-  let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
+fn load_rsa_keys(
+  mut bytes: &[u8],
+) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> {
+  let keys: Result<Vec<_>, _> = rsa_private_keys(&mut bytes).collect();
+  let keys = keys.map_err(|_| key_decode_err())?;
+  Ok(keys.into_iter().map(PrivateKeyDer::Pkcs1).collect())
 }
 
 /// Starts with -----BEGIN EC PRIVATE KEY-----
-fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
-  let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
+fn load_ec_keys(
+  mut bytes: &[u8],
+) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> {
+  let keys: Result<Vec<_>, std::io::Error> =
+    ec_private_keys(&mut bytes).collect();
+  let keys2 = keys.map_err(|_| key_decode_err())?;
+  Ok(keys2.into_iter().map(PrivateKeyDer::Sec1).collect())
 }
 
 /// Starts with -----BEGIN PRIVATE KEY-----
-fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
-  let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
+fn load_pkcs8_keys(
+  mut bytes: &[u8],
+) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> {
+  let keys: Result<Vec<_>, std::io::Error> =
+    pkcs8_private_keys(&mut bytes).collect();
+  let keys2 = keys.map_err(|_| key_decode_err())?;
+  Ok(keys2.into_iter().map(PrivateKeyDer::Pkcs8).collect())
 }
 
 fn filter_invalid_encoding_err(
@@ -309,7 +320,9 @@ fn filter_invalid_encoding_err(
   }
 }
 
-pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
+pub fn load_private_keys(
+  bytes: &[u8],
+) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> {
   let mut keys = load_rsa_keys(bytes)?;
 
   if keys.is_empty() {
diff --git a/ext/tls/testdata/README b/ext/tls/testdata/README
new file mode 100644
index 000000000..12046561c
--- /dev/null
+++ b/ext/tls/testdata/README
@@ -0,0 +1,4 @@
+
+openssl req -x509 -newkey rsa:2048 -nodes -keyout example2_prikey.pem -out example2_cert.der -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example2.com" -outform der
+
+openssl pkey -in example2_prikey.pem -out example2_prikey.der -outform der
diff --git a/ext/tls/testdata/example1_cert.der b/ext/tls/testdata/example1_cert.der
new file mode 100644
index 000000000..fb1b2e64b
--- /dev/null
+++ b/ext/tls/testdata/example1_cert.der
diff --git a/ext/tls/testdata/example1_prikey.der b/ext/tls/testdata/example1_prikey.der
new file mode 100644
index 000000000..1cf7ef1d2
--- /dev/null
+++ b/ext/tls/testdata/example1_prikey.der
diff --git a/ext/tls/testdata/example2_cert.der b/ext/tls/testdata/example2_cert.der
new file mode 100644
index 000000000..4428f3f6b
--- /dev/null
+++ b/ext/tls/testdata/example2_cert.der
diff --git a/ext/tls/testdata/example2_prikey.der b/ext/tls/testdata/example2_prikey.der
new file mode 100644
index 000000000..8bdef8df3
--- /dev/null
+++ b/ext/tls/testdata/example2_prikey.der
diff --git a/ext/tls/tls_key.rs b/ext/tls/tls_key.rs
index 18064a91a..1e60e7cf0 100644
--- a/ext/tls/tls_key.rs
+++ b/ext/tls/tls_key.rs
@@ -11,8 +11,6 @@
 //! key lookup can handle closing one end of the pair, in which case they will just
 //! attempt to clean up the associated resources.
 
-use crate::Certificate;
-use crate::PrivateKey;
 use deno_core::anyhow::anyhow;
 use deno_core::error::AnyError;
 use deno_core::futures::future::poll_fn;
@@ -32,12 +30,21 @@ use std::sync::Arc;
 use tokio::sync::broadcast;
 use tokio::sync::mpsc;
 use tokio::sync::oneshot;
+use webpki::types::CertificateDer;
+use webpki::types::PrivateKeyDer;
 
 type ErrorType = Rc<AnyError>;
 
 /// A TLS certificate/private key pair.
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey);
+/// see https://docs.rs/rustls-pki-types/latest/rustls_pki_types/#cloning-private-keys
+#[derive(Debug, PartialEq, Eq)]
+pub struct TlsKey(pub Vec<CertificateDer<'static>>, pub PrivateKeyDer<'static>);
+
+impl Clone for TlsKey {
+  fn clone(&self) -> Self {
+    Self(self.0.clone(), self.1.clone_key())
+  }
+}
 
 #[derive(Clone, Debug, Default)]
 pub enum TlsKeys {
@@ -109,9 +116,8 @@ impl TlsKeyResolver {
     let key = self.resolve(sni).await?;
 
     let mut tls_config = ServerConfig::builder()
-      .with_safe_defaults()
       .with_no_client_auth()
-      .with_single_cert(key.0, key.1)?;
+      .with_single_cert(key.0, key.1.clone_key())?;
     tls_config.alpn_protocols = alpn;
     Ok(tls_config.into())
   }
@@ -251,14 +257,18 @@ impl TlsKeyLookup {
 pub mod tests {
   use super::*;
   use deno_core::unsync::spawn;
-  use rustls::Certificate;
-  use rustls::PrivateKey;
 
   fn tls_key_for_test(sni: &str) -> TlsKey {
-    TlsKey(
-      vec![Certificate(format!("{sni}-cert").into_bytes())],
-      PrivateKey(format!("{sni}-key").into_bytes()),
-    )
+    let manifest_dir =
+      std::path::PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap());
+    let sni = sni.replace(".com", "");
+    let cert_file = manifest_dir.join(format!("testdata/{}_cert.der", sni));
+    let prikey_file = manifest_dir.join(format!("testdata/{}_prikey.der", sni));
+    let cert = std::fs::read(cert_file).unwrap();
+    let prikey = std::fs::read(prikey_file).unwrap();
+    let cert = CertificateDer::from(cert);
+    let prikey = PrivateKeyDer::try_from(prikey).unwrap();
+    TlsKey(vec![cert], prikey)
   }
 
   #[tokio::test]
@@ -270,8 +280,8 @@ pub mod tests {
       }
     });
 
-    let key = resolver.resolve("example.com".to_owned()).await.unwrap();
-    assert_eq!(tls_key_for_test("example.com"), key);
+    let key = resolver.resolve("example1.com".to_owned()).await.unwrap();
+    assert_eq!(tls_key_for_test("example1.com"), key);
     drop(resolver);
 
     task.await.unwrap();
@@ -286,13 +296,13 @@ pub mod tests {
       }
     });
 
-    let f1 = resolver.resolve("example.com".to_owned());
-    let f2 = resolver.resolve("example.com".to_owned());
+    let f1 = resolver.resolve("example1.com".to_owned());
+    let f2 = resolver.resolve("example1.com".to_owned());
 
     let key = f1.await.unwrap();
-    assert_eq!(tls_key_for_test("example.com"), key);
+    assert_eq!(tls_key_for_test("example1.com"), key);
     let key = f2.await.unwrap();
-    assert_eq!(tls_key_for_test("example.com"), key);
+    assert_eq!(tls_key_for_test("example1.com"), key);
     drop(resolver);
 
     task.await.unwrap();