diff options
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/fetch/Cargo.toml | 2 | ||||
| -rw-r--r-- | ext/fetch/fs_fetch_handler.rs | 2 | ||||
| -rw-r--r-- | ext/fetch/lib.rs | 13 | ||||
| -rw-r--r-- | ext/kv/Cargo.toml | 2 | ||||
| -rw-r--r-- | ext/kv/remote.rs | 44 | ||||
| -rw-r--r-- | ext/net/ops_tls.rs | 28 | ||||
| -rw-r--r-- | ext/node/Cargo.toml | 4 | ||||
| -rw-r--r-- | ext/node/ops/http2.rs | 14 | ||||
| -rw-r--r-- | ext/tls/Cargo.toml | 4 | ||||
| -rw-r--r-- | ext/tls/lib.rs | 201 | ||||
| -rw-r--r-- | ext/tls/testdata/README | 4 | ||||
| -rw-r--r-- | ext/tls/testdata/example1_cert.der | bin | 929 -> 0 bytes | |||
| -rw-r--r-- | ext/tls/testdata/example1_prikey.der | bin | 1190 -> 0 bytes | |||
| -rw-r--r-- | ext/tls/testdata/example2_cert.der | bin | 929 -> 0 bytes | |||
| -rw-r--r-- | ext/tls/testdata/example2_prikey.der | bin | 1191 -> 0 bytes | |||
| -rw-r--r-- | ext/tls/tls_key.rs | 46 | ||||
| -rw-r--r-- | ext/websocket/lib.rs | 11 |
17 files changed, 155 insertions, 220 deletions
diff --git a/ext/fetch/Cargo.toml b/ext/fetch/Cargo.toml index 0fb9e0ed6..8d8c2205e 100644 --- a/ext/fetch/Cargo.toml +++ b/ext/fetch/Cargo.toml @@ -20,7 +20,7 @@ deno_core.workspace = true deno_permissions.workspace = true deno_tls.workspace = true dyn-clone = "1" -http.workspace = true +http_v02.workspace = true reqwest.workspace = true serde.workspace = true serde_json.workspace = true diff --git a/ext/fetch/fs_fetch_handler.rs b/ext/fetch/fs_fetch_handler.rs index 29bad5992..8f83cef88 100644 --- a/ext/fetch/fs_fetch_handler.rs +++ b/ext/fetch/fs_fetch_handler.rs @@ -31,7 +31,7 @@ impl FetchHandler for FsFetchHandler { let file = tokio::fs::File::open(path).map_err(|_| ()).await?; let stream = ReaderStream::new(file); let body = reqwest::Body::wrap_stream(stream); - let response = http::Response::builder() + let response = http_v02::Response::builder() .status(StatusCode::OK) .body(body) .map_err(|_| ())? diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs index 75ceb86d9..066f1685b 100644 --- a/ext/fetch/lib.rs +++ b/ext/fetch/lib.rs @@ -47,8 +47,8 @@ use data_url::DataUrl; use deno_tls::TlsKey; use deno_tls::TlsKeys; use deno_tls::TlsKeysHolder; -use http::header::CONTENT_LENGTH; -use http::Uri; +use http_v02::header::CONTENT_LENGTH; +use http_v02::Uri; use reqwest::header::HeaderMap; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; @@ -449,9 +449,12 @@ where .decode_to_vec() .map_err(|e| type_error(format!("{e:?}")))?; - let response = http::Response::builder() - .status(http::StatusCode::OK) - .header(http::header::CONTENT_TYPE, data_url.mime_type().to_string()) + let response = http_v02::Response::builder() + .status(http_v02::StatusCode::OK) + .header( + http_v02::header::CONTENT_TYPE, + data_url.mime_type().to_string(), + ) .body(reqwest::Body::from(body))?; let fut = async move { Ok(Ok(Response::from(response))) }; diff --git a/ext/kv/Cargo.toml b/ext/kv/Cargo.toml index 503900b2c..47659f6e1 100644 --- a/ext/kv/Cargo.toml +++ b/ext/kv/Cargo.toml @@ -17,7 +17,6 @@ path = "lib.rs" anyhow.workspace = true async-trait.workspace = true base64.workspace = true -bytes.workspace = true chrono = { workspace = true, features = ["now"] } deno_core.workspace = true deno_fetch.workspace = true @@ -28,7 +27,6 @@ denokv_proto.workspace = true denokv_remote.workspace = true denokv_sqlite.workspace = true faster-hex.workspace = true -http.workspace = true log.workspace = true num-bigint.workspace = true prost.workspace = true diff --git a/ext/kv/remote.rs b/ext/kv/remote.rs index 7541b5a06..a1273e78b 100644 --- a/ext/kv/remote.rs +++ b/ext/kv/remote.rs @@ -8,14 +8,10 @@ use std::sync::Arc; use crate::DatabaseHandler; use anyhow::Context; use async_trait::async_trait; -use bytes::Bytes; use deno_core::error::type_error; use deno_core::error::AnyError; -use deno_core::futures::Stream; -use deno_core::futures::TryStreamExt as _; use deno_core::OpState; use deno_fetch::create_http_client; -use deno_fetch::reqwest; use deno_fetch::CreateHttpClientOptions; use deno_tls::rustls::RootCertStore; use deno_tls::Proxy; @@ -23,8 +19,6 @@ use deno_tls::RootCertStoreProvider; use deno_tls::TlsKeys; use denokv_remote::MetadataEndpoint; use denokv_remote::Remote; -use denokv_remote::RemoteResponse; -use denokv_remote::RemoteTransport; use url::Url; #[derive(Clone)] @@ -108,44 +102,11 @@ impl<P: RemoteDbHandlerPermissions + 'static> denokv_remote::RemotePermissions } } -#[derive(Clone)] -pub struct ReqwestClient(reqwest::Client); -pub struct ReqwestResponse(reqwest::Response); - -impl RemoteTransport for ReqwestClient { - type Response = ReqwestResponse; - async fn post( - &self, - url: Url, - headers: http::HeaderMap, - body: Bytes, - ) -> Result<(Url, http::StatusCode, Self::Response), anyhow::Error> { - let res = self.0.post(url).headers(headers).body(body).send().await?; - let url = res.url().clone(); - let status = res.status(); - Ok((url, status, ReqwestResponse(res))) - } -} - -impl RemoteResponse for ReqwestResponse { - async fn bytes(self) -> Result<Bytes, anyhow::Error> { - Ok(self.0.bytes().await?) - } - fn stream( - self, - ) -> impl Stream<Item = Result<Bytes, anyhow::Error>> + Send + Sync { - self.0.bytes_stream().map_err(|e| e.into()) - } - async fn text(self) -> Result<String, anyhow::Error> { - Ok(self.0.text().await?) - } -} - #[async_trait(?Send)] impl<P: RemoteDbHandlerPermissions + 'static> DatabaseHandler for RemoteDbHandler<P> { - type DB = Remote<PermissionChecker<P>, ReqwestClient>; + type DB = Remote<PermissionChecker<P>>; async fn open( &self, @@ -201,14 +162,13 @@ impl<P: RemoteDbHandlerPermissions + 'static> DatabaseHandler http2: true, }, )?; - let reqwest_client = ReqwestClient(client); let permissions = PermissionChecker { state: state.clone(), _permissions: PhantomData, }; - let remote = Remote::new(reqwest_client, permissions, metadata_endpoint); + let remote = Remote::new(client, permissions, metadata_endpoint); Ok(remote) } diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index ccea8eb75..c52985908 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -31,11 +31,11 @@ use deno_tls::create_client_config; use deno_tls::load_certs; use deno_tls::load_private_keys; use deno_tls::new_resolver; -use deno_tls::rustls::pki_types::ServerName; +use deno_tls::rustls::Certificate; use deno_tls::rustls::ClientConnection; +use deno_tls::rustls::PrivateKey; use deno_tls::rustls::ServerConfig; -use deno_tls::webpki::types::CertificateDer; -use deno_tls::webpki::types::PrivateKeyDer; +use deno_tls::rustls::ServerName; use deno_tls::ServerConfigProvider; use deno_tls::SocketUse; use deno_tls::TlsKey; @@ -48,6 +48,7 @@ use serde::Deserialize; use std::borrow::Cow; use std::cell::RefCell; use std::convert::From; +use std::convert::TryFrom; use std::fs::File; use std::io::BufReader; use std::io::ErrorKind; @@ -303,14 +304,14 @@ where { let rid = args.rid; let hostname = match &*args.hostname { - "" => "localhost".to_string(), - n => n.to_string(), + "" => "localhost", + n => n, }; { let mut s = state.borrow_mut(); let permissions = s.borrow_mut::<NP>(); - permissions.check_net(&(&hostname, Some(0)), "Deno.startTls()")?; + permissions.check_net(&(hostname, Some(0)), "Deno.startTls()")?; } let ca_certs = args @@ -319,8 +320,8 @@ where .map(|s| s.into_bytes()) .collect::<Vec<_>>(); - let hostname_dns = ServerName::try_from(hostname.to_string()) - .map_err(|_| invalid_hostname(&hostname))?; + let hostname_dns = + ServerName::try_from(hostname).map_err(|_| invalid_hostname(hostname))?; let unsafely_ignore_certificate_errors = state .borrow() @@ -421,9 +422,9 @@ where .borrow::<DefaultTlsOptions>() .root_cert_store()?; let hostname_dns = if let Some(server_name) = args.server_name { - ServerName::try_from(server_name) + ServerName::try_from(server_name.as_str()) } else { - ServerName::try_from(addr.hostname.clone()) + ServerName::try_from(&*addr.hostname) } .map_err(|_| invalid_hostname(&addr.hostname))?; let connect_addr = resolve_addr(&addr.hostname, addr.port) @@ -465,9 +466,7 @@ where Ok((rid, IpAddr::from(local_addr), IpAddr::from(remote_addr))) } -fn load_certs_from_file( - path: &str, -) -> Result<Vec<CertificateDer<'static>>, AnyError> { +fn load_certs_from_file(path: &str) -> Result<Vec<Certificate>, AnyError> { let cert_file = File::open(path)?; let reader = &mut BufReader::new(cert_file); load_certs(reader) @@ -475,7 +474,7 @@ fn load_certs_from_file( fn load_private_keys_from_file( path: &str, -) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> { +) -> Result<Vec<PrivateKey>, AnyError> { let key_bytes = std::fs::read(path)?; load_private_keys(&key_bytes) } @@ -524,6 +523,7 @@ where TlsKeys::Null => Err(anyhow!("Deno.listenTls requires a key")), TlsKeys::Static(TlsKey(cert, key)) => { let mut tls_config = ServerConfig::builder() + .with_safe_defaults() .with_no_client_auth() .with_single_cert(cert, key) .map_err(|e| anyhow!(e))?; diff --git a/ext/node/Cargo.toml b/ext/node/Cargo.toml index 906fe08b3..475ca2113 100644 --- a/ext/node/Cargo.toml +++ b/ext/node/Cargo.toml @@ -35,10 +35,10 @@ ecb.workspace = true elliptic-curve.workspace = true errno = "0.2.8" faster-hex.workspace = true -h2.workspace = true +h2 = { version = "0.3.26", features = ["unstable"] } hkdf.workspace = true home = "0.5.9" -http.workspace = true +http_v02.workspace = true idna = "0.3.0" indexmap.workspace = true ipnetwork = "0.20.0" diff --git a/ext/node/ops/http2.rs b/ext/node/ops/http2.rs index d12e108e6..abf7eae5d 100644 --- a/ext/node/ops/http2.rs +++ b/ext/node/ops/http2.rs @@ -26,11 +26,11 @@ use deno_net::raw::NetworkStream; use h2; use h2::Reason; use h2::RecvStream; -use http; -use http::request::Parts; -use http::HeaderMap; -use http::Response; -use http::StatusCode; +use http_v02; +use http_v02::request::Parts; +use http_v02::HeaderMap; +use http_v02::Response; +use http_v02::StatusCode; use reqwest::header::HeaderName; use reqwest::header::HeaderValue; use url::Url; @@ -311,7 +311,7 @@ pub async fn op_http2_client_request( let url = url.join(&pseudo_path)?; - let mut req = http::Request::builder() + let mut req = http_v02::Request::builder() .uri(url.as_str()) .method(pseudo_method.as_str()); @@ -383,7 +383,7 @@ pub async fn op_http2_client_send_trailers( .get::<Http2ClientStream>(stream_rid)?; let mut stream = RcRef::map(&resource, |r| &r.stream).borrow_mut().await; - let mut trailers_map = http::HeaderMap::new(); + let mut trailers_map = http_v02::HeaderMap::new(); for (name, value) in trailers { trailers_map.insert( HeaderName::from_bytes(&name).unwrap(), diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml index e9f432848..65c407d1c 100644 --- a/ext/tls/Cargo.toml +++ b/ext/tls/Cargo.toml @@ -15,8 +15,8 @@ path = "lib.rs" [dependencies] deno_core.workspace = true -deno_native_certs = "0.3.0" -rustls.workspace = true +deno_native_certs = "0.2.0" +rustls = { workspace = true, features = ["dangerous_configuration"] } rustls-pemfile.workspace = true rustls-tokio-stream.workspace = true rustls-webpki.workspace = true diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index c4d548ccf..5122264bf 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -1,9 +1,7 @@ // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license. + pub use deno_native_certs; pub use rustls; -use rustls::pki_types::CertificateDer; -use rustls::pki_types::PrivateKeyDer; -use rustls::pki_types::ServerName; pub use rustls_pemfile; pub use rustls_tokio_stream::*; pub use webpki; @@ -13,14 +11,14 @@ use deno_core::anyhow::anyhow; use deno_core::error::custom_error; use deno_core::error::AnyError; -use rustls::client::danger::HandshakeSignatureValid; -use rustls::client::danger::ServerCertVerified; -use rustls::client::danger::ServerCertVerifier; -use rustls::client::WebPkiServerVerifier; +use rustls::client::HandshakeSignatureValid; +use rustls::client::ServerCertVerified; +use rustls::client::ServerCertVerifier; +use rustls::client::WebPkiVerifier; use rustls::ClientConfig; use rustls::DigitallySignedStruct; use rustls::Error; -use rustls::RootCertStore; +use rustls::ServerName; use rustls_pemfile::certs; use rustls_pemfile::ec_private_keys; use rustls_pemfile::pkcs8_private_keys; @@ -29,12 +27,16 @@ use serde::Deserialize; use std::io::BufRead; use std::io::BufReader; use std::io::Cursor; -use std::net::IpAddr; use std::sync::Arc; +use std::time::SystemTime; mod tls_key; pub use tls_key::*; +pub type Certificate = rustls::Certificate; +pub type PrivateKey = rustls::PrivateKey; +pub type RootCertStore = rustls::RootCertStore; + /// Lazily resolves the root cert store. /// /// This was done because the root cert store is not needed in all cases @@ -46,59 +48,56 @@ pub trait RootCertStoreProvider: Send + Sync { // This extension has no runtime apis, it only exports some shared native functions. deno_core::extension!(deno_tls); -#[derive(Debug)] -pub struct NoCertificateVerification { - pub ic_allowlist: Vec<String>, - default_verifier: Arc<WebPkiServerVerifier>, -} +struct DefaultSignatureVerification; -impl NoCertificateVerification { - pub fn new(ic_allowlist: Vec<String>) -> Self { - Self { - ic_allowlist, - default_verifier: WebPkiServerVerifier::builder( - create_default_root_cert_store().into(), - ) - .build() - .unwrap(), - } +impl ServerCertVerifier for DefaultSignatureVerification { + fn verify_server_cert( + &self, + _end_entity: &Certificate, + _intermediates: &[Certificate], + _server_name: &ServerName, + _scts: &mut dyn Iterator<Item = &[u8]>, + _ocsp_response: &[u8], + _now: SystemTime, + ) -> Result<ServerCertVerified, Error> { + Err(Error::General("Should not be used".to_string())) } } -impl ServerCertVerifier for NoCertificateVerification { - fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> { - self.default_verifier.supported_verify_schemes() - } +pub struct NoCertificateVerification(pub Vec<String>); +impl ServerCertVerifier for NoCertificateVerification { fn verify_server_cert( &self, - end_entity: &rustls::pki_types::CertificateDer<'_>, - intermediates: &[rustls::pki_types::CertificateDer<'_>], - server_name: &rustls::pki_types::ServerName<'_>, + end_entity: &Certificate, + intermediates: &[Certificate], + server_name: &ServerName, + scts: &mut dyn Iterator<Item = &[u8]>, ocsp_response: &[u8], - now: rustls::pki_types::UnixTime, + now: SystemTime, ) -> Result<ServerCertVerified, Error> { - if self.ic_allowlist.is_empty() { + if self.0.is_empty() { return Ok(ServerCertVerified::assertion()); } let dns_name_or_ip_address = match server_name { ServerName::DnsName(dns_name) => dns_name.as_ref().to_owned(), - ServerName::IpAddress(ip_address) => { - Into::<IpAddr>::into(*ip_address).to_string() - } + ServerName::IpAddress(ip_address) => ip_address.to_string(), _ => { // NOTE(bartlomieju): `ServerName` is a non-exhaustive enum // so we have this catch all errors here. return Err(Error::General("Unknown `ServerName` variant".to_string())); } }; - if self.ic_allowlist.contains(&dns_name_or_ip_address) { + if self.0.contains(&dns_name_or_ip_address) { Ok(ServerCertVerified::assertion()) } else { - self.default_verifier.verify_server_cert( + let root_store = create_default_root_cert_store(); + let verifier = WebPkiVerifier::new(root_store, None); + verifier.verify_server_cert( end_entity, intermediates, server_name, + scts, ocsp_response, now, ) @@ -108,32 +107,28 @@ impl ServerCertVerifier for NoCertificateVerification { fn verify_tls12_signature( &self, message: &[u8], - cert: &rustls::pki_types::CertificateDer, + cert: &rustls::Certificate, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error> { - if self.ic_allowlist.is_empty() { + if self.0.is_empty() { return Ok(HandshakeSignatureValid::assertion()); } filter_invalid_encoding_err( - self - .default_verifier - .verify_tls12_signature(message, cert, dss), + DefaultSignatureVerification.verify_tls12_signature(message, cert, dss), ) } fn verify_tls13_signature( &self, message: &[u8], - cert: &rustls::pki_types::CertificateDer, + cert: &rustls::Certificate, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error> { - if self.ic_allowlist.is_empty() { + if self.0.is_empty() { return Ok(HandshakeSignatureValid::assertion()); } filter_invalid_encoding_err( - self - .default_verifier - .verify_tls13_signature(message, cert, dss), + DefaultSignatureVerification.verify_tls13_signature(message, cert, dss), ) } } @@ -154,10 +149,17 @@ pub struct BasicAuth { } pub fn create_default_root_cert_store() -> RootCertStore { - let root_cert_store = rustls::RootCertStore { - roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(), - }; - debug_assert!(!root_cert_store.is_empty()); + let mut root_cert_store = RootCertStore::empty(); + // TODO(@justinmchase): Consider also loading the system keychain here + root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map( + |ta| { + rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( + ta.subject, + ta.spki, + ta.name_constraints, + ) + }, + )); root_cert_store } @@ -181,10 +183,10 @@ pub fn create_client_config( ) -> Result<ClientConfig, AnyError> { if let Some(ic_allowlist) = unsafely_ignore_certificate_errors { let client_config = ClientConfig::builder() - .dangerous() - .with_custom_certificate_verifier(Arc::new( - NoCertificateVerification::new(ic_allowlist), - )); + .with_safe_defaults() + .with_custom_certificate_verifier(Arc::new(NoCertificateVerification( + ic_allowlist, + ))); // NOTE(bartlomieju): this if/else is duplicated at the end of the body of this function. // However it's not really feasible to deduplicate it as the `client_config` instances @@ -192,7 +194,7 @@ pub fn create_client_config( // or client cert". let mut client = match maybe_cert_chain_and_key { TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config - .with_client_auth_cert(cert_chain, private_key.clone_key()) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate"), TlsKeys::Null => client_config.with_no_client_auth(), TlsKeys::Resolver(_) => unimplemented!(), @@ -202,33 +204,33 @@ pub fn create_client_config( return Ok(client); } - let mut root_cert_store = - root_cert_store.unwrap_or_else(create_default_root_cert_store); - // If custom certs are specified, add them to the store - for cert in ca_certs { - let reader = &mut BufReader::new(Cursor::new(cert)); - // This function does not return specific errors, if it fails give a generic message. - for r in rustls_pemfile::certs(reader) { - match r { - Ok(cert) => { - root_cert_store.add(cert)?; - } - Err(e) => { - return Err(anyhow!( - "Unable to add pem file to certificate store: {}", - e - )); + let client_config = ClientConfig::builder() + .with_safe_defaults() + .with_root_certificates({ + let mut root_cert_store = + root_cert_store.unwrap_or_else(create_default_root_cert_store); + // If custom certs are specified, add them to the store + for cert in ca_certs { + let reader = &mut BufReader::new(Cursor::new(cert)); + // This function does not return specific errors, if it fails give a generic message. + match rustls_pemfile::certs(reader) { + Ok(certs) => { + root_cert_store.add_parsable_certificates(&certs); + } + Err(e) => { + return Err(anyhow!( + "Unable to add pem file to certificate store: {}", + e + )); + } } } - } - } - - let client_config = - ClientConfig::builder().with_root_certificates(root_cert_store); + root_cert_store + }); let mut client = match maybe_cert_chain_and_key { TlsKeys::Static(TlsKey(cert_chain, private_key)) => client_config - .with_client_auth_cert(cert_chain, private_key.clone_key()) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate"), TlsKeys::Null => client_config.with_no_client_auth(), TlsKeys::Resolver(_) => unimplemented!(), @@ -255,17 +257,15 @@ fn add_alpn(client: &mut ClientConfig, socket_use: SocketUse) { pub fn load_certs( reader: &mut dyn BufRead, -) -> Result<Vec<CertificateDer<'static>>, AnyError> { - let certs: Result<Vec<_>, _> = certs(reader).collect(); - - let certs = certs +) -> Result<Vec<Certificate>, AnyError> { + let certs = certs(reader) .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?; if certs.is_empty() { return Err(cert_not_found_err()); } - Ok(certs) + Ok(certs.into_iter().map(rustls::Certificate).collect()) } fn key_decode_err() -> AnyError { @@ -281,32 +281,21 @@ fn cert_not_found_err() -> AnyError { } /// Starts with -----BEGIN RSA PRIVATE KEY----- -fn load_rsa_keys( - mut bytes: &[u8], -) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> { - let keys: Result<Vec<_>, _> = rsa_private_keys(&mut bytes).collect(); - let keys = keys.map_err(|_| key_decode_err())?; - Ok(keys.into_iter().map(PrivateKeyDer::Pkcs1).collect()) +fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } /// Starts with -----BEGIN EC PRIVATE KEY----- -fn load_ec_keys( - mut bytes: &[u8], -) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> { - let keys: Result<Vec<_>, std::io::Error> = - ec_private_keys(&mut bytes).collect(); - let keys2 = keys.map_err(|_| key_decode_err())?; - Ok(keys2.into_iter().map(PrivateKeyDer::Sec1).collect()) +fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } /// Starts with -----BEGIN PRIVATE KEY----- -fn load_pkcs8_keys( - mut bytes: &[u8], -) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> { - let keys: Result<Vec<_>, std::io::Error> = - pkcs8_private_keys(&mut bytes).collect(); - let keys2 = keys.map_err(|_| key_decode_err())?; - Ok(keys2.into_iter().map(PrivateKeyDer::Pkcs8).collect()) +fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys.into_iter().map(rustls::PrivateKey).collect()) } fn filter_invalid_encoding_err( @@ -320,9 +309,7 @@ fn filter_invalid_encoding_err( } } -pub fn load_private_keys( - bytes: &[u8], -) -> Result<Vec<PrivateKeyDer<'static>>, AnyError> { +pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { let mut keys = load_rsa_keys(bytes)?; if keys.is_empty() { diff --git a/ext/tls/testdata/README b/ext/tls/testdata/README deleted file mode 100644 index 12046561c..000000000 --- a/ext/tls/testdata/README +++ /dev/null @@ -1,4 +0,0 @@ - -openssl req -x509 -newkey rsa:2048 -nodes -keyout example2_prikey.pem -out example2_cert.der -subj "/C=US/ST=State/L=Locality/O=Organization/CN=example2.com" -outform der - -openssl pkey -in example2_prikey.pem -out example2_prikey.der -outform der diff --git a/ext/tls/testdata/example1_cert.der b/ext/tls/testdata/example1_cert.der Binary files differdeleted file mode 100644 index fb1b2e64b..000000000 --- a/ext/tls/testdata/example1_cert.der +++ /dev/null diff --git a/ext/tls/testdata/example1_prikey.der b/ext/tls/testdata/example1_prikey.der Binary files differdeleted file mode 100644 index 1cf7ef1d2..000000000 --- a/ext/tls/testdata/example1_prikey.der +++ /dev/null diff --git a/ext/tls/testdata/example2_cert.der b/ext/tls/testdata/example2_cert.der Binary files differdeleted file mode 100644 index 4428f3f6b..000000000 --- a/ext/tls/testdata/example2_cert.der +++ /dev/null diff --git a/ext/tls/testdata/example2_prikey.der b/ext/tls/testdata/example2_prikey.der Binary files differdeleted file mode 100644 index 8bdef8df3..000000000 --- a/ext/tls/testdata/example2_prikey.der +++ /dev/null diff --git a/ext/tls/tls_key.rs b/ext/tls/tls_key.rs index 1e60e7cf0..18064a91a 100644 --- a/ext/tls/tls_key.rs +++ b/ext/tls/tls_key.rs @@ -11,6 +11,8 @@ //! key lookup can handle closing one end of the pair, in which case they will just //! attempt to clean up the associated resources. +use crate::Certificate; +use crate::PrivateKey; use deno_core::anyhow::anyhow; use deno_core::error::AnyError; use deno_core::futures::future::poll_fn; @@ -30,21 +32,12 @@ use std::sync::Arc; use tokio::sync::broadcast; use tokio::sync::mpsc; use tokio::sync::oneshot; -use webpki::types::CertificateDer; -use webpki::types::PrivateKeyDer; type ErrorType = Rc<AnyError>; /// A TLS certificate/private key pair. -/// see https://docs.rs/rustls-pki-types/latest/rustls_pki_types/#cloning-private-keys -#[derive(Debug, PartialEq, Eq)] -pub struct TlsKey(pub Vec<CertificateDer<'static>>, pub PrivateKeyDer<'static>); - -impl Clone for TlsKey { - fn clone(&self) -> Self { - Self(self.0.clone(), self.1.clone_key()) - } -} +#[derive(Clone, Debug, PartialEq, Eq)] +pub struct TlsKey(pub Vec<Certificate>, pub PrivateKey); #[derive(Clone, Debug, Default)] pub enum TlsKeys { @@ -116,8 +109,9 @@ impl TlsKeyResolver { let key = self.resolve(sni).await?; let mut tls_config = ServerConfig::builder() + .with_safe_defaults() .with_no_client_auth() - .with_single_cert(key.0, key.1.clone_key())?; + .with_single_cert(key.0, key.1)?; tls_config.alpn_protocols = alpn; Ok(tls_config.into()) } @@ -257,18 +251,14 @@ impl TlsKeyLookup { pub mod tests { use super::*; use deno_core::unsync::spawn; + use rustls::Certificate; + use rustls::PrivateKey; fn tls_key_for_test(sni: &str) -> TlsKey { - let manifest_dir = - std::path::PathBuf::from(std::env::var("CARGO_MANIFEST_DIR").unwrap()); - let sni = sni.replace(".com", ""); - let cert_file = manifest_dir.join(format!("testdata/{}_cert.der", sni)); - let prikey_file = manifest_dir.join(format!("testdata/{}_prikey.der", sni)); - let cert = std::fs::read(cert_file).unwrap(); - let prikey = std::fs::read(prikey_file).unwrap(); - let cert = CertificateDer::from(cert); - let prikey = PrivateKeyDer::try_from(prikey).unwrap(); - TlsKey(vec![cert], prikey) + TlsKey( + vec![Certificate(format!("{sni}-cert").into_bytes())], + PrivateKey(format!("{sni}-key").into_bytes()), + ) } #[tokio::test] @@ -280,8 +270,8 @@ pub mod tests { } }); - let key = resolver.resolve("example1.com".to_owned()).await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + let key = resolver.resolve("example.com".to_owned()).await.unwrap(); + assert_eq!(tls_key_for_test("example.com"), key); drop(resolver); task.await.unwrap(); @@ -296,13 +286,13 @@ pub mod tests { } }); - let f1 = resolver.resolve("example1.com".to_owned()); - let f2 = resolver.resolve("example1.com".to_owned()); + let f1 = resolver.resolve("example.com".to_owned()); + let f2 = resolver.resolve("example.com".to_owned()); let key = f1.await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + assert_eq!(tls_key_for_test("example.com"), key); let key = f2.await.unwrap(); - assert_eq!(tls_key_for_test("example1.com"), key); + assert_eq!(tls_key_for_test("example.com"), key); drop(resolver); task.await.unwrap(); diff --git a/ext/websocket/lib.rs b/ext/websocket/lib.rs index a8bb3415d..87503120b 100644 --- a/ext/websocket/lib.rs +++ b/ext/websocket/lib.rs @@ -36,13 +36,14 @@ use http::Request; use http::StatusCode; use http::Uri; use once_cell::sync::Lazy; -use rustls_tokio_stream::rustls::pki_types::ServerName; use rustls_tokio_stream::rustls::RootCertStore; +use rustls_tokio_stream::rustls::ServerName; use rustls_tokio_stream::TlsStream; use serde::Serialize; use std::borrow::Cow; use std::cell::Cell; use std::cell::RefCell; +use std::convert::TryFrom; use std::fmt; use std::future::Future; use std::num::NonZeroUsize; @@ -244,8 +245,8 @@ async fn handshake_http1_wss( ) -> Result<(WebSocket<WebSocketStream>, http::HeaderMap), AnyError> { let tcp_socket = TcpStream::connect(addr).await?; let tls_config = create_ws_client_config(state, SocketUse::Http1Only)?; - let dnsname = ServerName::try_from(domain.to_string()) - .map_err(|_| invalid_hostname(domain))?; + let dnsname = + ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?; let mut tls_connector = TlsStream::new_client_side( tcp_socket, ClientConnection::new(tls_config.into(), dnsname)?, @@ -269,8 +270,8 @@ async fn handshake_http2_wss( ) -> Result<(WebSocket<WebSocketStream>, http::HeaderMap), AnyError> { let tcp_socket = TcpStream::connect(addr).await?; let tls_config = create_ws_client_config(state, SocketUse::Http2Only)?; - let dnsname = ServerName::try_from(domain.to_string()) - .map_err(|_| invalid_hostname(domain))?; + let dnsname = + ServerName::try_from(domain).map_err(|_| invalid_hostname(domain))?; // We need to better expose the underlying errors here let mut tls_connector = TlsStream::new_client_side( tcp_socket, |