diff options
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/fetch/lib.rs | 25 | ||||
| -rw-r--r-- | ext/net/ops_tls.rs | 52 | ||||
| -rw-r--r-- | ext/tls/lib.rs | 70 |
3 files changed, 94 insertions, 53 deletions
diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs index 8f49d8859..c419180c5 100644 --- a/ext/fetch/lib.rs +++ b/ext/fetch/lib.rs @@ -62,6 +62,7 @@ pub fn init<P: FetchPermissions + 'static>( proxy: Option<Proxy>, request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>, unsafely_ignore_certificate_errors: Option<Vec<String>>, + client_cert_chain_and_key: Option<(String, String)>, ) -> Extension { Extension::builder() .js(include_js_files!( @@ -90,6 +91,7 @@ pub fn init<P: FetchPermissions + 'static>( None, proxy.clone(), unsafely_ignore_certificate_errors.clone(), + client_cert_chain_and_key.clone(), ) .unwrap() }); @@ -100,6 +102,7 @@ pub fn init<P: FetchPermissions + 'static>( request_builder_hook, unsafely_ignore_certificate_errors: unsafely_ignore_certificate_errors .clone(), + client_cert_chain_and_key: client_cert_chain_and_key.clone(), }); Ok(()) }) @@ -112,6 +115,7 @@ pub struct HttpClientDefaults { pub proxy: Option<Proxy>, pub request_builder_hook: Option<fn(RequestBuilder) -> RequestBuilder>, pub unsafely_ignore_certificate_errors: Option<Vec<String>>, + pub client_cert_chain_and_key: Option<(String, String)>, } pub trait FetchPermissions { @@ -508,6 +512,8 @@ pub struct CreateHttpClientOptions { ca_file: Option<String>, ca_data: Option<ByteString>, proxy: Option<Proxy>, + cert_chain: Option<String>, + private_key: Option<String>, } pub fn op_create_http_client<FP>( @@ -529,6 +535,21 @@ where permissions.check_net_url(&url)?; } + let client_cert_chain_and_key = { + if args.cert_chain.is_some() || args.private_key.is_some() { + let cert_chain = args + .cert_chain + .ok_or_else(|| type_error("No certificate chain provided"))?; + let private_key = args + .private_key + .ok_or_else(|| type_error("No private key provided"))?; + + Some((cert_chain, private_key)) + } else { + None + } + }; + let defaults = state.borrow::<HttpClientDefaults>(); let cert_data = get_cert_data(args.ca_file.as_deref(), args.ca_data.as_deref())?; @@ -539,8 +560,8 @@ where cert_data, args.proxy, defaults.unsafely_ignore_certificate_errors.clone(), - ) - .unwrap(); + client_cert_chain_and_key, + )?; let rid = state.resource_table.add(HttpClientResource::new(client)); Ok(rid) diff --git a/ext/net/ops_tls.rs b/ext/net/ops_tls.rs index b89cc4005..58b6147cb 100644 --- a/ext/net/ops_tls.rs +++ b/ext/net/ops_tls.rs @@ -37,9 +37,8 @@ use deno_core::RcRef; use deno_core::Resource; use deno_core::ResourceId; use deno_tls::create_client_config; -use deno_tls::rustls::internal::pemfile::certs; -use deno_tls::rustls::internal::pemfile::pkcs8_private_keys; -use deno_tls::rustls::internal::pemfile::rsa_private_keys; +use deno_tls::load_certs; +use deno_tls::load_private_keys; use deno_tls::rustls::Certificate; use deno_tls::rustls::ClientConfig; use deno_tls::rustls::ClientSession; @@ -58,7 +57,6 @@ use std::cell::RefCell; use std::convert::From; use std::fs::File; use std::io; -use std::io::BufRead; use std::io::BufReader; use std::io::ErrorKind; use std::ops::Deref; @@ -862,58 +860,12 @@ where }) } -fn load_certs(reader: &mut dyn BufRead) -> Result<Vec<Certificate>, AnyError> { - let certs = certs(reader) - .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?; - - if certs.is_empty() { - let e = custom_error("InvalidData", "No certificates found in cert file"); - return Err(e); - } - - Ok(certs) -} - fn load_certs_from_file(path: &str) -> Result<Vec<Certificate>, AnyError> { let cert_file = File::open(path)?; let reader = &mut BufReader::new(cert_file); load_certs(reader) } -fn key_decode_err() -> AnyError { - custom_error("InvalidData", "Unable to decode key") -} - -fn key_not_found_err() -> AnyError { - custom_error("InvalidData", "No keys found in key file") -} - -/// Starts with -----BEGIN RSA PRIVATE KEY----- -fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { - let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?; - Ok(keys) -} - -/// Starts with -----BEGIN PRIVATE KEY----- -fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { - let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; - Ok(keys) -} - -fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { - let mut keys = load_rsa_keys(bytes)?; - - if keys.is_empty() { - keys = load_pkcs8_keys(bytes)?; - } - - if keys.is_empty() { - return Err(key_not_found_err()); - } - - Ok(keys) -} - fn load_private_keys_from_file( path: &str, ) -> Result<Vec<PrivateKey>, AnyError> { diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs index 8f56f0ffd..7632da5e6 100644 --- a/ext/tls/lib.rs +++ b/ext/tls/lib.rs @@ -7,6 +7,7 @@ pub use webpki; pub use webpki_roots; use deno_core::error::anyhow; +use deno_core::error::custom_error; use deno_core::error::generic_error; use deno_core::error::AnyError; use deno_core::parking_lot::Mutex; @@ -17,9 +18,13 @@ use reqwest::header::USER_AGENT; use reqwest::redirect::Policy; use reqwest::Client; use rustls::internal::msgs::handshake::DigitallySignedStruct; +use rustls::internal::pemfile::certs; +use rustls::internal::pemfile::pkcs8_private_keys; +use rustls::internal::pemfile::rsa_private_keys; use rustls::Certificate; use rustls::ClientConfig; use rustls::HandshakeSignatureValid; +use rustls::PrivateKey; use rustls::RootCertStore; use rustls::ServerCertVerified; use rustls::ServerCertVerifier; @@ -28,6 +33,7 @@ use rustls::TLSError; use rustls::WebPKIVerifier; use serde::Deserialize; use std::collections::HashMap; +use std::io::BufRead; use std::io::BufReader; use std::io::Cursor; use std::sync::Arc; @@ -156,6 +162,54 @@ pub fn create_client_config( Ok(tls_config) } +pub fn load_certs( + reader: &mut dyn BufRead, +) -> Result<Vec<Certificate>, AnyError> { + let certs = certs(reader) + .map_err(|_| custom_error("InvalidData", "Unable to decode certificate"))?; + + if certs.is_empty() { + let e = custom_error("InvalidData", "No certificates found in cert file"); + return Err(e); + } + + Ok(certs) +} + +fn key_decode_err() -> AnyError { + custom_error("InvalidData", "Unable to decode key") +} + +fn key_not_found_err() -> AnyError { + custom_error("InvalidData", "No keys found in key file") +} + +/// Starts with -----BEGIN RSA PRIVATE KEY----- +fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys) +} + +/// Starts with -----BEGIN PRIVATE KEY----- +fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?; + Ok(keys) +} + +pub fn load_private_keys(bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> { + let mut keys = load_rsa_keys(bytes)?; + + if keys.is_empty() { + keys = load_pkcs8_keys(bytes)?; + } + + if keys.is_empty() { + return Err(key_not_found_err()); + } + + Ok(keys) +} + /// Create new instance of async reqwest::Client. This client supports /// proxies and doesn't follow redirects. pub fn create_http_client( @@ -164,12 +218,26 @@ pub fn create_http_client( ca_data: Option<Vec<u8>>, proxy: Option<Proxy>, unsafely_ignore_certificate_errors: Option<Vec<String>>, + client_cert_chain_and_key: Option<(String, String)>, ) -> Result<Client, AnyError> { - let tls_config = create_client_config( + let mut tls_config = create_client_config( root_cert_store, ca_data, unsafely_ignore_certificate_errors, )?; + + if let Some((cert_chain, private_key)) = client_cert_chain_and_key { + // The `remove` is safe because load_private_keys checks that there is at least one key. + let private_key = load_private_keys(private_key.as_bytes())?.remove(0); + + tls_config + .set_single_client_cert( + load_certs(&mut cert_chain.as_bytes())?, + private_key, + ) + .expect("invalid client key or certificate"); + } + let mut headers = HeaderMap::new(); headers.insert(USER_AGENT, user_agent.parse().unwrap()); let mut builder = Client::builder() |