fix(dgw): update cryptography dependencies

We keep using ring as our crypto provider for now.
Devolutions · Aug 19, 2024 · 787027c · 787027c
1 parent cc7a90e
commit 787027c
Show file tree

Hide file tree

Showing 10 changed files with 156 additions and 126 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/devolutions-agent/Cargo.toml b/devolutions-agent/Cargo.toml
@@ -20,25 +20,22 @@ ctrlc = "3.4"
 devolutions-agent-shared = { path = "../crates/devolutions-agent-shared" }
 devolutions-gateway-task = { path = "../crates/devolutions-gateway-task" }
 devolutions-log = { path = "../crates/devolutions-log" }
-# TODO(@pacmancoder): This should point to IronRDP repo after `now-proto-pdu` code is merged to `IronRDP` codebase
-# now-proto-pdu = { path = "../crates/now-proto-pdu" }
 futures = "0.3"
 parking_lot = "0.12"
 rand = "0.8" # FIXME(@CBenoit): maybe we don’t need this crate
-rustls = "0.23"
 rustls-pemfile = "2.1" # FIXME(@CBenoit): maybe we don’t need this crate
 serde_json = "1"
 serde = { version = "1", features = ["derive"] }
 tap = "1.0"
-tokio-rustls = "0.26"
+tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"] }
 tracing = "0.1"
 
 [dependencies.ironrdp]
 git = "https://github.com/Devolutions/IronRDP"
 rev = "2e1a9ac88e38e7d92d893007bc25d0a05c365861"
 default-features = false
 features = [
-    "server",
+    "server", # FIXME(@CBenoit): this is enabling AWS LC unconditionnally.
     "acceptor",
 ]
 

diff --git a/devolutions-agent/src/main.rs b/devolutions-agent/src/main.rs
@@ -4,8 +4,8 @@
 // Used by devolutions-agent library.
 use {
     anyhow as _, async_trait as _, camino as _, devolutions_agent_shared as _, devolutions_gateway_task as _,
-    devolutions_log as _, futures as _, ironrdp as _, parking_lot as _, rand as _, rustls as _, rustls_pemfile as _,
-    serde as _, serde_json as _, tap as _, tokio as _, tokio_rustls as _,
+    devolutions_log as _, futures as _, ironrdp as _, parking_lot as _, rand as _, rustls_pemfile as _, serde as _,
+    serde_json as _, tap as _, tokio as _, tokio_rustls as _,
 };
 
 #[macro_use]

diff --git a/devolutions-agent/src/remote_desktop/tls.rs b/devolutions-agent/src/remote_desktop/tls.rs
@@ -5,7 +5,7 @@ use std::sync::Arc;
 use anyhow::Context as _;
 use camino::Utf8Path;
 use rustls::ServerConfig;
-use tokio_rustls::TlsAcceptor;
+use tokio_rustls::{rustls, TlsAcceptor};
 
 pub(crate) fn acceptor(cert_path: &Utf8Path, key_path: &Utf8Path) -> anyhow::Result<TlsAcceptor> {
     let cert_file = File::open(cert_path).with_context(|| format!("failed to open {cert_path}"))?;

diff --git a/devolutions-gateway/Cargo.toml b/devolutions-gateway/Cargo.toml
@@ -65,8 +65,8 @@ tracing = "0.1"
 
 # Async, futures…
 tokio = { version = "1.38", features = ["signal", "net", "io-util", "time", "rt", "rt-multi-thread", "sync", "macros", "parking_lot", "fs"] }
-tokio-rustls = { version = "0.24", features = ["dangerous_configuration", "tls12"] }
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "json"] } # TODO: directly use hyper in subscriber module
+tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"] }
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "json"] }
 futures = "0.3"
 async-trait = "0.1"
 tower = { version = "0.4", features = ["timeout"] }
@@ -104,7 +104,7 @@ etherparse = "0.15"
 portpicker = "0.1"
 
 [target.'cfg(windows)'.dependencies]
-rustls-cng = "0.3"
+rustls-cng = { version = "0.5", default-features = false, features = ["logging", "tls12", "ring"] }
 
 [target.'cfg(windows)'.build-dependencies]
 embed-resource = "2.4"

diff --git a/devolutions-gateway/src/config.rs b/devolutions-gateway/src/config.rs
@@ -14,7 +14,7 @@ use std::io::BufReader;
 use std::sync::Arc;
 use tap::prelude::*;
 use tokio::sync::Notify;
-use tokio_rustls::rustls;
+use tokio_rustls::rustls::pki_types;
 use url::Url;
 use uuid::Uuid;
 
@@ -569,7 +569,10 @@ fn default_hostname() -> Option<String> {
 fn read_pfx_file(
     path: &Utf8Path,
     password: Option<&dto::Password>,
-) -> anyhow::Result<(Vec<rustls::Certificate>, rustls::PrivateKey)> {
+) -> anyhow::Result<(
+    Vec<pki_types::CertificateDer<'static>>,
+    pki_types::PrivateKeyDer<'static>,
+)> {
     use picky::pkcs12::{
         Pfx, Pkcs12AttributeKind, Pkcs12CryptoContext, Pkcs12ParsingParams, SafeBagKind, SafeContentsKind,
     };
@@ -665,19 +668,19 @@ fn read_pfx_file(
     let private_key = private_key.context("leaf private key not found")?.clone();
     let private_key = private_key
         .to_pkcs8()
-        .map(rustls::PrivateKey)
+        .map(|der| pki_types::PrivateKeyDer::Pkcs8(der.into()))
         .context("invalid private key")?;
 
     let certificates = certificates
         .into_iter()
-        .map(|(cert, _)| cert.to_der().map(rustls::Certificate))
+        .map(|(cert, _)| cert.to_der().map(pki_types::CertificateDer::from))
         .collect::<Result<_, _>>()
         .context("invalid certificate")?;
 
     Ok((certificates, private_key))
 }
 
-fn read_rustls_certificate_file(path: &Utf8Path) -> anyhow::Result<Vec<rustls::Certificate>> {
+fn read_rustls_certificate_file(path: &Utf8Path) -> anyhow::Result<Vec<pki_types::CertificateDer<'static>>> {
     read_rustls_certificate(Some(path), None)
         .transpose()
         .expect("a path is provided, so it’s never None")
@@ -686,7 +689,7 @@ fn read_rustls_certificate_file(path: &Utf8Path) -> anyhow::Result<Vec<rustls::C
 fn read_rustls_certificate(
     path: Option<&Utf8Path>,
     data: Option<&dto::ConfData<dto::CertFormat>>,
-) -> anyhow::Result<Option<Vec<rustls::Certificate>>> {
+) -> anyhow::Result<Option<Vec<pki_types::CertificateDer<'static>>>> {
     use picky::pem::{read_pem, PemError};
 
     match (path, data) {
@@ -709,7 +712,7 @@ fn read_rustls_certificate(
                             );
                         }
 
-                        x509_chain.push(rustls::Certificate(pem.into_data().into_owned()));
+                        x509_chain.push(pki_types::CertificateDer::from(pem.into_data().into_owned()));
                     }
                     Err(e @ PemError::HeaderNotFound) => {
                         if x509_chain.is_empty() {
@@ -734,7 +737,7 @@ fn read_rustls_certificate(
             let value = data.decode_value()?;
 
             match data.format {
-                dto::CertFormat::X509 => Ok(Some(vec![rustls::Certificate(value)])),
+                dto::CertFormat::X509 => Ok(Some(vec![pki_types::CertificateDer::from(value)])),
             }
         }
         (None, None) => Ok(None),
@@ -771,7 +774,7 @@ fn read_pub_key(
     }
 }
 
-fn read_rustls_priv_key_file(path: &Utf8Path) -> anyhow::Result<rustls::PrivateKey> {
+fn read_rustls_priv_key_file(path: &Utf8Path) -> anyhow::Result<pki_types::PrivateKeyDer<'static>> {
     read_rustls_priv_key(Some(path), None)
         .transpose()
         .expect("path is provided, so it’s never None")
@@ -780,29 +783,40 @@ fn read_rustls_priv_key_file(path: &Utf8Path) -> anyhow::Result<rustls::PrivateK
 fn read_rustls_priv_key(
     path: Option<&Utf8Path>,
     data: Option<&dto::ConfData<dto::PrivKeyFormat>>,
-) -> anyhow::Result<Option<rustls::PrivateKey>> {
-    let data = match (path, data) {
+) -> anyhow::Result<Option<pki_types::PrivateKeyDer<'static>>> {
+    let private_key = match (path, data) {
         (Some(path), _) => {
             let pem: Pem<'_> = normalize_data_path(path, &get_data_dir())
                 .pipe_ref(std::fs::read_to_string)
                 .with_context(|| format!("couldn't read file at {path}"))?
                 .pipe_deref(str::parse)
                 .context("couldn't parse pem document")?;
 
-            if PRIVATE_KEY_LABELS.iter().all(|&label| pem.label() != label) {
-                anyhow::bail!(
-                    "bad pem label (got {}, expected one of {PRIVATE_KEY_LABELS:?})",
-                    pem.label(),
-                );
+            match pem.label() {
+                "PRIVATE KEY" => pki_types::PrivateKeyDer::Pkcs8(pem.into_data().into_owned().into()),
+                "RSA PRIVATE KEY" => pki_types::PrivateKeyDer::Pkcs1(pem.into_data().into_owned().into()),
+                "EC PRIVATE KEY" => pki_types::PrivateKeyDer::Sec1(pem.into_data().into_owned().into()),
+                _ => {
+                    anyhow::bail!(
+                        "bad pem label (got {}, expected one of {PRIVATE_KEY_LABELS:?})",
+                        pem.label(),
+                    );
+                }
             }
+        }
+        (None, Some(data)) => {
+            let value = data.decode_value()?;
 
-            pem.into_data().into_owned()
+            match data.format {
+                dto::PrivKeyFormat::Pkcs8 => pki_types::PrivateKeyDer::Pkcs8(value.into()),
+                dto::PrivKeyFormat::Pkcs1 => pki_types::PrivateKeyDer::Pkcs1(value.into()),
+                dto::PrivKeyFormat::Ec => pki_types::PrivateKeyDer::Sec1(value.into()),
+            }
         }
-        (None, Some(data)) => data.decode_value()?,
         (None, None) => return Ok(None),
     };
 
-    Ok(Some(rustls::PrivateKey(data)))
+    Ok(Some(private_key))
 }
 
 fn read_priv_key(

diff --git a/devolutions-gateway/src/main.rs b/devolutions-gateway/src/main.rs
@@ -2,6 +2,8 @@
 #![allow(clippy::print_stdout)]
 
 // Used by devolutions-gateway library.
+#[cfg(windows)]
+use rustls_cng as _;
 #[cfg(feature = "openapi")]
 use utoipa as _;
 use {