fix(dgw): better TLS leaf certificate public key extracting (#390)

Use `x509-cert` crate to extract the public key from the leaf TLS certificate. `x509-cert` supports more certificates.
Devolutions · Feb 22, 2023 · a4dec08 · a4dec08
1 parent e08fd23
commit a4dec08
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 11 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/devolutions-gateway/Cargo.toml b/devolutions-gateway/Cargo.toml
@@ -56,6 +56,7 @@ backoff = "0.4.0"
 zeroize = { version = "1.5.7", features = ["derive"] }
 rust-argon2 = "1.0.0"
 picky = { version = "7.0.0-rc.4", default-features = false, features = ["jose", "x509"] }
+x509-cert = { version = "0.1.1", features = ["std"] }
 sspi = "0.6.0"
 # evaluate use of ring in our codebase
 ring = "0.16.20"

diff --git a/devolutions-gateway/src/config.rs b/devolutions-gateway/src/config.rs
@@ -58,12 +58,17 @@ impl fmt::Debug for Tls {
 
 impl Tls {
     fn init(certificates: Vec<rustls::Certificate>, private_key: rustls::PrivateKey) -> anyhow::Result<Self> {
+        use x509_cert::der::{Decode as _, Encode as _};
+
         let leaf_certificate = certificates.last().context("TLS leaf certificate is missing")?.clone();
 
-        let leaf_public_key = {
-            let cert = picky::x509::Cert::from_der(&leaf_certificate.0).context("Failed to parse TLS certificate")?;
-            TlsPublicKey(cert.public_key().to_der().unwrap())
-        };
+        let leaf_public_key = x509_cert::Certificate::from_der(&leaf_certificate.0)
+            .context("Failed to parse leaf TLS certificate")?
+            .tbs_certificate
+            .subject_public_key_info
+            .to_vec()
+            .context("Failed to retrieve DER encoding of the leaf TLS certificate public key")?
+            .pipe(TlsPublicKey);
 
         let rustls_config =
             crate::tls_sanity::build_rustls_config(certificates, private_key).context("Failed build TLS config")?;