Update tokio-rustls requirement from 0.22 to 0.23 (#573)

Updates the requirements on [tokio-rustls](https://github.com/tokio-rs/tls) to permit the latest version. - [Release notes](https://github.com/tokio-rs/tls/releases) - [Commits](https://github.com/tokio-rs/tls/commits) --- updated-dependencies: - dependency-name: tokio-rustls dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Dominic <git@msrd0.de>
gotham-rs · Oct 19, 2021 · d4f3780 · d4f3780
1 parent 13f9a07
commit d4f3780
Show file tree

Hide file tree

Showing 14 changed files with 81 additions and 180 deletions.
diff --git a/examples/hello_world_tls/Cargo.toml b/examples/hello_world_tls/Cargo.toml
@@ -7,3 +7,4 @@ edition = "2018"
 
 [dependencies]
 gotham = { path = "../../gotham", features = ["rustls"] }
+rustls-pemfile = "0.2.1"
diff --git a/examples/hello_world_tls/src/main.rs b/examples/hello_world_tls/src/main.rs
@@ -1,8 +1,8 @@
 //! A Hello World example application for working with Gotham.
 use gotham::anyhow;
-use gotham::rustls::internal::pemfile::{certs, pkcs8_private_keys};
-use gotham::rustls::{self, NoClientAuth};
+use gotham::rustls::{self, Certificate, PrivateKey, ServerConfig};
 use gotham::state::State;
+use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::io::BufReader;
 
 const HELLO_WORLD: &str = "Hello World!";
@@ -19,19 +19,24 @@ pub fn say_hello(state: State) -> (State, &'static str) {
 /// Start a server and call the `Handler` we've defined above for each `Request` we receive.
 pub fn main() -> anyhow::Result<()> {
     let addr = "127.0.0.1:7878";
-    println!("Listening for requests at http://{}", addr);
+    println!("Listening for requests at https://{}", addr);
     gotham::start_with_tls(addr, || Ok(say_hello), build_config()?)?;
     Ok(())
 }
 
-fn build_config() -> Result<rustls::ServerConfig, rustls::TLSError> {
-    let mut cfg = rustls::ServerConfig::new(NoClientAuth::new());
+fn build_config() -> Result<ServerConfig, rustls::Error> {
     let mut cert_file = BufReader::new(&include_bytes!("cert.pem")[..]);
     let mut key_file = BufReader::new(&include_bytes!("key.pem")[..]);
-    let certs = certs(&mut cert_file).unwrap();
+    let certs = certs(&mut cert_file)
+        .unwrap()
+        .into_iter()
+        .map(Certificate)
+        .collect();
     let mut keys = pkcs8_private_keys(&mut key_file).unwrap();
-    cfg.set_single_cert(certs, keys.remove(0))?;
-    Ok(cfg)
+    ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(certs, PrivateKey(keys.remove(0)))
 }
 
 #[cfg(test)]
@@ -45,7 +50,7 @@ mod tests {
         let test_server = TestServer::new(|| Ok(say_hello)).unwrap();
         let response = test_server
             .client()
-            .get("http://localhost")
+            .get("https://localhost")
             .perform()
             .unwrap();
 

diff --git a/gotham/Cargo.toml b/gotham/Cargo.toml
@@ -3,7 +3,7 @@ name = "gotham"
 version = "0.6.0" # Alter html_root_url in lib.rs also
 authors = ["Shaun Mangelsdorf <s.mangelsdorf@gmail.com>",
           "Colin Bankier <colinbankier@gmail.com>",
-		  "Dominic Meiser <git@msrd0.de>",
+          "Dominic Meiser <git@msrd0.de>",
           "Isaac Whitfield <iw@whitfin.io>",
           "Judson Lester <nyarly@gmail.com>",
           "Bradley Beddoes <bradleybeddoes@gmail.com>"]
@@ -15,6 +15,7 @@ readme = "README.md"
 categories = ["web-programming::http-server"]
 keywords = ["http", "async", "web", "framework", "server"]
 edition = "2018"
+exclude = ["src/tls/tls_new_cert.sh"]
 
 [features]
 default = ["derive", "http2", "session", "testing"]
@@ -49,7 +50,7 @@ rand_chacha = "0.3"
 regex = "1.0"
 serde = { version = "1.0", features = ["derive"] }
 tokio = { version = "1.11.0", features = ["net", "rt-multi-thread", "time", "fs", "io-util"] }
-tokio-rustls = { version = "0.22", optional = true }
+tokio-rustls = { version = "0.23", optional = true }
 uuid = { version = "0.8", features = ["v4"] }
 
 [dev-dependencies]

diff --git a/gotham/src/tls/build_pki.sh b/gotham/src/tls/build_pki.sh
diff --git a/gotham/src/tls/ca.cfg b/gotham/src/tls/ca.cfg
diff --git a/gotham/src/tls/ca_cert.pem b/gotham/src/tls/ca_cert.pem
diff --git a/gotham/src/tls/cert.pem b/gotham/src/tls/cert.pem
diff --git a/gotham/src/tls/key.pem b/gotham/src/tls/key.pem
diff --git a/gotham/src/tls/srv.cfg b/gotham/src/tls/srv.cfg
diff --git a/gotham/src/tls/test.rs b/gotham/src/tls/test.rs
@@ -2,34 +2,44 @@
 //!
 //! See the [`TestServer`] and [`AsyncTestServer`] types for example usage.
 
+use std::convert::TryFrom;
 use std::future::Future;
-use std::io::{self, BufReader};
+use std::io;
 use std::net::SocketAddr;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::task::{Context, Poll};
+use std::time::Duration;
 
 use futures_util::future::{BoxFuture, FutureExt};
 use hyper::client::connect::{Connected, Connection};
 use hyper::service::Service;
 use hyper::Uri;
 use log::info;
 use pin_project::pin_project;
-use rustls::Session;
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tokio::net::TcpStream;
 use tokio::time::Sleep;
 use tokio_rustls::client::TlsStream;
-use tokio_rustls::rustls::internal::pemfile::{certs, pkcs8_private_keys};
-use tokio_rustls::rustls::{self, NoClientAuth};
-use tokio_rustls::webpki::DNSNameRef;
+use tokio_rustls::rustls::{
+    self, Certificate, ClientConfig, PrivateKey, RootCertStore, ServerConfig, ServerName,
+};
 use tokio_rustls::TlsConnector;
 
 use crate::handler::NewHandler;
 use crate::test::async_test::{AsyncTestClient, AsyncTestServerInner};
 use crate::test::{self, TestClient, TestServerData};
 use crate::tls::rustls_wrap;
-use std::time::Duration;
+
+fn server_config() -> ServerConfig {
+    let cert = Certificate(include_bytes!("tls_cert.der").to_vec());
+    let key = PrivateKey(include_bytes!("tls_key.der").to_vec());
+    ServerConfig::builder()
+        .with_safe_defaults()
+        .with_no_client_auth()
+        .with_single_cert(vec![cert], key)
+        .expect("Unable to create TLS server config")
+}
 
 /// The `TestServer` type, which is used as a harness when writing test cases for Hyper services
 /// (which Gotham's `Router` is). An instance of `TestServer` is run asynchronously within the
@@ -90,15 +100,8 @@ impl TestServer {
         new_handler: NH,
         timeout: u64,
     ) -> anyhow::Result<TestServer> {
-        let mut cfg = rustls::ServerConfig::new(NoClientAuth::new());
-        let mut cert_file = BufReader::new(&include_bytes!("cert.pem")[..]);
-        let mut key_file = BufReader::new(&include_bytes!("key.pem")[..]);
-        let certs = certs(&mut cert_file).unwrap();
-        let mut keys = pkcs8_private_keys(&mut key_file).unwrap();
-        cfg.set_single_cert(certs, keys.remove(0))?;
-
+        let cfg = server_config();
         let data = TestServerData::new(new_handler, timeout, rustls_wrap(cfg))?;
-
         Ok(TestServer {
             data: Arc::new(data),
         })
@@ -167,13 +170,7 @@ impl AsyncTestServer {
         new_handler: NH,
         timeout: Duration,
     ) -> anyhow::Result<AsyncTestServer> {
-        let mut cfg = rustls::ServerConfig::new(NoClientAuth::new());
-        let mut cert_file = BufReader::new(&include_bytes!("cert.pem")[..]);
-        let mut key_file = BufReader::new(&include_bytes!("key.pem")[..]);
-        let certs = certs(&mut cert_file).unwrap();
-        let mut keys = pkcs8_private_keys(&mut key_file).unwrap();
-        cfg.set_single_cert(certs, keys.remove(0))?;
-
+        let cfg = server_config();
         let inner = AsyncTestServerInner::new(new_handler, timeout, rustls_wrap(cfg)).await?;
         Ok(AsyncTestServer {
             inner: Arc::new(inner),
@@ -194,7 +191,7 @@ pub struct TlsConnectionStream<IO>(#[pin] TlsStream<IO>);
 impl<IO: AsyncRead + AsyncWrite + Connection + Unpin> Connection for TlsConnectionStream<IO> {
     fn connected(&self) -> Connected {
         let (tcp, tls) = self.0.get_ref();
-        if tls.get_alpn_protocol() == Some(b"h2") {
+        if tls.alpn_protocol() == Some(b"h2") {
             tcp.connected().negotiated_h2()
         } else {
             tcp.connected()
@@ -261,7 +258,7 @@ impl Service<Uri> for TestConnect {
         async move {
             match TcpStream::connect(address).await {
                 Ok(stream) => {
-                    let domain = DNSNameRef::try_from_ascii_str(req.host().unwrap()).unwrap();
+                    let domain = ServerName::try_from(req.host().unwrap()).unwrap();
                     match tls.connect(domain, stream).await {
                         Ok(tls_stream) => {
                             info!("Client TcpStream connected: {:?}", tls_stream);
@@ -282,13 +279,17 @@ impl Service<Uri> for TestConnect {
 
 impl From<SocketAddr> for TestConnect {
     fn from(addr: SocketAddr) -> Self {
-        let mut config = rustls::ClientConfig::new();
-        let mut cert_file = BufReader::new(&include_bytes!("ca_cert.pem")[..]);
-        config.root_store.add_pem_file(&mut cert_file).unwrap();
+        let mut root_store = RootCertStore::empty();
+        let ca_cert = include_bytes!("tls_ca_cert.der").to_vec();
+        root_store.add(&Certificate(ca_cert)).unwrap();
+        let cfg = ClientConfig::builder()
+            .with_safe_defaults()
+            .with_root_certificates(root_store)
+            .with_no_client_auth();
 
         Self {
             addr,
-            config: Arc::new(config),
+            config: Arc::new(cfg),
         }
     }
 }

diff --git a/gotham/src/tls/tls_ca_cert.der b/gotham/src/tls/tls_ca_cert.der
diff --git a/gotham/src/tls/tls_cert.der b/gotham/src/tls/tls_cert.der
diff --git a/gotham/src/tls/tls_key.der b/gotham/src/tls/tls_key.der
diff --git a/gotham/src/tls/tls_new_cert.sh b/gotham/src/tls/tls_new_cert.sh
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# certificate authority
+openssl ecparam -genkey -name prime256v1 -out tls_ca_key.pem
+openssl req -batch -new -x509 -days 3650 -subj '/CN=Gotham Test CA' -extensions v3_ca -key tls_ca_key.pem -outform DER -out tls_ca_cert.der
+
+# server certificate
+openssl ecparam -genkey -name prime256v1 -outform DER | \
+  openssl pkcs8 -topk8 -inform DER -nocrypt -outform DER -out tls_key.der
+serial=$(calc 0x`openssl rand -hex 20`)
+cat >tls_req.cnf <<EOF
+[ext]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1=example.org
+DNS.2=example.com
+DNS.3=localhost
+IP.1=127.0.0.1
+IP.2=::1
+EOF
+openssl req -batch -new -subj '/CN=example.org' -keyform DER -key tls_key.der | \
+  openssl x509 -req -days 3650 -CAform DER -CA tls_ca_cert.der -CAkey tls_ca_key.pem -extfile tls_req.cnf -extensions ext -set_serial $serial -outform DER -out tls_cert.der
+
+# cleanup
+rm tls_req.cnf
+rm tls_ca_key.pem
+
+# print certificates
+echo
+echo -e "\e[1mCA certificate:\e[0m"
+openssl x509 -noout -text -inform DER -in tls_ca_cert.der
+echo
+echo -e "\e[1mServer certificate:\e[0m"
+openssl x509 -noout -text -inform DER -in tls_cert.der