From dc93477644c0fc58d9afeb515ddc286297124faa Mon Sep 17 00:00:00 2001
From: tottoto
Date: Thu, 4 Jul 2024 01:14:36 +0900
Subject: [PATCH] chore(tls): Change method to convert certificate and identity to rustls-pki-types type to independent function

---
 tonic/src/transport/channel/service/tls.rs | 8 +++---
 tonic/src/transport/server/service/tls.rs | 9 ++++---
 tonic/src/transport/service/tls.rs | 30 ++++++++++------------
 3 files changed, 25 insertions(+), 22 deletions(-)

diff --git a/tonic/src/transport/channel/service/tls.rs b/tonic/src/transport/channel/service/tls.rs
index 7912e5a72..2fc963ab9 100644
--- a/tonic/src/transport/channel/service/tls.rs
+++ b/tonic/src/transport/channel/service/tls.rs
@@ -12,7 +12,9 @@ use tokio_rustls::{
 };
 
 use super::io::BoxedIo;
-use crate::transport::service::tls::{TlsError, ALPN_H2};
+use crate::transport::service::tls::{
+ convert_certificate_to_pki_types, convert_identity_to_pki_types, TlsError, ALPN_H2,
+};
 use crate::transport::tls::{Certificate, Identity};
 
 #[derive(Clone)]
@@ -54,13 +56,13 @@ impl TlsConnector {
 }
 
 for cert in ca_certs {
- roots.add_parsable_certificates(cert.parse()?);
+ roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);
 }
 
 let builder = builder.with_root_certificates(roots);
 let mut config = match identity {
 Some(identity) => {
- let (client_cert, client_key) = identity.parse()?;
+ let (client_cert, client_key) = convert_identity_to_pki_types(&identity)?;
 builder.with_client_auth_cert(client_cert, client_key)?
 }
 None => builder.with_no_client_auth(),
diff --git a/tonic/src/transport/server/service/tls.rs b/tonic/src/transport/server/service/tls.rs
index e6191edc3..ce486c09d 100644
--- a/tonic/src/transport/server/service/tls.rs
+++ b/tonic/src/transport/server/service/tls.rs
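Review bot: On the changed `roots.add_parsable_certificates(...)` line the `(added, ignored)` counts returned by `RootCertStore::add_parsable_certificates` are still discarded, so a CA entry whose blocks all fail DER parsing leaves `roots` unchanged with no error, and the problem only surfaces later as a generic verification failure instead of at configuration time. Since `?` on `convert_certificate_to_pki_types(&cert)?` already shows `TlsError` converts into the enclosing error type, a fail-closed check fits in place: `let (added, _ignored) = roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);` followed by `if added == 0 { return Err(TlsError::CertificateParseError.into()); }`. The same pattern appears in the server hunk `@@ -26,7 +29,7 @@` of tonic/src/transport/server/service/tls.rs. `TlsConnector::new` starts and ends outside this hunk, so its exact return type is inferred from the surrounding `?` uses.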
@@ -7,7 +7,10 @@ use tokio_rustls::{
 TlsAcceptor as RustlsAcceptor,
 };
 
-use crate::transport::{service::tls::ALPN_H2, Certificate, Identity};
+use crate::transport::{
+ service::tls::{convert_certificate_to_pki_types, convert_identity_to_pki_types, ALPN_H2},
+ Certificate, Identity,
+};
 
 #[derive(Clone)]
 pub(crate) struct TlsAcceptor {
@@ -26,7 +29,7 @@ impl TlsAcceptor {
 None => builder.with_no_client_auth(),
 Some(cert) => {
 let mut roots = RootCertStore::empty();
- roots.add_parsable_certificates(cert.parse()?);
+ roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);
 let verifier = if client_auth_optional {
 WebPkiClientVerifier::builder(roots.into()).allow_unauthenticated()
 } else {
@@ -37,7 +40,7 @@ impl TlsAcceptor {
 }
 };
 
- let (cert, key) = identity.parse()?;
+ let (cert, key) = convert_identity_to_pki_types(&identity)?;
 let mut config = builder.with_single_cert(cert, key)?;
 config.alpn_protocols.push(ALPN_H2.into());
 
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
index 7e9172b9e..1b0c1c458 100644
--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -35,22 +35,20 @@ impl fmt::Display for TlsError {
 
 impl std::error::Error for TlsError {}
 
-impl Certificate {
- pub(crate) fn parse(&self) -> Result>, TlsError> {
- rustls_pemfile::certs(&mut Cursor::new(&self.pem))
- .collect::, _>>()
- .map_err(|_| TlsError::CertificateParseError)
- }
+pub(crate) fn convert_certificate_to_pki_types(
+ certificate: &Certificate,
+) -> Result>, TlsError> {
+ rustls_pemfile::certs(&mut Cursor::new(certificate))
+ .collect::, _>>()
+ .map_err(|_| TlsError::CertificateParseError)
 }
 
-impl Identity {
- pub(crate) fn parse(
- &self,
- ) -> Result<(Vec>, PrivateKeyDer<'static>), TlsError> {
- let cert = self.cert.parse()?;
- let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&self.key)) else {
- return Err(TlsError::PrivateKeyParseError);
- };
- Ok((cert, key))
- }
+pub(crate) fn convert_identity_to_pki_types(
+ identity: &Identity,
+) -> Result<(Vec>, PrivateKeyDer<'static>), TlsError> {
+ let cert = convert_certificate_to_pki_types(&identity.cert)?;
+ let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&identity.key)) else {
+ return Err(TlsError::PrivateKeyParseError);
+ };
+ Ok((cert, key))
 }
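Review bot: `convert_certificate_to_pki_types` returns `Ok(vec![])` when the PEM holds no CERTIFICATE block (an empty or mis-pasted file), so the mistake is only noticed later as an empty chain or root store; this is inherited from the removed `Certificate::parse`, but the new free function is the natural place to fail closed, e.g. bind the collected `Vec` to `certs`, then `if certs.is_empty() { return Err(TlsError::CertificateParseError); }` before `Ok(certs)`. Both new functions also lack doc comments; suggested for the first: `/// Decodes every PEM CERTIFICATE block of the given certificate into DER; any decode error maps to TlsError::CertificateParseError (the underlying error is discarded by map_err).` and for the second: `/// Converts an Identity into the (certificate chain, private key) pair rustls expects; a missing or undecodable key maps to TlsError::PrivateKeyParseError.` Note that `Cursor::new(certificate)` now passes the `&Certificate` itself where the old code passed `&self.pem`, which presumably relies on an `AsRef<[u8]>` impl for `Certificate` that is not visible in this hunk.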