Properly load either RSA or PKCS8 formatted keys

Just my luck that a serious integration test ended up requiring PKCS8 formatted keys
2020-05-09 19:01:51 -07:00 · 2020-05-09 19:01:51 -07:00 · 961becb0be
parent 704b86316e
commit 961becb0be
4 changed files with 86 additions and 7 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -517,7 +517,7 @@ dependencies = [

 [[package]]
 name = "hotdog"
-version = "0.1.3"
+version = "0.1.4"
 dependencies = [
 "async-std",
 "async-tls",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,6 +1,6 @@
 [package]
 name = "hotdog"
-version = "0.1.3"
+version = "0.1.4"
 authors = ["R. Tyler Croy <rtyler+hotdog@brokenco.de>"]
 edition = "2018"

--- a/contrib/pkcs8-key.pem
+++ b/contrib/pkcs8-key.pem
@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDcHwdD3FKdlCHc
+wWkvnKx8YHayYBC3yC8kzzsLh/ze5nOgJRau7PfypKZ471IjMy9xZwF1Z9zM2LvM
+5ckmb9eSPfBmbFrGr5XuPTkJVvv9HJjdBJwFY8+R5uRKHNhADNCb0fVseCSQyJbW
+OH31cY7GHXqUVKDShIqeSRLkDYh/0pNIuwNA5ldz/Ih3h+Ws1XiAEA307GUfaPXc
+PsDuwp+3TPZbeGsoDiUYQyu/qjDyc/uGRFcdPtblYE3PO9Y2KFyv7nUXocqokS8k
+7G61oQcWXfWvmU8qUFmJ4UcO9RaTaxvz+JgmgoY1jZ1/bJ6qGAkG/9QWEq9TjRgf
+YhKAM377D/thhjFGwRAnQHIYpCuxeD2ayHGTgSE0xyztTTNI8RZdYeuRQn+gYfAG
+pxQT4Py6uLyQTAHIgRhljUKIO29Y0/8uefYzswh0+U9FHNwkvcMw1YkQE/9VuMyp
+oXjG3gw1EDk3Q0vv14V8liq/Mnql6piqxd8RynRy9EKxyBNN9xfS9lITf79fFyQ3
+1TGlL77O3hshM7rH35RhFmDWqX1dkRgLKL04ZbX429+V+Rkj+BrFyqCoCXoGi/Vk
+KnRcqblsr+3v9ukDbG5ucExTMH0cRMR5A7d3tgcp+Fy8Ohsqt/MCfcOS9Y7DZABT
+DBcE5tEkKl6sE34g+EILteyLGD+xQwIDAQABAoICABPpGpcgzrhCNe3p8MHFwjRd
+5V6tIdX93YXO2OBqJI1k+wB5WlvoQ2VHT2eQ/jUA5EG1t4QPKQG+eP5HqrI3W6B2
+yc/57Rwbtcwe7ZHStGhotcsIJ7S1GolwASZTBZyFjDkL/M8a7vPJsRsfcQVKiEeT
+UwsnvIROSNuYcIUAVGB7g6cIg3rTWwW6yf1F5ZiElqm+ygRlfaAhtlt9saXnJNtH
+suEDO24cGW7gZIypsFO9+fpjJB4ZGQcWdvNPzkiHzhp7z0ub7uDggQst97WmIyX6
+ycZgb7C8I90861iHAsvC3Hxs+BZDqDAf5ycnhBKOqgJgEacNeZ5tHMl57YJ7JfkU
+t88GO8rnQgkmBeLKg4aEX6A2zvtzQMfD6SaUBYvPG9gX+rJ4pFyEG006V4GgJS7v
+jo4usDevgyxiFnJbAO4vGPwbwOvXgzJMWAGxRETkFM++4Gmlo+NS995c2qfhpBLo
+IhMdSq/tYygC82lqjDIkIqJdMbg8/X4khvMhWrlIe3PSkbfaHe58IKq63Y8oRxK
+eTAWUw/khdpn0weSfQt/0XITci7+tn+HdNLulWyyf+/3LgwLp4l0+ss4lcoRO873
+OIm1Xy6SyUrFo6nvbbibhex0w4z+KuZNgN75DycikJqhwKGOsZCTMRYT+IYxQgv5
+qSe2JkhlXckHKa0DTuBBAoIBAQD2OtaVT20z4ctkId8OmhkIl/N61ofLxsDBlskO
+dXvdTWgoJQ+CM0Jww00R2Uppx3ZktL9K1BpY49GMvoyVNDXcEAoY1xpDiS46qnFm
+yZXYpYU+B4kZgmUbUG0Va3rUCQdVBqeFuKmTTLMhCQ1/Oh5XY/LeddyM8pNGo05d
+Rjn7fspENLCzKStkFXfpE3CPEVwnitg3ETezO44LntYXHRnBLQm5tJMF3r3jskyx
+MIdnNHDLKiHgp4XbEyltp10RiL2dgvdNQBOuo5T9Lbdf5jVxTq71kiiMib9u/ZEE
+ej9RHlYDjJLYktwyyVGyYtndfHUt7gwiGMIZOS6gtkafMNztAoIBAQDk2vum0/tG
+1eYMuN60vAt8Kh6PoHnR2Gw3/KQxx9PJLS5o/Eu2VG+Kk0ZLcCo3ABpSEOWBxAiv
+Kgun82GAxwEcPs8v2KObwpEK5SvA3tDdyY24qkVr6WDx/WNh3AjUo0jOZUrGUlvS
+M2rmbiUG3XGw3CRMUgvhfLzvQpx6/G8UQ5LVsgVycfbKijt0qbqramKqlKpu4UMm
+OccM8QNxWytrK4dEs41/YzmtBRuHzo8YeQ3eCY8RhT15E/hCdSHW0EleykiPBQJP
+75NdE5Jac1DVmK796G3V43wjfbkeN4o/dRjbJ0+aQhEiogyIZ2Darkg3/HwLDEy/
+rLCl2dgfaTDvAoIBAQCqrZZY4TmdIQLPYfswL/jyUAHiQBrZUegDSPYNI7q8aA+u
+5CGf6tA/QeGGYcyHDlAu9msy/1tUCncSzHK+afZ7mFKnbVMzRT/aQpNg4JMSHYoC
+uU57dDuJd3Jlyp7Vo3yFn5s3wg0poZz5ZUEJ08t8YDfVpHVA7lTQPhrv5OIERpsG
+NE/XoM4HDiqUUXlQcoQilMfTRAgMIVgRDgTw+KcFlKaNJ3JSO1f9IXavzCfPjjYx
+Xf8lrnnGpb2t2LlWkiZ9rG6oCaabA6Ee7jWSMA0TgasdZjbdVA5ybSm8pNCG9jRB
+OYwAu6wPOCV9NbA3KzI+qCeY6viAa3a6yB6j8kbxAoIBAQDiS7czi8GYlcHZKqTt
+SlSA/pUhqKlM2xiHdAZYQyQkdczCe1fSf0OcX2zPA6Z6pFtictq+qj18F7NW686q
+LB3o9CKjSTDewFHz2BCfsrQN21OMGrJytl7qaohvJ8iDmsJPdNGvsZiiDb3TBW8P
+jsDxBX3PCgI9gb7BR7i71AlynC8Bp/rC4/YI6Q9JmNvAzH2r9z1gTta7Yb52CYxB
+9sjEPFKRmIp+QHuznq1OaO4OYQVZXVJfHMVgiGKgNHq1k1g5pwSAh491w4yQKN47
+GnQAAe5nnAGf0kXaQmNegcTuYrelXQXVnyaafGqwJqkbE+LNmZh+xDbQAc7a8MJI
+rRd5AoIBAQCl5DW6gcnd7K/ippmLixMjxjluqyIjTzZjq/opD18BwkfNZgeKF9tn
+HG4QhwXwIw7UzVAKQuSW6ZWRgDCCYwAiQRjHul29XtX6NY5LuOnJJElnWAqk0O1e
+uKW3fL+vlAwfLQtZQMudVUTXz5xnXOTViSN9GTRlJn+ahM26tzGXmEqKDPtx64Fi
+NsiXjie/kDeeKpPwpDvVErnFezyHPfH2mgsBvNjytgJe5LvtAJqgR0dTJNUwxEOu
+VIG4AEnvAIR4c9BthxhkluBkpWetgt/ZWdwjDGZRGN1YxgXKlcCVOHtT6nLP04+W
+iAwAOku/DNYa9Kk8OnbvhKGgHYVn8huA
+-----END PRIVATE KEY-----
--- a/src/serve_tls.rs
+++ b/src/serve_tls.rs
@ -16,7 +16,7 @@ use async_tls::TlsAcceptor;
 use crossbeam::channel::bounded;
 use dipstick::*;
 use log::*;
-use rustls::internal::pemfile::{certs, rsa_private_keys};
+use rustls::internal::pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
 use rustls::{Certificate, NoClientAuth, PrivateKey, ServerConfig};
 use std::path::Path;

@ -27,11 +27,24 @@ fn load_certs(path: &Path) -> io::Result<Vec<Certificate>> {
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid cert"))
 }

-/// Load the passed keys file
+/**
+ * Loads the keys file passed in, whether it is an RSA or PKCS8 formatted key
+ */
 fn load_keys(path: &Path) -> io::Result<Vec<PrivateKey>> {
    debug!("Loading TLS keys from: {}", path.display());
-    rsa_private_keys(&mut std::io::BufReader::new(std::fs::File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"))
+
+    let result = rsa_private_keys(&mut std::io::BufReader::new(std::fs::File::open(path)?))
+        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"));
+
+    if let Ok(keys) = result {
+        if keys.len() == 0 {
+            debug!("Failed to load key as RSA, trying PKCS8");
+            return pkcs8_private_keys(&mut std::io::BufReader::new(std::fs::File::open(path)?))
+                .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"));
+        }
+        return Ok(keys);
+    }
+    return result;
 }

 /// Configure the server using rusttls
@ -44,6 +57,10 @@ fn load_tls_config(settings: &Settings) -> io::Result<ServerConfig> {
            let certs = load_certs(cert.as_path())?;
            let mut keys = load_keys(key.as_path())?;

+            if keys.len() <= 0  {
+                panic!("TLS key could not be properly loaded! This is fatal!");
+            }
+
            // we don't use client authentication
            let mut config = ServerConfig::new(NoClientAuth::new());
            config
@ -172,7 +189,7 @@ mod tests {
    }

    #[test]
-    fn test_load_keys() {
+    fn test_load_keys_rsa() {
        let key_path = Path::new("./contrib/cert-key.pem");
        if let Ok(keys) = load_keys(&key_path) {
            assert_eq!(1, keys.len());
@ -180,4 +197,14 @@ mod tests {
            assert!(false);
        }
    }
+
+    #[test]
+    fn test_load_keys_pkcs8() {
+        let key_path = Path::new("./contrib/pkcs8-key.pem");
+        if let Ok(keys) = load_keys(&key_path) {
+            assert_eq!(1, keys.len());
+        } else {
+            assert!(false);
+        }
+    }
 }