deps: rcgen 0.12 -> 0.13

This updates the project's dev dependency on rcgen from 0.12 to 0.13,
adapting the example code to its breaking API changes as appropriate.
This commit is contained in:
Daniel McCarney 2024-04-07 13:15:12 -04:00
parent 9444dcbc7b
commit 2b0e174be2
5 changed files with 80 additions and 70 deletions

Cargo.lock generated

@ -349,6 +349,7 @@ dependencies = [
"aws-lc-sys",
"mirai-annotations",
"paste",
"untrusted 0.7.1",
"zeroize",
]
@ -2006,12 +2007,14 @@ dependencies = [
[[package]]
name = "rcgen"
version = "0.12.1"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1"
checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
dependencies = [
"aws-lc-rs",
"pem",
"ring",
"rustls-pki-types",
"time",
"yasna",
]
@ -2085,7 +2088,7 @@ dependencies = [
"getrandom",
"libc",
"spin 0.9.8",
"untrusted",
"untrusted 0.9.0",
"windows-sys 0.52.0",
]
@ -2324,7 +2327,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
dependencies = [
"ring",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2336,7 +2339,7 @@ dependencies = [
"aws-lc-rs",
"ring",
"rustls-pki-types",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2364,7 +2367,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
dependencies = [
"ring",
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -2745,6 +2748,12 @@ dependencies = [
"subtle",
]
[[package]]
name = "untrusted"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]]
name = "untrusted"
version = "0.9.0"


@ -13,7 +13,7 @@ env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest
log = { version = "0.4.4" }
mio = { version = "0.8", features = ["net", "os-poll"] }
pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
rcgen = { version = "0.12", features = ["pem", "ring"], default-features = false }
rcgen = { version = "0.13", features = ["pem", "aws_lc_rs"], default-features = false }
rustls = { path = "../rustls", features = [ "logging" ]}
rustls-pemfile = "2"
serde = "1.0"


@ -13,9 +13,8 @@ use std::time::Duration;
use std::{fs, thread};
use docopt::Docopt;
use rustls::pki_types::{
CertificateDer, CertificateRevocationListDer, PrivateKeyDer, PrivatePkcs8KeyDer,
};
use rcgen::KeyPair;
use rustls::pki_types::{CertificateRevocationListDer, PrivatePkcs8KeyDer};
use rustls::server::{Acceptor, ClientHello, ServerConfig, WebPkiClientVerifier};
use rustls::RootCertStore;
use serde_derive::Deserialize;
@ -58,19 +57,13 @@ fn main() {
&args
.flag_ca_path
.unwrap_or("ca-cert.pem".to_string()),
&test_pki
.ca_cert
.serialize_pem()
.unwrap(),
&test_pki.ca_cert.cert.pem(),
);
write_pem(
&args
.flag_client_cert_path
.unwrap_or("client-cert.pem".to_string()),
&test_pki
.client_cert
.serialize_pem_with_signer(&test_pki.ca_cert)
.unwrap(),
&test_pki.client_cert.cert.pem(),
);
write_pem(
&args
@ -78,7 +71,8 @@ fn main() {
.unwrap_or("client-key.pem".to_string()),
&test_pki
.client_cert
.serialize_private_key_pem(),
.key_pair
.serialize_pem(),
);
// Write out an initial DER CRL that has no revoked certificates.
@ -147,10 +141,9 @@ fn main() {
/// A test PKI with a CA certificate, server certificate, and client certificate.
struct TestPki {
roots: Arc<RootCertStore>,
ca_cert: rcgen::Certificate,
client_cert: rcgen::Certificate,
server_cert_der: CertificateDer<'static>,
server_key_der: PrivateKeyDer<'static>,
ca_cert: rcgen::CertifiedKey,
client_cert: rcgen::CertifiedKey,
server_cert: rcgen::CertifiedKey,
}
impl TestPki {
@ -158,7 +151,7 @@ impl TestPki {
fn new() -> Self {
// Create an issuer CA cert.
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
ca_params
.distinguished_name
.push(rcgen::DnType::OrganizationName, "Rustls Server Acceptor");
@ -171,44 +164,51 @@ impl TestPki {
rcgen::KeyUsagePurpose::DigitalSignature,
rcgen::KeyUsagePurpose::CrlSign,
];
ca_params.alg = alg;
let ca_cert = rcgen::Certificate::from_params(ca_params).unwrap();
let ca_key = KeyPair::generate_for(alg).unwrap();
let ca_cert = ca_params.self_signed(&ca_key).unwrap();
// Create a server end entity cert issued by the CA.
let mut server_ee_params = rcgen::CertificateParams::new(vec!["localhost".to_string()]);
let mut server_ee_params =
rcgen::CertificateParams::new(vec!["localhost".to_string()]).unwrap();
server_ee_params.is_ca = rcgen::IsCa::NoCa;
server_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
server_ee_params.alg = alg;
let server_cert = rcgen::Certificate::from_params(server_ee_params).unwrap();
let server_cert_der = CertificateDer::from(
server_cert
.serialize_der_with_signer(&ca_cert)
.unwrap(),
);
let server_key_der = PrivatePkcs8KeyDer::from(server_cert.serialize_private_key_der());
let ee_key = KeyPair::generate_for(alg).unwrap();
let server_cert = server_ee_params
.signed_by(&ee_key, &ca_cert, &ca_key)
.unwrap();
// Create a client end entity cert issued by the CA.
let mut client_ee_params = rcgen::CertificateParams::new(Vec::new());
let mut client_ee_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
client_ee_params
.distinguished_name
.push(rcgen::DnType::CommonName, "Example Client");
client_ee_params.is_ca = rcgen::IsCa::NoCa;
client_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ClientAuth];
client_ee_params.alg = alg;
client_ee_params.serial_number = Some(rcgen::SerialNumber::from(vec![0xC0, 0xFF, 0xEE]));
let client_cert = rcgen::Certificate::from_params(client_ee_params).unwrap();
let client_key = KeyPair::generate_for(alg).unwrap();
let client_cert = client_ee_params
.signed_by(&client_key, &ca_cert, &ca_key)
.unwrap();
// Create a root cert store that includes the CA certificate.
let mut roots = RootCertStore::empty();
roots
.add(CertificateDer::from(ca_cert.serialize_der().unwrap()))
.add(ca_cert.der().clone())
.unwrap();
Self {
roots: roots.into(),
ca_cert,
client_cert,
server_cert_der,
server_key_der: server_key_der.into(),
ca_cert: rcgen::CertifiedKey {
cert: ca_cert,
key_pair: ca_key,
},
client_cert: rcgen::CertifiedKey {
cert: client_cert,
key_pair: client_key,
},
server_cert: rcgen::CertifiedKey {
cert: server_cert,
key_pair: ee_key,
},
}
}
@ -238,11 +238,11 @@ impl TestPki {
let mut server_config = ServerConfig::builder()
.with_client_cert_verifier(verifier)
.with_single_cert(
vec![self.server_cert_der.clone()],
vec![self.server_cert.cert.der().clone()],
PrivatePkcs8KeyDer::from(
self.server_key_der
.secret_der()
.to_owned(),
self.server_cert
.key_pair
.serialize_der(),
)
.into(),
)
@ -256,7 +256,11 @@ impl TestPki {
/// Issue a certificate revocation list (CRL) for the revoked `serials` provided (may be empty).
/// The CRL will be signed by the test PKI CA and returned in DER serialized form.
fn crl(&self, serials: Vec<rcgen::SerialNumber>, next_update_seconds: u64) -> Vec<u8> {
fn crl(
&self,
serials: Vec<rcgen::SerialNumber>,
next_update_seconds: u64,
) -> CertificateRevocationListDer {
// In a real use-case you would want to set this to the current date/time.
let now = rcgen::date_time_ymd(2023, 1, 1);
@ -272,19 +276,18 @@ impl TestPki {
.collect();
// Create a new CRL signed by the CA cert.
let crl = rcgen::CertificateRevocationListParams {
let crl_params = rcgen::CertificateRevocationListParams {
this_update: now,
next_update: now.add(Duration::from_secs(next_update_seconds)),
crl_number: rcgen::SerialNumber::from(1234),
issuing_distribution_point: None,
revoked_certs,
key_identifier_method: rcgen::KeyIdMethod::Sha256,
alg: &rcgen::PKCS_ECDSA_P256_SHA256,
};
rcgen::CertificateRevocationList::from_params(crl)
.unwrap()
.serialize_der_with_signer(&self.ca_cert)
crl_params
.signed_by(&self.ca_cert.cert, &self.ca_cert.key_pair)
.unwrap()
.into()
}
}
@ -311,7 +314,8 @@ impl CrlUpdater {
vec![self
.pki
.client_cert
.get_params()
.cert
.params()
.serial_number
.clone()
.unwrap()]
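Review bot: The server key pair in `TestPki::new` is named `ee_key` while its siblings are `ca_key` and `client_key` (and the provider example names the same thing `server_key`); renaming it `let server_key = KeyPair::generate_for(alg).unwrap();` and using `key_pair: server_key` in the `Self` literal keeps the three `CertifiedKey` constructions parallel. The `TestPki` doc comment could also state that every field is now a `rcgen::CertifiedKey` carrying the private key alongside the certificate — including the CA key, which `crl()` uses to sign revocation lists — so a reader sees at once that the struct is test-only material; e.g. `/// A test PKI: CA, server and client certificates, each paired with its private key. The CA key stays resident because crl() signs with it.` Both the `TestPki` struct and `TestPki::new` are cut by hunk boundaries, so the rest of their definitions is not visible here.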


@ -28,7 +28,7 @@ x25519-dalek = "2"
[dev-dependencies]
env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest features)
hex = "0.4.3"
rcgen = { version = "0.12", features = ["ring"] }
rcgen = { version = "0.13", features = ["aws_lc_rs"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
webpki-roots = "0.26"
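Review bot: `rcgen = { version = "0.13", features = ["aws_lc_rs"] }` keeps rcgen's default features, which, if 0.13's defaults still include `ring`, compiles both the ring and aws-lc-rs backends into this dev build, whereas the examples crate above pairs the feature switch with `default-features = false`. If only the aws-lc-rs backend is intended here, mirror that: `rcgen = { version = "0.13", features = ["aws_lc_rs"], default-features = false }` (adding `"pem"` only if this crate needs PEM output). Worth confirming against rcgen 0.13's feature table before changing.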


@ -58,7 +58,7 @@ struct TestPki {
impl TestPki {
fn new() -> Self {
let alg = &rcgen::PKCS_ECDSA_P256_SHA256;
let mut ca_params = rcgen::CertificateParams::new(Vec::new());
let mut ca_params = rcgen::CertificateParams::new(Vec::new()).unwrap();
ca_params
.distinguished_name
.push(rcgen::DnType::OrganizationName, "Provider Server Example");
@ -70,25 +70,22 @@ impl TestPki {
rcgen::KeyUsagePurpose::KeyCertSign,
rcgen::KeyUsagePurpose::DigitalSignature,
];
ca_params.alg = alg;
let ca_cert = rcgen::Certificate::from_params(ca_params).unwrap();
let ca_key = rcgen::KeyPair::generate_for(alg).unwrap();
let ca_cert = ca_params.self_signed(&ca_key).unwrap();
// Create a server end entity cert issued by the CA.
let mut server_ee_params = rcgen::CertificateParams::new(vec!["localhost".to_string()]);
let mut server_ee_params =
rcgen::CertificateParams::new(vec!["localhost".to_string()]).unwrap();
server_ee_params.is_ca = rcgen::IsCa::NoCa;
server_ee_params.extended_key_usages = vec![rcgen::ExtendedKeyUsagePurpose::ServerAuth];
server_ee_params.alg = alg;
let server_cert = rcgen::Certificate::from_params(server_ee_params).unwrap();
let server_cert_der = CertificateDer::from(
server_cert
.serialize_der_with_signer(&ca_cert)
.unwrap(),
);
let server_key_der =
PrivatePkcs8KeyDer::from(server_cert.serialize_private_key_der()).into();
let server_key = rcgen::KeyPair::generate_for(alg).unwrap();
let server_cert = server_ee_params
.signed_by(&server_key, &ca_cert, &ca_key)
.unwrap();
Self {
server_cert_der,
server_key_der,
server_cert_der: server_cert.into(),
// TODO(XXX): update below once https://github.com/rustls/rcgen/issues/260 is resolved.
server_key_der: PrivatePkcs8KeyDer::from(server_key.serialize_der()).into(),
}
}
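Review bot: `TestPki::new` now generates a separate `ca_key` that goes out of scope at the end of the function, since the `Self` literal stores only `server_cert_der` and `server_key_der`; a one-line comment would make that deliberate rather than accidental, e.g. `// The CA cert and key are not retained: this example only needs the leaf cert and key to serve.` The `TODO(XXX)` on the key line is useful, but `XXX` reads as a placeholder owner — naming what it waits for (presumably a direct `KeyPair` → `PrivatePkcs8KeyDer` conversion, if that is what rcgen#260 tracks) makes it actionable without following the link. The `TestPki` field list lies outside this hunk, so the retained fields are inferred from the constructor.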