

chore(tls): Change method to convert certificate and identity to rustls-pki-types type to independent function
tottoto committed Sep 24, 2024
1 parent 9bc0bb3 commit 8a8e8e2
Showing 3 changed files with 25 additions and 22 deletions.
8 changes: 5 additions & 3 deletions tonic/src/transport/channel/service/tls.rs
Expand Up @@ -12,7 +12,9 @@ use tokio_rustls::{
};

use super::io::BoxedIo;
use crate::transport::service::tls::{TlsError, ALPN_H2};
use crate::transport::service::tls::{
convert_certificate_to_pki_types, convert_identity_to_pki_types, TlsError, ALPN_H2,
};
use crate::transport::tls::{Certificate, Identity};

#[derive(Clone)]
Expand Down Expand Up @@ -54,13 +56,13 @@ impl TlsConnector {
}

for cert in ca_certs {
roots.add_parsable_certificates(cert.parse()?);
roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);
}

let builder = builder.with_root_certificates(roots);
let mut config = match identity {
Some(identity) => {
let (client_cert, client_key) = identity.parse()?;
let (client_cert, client_key) = convert_identity_to_pki_types(&identity)?;
builder.with_client_auth_cert(client_cert, client_key)?
}
None => builder.with_no_client_auth(),
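Review bot: `roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?)` in the `for cert in ca_certs` loop discards the method's return value, which in the rustls versions I know is the `(added, ignored)` pair reporting how many DER certificates could not be turned into trust anchors, so a corrupt entry in a CA bundle is skipped silently while the remaining anchors are accepted. Consider capturing it and refusing the configuration when anything was dropped, e.g. `let (_, ignored) = roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);` followed by `if ignored != 0 { return Err(TlsError::CertificateParseError.into()); }` (adjusted to this function's error type, which I cannot see from the hunk). The same applies to the client-auth root store built in tonic/src/transport/server/service/tls.rs. The enclosing `TlsConnector` function starts and ends outside the hunk.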
9 changes: 6 additions & 3 deletions tonic/src/transport/server/service/tls.rs
Expand Up @@ -7,7 +7,10 @@ use tokio_rustls::{
TlsAcceptor as RustlsAcceptor,
};

use crate::transport::{service::tls::ALPN_H2, Certificate, Identity};
use crate::transport::{
service::tls::{convert_certificate_to_pki_types, convert_identity_to_pki_types, ALPN_H2},
Certificate, Identity,
};

#[derive(Clone)]
pub(crate) struct TlsAcceptor {
Expand All @@ -26,7 +29,7 @@ impl TlsAcceptor {
None => builder.with_no_client_auth(),
Some(cert) => {
let mut roots = RootCertStore::empty();
roots.add_parsable_certificates(cert.parse()?);
roots.add_parsable_certificates(convert_certificate_to_pki_types(&cert)?);
let verifier = if client_auth_optional {
WebPkiClientVerifier::builder(roots.into()).allow_unauthenticated()
} else {
Expand All @@ -37,7 +40,7 @@ impl TlsAcceptor {
}
};

let (cert, key) = identity.parse()?;
let (cert, key) = convert_identity_to_pki_types(&identity)?;
let mut config = builder.with_single_cert(cert, key)?;

config.alpn_protocols.push(ALPN_H2.into());
30 changes: 14 additions & 16 deletions tonic/src/transport/service/tls.rs
Expand Up @@ -35,22 +35,20 @@ impl fmt::Display for TlsError {

impl std::error::Error for TlsError {}

impl Certificate {
pub(crate) fn parse(&self) -> Result<Vec<CertificateDer<'static>>, TlsError> {
rustls_pemfile::certs(&mut Cursor::new(&self.pem))
.collect::<Result<Vec<_>, _>>()
.map_err(|_| TlsError::CertificateParseError)
}
pub(crate) fn convert_certificate_to_pki_types(
certificate: &Certificate,
) -> Result<Vec<CertificateDer<'static>>, TlsError> {
rustls_pemfile::certs(&mut Cursor::new(certificate))
.collect::<Result<Vec<_>, _>>()
.map_err(|_| TlsError::CertificateParseError)
}

impl Identity {
pub(crate) fn parse(
&self,
) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), TlsError> {
let cert = self.cert.parse()?;
let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&self.key)) else {
return Err(TlsError::PrivateKeyParseError);
};
Ok((cert, key))
}
pub(crate) fn convert_identity_to_pki_types(
identity: &Identity,
) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), TlsError> {
let cert = convert_certificate_to_pki_types(&identity.cert)?;
let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&identity.key)) else {
return Err(TlsError::PrivateKeyParseError);
};
Ok((cert, key))
}
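Review bot: `convert_certificate_to_pki_types` returns `Ok` with an empty `Vec` when the PEM input contains no CERTIFICATE blocks, so a mis-pointed or mis-encoded CA file is not reported as `CertificateParseError` at configuration time but surfaces later, when the empty root store is used. If an empty chain should be rejected here, appending `.and_then(|certs| if certs.is_empty() { Err(TlsError::CertificateParseError) } else { Ok(certs) })` after the `map_err` does it; I cannot see from the hunk whether any caller relies on an empty result being valid. Both functions also discard the underlying `rustls_pemfile` error via `map_err(|_| …)` and the `let Ok(Some(key)) … else` pattern, so an operator learns only that parsing failed, not why — worth preserving the source if `TlsError` can carry it. The new `pub(crate)` functions carry no doc comments; suggest `/// Parses the PEM-encoded certificate chain in `certificate` into DER certificates.` on the first and `/// Parses a PEM identity into its certificate chain and private key; fails with `PrivateKeyParseError` when no key is found.` on the second.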

