diff --git a/Cargo.toml b/Cargo.toml index 117ab4de4..c829d50e2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,3 +29,5 @@ members = [ ] resolver = "2" +[patch.crates-io] +rustls = { git = "https://github.com/rustls/rustls", package ="rustls", rev = "b57204daab48e46b216d2505d9007cbdde0a6460" } diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml index 7456b6556..a36bf5cd9 100644 --- a/tonic/Cargo.toml +++ b/tonic/Cargo.toml @@ -27,7 +27,7 @@ codegen = ["dep:async-trait"] gzip = ["dep:flate2"] default = ["transport", "codegen", "prost"] prost = ["dep:prost"] -tls = ["dep:rustls-pemfile", "transport", "dep:tokio-rustls", "tokio/rt", "tokio/macros"] +tls = ["dep:rustls-pki-types", "dep:rustls-pemfile", "transport", "dep:tokio-rustls", "tokio/rt", "tokio/macros"] tls-roots = ["tls-roots-common", "dep:rustls-native-certs"] tls-roots-common = ["tls"] tls-webpki-roots = ["tls-roots-common", "dep:webpki-roots"] @@ -77,10 +77,11 @@ axum = {version = "0.6.9", default_features = false, optional = true} # rustls async-stream = { version = "0.3", optional = true } -rustls-pemfile = { version = "1.0", optional = true } -rustls-native-certs = { version = "0.6.3", optional = true } -tokio-rustls = { version = "0.24", optional = true } -webpki-roots = { version = "0.25.0", optional = true } +rustls-pki-types = { version = "0.2", optional = true } +rustls-pemfile = { version = "2.0.0-alpha.1", optional = true } +rustls-native-certs = { git = "https://github.com/rustls/rustls-native-certs", optional = true } +tokio-rustls = { git = "https://github.com/rustls/tokio-rustls", optional = true } +webpki-roots = { version = "0.26.0-alpha.1", optional = true } # compression flate2 = {version = "1.0", optional = true} diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs index f956132fb..6d0b90d55 100644 --- a/tonic/src/transport/service/tls.rs +++ b/tonic/src/transport/service/tls.rs @@ -6,7 +6,10 @@ use crate::transport::{ use std::{fmt, sync::Arc}; use tokio::io::{AsyncRead, AsyncWrite}; use tokio_rustls::{ - rustls::{ClientConfig, RootCertStore, ServerConfig, ServerName}, + rustls::{ + crypto::ring::Ring, server::WebPkiClientVerifier, ClientConfig, RootCertStore, + ServerConfig, ServerName, + }, TlsAcceptor as RustlsAcceptor, TlsConnector as RustlsConnector, }; @@ -22,7 +25,7 @@ enum TlsError { #[derive(Clone)] pub(crate) struct TlsConnector { - config: Arc, + config: Arc>, domain: Arc, } @@ -36,16 +39,10 @@ impl TlsConnector { let mut roots = RootCertStore::empty(); #[cfg(feature = "tls-roots")] - roots.add_parsable_certificates(&rustls_native_certs::load_native_certs()?); + roots.add_parsable_certificates(rustls_native_certs::load_native_certs()?); #[cfg(feature = "tls-webpki-roots")] - roots.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| { - tokio_rustls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - ) - })); + roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); if let Some(cert) = ca_cert { rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?; @@ -98,7 +95,7 @@ impl fmt::Debug for TlsConnector { #[derive(Clone)] pub(crate) struct TlsAcceptor { - inner: Arc, + inner: Arc>, } impl TlsAcceptor { @@ -112,18 +109,19 @@ impl TlsAcceptor { let builder = match (client_ca_root, client_auth_optional) { (None, _) => builder.with_no_client_auth(), (Some(cert), true) => { - use tokio_rustls::rustls::server::AllowAnyAnonymousOrAuthenticatedClient; let mut roots = RootCertStore::empty(); rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?; builder.with_client_cert_verifier( - AllowAnyAnonymousOrAuthenticatedClient::new(roots).boxed(), + WebPkiClientVerifier::builder(roots.into()) + .allow_unauthenticated() + .build()?, ) } (Some(cert), false) => { - use tokio_rustls::rustls::server::AllowAnyAuthenticatedClient; let mut roots = RootCertStore::empty(); rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?; - builder.with_client_cert_verifier(AllowAnyAuthenticatedClient::new(roots).boxed()) + builder + .with_client_cert_verifier(WebPkiClientVerifier::builder(roots.into()).build()?) } }; @@ -169,19 +167,21 @@ impl std::error::Error for TlsError {} mod rustls_keys { use std::io::Cursor; - use tokio_rustls::rustls::{Certificate, PrivateKey, RootCertStore}; + use rustls_pki_types::{CertificateDer, PrivateKeyDer}; + use tokio_rustls::rustls::RootCertStore; use crate::transport::service::tls::TlsError; use crate::transport::Identity; pub(super) fn load_rustls_private_key( mut cursor: std::io::Cursor<&[u8]>, - ) -> Result { + ) -> Result, crate::Error> { while let Ok(Some(item)) = rustls_pemfile::read_one(&mut cursor) { + use rustls_pemfile::Item; match item { - rustls_pemfile::Item::RSAKey(key) - | rustls_pemfile::Item::PKCS8Key(key) - | rustls_pemfile::Item::ECKey(key) => return Ok(PrivateKey(key)), + Item::Pkcs1Key(der) => return Ok(PrivateKeyDer::from(der)), + Item::Pkcs8Key(der) => return Ok(PrivateKeyDer::from(der)), + Item::Sec1Key(der) => return Ok(PrivateKeyDer::from(der)), _ => continue, } } @@ -192,11 +192,11 @@ mod rustls_keys { pub(crate) fn load_identity( identity: Identity, - ) -> Result<(Vec, PrivateKey), crate::Error> { - let cert = { + ) -> Result<(Vec>, PrivateKeyDer<'static>), crate::Error> { + let certs = { let mut cert = std::io::Cursor::new(identity.cert.as_ref()); - match rustls_pemfile::certs(&mut cert) { - Ok(certs) => certs.into_iter().map(Certificate).collect(), + match rustls_pemfile::certs(&mut cert).collect::, _>>() { + Ok(certs) => certs, Err(_) => return Err(Box::new(TlsError::CertificateParseError)), } }; @@ -211,14 +211,16 @@ mod rustls_keys { } }; - Ok((cert, key)) + Ok((certs, key)) } pub(crate) fn add_certs_from_pem( mut certs: Cursor<&[u8]>, roots: &mut RootCertStore, ) -> Result<(), crate::Error> { - let (_, ignored) = roots.add_parsable_certificates(&rustls_pemfile::certs(&mut certs)?); + let (_, ignored) = roots.add_parsable_certificates( + rustls_pemfile::certs(&mut certs).collect::, _>>()?, + ); match ignored == 0 { true => Ok(()), false => Err(Box::new(TlsError::CertificateParseError)),