chore: refactor rpxy-certs
This commit is contained in:
Jun Kurihara
parent
4c1c1afc30
commit
254b5c1bb1
2 changed files with 52 additions and 61 deletions
|
|
@ -75,9 +75,7 @@ impl SingleServerCertsKeys {
|
|||
/* ------------------------------------------------ */
|
||||
/// Parse the client CA certificates and return a hashmap of pairs of a subject key identifier (key) and a trust anchor (value)
|
||||
pub fn rustls_client_certs_trust_anchors(&self) -> Result<TrustAnchors, RpxyCertError> {
|
||||
let Some(certs) = self.client_ca_certs.as_ref() else {
|
||||
return Err(RpxyCertError::NoClientCert);
|
||||
};
|
||||
let certs = self.client_ca_certs.as_ref().ok_or(RpxyCertError::NoClientCert)?;
|
||||
let certs = certs.iter().map(|c| Certificate::from(c.to_vec())).collect::<Vec<_>>();
|
||||
|
||||
let trust_anchors = certs
|
||||
|
|
|
|||
|
|
@ -80,77 +80,70 @@ fn read_certs_and_keys(
|
|||
) -> Result<SingleServerCertsKeys, RpxyCertError> {
|
||||
debug!("Read TLS server certificates and private key");
|
||||
|
||||
// ------------------------
|
||||
// certificates
|
||||
let raw_certs = {
|
||||
let mut reader = BufReader::new(File::open(cert_path).map_err(|e| {
|
||||
let mut reader = BufReader::new(File::open(cert_path).map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!("Unable to load the certificates [{}]: {e}", cert_path.display()),
|
||||
)
|
||||
})?);
|
||||
let raw_certs = rustls_pemfile::certs(&mut reader)
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?;
|
||||
|
||||
// ------------------------
|
||||
// private keys
|
||||
let mut encoded_keys = vec![];
|
||||
File::open(cert_key_path)
|
||||
.map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!("Unable to load the certificates [{}]: {e}", cert_path.display()),
|
||||
format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()),
|
||||
)
|
||||
})?);
|
||||
rustls_pemfile::certs(&mut reader)
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?
|
||||
};
|
||||
|
||||
// private keys
|
||||
let raw_cert_keys = {
|
||||
let encoded_keys = {
|
||||
let mut encoded_keys = vec![];
|
||||
File::open(cert_key_path)
|
||||
.map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()),
|
||||
)
|
||||
})?
|
||||
.read_to_end(&mut encoded_keys)?;
|
||||
encoded_keys
|
||||
};
|
||||
let mut reader = Cursor::new(encoded_keys);
|
||||
let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
|
||||
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
.map_err(|_| {
|
||||
io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"Unable to parse the certificates private keys (PKCS8)",
|
||||
)
|
||||
})?;
|
||||
reader.set_position(0);
|
||||
let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
|
||||
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
let mut keys = pkcs8_keys;
|
||||
keys.append(&mut rsa_keys);
|
||||
if keys.is_empty() {
|
||||
return Err(RpxyCertError::IoError(io::Error::new(
|
||||
})?
|
||||
.read_to_end(&mut encoded_keys)?;
|
||||
let mut reader = Cursor::new(encoded_keys);
|
||||
let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
|
||||
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
.map_err(|_| {
|
||||
io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"No private keys found - Make sure that they are in PKCS#8/PEM format",
|
||||
)));
|
||||
}
|
||||
keys
|
||||
};
|
||||
"Unable to parse the certificates private keys (PKCS8)",
|
||||
)
|
||||
})?;
|
||||
reader.set_position(0);
|
||||
let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
|
||||
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
|
||||
.collect::<Result<Vec<_>, _>>()?;
|
||||
let mut raw_cert_keys = pkcs8_keys;
|
||||
raw_cert_keys.append(&mut rsa_keys);
|
||||
if raw_cert_keys.is_empty() {
|
||||
return Err(RpxyCertError::IoError(io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"No private keys found - Make sure that they are in PKCS#8/PEM format",
|
||||
)));
|
||||
}
|
||||
|
||||
// ------------------------
|
||||
// client ca certificates
|
||||
let client_ca_certs = if let Some(path) = client_ca_cert_path {
|
||||
debug!("Read CA certificates for client authentication");
|
||||
// Reads client certificate and returns client
|
||||
let certs = {
|
||||
let mut reader = BufReader::new(File::open(path).map_err(|e| {
|
||||
let client_ca_certs = client_ca_cert_path
|
||||
.map(|path| {
|
||||
debug!("Read CA certificates for client authentication");
|
||||
// Reads client certificate and returns client
|
||||
let inner = File::open(path).map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!("Unable to load the client certificates [{}]: {e}", path.display()),
|
||||
)
|
||||
})?);
|
||||
})?;
|
||||
let mut reader = BufReader::new(inner);
|
||||
rustls_pemfile::certs(&mut reader)
|
||||
.collect::<Result<Vec<_>, _>>()
|
||||
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))?
|
||||
};
|
||||
Some(certs)
|
||||
} else {
|
||||
None
|
||||
};
|
||||
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))
|
||||
})
|
||||
.transpose()?;
|
||||
|
||||
Ok(SingleServerCertsKeys::new(
|
||||
&raw_certs,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue