chore: refactor rpxy-certs

This commit is contained in:
Jun Kurihara 2025-06-30 17:37:06 +09:00
commit 254b5c1bb1
No known key found for this signature in database
GPG key ID: 9C5AF0A526862FEF
2 changed files with 52 additions and 61 deletions

View file

@ -75,9 +75,7 @@ impl SingleServerCertsKeys {
/* ------------------------------------------------ */ /* ------------------------------------------------ */
/// Parse the client CA certificates and return a hashmap of pairs of a subject key identifier (key) and a trust anchor (value) /// Parse the client CA certificates and return a hashmap of pairs of a subject key identifier (key) and a trust anchor (value)
pub fn rustls_client_certs_trust_anchors(&self) -> Result<TrustAnchors, RpxyCertError> { pub fn rustls_client_certs_trust_anchors(&self) -> Result<TrustAnchors, RpxyCertError> {
let Some(certs) = self.client_ca_certs.as_ref() else { let certs = self.client_ca_certs.as_ref().ok_or(RpxyCertError::NoClientCert)?;
return Err(RpxyCertError::NoClientCert);
};
let certs = certs.iter().map(|c| Certificate::from(c.to_vec())).collect::<Vec<_>>(); let certs = certs.iter().map(|c| Certificate::from(c.to_vec())).collect::<Vec<_>>();
let trust_anchors = certs let trust_anchors = certs

View file

@ -80,77 +80,70 @@ fn read_certs_and_keys(
) -> Result<SingleServerCertsKeys, RpxyCertError> { ) -> Result<SingleServerCertsKeys, RpxyCertError> {
debug!("Read TLS server certificates and private key"); debug!("Read TLS server certificates and private key");
// ------------------------
// certificates // certificates
let raw_certs = { let mut reader = BufReader::new(File::open(cert_path).map_err(|e| {
let mut reader = BufReader::new(File::open(cert_path).map_err(|e| { io::Error::new(
e.kind(),
format!("Unable to load the certificates [{}]: {e}", cert_path.display()),
)
})?);
let raw_certs = rustls_pemfile::certs(&mut reader)
.collect::<Result<Vec<_>, _>>()
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?;
// ------------------------
// private keys
let mut encoded_keys = vec![];
File::open(cert_key_path)
.map_err(|e| {
io::Error::new( io::Error::new(
e.kind(), e.kind(),
format!("Unable to load the certificates [{}]: {e}", cert_path.display()), format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()),
) )
})?); })?
rustls_pemfile::certs(&mut reader) .read_to_end(&mut encoded_keys)?;
.collect::<Result<Vec<_>, _>>() let mut reader = Cursor::new(encoded_keys);
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))? let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
}; .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
.collect::<Result<Vec<_>, _>>()
// private keys .map_err(|_| {
let raw_cert_keys = { io::Error::new(
let encoded_keys = {
let mut encoded_keys = vec![];
File::open(cert_key_path)
.map_err(|e| {
io::Error::new(
e.kind(),
format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()),
)
})?
.read_to_end(&mut encoded_keys)?;
encoded_keys
};
let mut reader = Cursor::new(encoded_keys);
let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
.collect::<Result<Vec<_>, _>>()
.map_err(|_| {
io::Error::new(
io::ErrorKind::InvalidInput,
"Unable to parse the certificates private keys (PKCS8)",
)
})?;
reader.set_position(0);
let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
.collect::<Result<Vec<_>, _>>()?;
let mut keys = pkcs8_keys;
keys.append(&mut rsa_keys);
if keys.is_empty() {
return Err(RpxyCertError::IoError(io::Error::new(
io::ErrorKind::InvalidInput, io::ErrorKind::InvalidInput,
"No private keys found - Make sure that they are in PKCS#8/PEM format", "Unable to parse the certificates private keys (PKCS8)",
))); )
} })?;
keys reader.set_position(0);
}; let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
.map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
.collect::<Result<Vec<_>, _>>()?;
let mut raw_cert_keys = pkcs8_keys;
raw_cert_keys.append(&mut rsa_keys);
if raw_cert_keys.is_empty() {
return Err(RpxyCertError::IoError(io::Error::new(
io::ErrorKind::InvalidInput,
"No private keys found - Make sure that they are in PKCS#8/PEM format",
)));
}
// ------------------------
// client ca certificates // client ca certificates
let client_ca_certs = if let Some(path) = client_ca_cert_path { let client_ca_certs = client_ca_cert_path
debug!("Read CA certificates for client authentication"); .map(|path| {
// Reads client certificate and returns client debug!("Read CA certificates for client authentication");
let certs = { // Reads client certificate and returns client
let mut reader = BufReader::new(File::open(path).map_err(|e| { let inner = File::open(path).map_err(|e| {
io::Error::new( io::Error::new(
e.kind(), e.kind(),
format!("Unable to load the client certificates [{}]: {e}", path.display()), format!("Unable to load the client certificates [{}]: {e}", path.display()),
) )
})?); })?;
let mut reader = BufReader::new(inner);
rustls_pemfile::certs(&mut reader) rustls_pemfile::certs(&mut reader)
.collect::<Result<Vec<_>, _>>() .collect::<Result<Vec<_>, _>>()
.map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))? .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))
}; })
Some(certs) .transpose()?;
} else {
None
};
Ok(SingleServerCertsKeys::new( Ok(SingleServerCertsKeys::new(
&raw_certs, &raw_certs,