chore: refactor rpxy-certs
This commit is contained in:
		
					parent
					
						
							
								4c1c1afc30
							
						
					
				
			
			
				commit
				
					
						254b5c1bb1
					
				
			
		
					 2 changed files with 52 additions and 61 deletions
				
			
		|  | @ -75,9 +75,7 @@ impl SingleServerCertsKeys { | ||||||
|   /* ------------------------------------------------ */ |   /* ------------------------------------------------ */ | ||||||
|   /// Parse the client CA certificates and return a hashmap of pairs of a subject key identifier (key) and a trust anchor (value)
 |   /// Parse the client CA certificates and return a hashmap of pairs of a subject key identifier (key) and a trust anchor (value)
 | ||||||
|   pub fn rustls_client_certs_trust_anchors(&self) -> Result<TrustAnchors, RpxyCertError> { |   pub fn rustls_client_certs_trust_anchors(&self) -> Result<TrustAnchors, RpxyCertError> { | ||||||
|     let Some(certs) = self.client_ca_certs.as_ref() else { |     let certs = self.client_ca_certs.as_ref().ok_or(RpxyCertError::NoClientCert)?; | ||||||
|       return Err(RpxyCertError::NoClientCert); |  | ||||||
|     }; |  | ||||||
|     let certs = certs.iter().map(|c| Certificate::from(c.to_vec())).collect::<Vec<_>>(); |     let certs = certs.iter().map(|c| Certificate::from(c.to_vec())).collect::<Vec<_>>(); | ||||||
| 
 | 
 | ||||||
|     let trust_anchors = certs |     let trust_anchors = certs | ||||||
|  |  | ||||||
|  | @ -80,77 +80,70 @@ fn read_certs_and_keys( | ||||||
| ) -> Result<SingleServerCertsKeys, RpxyCertError> { | ) -> Result<SingleServerCertsKeys, RpxyCertError> { | ||||||
|   debug!("Read TLS server certificates and private key"); |   debug!("Read TLS server certificates and private key"); | ||||||
| 
 | 
 | ||||||
|  |   // ------------------------
 | ||||||
|   // certificates
 |   // certificates
 | ||||||
|   let raw_certs = { |   let mut reader = BufReader::new(File::open(cert_path).map_err(|e| { | ||||||
|     let mut reader = BufReader::new(File::open(cert_path).map_err(|e| { |     io::Error::new( | ||||||
|  |       e.kind(), | ||||||
|  |       format!("Unable to load the certificates [{}]: {e}", cert_path.display()), | ||||||
|  |     ) | ||||||
|  |   })?); | ||||||
|  |   let raw_certs = rustls_pemfile::certs(&mut reader) | ||||||
|  |     .collect::<Result<Vec<_>, _>>() | ||||||
|  |     .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?; | ||||||
|  | 
 | ||||||
|  |   // ------------------------
 | ||||||
|  |   // private keys
 | ||||||
|  |   let mut encoded_keys = vec![]; | ||||||
|  |   File::open(cert_key_path) | ||||||
|  |     .map_err(|e| { | ||||||
|       io::Error::new( |       io::Error::new( | ||||||
|         e.kind(), |         e.kind(), | ||||||
|         format!("Unable to load the certificates [{}]: {e}", cert_path.display()), |         format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()), | ||||||
|       ) |       ) | ||||||
|     })?); |     })? | ||||||
|     rustls_pemfile::certs(&mut reader) |     .read_to_end(&mut encoded_keys)?; | ||||||
|       .collect::<Result<Vec<_>, _>>() |   let mut reader = Cursor::new(encoded_keys); | ||||||
|       .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))? |   let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader) | ||||||
|   }; |     .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8)) | ||||||
| 
 |     .collect::<Result<Vec<_>, _>>() | ||||||
|   // private keys
 |     .map_err(|_| { | ||||||
|   let raw_cert_keys = { |       io::Error::new( | ||||||
|     let encoded_keys = { |  | ||||||
|       let mut encoded_keys = vec![]; |  | ||||||
|       File::open(cert_key_path) |  | ||||||
|         .map_err(|e| { |  | ||||||
|           io::Error::new( |  | ||||||
|             e.kind(), |  | ||||||
|             format!("Unable to load the certificate keys [{}]: {e}", cert_key_path.display()), |  | ||||||
|           ) |  | ||||||
|         })? |  | ||||||
|         .read_to_end(&mut encoded_keys)?; |  | ||||||
|       encoded_keys |  | ||||||
|     }; |  | ||||||
|     let mut reader = Cursor::new(encoded_keys); |  | ||||||
|     let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader) |  | ||||||
|       .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8)) |  | ||||||
|       .collect::<Result<Vec<_>, _>>() |  | ||||||
|       .map_err(|_| { |  | ||||||
|         io::Error::new( |  | ||||||
|           io::ErrorKind::InvalidInput, |  | ||||||
|           "Unable to parse the certificates private keys (PKCS8)", |  | ||||||
|         ) |  | ||||||
|       })?; |  | ||||||
|     reader.set_position(0); |  | ||||||
|     let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader) |  | ||||||
|       .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1)) |  | ||||||
|       .collect::<Result<Vec<_>, _>>()?; |  | ||||||
|     let mut keys = pkcs8_keys; |  | ||||||
|     keys.append(&mut rsa_keys); |  | ||||||
|     if keys.is_empty() { |  | ||||||
|       return Err(RpxyCertError::IoError(io::Error::new( |  | ||||||
|         io::ErrorKind::InvalidInput, |         io::ErrorKind::InvalidInput, | ||||||
|         "No private keys found - Make sure that they are in PKCS#8/PEM format", |         "Unable to parse the certificates private keys (PKCS8)", | ||||||
|       ))); |       ) | ||||||
|     } |     })?; | ||||||
|     keys |   reader.set_position(0); | ||||||
|   }; |   let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader) | ||||||
|  |     .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1)) | ||||||
|  |     .collect::<Result<Vec<_>, _>>()?; | ||||||
|  |   let mut raw_cert_keys = pkcs8_keys; | ||||||
|  |   raw_cert_keys.append(&mut rsa_keys); | ||||||
|  |   if raw_cert_keys.is_empty() { | ||||||
|  |     return Err(RpxyCertError::IoError(io::Error::new( | ||||||
|  |       io::ErrorKind::InvalidInput, | ||||||
|  |       "No private keys found - Make sure that they are in PKCS#8/PEM format", | ||||||
|  |     ))); | ||||||
|  |   } | ||||||
| 
 | 
 | ||||||
|  |   // ------------------------
 | ||||||
|   // client ca certificates
 |   // client ca certificates
 | ||||||
|   let client_ca_certs = if let Some(path) = client_ca_cert_path { |   let client_ca_certs = client_ca_cert_path | ||||||
|     debug!("Read CA certificates for client authentication"); |     .map(|path| { | ||||||
|     // Reads client certificate and returns client
 |       debug!("Read CA certificates for client authentication"); | ||||||
|     let certs = { |       // Reads client certificate and returns client
 | ||||||
|       let mut reader = BufReader::new(File::open(path).map_err(|e| { |       let inner = File::open(path).map_err(|e| { | ||||||
|         io::Error::new( |         io::Error::new( | ||||||
|           e.kind(), |           e.kind(), | ||||||
|           format!("Unable to load the client certificates [{}]: {e}", path.display()), |           format!("Unable to load the client certificates [{}]: {e}", path.display()), | ||||||
|         ) |         ) | ||||||
|       })?); |       })?; | ||||||
|  |       let mut reader = BufReader::new(inner); | ||||||
|       rustls_pemfile::certs(&mut reader) |       rustls_pemfile::certs(&mut reader) | ||||||
|         .collect::<Result<Vec<_>, _>>() |         .collect::<Result<Vec<_>, _>>() | ||||||
|         .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))? |         .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates")) | ||||||
|     }; |     }) | ||||||
|     Some(certs) |     .transpose()?; | ||||||
|   } else { |  | ||||||
|     None |  | ||||||
|   }; |  | ||||||
| 
 | 
 | ||||||
|   Ok(SingleServerCertsKeys::new( |   Ok(SingleServerCertsKeys::new( | ||||||
|     &raw_certs, |     &raw_certs, | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue
	
	 Jun Kurihara
				Jun Kurihara