use hot_reload to update certificates

2023-07-10 22:57:31 +09:00 · 2023-07-10 22:57:31 +09:00 · 6b8b7784f8
commit 6b8b7784f8
parent 1f98b69c7e
9 changed files with 399 additions and 312 deletions
--- a/src/cert_reader.rs
+++ b/src/cert_reader.rs
@ -0,0 +1,93 @@
+use crate::{log::*, proxy::CertsAndKeys};
+use rustls::{Certificate, PrivateKey};
+use std::{
+  fs::File,
+  io::{self, BufReader, Cursor, Read},
+  path::PathBuf,
+};
+
+/// Read certificates and private keys from file
+pub(crate) fn read_certs_and_keys(
+  cert_path: &PathBuf,
+  cert_key_path: &PathBuf,
+  client_ca_cert_path: Option<&PathBuf>,
+) -> Result<CertsAndKeys, io::Error> {
+  debug!("Read TLS server certificates and private key");
+
+  let certs: Vec<_> = {
+    let certs_path_str = cert_path.display().to_string();
+    let mut reader = BufReader::new(File::open(cert_path).map_err(|e| {
+      io::Error::new(
+        e.kind(),
+        format!("Unable to load the certificates [{certs_path_str}]: {e}"),
+      )
+    })?);
+    rustls_pemfile::certs(&mut reader)
+      .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?
+  }
+  .drain(..)
+  .map(Certificate)
+  .collect();
+
+  let cert_keys: Vec<_> = {
+    let cert_key_path_str = cert_key_path.display().to_string();
+    let encoded_keys = {
+      let mut encoded_keys = vec![];
+      File::open(cert_key_path)
+        .map_err(|e| {
+          io::Error::new(
+            e.kind(),
+            format!("Unable to load the certificate keys [{cert_key_path_str}]: {e}"),
+          )
+        })?
+        .read_to_end(&mut encoded_keys)?;
+      encoded_keys
+    };
+    let mut reader = Cursor::new(encoded_keys);
+    let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader).map_err(|_| {
+      io::Error::new(
+        io::ErrorKind::InvalidInput,
+        "Unable to parse the certificates private keys (PKCS8)",
+      )
+    })?;
+    reader.set_position(0);
+    let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)?;
+    let mut keys = pkcs8_keys;
+    keys.append(&mut rsa_keys);
+    if keys.is_empty() {
+      return Err(io::Error::new(
+        io::ErrorKind::InvalidInput,
+        "No private keys found - Make sure that they are in PKCS#8/PEM format",
+      ));
+    }
+    keys.drain(..).map(PrivateKey).collect()
+  };
+
+  let client_ca_certs = if let Some(path) = client_ca_cert_path {
+    debug!("Read CA certificates for client authentication");
+    // Reads client certificate and returns client
+    let certs: Vec<_> = {
+      let certs_path_str = path.display().to_string();
+      let mut reader = BufReader::new(File::open(path).map_err(|e| {
+        io::Error::new(
+          e.kind(),
+          format!("Unable to load the client certificates [{certs_path_str}]: {e}"),
+        )
+      })?);
+      rustls_pemfile::certs(&mut reader)
+        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))?
+    }
+    .drain(..)
+    .map(Certificate)
+    .collect();
+    Some(certs)
+  } else {
+    None
+  };
+
+  Ok(CertsAndKeys {
+    certs,
+    cert_keys,
+    client_ca_certs,
+  })
+}