From e2bfdd909d73d87617fb0262732d197e3a44927b Mon Sep 17 00:00:00 2001 From: muji Date: Thu, 11 Jan 2024 10:53:34 +0800 Subject: [PATCH 01/13] Initial update of rustls and axum-server. --- Cargo.toml | 6 +++--- src/acme.rs | 11 +++++++---- src/https_helper.rs | 2 +- src/state.rs | 12 +++++++----- 4 files changed, 18 insertions(+), 13 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 3d37e50..042d6d7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,14 +25,14 @@ x509-parser = "0.15" chrono = { version = "0.4.24", default-features = false, features = ["clock"] } url = "2.2.2" async-trait = "0.1.53" -rustls = "0.21" +rustls = "0.22" tokio = { version = "1.20.1", default-features = false } -tokio-rustls = { version = "0.24" } +tokio-rustls = { version = "0.25" } reqwest = { version = "0.11.19", default-features = false, features = ["rustls-tls"] } # Axum -axum-server = { version = "0.5", features = ["tls-rustls"], optional = true } +axum-server = { version = "0.6", features = ["tls-rustls"], optional = true } [dev-dependencies] simple_logger = "4.1" diff --git a/src/acme.rs b/src/acme.rs index 92d7f7a..d51bcda 100644 --- a/src/acme.rs +++ b/src/acme.rs @@ -8,8 +8,8 @@ use rcgen::{Certificate, CustomExtension, RcgenError, PKCS_ECDSA_P256_SHA256}; use ring::error::{KeyRejected, Unspecified}; use ring::rand::SystemRandom; use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING}; -use rustls::sign::{any_ecdsa_type, CertifiedKey}; -use rustls::{ClientConfig, PrivateKey}; +use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; +use rustls::{ClientConfig, pki_types::PrivateKeyDer}; use serde::{Deserialize, Serialize}; use serde_json::json; use thiserror::Error; 
@@ -178,8 +178,11 @@ impl Account { params.alg = &PKCS_ECDSA_P256_SHA256; params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())]; let cert = Certificate::from_params(params)?; - let pk = any_ecdsa_type(&PrivateKey(cert.serialize_private_key_der())).unwrap(); - let certified_key = CertifiedKey::new(vec![rustls::Certificate(cert.serialize_der()?)], pk); + let pk_bytes = cert.serialize_private_key_der(); + let pk_der: PrivateKeyDer = pk_bytes.into(); + let pk = any_ecdsa_type(&pk_der).unwrap(); + let cert_bytes = cert.serialize_der()?; + let certified_key = CertifiedKey::new(vec![cert_bytes.into()], pk); Ok((challenge, certified_key)) } } diff --git a/src/https_helper.rs b/src/https_helper.rs index ccf1b4b..a1b06d0 100644 --- a/src/https_helper.rs +++ b/src/https_helper.rs @@ -1,4 +1,4 @@ -use rustls::client::InvalidDnsNameError; +use rustls::pki_types::InvalidDnsNameError; use rustls::ClientConfig; use std::sync::Arc; use thiserror::Error; diff --git a/src/state.rs b/src/state.rs index 9dfdff3..c5800a6 100644 --- a/src/state.rs +++ b/src/state.rs @@ -7,9 +7,9 @@ use chrono::{DateTime, TimeZone, Utc}; use futures::future::try_join_all; use futures::{ready, FutureExt, Stream}; use rcgen::{CertificateParams, DistinguishedName, RcgenError, PKCS_ECDSA_P256_SHA256}; -use rustls::sign::{any_ecdsa_type, CertifiedKey}; -use rustls::Certificate as RustlsCertificate; -use rustls::PrivateKey; +use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; +use rustls::pki_types::CertificateDer as RustlsCertificate; +use rustls::pki_types::PrivateKeyDer; use std::convert::Infallible; use std::fmt::Debug; use std::future::Future; 
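Review bot: `any_ecdsa_type(&pk_der).unwrap()` keeps a bare unwrap on the ACME challenge path; the key comes from `Certificate::from_params` a few lines earlier, so a rejection would be a bug rather than bad input, and that invariant belongs in the panic message: `let pk = any_ecdsa_type(&pk_der).expect("rcgen-generated P-256 key is accepted by any_ecdsa_type");`. The same pattern is carried into the reworked hunk of patch 03 (`@@ -179,7 +179,8 @@ impl Account`). The enclosing method starts before this hunk.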
@@ -159,13 +159,15 @@ impl AcmeState { if pems.len() < 2 { return Err(CertParseError::TooFewPem(pems.len())); } - let pk = match any_ecdsa_type(&PrivateKey(pems.remove(0).into_contents())) { + let pk_bytes = pems.remove(0).into_contents(); + let pk: PrivateKeyDer = pk_bytes.into(); + let pk = match any_ecdsa_type(&pk) { Ok(pk) => pk, Err(_) => return Err(CertParseError::InvalidPrivateKey), }; let cert_chain: Vec = pems .into_iter() - .map(|p| RustlsCertificate(p.into_contents())) + .map(|p| p.into_contents().into()) .collect(); let validity = match parse_x509_certificate(cert_chain[0].0.as_slice()) { Ok((_, cert)) => { From 586b2d4c795a6e31e054ebb7fca621e0555efd3b Mon Sep 17 00:00:00 2001 From: muji Date: Thu, 11 Jan 2024 12:20:11 +0800 Subject: [PATCH 02/13] Update webpki-roots, replace OwnedTrustAnchor. Use rustls::pki_types::TrustAnchor instead. --- Cargo.toml | 2 +- src/acceptor.rs | 1 - src/config.rs | 13 ++++++------- src/incoming.rs | 1 - src/resolver.rs | 2 ++ 5 files changed, 9 insertions(+), 10 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 042d6d7..a6c481f 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -18,7 +18,7 @@ serde = { version = "1.0.137", features = ["derive"] } ring = { version = "0.16.20", features = ["std"] } base64 = "0.21.0" log = "0.4.17" -webpki-roots = "0.25.2" +webpki-roots = "0.26" pem = "2.0" thiserror = "1.0.31" x509-parser = "0.15" diff --git a/src/acceptor.rs b/src/acceptor.rs index c2162dc..ceb0f1b 100644 --- a/src/acceptor.rs +++ b/src/acceptor.rs @@ -18,7 +18,6 @@ pub struct AcmeAcceptor { impl AcmeAcceptor { pub(crate) fn new(resolver: Arc) -> Self { let mut config = ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() .with_cert_resolver(resolver); config.alpn_protocols.push(ACME_TLS_ALPN_NAME.to_vec()); diff --git a/src/config.rs b/src/config.rs index 625f468..6661c40 100644 --- a/src/config.rs +++ b/src/config.rs 
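Review bot: `pk_bytes.into()` fixes the DER flavour of the cached key at the type level while `pems.remove(0)` selects that block purely by position, so a cache file whose first block is not the expected key encoding surfaces only as `CertParseError::InvalidPrivateKey`, with no hint of what was actually found. Checking the block label before the conversion would make that failure diagnosable, e.g. `let key_pem = pems.remove(0); if key_pem.tag() != "PRIVATE KEY" { return Err(CertParseError::InvalidPrivateKey); }` (`pem` 2.x exposes the label through `tag()`), ideally with a dedicated error variant; the label the cache writer emits is not visible here, so confirm it before hard-coding `"PRIVATE KEY"`. The enclosing method continues past the hunk.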
@@ -50,16 +50,15 @@ impl AcmeConfig { /// pub fn new(domains: impl IntoIterator>) -> Self { let mut root_store = RootCertStore::empty(); - root_store.add_trust_anchors(TLS_SERVER_ROOTS.iter().map(|ta| { - rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - ) + root_store.extend(TLS_SERVER_ROOTS.iter().map(|ta| { + rustls::pki_types::TrustAnchor { + subject: ta.subject, + subject_public_key_info: ta.subject_public_key_info, + name_constraints: ta.name_constraints, + } })); let client_config = Arc::new( ClientConfig::builder() - .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(), ); diff --git a/src/incoming.rs b/src/incoming.rs index 5062f24..94070e9 100644 --- a/src/incoming.rs +++ b/src/incoming.rs @@ -50,7 +50,6 @@ impl< alpn_protocols: Vec>, ) -> Self { let mut config = ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() .with_cert_resolver(state.resolver()); config.alpn_protocols = alpn_protocols; diff --git a/src/resolver.rs b/src/resolver.rs index 89acdf2..ae57156 100644 --- a/src/resolver.rs +++ b/src/resolver.rs @@ -5,10 +5,12 @@ use std::collections::BTreeMap; use std::sync::Arc; use std::sync::Mutex; +#[derive(Debug)] pub struct ResolvesServerCertAcme { inner: Mutex, } +#[derive(Debug)] struct Inner { cert: Option>, auth_keys: BTreeMap>, From 5307c9cdac690f7bd8196a2c07e026f24af70978 Mon Sep 17 00:00:00 2001 From: muji Date: Thu, 11 Jan 2024 12:33:44 +0800 Subject: [PATCH 03/13] Update axum, code compiles. --- Cargo.toml | 2 +- examples/low_level_axum.rs | 1 - src/acme.rs | 5 +++-- src/config.rs | 6 +++--- src/state.rs | 7 ++++--- 5 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index a6c481f..99886f2 100644 --- a/Cargo.toml +++ b/Cargo.toml 
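Review bot: The closure passed to `root_store.extend(...)` rebuilds each anchor field by field from `ta`, whose three fields are exactly those of `rustls::pki_types::TrustAnchor`; moving them out of a shared reference is also what forces the `.clone()` calls added in patch 03 and the rustfmt reflow in patch 08 of the same block. If `TLS_SERVER_ROOTS` already yields `pki_types::TrustAnchor` values, as webpki-roots 0.26 does, the whole block collapses to `root_store.extend(TLS_SERVER_ROOTS.iter().cloned());`. `AcmeConfig::new` continues past the hunk.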
@@ -38,7 +38,7 @@ axum-server = { version = "0.6", features = ["tls-rustls"], optional = true } simple_logger = "4.1" structopt = "0.3.26" clap = { version = "4", features = ["derive"] } -axum = "0.6" +axum = "0.7" tokio = { version="1.19.2", features = ["full"] } tokio-stream = { version="0.1.9", features = ["net"] } tokio-util = { version="0.7.3", features = ["compat"] } diff --git a/examples/low_level_axum.rs b/examples/low_level_axum.rs index 12c991d..769a879 100644 --- a/examples/low_level_axum.rs +++ b/examples/low_level_axum.rs @@ -42,7 +42,6 @@ async fn main() { .directory_lets_encrypt(args.prod) .state(); let rustls_config = ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() .with_cert_resolver(state.resolver()); let acceptor = state.axum_acceptor(Arc::new(rustls_config)); diff --git a/src/acme.rs b/src/acme.rs index d51bcda..b5aa040 100644 --- a/src/acme.rs +++ b/src/acme.rs @@ -9,7 +9,7 @@ use ring::error::{KeyRejected, Unspecified}; use ring::rand::SystemRandom; use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING}; use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; -use rustls::{ClientConfig, pki_types::PrivateKeyDer}; +use rustls::{ClientConfig, pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}}; use serde::{Deserialize, Serialize}; use serde_json::json; use thiserror::Error; @@ -179,7 +179,8 @@ impl Account { params.custom_extensions = vec![CustomExtension::new_acme_identifier(key_auth.as_ref())]; let cert = Certificate::from_params(params)?; let pk_bytes = cert.serialize_private_key_der(); - let pk_der: PrivateKeyDer = pk_bytes.into(); + let pk_der: PrivatePkcs8KeyDer = pk_bytes.into(); + let pk_der: PrivateKeyDer = pk_der.into(); let pk = any_ecdsa_type(&pk_der).unwrap(); let cert_bytes = cert.serialize_der()?; let certified_key = CertifiedKey::new(vec![cert_bytes.into()], pk); diff --git a/src/config.rs b/src/config.rs index 6661c40..9e10d8c 100644 --- a/src/config.rs 
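Review bot: The two shadowed `let pk_der` bindings in the `src/acme.rs` hunk `@@ -179,7 +179,8 @@` exist only to route a `Vec<u8>` through `PrivatePkcs8KeyDer` into `PrivateKeyDer`; naming the variant directly says the same thing in one line and records that rcgen's `serialize_private_key_der` emits PKCS#8: `let pk_der = PrivateKeyDer::Pkcs8(pk_bytes.into());`. The same two-step conversion appears in the `src/state.rs` hunk `@@ -160,7 +160,8 @@` of this patch. The enclosing method starts before the hunk.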
+++ b/src/config.rs @@ -52,9 +52,9 @@ impl AcmeConfig { let mut root_store = RootCertStore::empty(); root_store.extend(TLS_SERVER_ROOTS.iter().map(|ta| { rustls::pki_types::TrustAnchor { - subject: ta.subject, - subject_public_key_info: ta.subject_public_key_info, - name_constraints: ta.name_constraints, + subject: ta.subject.clone(), + subject_public_key_info: ta.subject_public_key_info.clone(), + name_constraints: ta.name_constraints.clone(), } })); let client_config = Arc::new( diff --git a/src/state.rs b/src/state.rs index c5800a6..086a601 100644 --- a/src/state.rs +++ b/src/state.rs @@ -9,7 +9,7 @@ use futures::{ready, FutureExt, Stream}; use rcgen::{CertificateParams, DistinguishedName, RcgenError, PKCS_ECDSA_P256_SHA256}; use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; use rustls::pki_types::CertificateDer as RustlsCertificate; -use rustls::pki_types::PrivateKeyDer; +use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}; use std::convert::Infallible; use std::fmt::Debug; use std::future::Future; @@ -160,7 +160,8 @@ impl AcmeState { return Err(CertParseError::TooFewPem(pems.len())); } let pk_bytes = pems.remove(0).into_contents(); - let pk: PrivateKeyDer = pk_bytes.into(); + let pk_der: PrivatePkcs8KeyDer = pk_bytes.into(); + let pk: PrivateKeyDer = pk_der.into(); let pk = match any_ecdsa_type(&pk) { Ok(pk) => pk, Err(_) => return Err(CertParseError::InvalidPrivateKey), @@ -169,7 +170,7 @@ impl AcmeState { .into_iter() .map(|p| p.into_contents().into()) .collect(); - let validity = match parse_x509_certificate(cert_chain[0].0.as_slice()) { + let validity = match parse_x509_certificate(cert_chain[0].as_ref()) { Ok((_, cert)) => { let validity = cert.validity(); [validity.not_before, validity.not_after] From 6f623dd66e82ab482d874e7f4bc38c3e74a0a33e Mon Sep 17 00:00:00 2001 
From: muji Date: Thu, 11 Jan 2024 12:54:40 +0800 Subject: [PATCH 04/13] Replace use_preconfigured_tls() with use_rustls_tls(). We can't share the ClientConfig anymore as reqwest has yet to be updated to rustls@0.22 so instead we just let the client use it's own rustls configuration. --- src/acme.rs | 11 +++++------ src/https_helper.rs | 6 +----- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/src/acme.rs b/src/acme.rs index b5aa040..70c1d60 100644 --- a/src/acme.rs +++ b/src/acme.rs @@ -72,7 +72,6 @@ impl Account { &payload, )?; let response = https( - client_config, &directory.new_account, Method::Post, Some(body), @@ -98,7 +97,7 @@ impl Account { url.as_ref(), payload, )?; - let response = https(client_config, url.as_ref(), Method::Post, Some(body)).await?; + let response = https(url.as_ref(), Method::Post, Some(body)).await?; let location = get_header(&response, "Location").ok(); let body = response.text().await.map_err(HttpsRequestError::from)?; log::debug!("response: {:?}", body); @@ -198,16 +197,16 @@ pub struct Directory { impl Directory { pub async fn discover( - client_config: &Arc, + _client_config: &Arc, url: impl AsRef, ) -> Result { - let response = https(client_config, url, Method::Get, None).await?; + let response = https(url, Method::Get, None).await?; let body = response.bytes().await.map_err(HttpsRequestError::from)?; Ok(serde_json::from_slice(&body)?) } - pub async fn nonce(&self, client_config: &Arc) -> Result { - let response = &https(client_config, &self.new_nonce.as_str(), Method::Head, None).await?; + pub async fn nonce(&self, _client_config: &Arc) -> Result { + let response = &https(&self.new_nonce.as_str(), Method::Head, None).await?; get_header(response, "replay-nonce") } } diff --git a/src/https_helper.rs b/src/https_helper.rs index a1b06d0..3e8e6ac 100644 --- a/src/https_helper.rs +++ b/src/https_helper.rs 
@@ -1,6 +1,4 @@ use rustls::pki_types::InvalidDnsNameError; -use rustls::ClientConfig; -use std::sync::Arc; use thiserror::Error; pub use reqwest::{Request, Response}; @@ -23,15 +21,13 @@ impl From for reqwest::Method { } pub(crate) async fn https( - client_config: &Arc, url: impl AsRef, method: Method, body: Option, ) -> Result { let method: reqwest::Method = method.into(); - let client_config: ClientConfig = client_config.as_ref().clone(); let client = reqwest::ClientBuilder::new() - .use_preconfigured_tls(client_config) + .use_rustls_tls() .build()?; let mut request = client.request(method, url.as_ref()); if let Some(body) = body { From ea7a9c64246096fa03c779d551942dde940fee4d Mon Sep 17 00:00:00 2001 From: muji Date: Sun, 7 Apr 2024 09:27:32 +0800 Subject: [PATCH 05/13] Update to reqwest@0.12 and restore use_preconfigured_tls(). --- Cargo.toml | 2 +- src/acme.rs | 11 ++++++----- src/https_helper.rs | 6 ++++-- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 99886f2..9041454 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,7 +29,7 @@ rustls = "0.22" tokio = { version = "1.20.1", default-features = false } tokio-rustls = { version = "0.25" } -reqwest = { version = "0.11.19", default-features = false, features = ["rustls-tls"] } +reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] } # Axum axum-server = { version = "0.6", features = ["tls-rustls"], optional = true } diff --git a/src/acme.rs b/src/acme.rs index 70c1d60..b5aa040 100644 --- a/src/acme.rs +++ b/src/acme.rs @@ -72,6 +72,7 @@ impl Account { &payload, )?; let response = https( + client_config, &directory.new_account, Method::Post, Some(body), 
@@ -97,7 +98,7 @@ impl Account { url.as_ref(), payload, )?; - let response = https(url.as_ref(), Method::Post, Some(body)).await?; + let response = https(client_config, url.as_ref(), Method::Post, Some(body)).await?; let location = get_header(&response, "Location").ok(); let body = response.text().await.map_err(HttpsRequestError::from)?; log::debug!("response: {:?}", body); @@ -197,16 +198,16 @@ pub struct Directory { impl Directory { pub async fn discover( - _client_config: &Arc, + client_config: &Arc, url: impl AsRef, ) -> Result { - let response = https(url, Method::Get, None).await?; + let response = https(client_config, url, Method::Get, None).await?; let body = response.bytes().await.map_err(HttpsRequestError::from)?; Ok(serde_json::from_slice(&body)?) } - pub async fn nonce(&self, _client_config: &Arc) -> Result { - let response = &https(&self.new_nonce.as_str(), Method::Head, None).await?; + pub async fn nonce(&self, client_config: &Arc) -> Result { + let response = &https(client_config, &self.new_nonce.as_str(), Method::Head, None).await?; get_header(response, "replay-nonce") } } diff --git a/src/https_helper.rs b/src/https_helper.rs index 3e8e6ac..c150eac 100644 --- a/src/https_helper.rs +++ b/src/https_helper.rs @@ -1,5 +1,6 @@ -use rustls::pki_types::InvalidDnsNameError; +use rustls::{pki_types::InvalidDnsNameError, ClientConfig}; use thiserror::Error; +use std::sync::Arc; pub use reqwest::{Request, Response}; @@ -21,13 +22,14 @@ impl From for reqwest::Method { } pub(crate) async fn https( + client_config: &Arc, url: impl AsRef, method: Method, body: Option, ) -> Result { let method: reqwest::Method = method.into(); let client = reqwest::ClientBuilder::new() - .use_rustls_tls() + .use_preconfigured_tls(Arc::clone(client_config)) .build()?; let mut request = client.request(method, url.as_ref()); if let Some(body) = body { From d51d68ccb267861dbe91d7294a4b4f23c65540f4 Mon Sep 17 00:00:00 2001 
From: Floris Bruynooghe Date: Tue, 11 Jun 2024 18:14:34 +0100 Subject: [PATCH 06/13] Additional changes to upgrade to rustls 0.23 --- Cargo.toml | 4 ++-- examples/high_level.rs | 2 +- examples/low_level.rs | 3 +-- src/https_helper.rs | 4 ++-- src/state.rs | 9 ++++----- 5 files changed, 10 insertions(+), 12 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 9041454..736d14a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,10 +25,10 @@ x509-parser = "0.15" chrono = { version = "0.4.24", default-features = false, features = ["clock"] } url = "2.2.2" async-trait = "0.1.53" -rustls = "0.22" +rustls = { version = "0.23", default-features = false, features = ["ring"] } tokio = { version = "1.20.1", default-features = false } -tokio-rustls = { version = "0.25" } +tokio-rustls = { version = "0.26" } reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] } # Axum diff --git a/examples/high_level.rs b/examples/high_level.rs index 12b4603..7bdf7e3 100644 --- a/examples/high_level.rs +++ b/examples/high_level.rs @@ -56,7 +56,7 @@ async fn main() { unreachable!() } -const HELLO: &'static [u8] = br#"HTTP/1.1 200 OK +const HELLO: &[u8] = br#"HTTP/1.1 200 OK Content-Length: 10 Content-Type: text/plain; charset=utf-8 diff --git a/examples/low_level.rs b/examples/low_level.rs index 7202e2e..5971744 100644 --- a/examples/low_level.rs +++ b/examples/low_level.rs @@ -42,7 +42,6 @@ async fn main() { .directory_lets_encrypt(args.prod) .state(); let rustls_config = ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() .with_cert_resolver(state.resolver()); let acceptor = state.acceptor(); @@ -81,7 +80,7 @@ async fn serve(acceptor: AcmeAcceptor, rustls_config: Arc, port: u } } -const HELLO: &'static [u8] = br#"HTTP/1.1 200 OK +const HELLO: &[u8] = br#"HTTP/1.1 200 OK Content-Length: 10 Content-Type: text/plain; charset=utf-8 diff --git a/src/https_helper.rs b/src/https_helper.rs index c150eac..a6ba20c 100644 --- a/src/https_helper.rs 
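Review bot: `rustls = { version = "0.23", default-features = false, features = ["ring"] }` switches off every rustls default except the provider, including `tls12` and `logging`, and the crate then relies on tokio-rustls and reqwest re-enabling them through feature unification (patch 09 later adds `tls12` on the tokio-rustls line for exactly this reason). Listing the features this crate's own `ServerConfig`/`ClientConfig` code needs on the rustls line itself, e.g. `features = ["ring", "tls12", "logging"]`, keeps the build independent of what other dependencies happen to enable; the exact default set should be checked against the 0.23 point release in use.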
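Review bot: With rustls 0.23, the `ServerConfig::builder()` left in place after `.with_safe_defaults()` is removed resolves the process-level `CryptoProvider`; that is only unambiguous while `ring` is the sole provider feature compiled into the final binary, and if a downstream crate also enables `aws-lc-rs` the call panics at runtime unless `CryptoProvider::install_default()` ran first. The library's own builders in `src/acceptor.rs`, `src/incoming.rs` and `src/config.rs` (patches 02 and 03) carry the same exposure. Selecting the provider explicitly removes the dependency on process state: `ServerConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider())).with_safe_default_protocol_versions()?` (or `.expect(..)` in the example), followed by the existing `.with_no_client_auth()`. `main` begins outside this hunk.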
+++ b/src/https_helper.rs @@ -1,8 +1,8 @@ use rustls::{pki_types::InvalidDnsNameError, ClientConfig}; -use thiserror::Error; use std::sync::Arc; +use thiserror::Error; -pub use reqwest::{Request, Response}; +pub use reqwest::Response; #[derive(Copy, Clone)] pub enum Method { diff --git a/src/state.rs b/src/state.rs index 086a601..79b251a 100644 --- a/src/state.rs +++ b/src/state.rs @@ -7,9 +7,9 @@ use chrono::{DateTime, TimeZone, Utc}; use futures::future::try_join_all; use futures::{ready, FutureExt, Stream}; use rcgen::{CertificateParams, DistinguishedName, RcgenError, PKCS_ECDSA_P256_SHA256}; -use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; use rustls::pki_types::CertificateDer as RustlsCertificate; use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}; +use rustls::{crypto::ring::sign::any_ecdsa_type, sign::CertifiedKey}; use std::convert::Infallible; use std::fmt::Debug; use std::future::Future; @@ -28,6 +28,7 @@ pub fn after(d: std::time::Duration) -> Timer { Box::pin(tokio::time::sleep(d)) } +#[allow(clippy::type_complexity)] pub struct AcmeState { config: Arc>, resolver: Arc, @@ -166,10 +167,8 @@ impl AcmeState { Ok(pk) => pk, Err(_) => return Err(CertParseError::InvalidPrivateKey), }; - let cert_chain: Vec = pems - .into_iter() - .map(|p| p.into_contents().into()) - .collect(); + let cert_chain: Vec = + pems.into_iter().map(|p| p.into_contents().into()).collect(); let validity = match parse_x509_certificate(cert_chain[0].as_ref()) { Ok((_, cert)) => { let validity = cert.validity(); From 996ae78b70b1d2cc338cfc2bf36a37caefc8bf2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Thu, 1 Aug 2024 14:41:16 +0200 Subject: [PATCH 07/13] Update to `axum-server` version 0.7 --- Cargo.toml | 2 +- src/lib.rs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 2fd94c8..1495be8 100644 --- a/Cargo.toml +++ b/Cargo.toml 
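Review bot: `#[allow(clippy::type_complexity)]` on `AcmeState` in the `src/state.rs` hunk `@@ -28,6 +28,7 @@` is added without saying why the lint is silenced, which is the one thing a reader needs when deciding whether the suppression can later go. A one-line justification above it would do, e.g. `// Fields are pinned boxed futures/streams that form the public API; aliases would only relocate the complexity.`, adjusted to whatever the real reason is — the struct body continues past the hunk, so the field types are not visible here.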
@@ -32,7 +32,7 @@ tokio-rustls = { version = "0.26" } reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] } # Axum -axum-server = { version = "0.6", features = ["tls-rustls"], optional = true } +axum-server = { version = "0.7", features = ["tls-rustls"], optional = true } [dependencies.proc-macro2] # This is a transitive dependency, we specify it to make sure we have diff --git a/src/lib.rs b/src/lib.rs index 242d400..f9c19d5 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -108,7 +108,7 @@ //! [rustls](https://github.com/ctz/rustls), //! [tokio-rustls](https://github.com/tokio-rs/tls/tree/master/tokio-rustls) and many others. -#![cfg_attr(doc_auto_cfg, feature(doc_auto_cfg))] +#![cfg_attr(docsrs, feature(doc_auto_cfg))] mod acceptor; pub mod acme; From 463902fe113bfb982ddeb965fdf90aa43a3d1e38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 12:03:56 +0200 Subject: [PATCH 08/13] chore: Run `cargo fmt --all` --- src/acme.rs | 7 +++++-- src/config.rs | 16 +++++++++------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/acme.rs b/src/acme.rs index f2431ed..653ef33 100644 --- a/src/acme.rs +++ b/src/acme.rs @@ -8,8 +8,11 @@ use rcgen::{Certificate, CustomExtension, Error as RcgenError, PKCS_ECDSA_P256_S use ring::error::{KeyRejected, Unspecified}; use ring::rand::SystemRandom; use ring::signature::{EcdsaKeyPair, EcdsaSigningAlgorithm, ECDSA_P256_SHA256_FIXED_SIGNING}; -use rustls::{sign::CertifiedKey, crypto::ring::sign::any_ecdsa_type}; -use rustls::{ClientConfig, pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}}; +use rustls::{crypto::ring::sign::any_ecdsa_type, sign::CertifiedKey}; +use rustls::{ + pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}, + ClientConfig, +}; use serde::{Deserialize, Serialize}; use serde_json::json; use thiserror::Error; diff --git a/src/config.rs b/src/config.rs index 9e10d8c..40a70c6 100644 --- a/src/config.rs +++ b/src/config.rs 
@@ -50,13 +50,15 @@ impl AcmeConfig { /// pub fn new(domains: impl IntoIterator>) -> Self { let mut root_store = RootCertStore::empty(); - root_store.extend(TLS_SERVER_ROOTS.iter().map(|ta| { - rustls::pki_types::TrustAnchor { - subject: ta.subject.clone(), - subject_public_key_info: ta.subject_public_key_info.clone(), - name_constraints: ta.name_constraints.clone(), - } - })); + root_store.extend( + TLS_SERVER_ROOTS + .iter() + .map(|ta| rustls::pki_types::TrustAnchor { + subject: ta.subject.clone(), + subject_public_key_info: ta.subject_public_key_info.clone(), + name_constraints: ta.name_constraints.clone(), + }), + ); let client_config = Arc::new( ClientConfig::builder() .with_root_certificates(root_store) From bd439a6b377ef4fee300d1f7bf7de7835231d1de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 12:22:46 +0200 Subject: [PATCH 09/13] chore: Avoid depending on `aws-lc-rs` accidentally --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 1495be8..2203323 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ async-trait = "0.1.53" rustls = { version = "0.23", default-features = false, features = ["ring"] } tokio = { version = "1.20.1", default-features = false } -tokio-rustls = { version = "0.26" } +tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] } reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] } # Axum From c5e3751851b2d2e6175164b2f9eacd9816ced04e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 12:27:10 +0200 Subject: [PATCH 10/13] chore: Avoid depending on time version `0.1.0` --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 2203323..ecc183f 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -54,7 +54,7 @@ axum = "0.7" tokio = { version="1.19.2", features = ["full"] } tokio-stream = { version="0.1.9", features = ["net"] } tokio-util = { version="0.7.3", features = ["compat"] } -warp = "0.3.4" +warp = "0.3.7" [package.metadata.docs.rs] all-features = true From 586065653a59f50230c4411b70fe9d4eb303cb9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 12:30:31 +0200 Subject: [PATCH 11/13] Avoid depending on `aws-lc-rs` even with `--all-features` --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index ecc183f..00af089 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -32,7 +32,7 @@ tokio-rustls = { version = "0.26", default-features = false, features = ["tls12" reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] } # Axum -axum-server = { version = "0.7", features = ["tls-rustls"], optional = true } +axum-server = { version = "0.7", features = ["tokio-rustls"], optional = true } [dependencies.proc-macro2] # This is a transitive dependency, we specify it to make sure we have From 08470a7cd3140cff907ed13991e76e115c6e31f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 12:35:34 +0200 Subject: [PATCH 12/13] chore: Try to fix `minimal build` with forcing a newer transitive `time` dep --- Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/Cargo.toml b/Cargo.toml index 00af089..08f6037 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,6 +26,7 @@ chrono = { version = "0.4.24", default-features = false, features = ["clock"] } url = "2.2.2" async-trait = "0.1.53" rustls = { version = "0.23", default-features = false, features = ["ring"] } +time = "0.3.36" # force the transitive dependency to a more recent minimal version. The build fails with 0.3.20 tokio = { version = "1.20.1", default-features = false } tokio-rustls = { version = "0.26", default-features = false, features = ["tls12"] } 
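Review bot: Swapping axum-server's `tls-rustls` feature for `tokio-rustls` in the patch 11 hunk enables an optional dependency by name rather than a feature the crate defines, and axum-server gates its `tls_rustls` module — which `axum_acceptor` in `src/state.rs` presumably relies on — behind its own feature flags, so this may compile the dependency without compiling the API this crate uses. Worth confirming that a build with the crate's axum feature enabled (its name in `[features]` is not visible here) still resolves `axum_acceptor`, and whether axum-server 0.7 provides a provider-free TLS feature intended for this case.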
From a24232ce8e42f785364052895440c779abca8b81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philipp=20Kr=C3=BCger?= Date: Tue, 6 Aug 2024 18:01:53 +0200 Subject: [PATCH 13/13] fix: Pass the correct `Any` type to `use_preconfigured_tls` --- src/https_helper.rs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/https_helper.rs b/src/https_helper.rs index a6ba20c..0f5e508 100644 --- a/src/https_helper.rs +++ b/src/https_helper.rs @@ -1,5 +1,4 @@ use rustls::{pki_types::InvalidDnsNameError, ClientConfig}; -use std::sync::Arc; use thiserror::Error; pub use reqwest::Response; @@ -22,14 +21,14 @@ impl From for reqwest::Method { } pub(crate) async fn https( - client_config: &Arc, + client_config: &ClientConfig, url: impl AsRef, method: Method, body: Option, ) -> Result { let method: reqwest::Method = method.into(); let client = reqwest::ClientBuilder::new() - .use_preconfigured_tls(Arc::clone(client_config)) + .use_preconfigured_tls(client_config.clone()) .build()?; let mut request = client.request(method, url.as_ref()); if let Some(body) = body {
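Review bot: `use_preconfigured_tls(client_config.clone())` now deep-copies the `ClientConfig`, root store included, on every call, and since `https()` also runs `reqwest::ClientBuilder::new()...build()?` per request, each ACME round-trip pays for a fresh TLS config and a fresh client with no connection reuse between calls. Passing the concrete `ClientConfig` is what `use_preconfigured_tls`'s `impl Any` downcast requires, so the clone is the right fix for the type; the cost is better avoided by building the `reqwest::Client` once next to the `Arc<ClientConfig>` it wraps (for example in `AcmeConfig::new`, `src/config.rs`) and handing that client to `https()`, which reduces this function to `client.request(method, url.as_ref())` plus the existing body handling. That is a signature change across the `src/acme.rs` callers, so it may belong in a follow-up. `https()` continues past the hunk.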