Track the latest changes from upstream rustls and tokio-rustls

Cargo.toml

@@ -15,20 +15,21 @@ http = "0.2"
 hyper = { version = "0.14", default-features = false, features = ["client"] }
 log = { version = "0.4.4", optional = true }
 rustls-native-certs = { version = "0.6", optional = true }
-rustls = { version = "0.21.6", default-features = false }
+rustls = { version = "0.22.0-alpha.3", default-features = false }
 tokio = "1.0"
-tokio-rustls = { version = "0.24.0", default-features = false }
-webpki-roots = { version = "0.25", optional = true }
+tokio-rustls = { version = "0.24.1", default-features = false }
+webpki-roots = { version = "0.26.0-alpha.1", optional = true }
 futures-util = { version = "0.3", default-features = false }
+pki-types = { package = "rustls-pki-types", version = "0.2.1" }
 
 [dev-dependencies]
 hyper = { version = "0.14", features = ["full"] }
-rustls = { version = "0.21.0", default-features = false, features = ["tls12"] }
+rustls = { version = "0.22.0-alpha.3", default-features = false, features = ["tls12"] }
 rustls-pemfile = "1.0.0"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 
 [features]
-default = ["native-tokio", "http1", "tls12", "logging", "acceptor"]
+default = ["native-tokio", "http1", "tls12", "logging", "acceptor", "ring"]
 acceptor = ["hyper/server", "tokio-runtime"]
 http1 = ["hyper/http1"]
 http2 = ["hyper/http2"]
@@ -37,6 +38,7 @@ native-tokio = ["tokio-runtime", "rustls-native-certs"]
 tokio-runtime =  ["hyper/runtime"]
 tls12 = ["tokio-rustls/tls12", "rustls/tls12"]
 logging = ["log", "tokio-rustls/logging", "rustls/logging"]
+ring = ["rustls/ring"]
 
 [[example]]
 name = "client"
@@ -51,3 +53,6 @@ required-features = ["tokio-runtime", "acceptor"]
 [package.metadata.docs.rs]
 all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
+
+[patch.crates-io]
+tokio-rustls = { git = 'https://github.com/rustls/tokio-rustls' }

examples/client.rs

@@ -48,9 +48,11 @@ async fn run_client() -> io::Result<()> {
         Some(ref mut rd) => {
             // Read trust roots
             let certs = rustls_pemfile::certs(rd)
-                .map_err(|_| error("failed to load custom CA store".into()))?;
+                .map_err(|_| error("failed to load custom CA store".into()))?
+                .into_iter()
+                .map(Into::into);
             let mut roots = RootCertStore::empty();
-            roots.add_parsable_certificates(&certs);
+            roots.add_parsable_certificates(certs);
             // TLS client config using the custom CA store for lookups
             rustls::ClientConfig::builder()
                 .with_safe_defaults()

examples/server.rs

@@ -14,6 +14,8 @@ use hyper::server::conn::AddrIncoming;
 use hyper::service::{make_service_fn, service_fn};
 use hyper::{Body, Method, Request, Response, Server, StatusCode};
 use hyper_rustls::TlsAcceptor;
+use pki_types::CertificateDer;
+use pki_types::PrivateKeyDer;
 
 fn main() {
     // Serve an echo service over HTTPS, with proper error handling.
@@ -80,7 +82,7 @@ async fn echo(req: Request<Body>) -> Result<Response<Body>, hyper::Error> {
 }
 
 // Load public certificate from file.
-fn load_certs(filename: &str) -> io::Result<Vec<rustls::Certificate>> {
+fn load_certs(filename: &str) -> io::Result<Vec<CertificateDer>> {
     // Open certificate file.
     let certfile = fs::File::open(filename)
         .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?;
@@ -91,12 +93,12 @@ fn load_certs(filename: &str) -> io::Result<Vec<rustls::Certificate>> {
         .map_err(|_| error("failed to load certificate".into()))?;
     Ok(certs
         .into_iter()
-        .map(rustls::Certificate)
+        .map(Into::into)
         .collect())
 }
 
 // Load private key from file.
-fn load_private_key(filename: &str) -> io::Result<rustls::PrivateKey> {
+fn load_private_key(filename: &str) -> io::Result<PrivateKeyDer> {
     // Open keyfile.
     let keyfile = fs::File::open(filename)
         .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?;
@@ -109,5 +111,6 @@ fn load_private_key(filename: &str) -> io::Result<rustls::PrivateKey> {
         return Err(error("expected a single private key".into()));
     }
 
-    Ok(rustls::PrivateKey(keys[0].clone()))
+    // TODO: should PKCS#8 be supported?
+    Ok(PrivateKeyDer::Pkcs1(keys[0].clone().into()))
 }

src/acceptor/builder.rs

@@ -3,6 +3,9 @@ use std::sync::Arc;
 use hyper::server::conn::AddrIncoming;
 use rustls::ServerConfig;
 
+#[cfg(feature = "ring")]
+use pki_types::{CertificateDer, PrivateKeyDer};
+
 use super::TlsAcceptor;
 /// Builder for [`TlsAcceptor`]
 pub struct AcceptorBuilder<State>(State);
@@ -25,10 +28,11 @@ impl AcceptorBuilder<WantsTlsConfig> {
     ///
     /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
     /// [with_no_client_auth]: rustls::ConfigBuilder::with_no_client_auth
+    #[cfg(feature = "ring")]
     pub fn with_single_cert(
         self,
-        cert_chain: Vec<rustls::Certificate>,
-        key_der: rustls::PrivateKey,
+        cert_chain: Vec<CertificateDer<'static>>,
+        key_der: PrivateKeyDer<'static>,
     ) -> Result<AcceptorBuilder<WantsAlpn>, rustls::Error> {
         Ok(AcceptorBuilder(WantsAlpn(
             ServerConfig::builder()

src/config.rs

@@ -1,4 +1,4 @@
-use rustls::client::WantsTransparencyPolicyOrClientCert;
+use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 
 /// Methods for configuring roots
@@ -8,30 +8,29 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 pub trait ConfigBuilderExt {
     /// This configures the platform's trusted certs, as implemented by
     /// rustls-native-certs
-    #[cfg(feature = "rustls-native-certs")]
+    #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
-    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>;
+    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;
 
     /// This configures the webpki roots, which are Mozilla's set of
     /// trusted roots as packaged by webpki-roots.
-    #[cfg(feature = "webpki-roots")]
+    #[cfg(all(feature = "webpki-roots", feature = "ring"))]
     #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
-    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert>;
+    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;
 }
 
 impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
-    #[cfg(feature = "rustls-native-certs")]
+    #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
-    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
+    fn with_native_roots(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
         let mut roots = rustls::RootCertStore::empty();
         let mut valid_count = 0;
         let mut invalid_count = 0;
 
         for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
         {
-            let cert = rustls::Certificate(cert.0);
-            match roots.add(&cert) {
+            match roots.add(cert.0.clone().into()) {
                 Ok(_) => valid_count += 1,
                 Err(err) => {
                     crate::log::trace!("invalid cert der {:?}", cert.0);
@@ -50,20 +49,14 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
         self.with_root_certificates(roots)
     }
 
-    #[cfg(feature = "webpki-roots")]
+    #[cfg(all(feature = "webpki-roots", feature = "ring"))]
     #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
-    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
+    fn with_webpki_roots(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
         let mut roots = rustls::RootCertStore::empty();
-        roots.add_trust_anchors(
+        roots.extend(
             webpki_roots::TLS_SERVER_ROOTS
                 .iter()
-                .map(|ta| {
-                    rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                }),
+                .cloned(),
         );
         self.with_root_certificates(roots)
     }

src/connector/builder.rs

@@ -1,7 +1,10 @@
 use rustls::ClientConfig;
 
 use super::HttpsConnector;
-#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
+#[cfg(all(
+    any(feature = "rustls-native-certs", feature = "webpki-roots"),
+    feature = "ring"
+))]
 use crate::config::ConfigBuilderExt;
 
 #[cfg(feature = "tokio-runtime")]
@@ -57,7 +60,7 @@ impl ConnectorBuilder<WantsTlsConfig> {
     /// See [`ConfigBuilderExt::with_native_roots`]
     ///
     /// [with_safe_defaults]: rustls::ConfigBuilder::with_safe_defaults
-    #[cfg(feature = "rustls-native-certs")]
+    #[cfg(all(feature = "rustls-native-certs", feature = "ring"))]
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
     pub fn with_native_roots(self) -> ConnectorBuilder<WantsSchemes> {
         self.with_tls_config(

src/lib.rs

@@ -48,15 +48,15 @@
 //!
 //! // Load and return certificate.
 //! let certs = rustls_pemfile::certs(&mut reader).unwrap();
-//! let certs = certs.into_iter().map(rustls::Certificate).collect();
+//! let certs = certs.into_iter().map(Into::into).collect();
 //!
 //! // Load private key. (see `examples/server.rs`)
 //! let keyfile = File::open("examples/sample.rsa").unwrap();
 //! let mut reader = io::BufReader::new(keyfile);
 //!
 //! // Load and return a single private key.
 //! let keys = rustls_pemfile::rsa_private_keys(&mut reader).unwrap();
-//! let key = rustls::PrivateKey(keys[0].clone());
+//! let key = pki_types::PrivateKeyDer::Pkcs1(keys[0].clone().into());
 //! let https = hyper_rustls::HttpsConnectorBuilder::new()
 //!     .with_native_roots()
 //!     .https_only()
@@ -82,6 +82,7 @@
 #[cfg(feature = "acceptor")]
 /// TLS acceptor implementing hyper's `Accept` trait.
 pub mod acceptor;
+#[cfg(feature = "ring")]
 mod config;
 mod connector;
 mod stream;
@@ -100,6 +101,7 @@ mod log {
 
 #[cfg(feature = "acceptor")]
 pub use crate::acceptor::{AcceptorBuilder, TlsAcceptor};
+#[cfg(feature = "ring")]
 pub use crate::config::ConfigBuilderExt;
 pub use crate::connector::builder::ConnectorBuilder as HttpsConnectorBuilder;
 pub use crate::connector::HttpsConnector;