From 0918fb3fe49d14568e946fac5d62026795986afd Mon Sep 17 00:00:00 2001
From: sigoden
Date: Tue, 2 Aug 2022 09:32:11 +0800
Subject: [PATCH] feat: support ecdsa tls cert (#119)
---
 src/tls.rs | 13 +++++++------
 tests/data/cert_ecdsa.pem | 11 +++++++++++
 tests/data/generate_tls_certs.sh | 2 ++
 tests/data/key_ecdsa.pem | 5 +++++
 tests/tls.rs | 4 ++++
 5 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 tests/data/cert_ecdsa.pem
 create mode 100644 tests/data/key_ecdsa.pem
diff --git a/src/tls.rs b/src/tls.rs
index b29353e..92b0caa 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -125,9 +125,9 @@ impl Accept for TlsAcceptor {
 // Load public certificate from file.
 pub fn load_certs(filename: &str) -> Result, Box> {
 // Open certificate file.
- let certfile = fs::File::open(&filename)
+ let cert_file = fs::File::open(&filename)
 .map_err(|e| format!("Failed to access `{}`, {}", &filename, e))?;
- let mut reader = io::BufReader::new(certfile);
+ let mut reader = io::BufReader::new(cert_file);
 // Load and return certificate.
 let certs = rustls_pemfile::certs(&mut reader).map_err(|_| "Failed to load certificate")?;
@@ -139,17 +139,18 @@ pub fn load_certs(filename: &str) -> Result, Box Result> {
- // Open keyfile.
- let keyfile = fs::File::open(&filename)
+ let key_file = fs::File::open(&filename)
 .map_err(|e| format!("Failed to access `{}`, {}", &filename, e))?;
- let mut reader = io::BufReader::new(keyfile);
+ let mut reader = io::BufReader::new(key_file);
 // Load and return a single private key.
 let keys = rustls_pemfile::read_all(&mut reader)
 .map_err(|e| format!("There was a problem with reading private key: {:?}", e))?
 .into_iter()
 .find_map(|item| match item {
- rustls_pemfile::Item::RSAKey(key) | rustls_pemfile::Item::PKCS8Key(key) => Some(key),
+ rustls_pemfile::Item::RSAKey(key)
+ | rustls_pemfile::Item::PKCS8Key(key)
+ | rustls_pemfile::Item::ECKey(key) => Some(key),
 _ => None,
 })
 .ok_or("No supported private key in file")?;
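Review bot: Nothing in the new `ECKey` arm checks the key encoding: the SEC1 (`EC PRIVATE KEY`) DER bytes go straight through as `Some(key)` exactly like the RSA and PKCS#8 arms, so whether rustls's signer accepts SEC1 rather than only PKCS#8 depends on the rustls version in use, and the new case in tests/tls.rs is what pins that — it should stay. Because `find_map` takes the first recognised item and skips every other section, a file holding only an `ENCRYPTED PRIVATE KEY` block (which rustls_pemfile, as far as I can see, has no way to decrypt) ends in the generic `No supported private key in file` error with no hint why. I would document the contract on the function, `/// Loads the first unencrypted private key (PKCS#1 RSA, PKCS#8, or SEC1 EC) found in a PEM file; other sections are ignored.`, and make the failure self-explaining: `.ok_or("No supported private key in file (expected an unencrypted PKCS#1 RSA, PKCS#8, or SEC1 EC key)")?`. `load_private_key`'s signature sits in the garbled hunk header and its return is past the end of the hunk.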
diff --git a/tests/data/cert_ecdsa.pem b/tests/data/cert_ecdsa.pem
new file mode 100644
index 0000000..1f381c7
--- /dev/null
+++ b/tests/data/cert_ecdsa.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBfTCCASOgAwIBAgIUfrAUHXIfeM54OLnTIUD9xT6FIwkwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIyMDgwMjAxMjQ1NFoXDTMyMDczMDAx
+MjQ1NFowFDESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEW4tBe0jF2wYSLCvdreb0izR/8sgKNKkbe4xPyA9uNEbtTk58eoO3944R
+JPT6S5wRTHFpF0BJhQRfiuW4K2EUcaNTMFEwHQYDVR0OBBYEFEebUDkiMJoV2d5W
+8o+6p4DauHFFMB8GA1UdIwQYMBaAFEebUDkiMJoV2d5W8o+6p4DauHFFMA8GA1Ud
+EwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAPJvmzqaq/S5yYxeB4se8k2z
+6pnVNxrTT2CqdPD8Z+7rAiBZAyU+5+KbQq3aZsmuNUx+YOqTDMkaUR/nd/tjnnOX
+gA==
+-----END CERTIFICATE-----
diff --git a/tests/data/generate_tls_certs.sh b/tests/data/generate_tls_certs.sh
index ed23639..e8590de 100755
--- a/tests/data/generate_tls_certs.sh
+++ b/tests/data/generate_tls_certs.sh
@@ -1,3 +1,5 @@
 #!/usr/bin/env bash
 openssl req -subj '/CN=localhost' -x509 -newkey rsa:4096 -keyout key_pkcs8.pem -out cert.pem -nodes -days 3650
 openssl rsa -in key_pkcs8.pem -out key_pkcs1.pem
+openssl ecparam -name prime256v1 -genkey -noout -out key_ecdsa.pem
+openssl req -subj '/CN=localhost' -x509 -key key_ecdsa.pem -out cert_ecdsa.pem -nodes -days 3650
\ No newline at end of file
diff --git a/tests/data/key_ecdsa.pem b/tests/data/key_ecdsa.pem
new file mode 100644
index 0000000..8eec7ad
--- /dev/null
+++ b/tests/data/key_ecdsa.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILOQ44lHqD4w12HJKlZJ+Y3u91eUKjabu3UKPSahhC89oAoGCCqGSM49
+AwEHoUQDQgAEW4tBe0jF2wYSLCvdreb0izR/8sgKNKkbe4xPyA9uNEbtTk58eoO3
+944RJPT6S5wRTHFpF0BJhQRfiuW4K2EUcQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/tls.rs b/tests/tls.rs
index ca4c65c..4f83c90 100644
--- a/tests/tls.rs
+++ b/tests/tls.rs
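Review bot: The second added `openssl req` line ends without a trailing newline (`\ No newline at end of file`), so the next command appended to this script would fuse onto it; end the file with a newline. `-nodes` on that same line is a no-op because the key is supplied with `-key` rather than generated by `-newkey`, so the command can shrink to `openssl req -subj '/CN=localhost' -x509 -key key_ecdsa.pem -out cert_ecdsa.pem -days 3650`. Since the generated key and certificate are committed as fixtures alongside this script, a header comment such as `# Throwaway self-signed localhost fixtures for the TLS tests; never reuse these keys elsewhere.` would keep readers and secret scanners from mistaking them for live material.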
@@ -17,6 +17,10 @@ use rstest::rstest;
 "--tls-cert", "tests/data/cert.pem",
 "--tls-key", "tests/data/key_pkcs1.pem",
 ]))]
+#[case(server(&[
+ "--tls-cert", "tests/data/cert_ecdsa.pem",
+ "--tls-key", "tests/data/key_ecdsa.pem",
+]))]
 fn tls_works(#[case] server: TestServer) -> Result<(), Error> {
 let client = ClientBuilder::new()
 .danger_accept_invalid_certs(true)
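Review bot: The added case never checks which certificate or key type the server actually served, because the client a few lines down runs with `danger_accept_invalid_certs(true)`; it proves only that the SEC1 key loads and a handshake completes. A companion case pairing `tests/data/cert.pem` with `tests/data/key_ecdsa.pem` would pin how a cert/key mismatch surfaces — at startup or only at handshake time — which I cannot tell from here and which the rustls version decides, so the expected outcome needs confirming before it is asserted. The body of `tls_works` continues past the end of the hunk.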