refactor(meshtls-rustls): use generalized key type
This commit is contained in:
Oliver Gould
parent
2bb9b8980c
commit
53def53c32
|
|
@ -115,7 +115,6 @@ prost = { version = "0.13" }
|
|||
prost-build = { version = "0.13", default-features = false }
|
||||
prost-types = { version = "0.13" }
|
||||
tokio-rustls = { version = "0.26", default-features = false, features = [
|
||||
"ring",
|
||||
"logging",
|
||||
] }
|
||||
tonic = { version = "0.12", default-features = false }
|
||||
|
|
|
|||
|
|
@ -8,17 +8,12 @@ pub use self::{receiver::Receiver, store::Store};
|
|||
use linkerd_dns_name as dns;
|
||||
use linkerd_error::Result;
|
||||
use linkerd_identity as id;
|
||||
use ring::error::KeyRejected;
|
||||
use std::sync::Arc;
|
||||
use thiserror::Error;
|
||||
use tokio::sync::watch;
|
||||
use tokio_rustls::rustls::{self, crypto::CryptoProvider};
|
||||
use tracing::warn;
|
||||
|
||||
#[derive(Debug, Error)]
|
||||
#[error("{0}")]
|
||||
pub struct InvalidKey(#[source] KeyRejected);
|
||||
|
||||
#[derive(Debug, Error)]
|
||||
#[error("invalid trust roots")]
|
||||
pub struct InvalidTrustRoots(());
|
||||
|
|
@ -118,12 +113,8 @@ mod params {
|
|||
use tokio_rustls::rustls::{self, crypto::WebPkiSupportedAlgorithms};
|
||||
|
||||
// These must be kept in sync:
|
||||
pub static SIGNATURE_ALG_RING_SIGNING: &ring::signature::EcdsaSigningAlgorithm =
|
||||
&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING;
|
||||
pub const SIGNATURE_ALG_RUSTLS_SCHEME: rustls::SignatureScheme =
|
||||
rustls::SignatureScheme::ECDSA_NISTP256_SHA256;
|
||||
pub const SIGNATURE_ALG_RUSTLS_ALGORITHM: rustls::SignatureAlgorithm =
|
||||
rustls::SignatureAlgorithm::ECDSA;
|
||||
pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = backend::SUPPORTED_SIG_ALGS;
|
||||
pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
|
||||
pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
|
||||
|
|
|
|||
|
|
@ -1,12 +1,16 @@
|
|||
use super::{default_provider, params::*, InvalidKey};
|
||||
use super::{default_provider, params::*};
|
||||
use linkerd_dns_name as dns;
|
||||
use linkerd_error::Result;
|
||||
use linkerd_identity as id;
|
||||
use linkerd_meshtls_verifier as verifier;
|
||||
use ring::{rand, signature::EcdsaKeyPair};
|
||||
use std::{convert::TryFrom, sync::Arc};
|
||||
use tokio::sync::watch;
|
||||
use tokio_rustls::rustls::{self, pki_types::UnixTime, server::WebPkiClientVerifier};
|
||||
use tokio_rustls::rustls::{
|
||||
self,
|
||||
pki_types::{PrivatePkcs8KeyDer, UnixTime},
|
||||
server::WebPkiClientVerifier,
|
||||
sign::CertifiedKey,
|
||||
};
|
||||
use tracing::debug;
|
||||
|
||||
pub struct Store {
|
||||
|
|
@ -16,12 +20,8 @@ pub struct Store {
|
|||
server_name: dns::Name,
|
||||
client_tx: watch::Sender<Arc<rustls::ClientConfig>>,
|
||||
server_tx: watch::Sender<Arc<rustls::ServerConfig>>,
|
||||
random: ring::rand::SystemRandom,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug)]
|
||||
struct Key(Arc<EcdsaKeyPair>);
|
||||
|
||||
#[derive(Clone, Debug)]
|
||||
struct CertResolver(Arc<rustls::sign::CertifiedKey>);
|
||||
|
||||
|
|
@ -90,7 +90,6 @@ impl Store {
|
|||
server_name,
|
||||
client_tx,
|
||||
server_tx,
|
||||
random: ring::rand::SystemRandom::new(),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -147,13 +146,11 @@ impl id::Credentials for Store {
|
|||
// Use the client's verifier to validate the certificate for our local name.
|
||||
self.validate(&chain)?;
|
||||
|
||||
let key = EcdsaKeyPair::from_pkcs8(SIGNATURE_ALG_RING_SIGNING, &key, &self.random)
|
||||
.map_err(InvalidKey)?;
|
||||
|
||||
let resolver = Arc::new(CertResolver(Arc::new(rustls::sign::CertifiedKey::new(
|
||||
chain,
|
||||
Arc::new(Key(Arc::new(key))),
|
||||
))));
|
||||
let key_der = PrivatePkcs8KeyDer::from(key);
|
||||
let provider = rustls::crypto::CryptoProvider::get_default()
|
||||
.expect("Failed to get default crypto provider");
|
||||
let key = CertifiedKey::from_der(chain, key_der.into(), provider)?;
|
||||
let resolver = Arc::new(CertResolver(Arc::new(key)));
|
||||
|
||||
// Build new client and server TLS configs.
|
||||
let client = self.client_config(resolver.clone());
|
||||
|
|
@ -167,39 +164,6 @@ impl id::Credentials for Store {
|
|||
}
|
||||
}
|
||||
|
||||
// === impl Key ===
|
||||
|
||||
impl rustls::sign::SigningKey for Key {
|
||||
fn choose_scheme(
|
||||
&self,
|
||||
offered: &[rustls::SignatureScheme],
|
||||
) -> Option<Box<dyn rustls::sign::Signer>> {
|
||||
if !offered.contains(&SIGNATURE_ALG_RUSTLS_SCHEME) {
|
||||
return None;
|
||||
}
|
||||
|
||||
Some(Box::new(self.clone()))
|
||||
}
|
||||
|
||||
fn algorithm(&self) -> rustls::SignatureAlgorithm {
|
||||
SIGNATURE_ALG_RUSTLS_ALGORITHM
|
||||
}
|
||||
}
|
||||
|
||||
impl rustls::sign::Signer for Key {
|
||||
fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
|
||||
let rng = rand::SystemRandom::new();
|
||||
self.0
|
||||
.sign(&rng, message)
|
||||
.map(|signature| signature.as_ref().to_owned())
|
||||
.map_err(|ring::error::Unspecified| rustls::Error::General("Signing Failed".to_owned()))
|
||||
}
|
||||
|
||||
fn scheme(&self) -> rustls::SignatureScheme {
|
||||
SIGNATURE_ALG_RUSTLS_SCHEME
|
||||
}
|
||||
}
|
||||
|
||||
// === impl CertResolver ===
|
||||
|
||||
impl CertResolver {
|
||||
|
|
|
|||
Loading…
Reference in New Issue