refactor(meshtls-rustls): use generalized key type
parent
2bb9b8980c
commit
53def53c32
|
|
@ -115,7 +115,6 @@ prost = { version = "0.13" }
|
||||||
prost-build = { version = "0.13", default-features = false }
|
prost-build = { version = "0.13", default-features = false }
|
||||||
prost-types = { version = "0.13" }
|
prost-types = { version = "0.13" }
|
||||||
tokio-rustls = { version = "0.26", default-features = false, features = [
|
tokio-rustls = { version = "0.26", default-features = false, features = [
|
||||||
"ring",
|
|
||||||
"logging",
|
"logging",
|
||||||
] }
|
] }
|
||||||
tonic = { version = "0.12", default-features = false }
|
tonic = { version = "0.12", default-features = false }
|
||||||
|
|
|
||||||
|
|
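Review bot: Removing `"ring"` from the `tokio-rustls` features at the top of this hunk means this manifest no longer selects a rustls crypto backend, so the `CryptoProvider::get_default()` call the store gains in this same commit depends on some other crate or module installing a provider before the first certificate arrives. Where that happens is not visible in this diff. A one-line manifest comment on the `tokio-rustls` entry, e.g. `# no crypto backend feature here: the provider is installed by <backend module>`, would save the next reader the search.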
@ -8,17 +8,12 @@ pub use self::{receiver::Receiver, store::Store};
|
||||||
use linkerd_dns_name as dns;
|
use linkerd_dns_name as dns;
|
||||||
use linkerd_error::Result;
|
use linkerd_error::Result;
|
||||||
use linkerd_identity as id;
|
use linkerd_identity as id;
|
||||||
use ring::error::KeyRejected;
|
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use thiserror::Error;
|
use thiserror::Error;
|
||||||
use tokio::sync::watch;
|
use tokio::sync::watch;
|
||||||
use tokio_rustls::rustls::{self, crypto::CryptoProvider};
|
use tokio_rustls::rustls::{self, crypto::CryptoProvider};
|
||||||
use tracing::warn;
|
use tracing::warn;
|
||||||
|
|
||||||
#[derive(Debug, Error)]
|
|
||||||
#[error("{0}")]
|
|
||||||
pub struct InvalidKey(#[source] KeyRejected);
|
|
||||||
|
|
||||||
#[derive(Debug, Error)]
|
#[derive(Debug, Error)]
|
||||||
#[error("invalid trust roots")]
|
#[error("invalid trust roots")]
|
||||||
pub struct InvalidTrustRoots(());
|
pub struct InvalidTrustRoots(());
|
||||||
|
|
@ -118,12 +113,8 @@ mod params {
|
||||||
use tokio_rustls::rustls::{self, crypto::WebPkiSupportedAlgorithms};
|
use tokio_rustls::rustls::{self, crypto::WebPkiSupportedAlgorithms};
|
||||||
|
|
||||||
// These must be kept in sync:
|
// These must be kept in sync:
|
||||||
pub static SIGNATURE_ALG_RING_SIGNING: &ring::signature::EcdsaSigningAlgorithm =
|
|
||||||
&ring::signature::ECDSA_P256_SHA256_ASN1_SIGNING;
|
|
||||||
pub const SIGNATURE_ALG_RUSTLS_SCHEME: rustls::SignatureScheme =
|
pub const SIGNATURE_ALG_RUSTLS_SCHEME: rustls::SignatureScheme =
|
||||||
rustls::SignatureScheme::ECDSA_NISTP256_SHA256;
|
rustls::SignatureScheme::ECDSA_NISTP256_SHA256;
|
||||||
pub const SIGNATURE_ALG_RUSTLS_ALGORITHM: rustls::SignatureAlgorithm =
|
|
||||||
rustls::SignatureAlgorithm::ECDSA;
|
|
||||||
pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = backend::SUPPORTED_SIG_ALGS;
|
pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = backend::SUPPORTED_SIG_ALGS;
|
||||||
pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
|
pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
|
||||||
pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
|
pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
|
||||||
|
|
|
||||||
|
|
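Review bot: The comment `// These must be kept in sync:` in the `mod params` hunk is now stale: it used to head three constants (the ring signing algorithm, the rustls scheme and the rustls algorithm) and after this change only `SIGNATURE_ALG_RUSTLS_SCHEME` follows it, so nothing remains in this block for it to be in sync with. Either drop it or say what the remaining constant must agree with, e.g. `// Must match the scheme the verifier accepts (SUPPORTED_SIG_ALGS); the signing side now derives its scheme from the DER key itself`. Whether `SIGNATURE_ALG_RUSTLS_SCHEME` is still read anywhere after the `Key` signer was deleted is not visible here; if it is not, removing it with the others would be cleaner than leaving a dangling pin.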
@ -1,12 +1,16 @@
|
||||||
use super::{default_provider, params::*, InvalidKey};
|
use super::{default_provider, params::*};
|
||||||
use linkerd_dns_name as dns;
|
use linkerd_dns_name as dns;
|
||||||
use linkerd_error::Result;
|
use linkerd_error::Result;
|
||||||
use linkerd_identity as id;
|
use linkerd_identity as id;
|
||||||
use linkerd_meshtls_verifier as verifier;
|
use linkerd_meshtls_verifier as verifier;
|
||||||
use ring::{rand, signature::EcdsaKeyPair};
|
|
||||||
use std::{convert::TryFrom, sync::Arc};
|
use std::{convert::TryFrom, sync::Arc};
|
||||||
use tokio::sync::watch;
|
use tokio::sync::watch;
|
||||||
use tokio_rustls::rustls::{self, pki_types::UnixTime, server::WebPkiClientVerifier};
|
use tokio_rustls::rustls::{
|
||||||
|
self,
|
||||||
|
pki_types::{PrivatePkcs8KeyDer, UnixTime},
|
||||||
|
server::WebPkiClientVerifier,
|
||||||
|
sign::CertifiedKey,
|
||||||
|
};
|
||||||
use tracing::debug;
|
use tracing::debug;
|
||||||
|
|
||||||
pub struct Store {
|
pub struct Store {
|
||||||
|
|
@ -16,12 +20,8 @@ pub struct Store {
|
||||||
server_name: dns::Name,
|
server_name: dns::Name,
|
||||||
client_tx: watch::Sender<Arc<rustls::ClientConfig>>,
|
client_tx: watch::Sender<Arc<rustls::ClientConfig>>,
|
||||||
server_tx: watch::Sender<Arc<rustls::ServerConfig>>,
|
server_tx: watch::Sender<Arc<rustls::ServerConfig>>,
|
||||||
random: ring::rand::SystemRandom,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone, Debug)]
|
|
||||||
struct Key(Arc<EcdsaKeyPair>);
|
|
||||||
|
|
||||||
#[derive(Clone, Debug)]
|
#[derive(Clone, Debug)]
|
||||||
struct CertResolver(Arc<rustls::sign::CertifiedKey>);
|
struct CertResolver(Arc<rustls::sign::CertifiedKey>);
|
||||||
|
|
||||||
|
|
@ -90,7 +90,6 @@ impl Store {
|
||||||
server_name,
|
server_name,
|
||||||
client_tx,
|
client_tx,
|
||||||
server_tx,
|
server_tx,
|
||||||
random: ring::rand::SystemRandom::new(),
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -147,13 +146,11 @@ impl id::Credentials for Store {
|
||||||
// Use the client's verifier to validate the certificate for our local name.
|
// Use the client's verifier to validate the certificate for our local name.
|
||||||
self.validate(&chain)?;
|
self.validate(&chain)?;
|
||||||
|
|
||||||
let key = EcdsaKeyPair::from_pkcs8(SIGNATURE_ALG_RING_SIGNING, &key, &self.random)
|
let key_der = PrivatePkcs8KeyDer::from(key);
|
||||||
.map_err(InvalidKey)?;
|
let provider = rustls::crypto::CryptoProvider::get_default()
|
||||||
|
.expect("Failed to get default crypto provider");
|
||||||
let resolver = Arc::new(CertResolver(Arc::new(rustls::sign::CertifiedKey::new(
|
let key = CertifiedKey::from_der(chain, key_der.into(), provider)?;
|
||||||
chain,
|
let resolver = Arc::new(CertResolver(Arc::new(key)));
|
||||||
Arc::new(Key(Arc::new(key))),
|
|
||||||
))));
|
|
||||||
|
|
||||||
// Build new client and server TLS configs.
|
// Build new client and server TLS configs.
|
||||||
let client = self.client_config(resolver.clone());
|
let client = self.client_config(resolver.clone());
|
||||||
|
|
@ -167,39 +164,6 @@ impl id::Credentials for Store {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// === impl Key ===
|
|
||||||
|
|
||||||
impl rustls::sign::SigningKey for Key {
|
|
||||||
fn choose_scheme(
|
|
||||||
&self,
|
|
||||||
offered: &[rustls::SignatureScheme],
|
|
||||||
) -> Option<Box<dyn rustls::sign::Signer>> {
|
|
||||||
if !offered.contains(&SIGNATURE_ALG_RUSTLS_SCHEME) {
|
|
||||||
return None;
|
|
||||||
}
|
|
||||||
|
|
||||||
Some(Box::new(self.clone()))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn algorithm(&self) -> rustls::SignatureAlgorithm {
|
|
||||||
SIGNATURE_ALG_RUSTLS_ALGORITHM
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
impl rustls::sign::Signer for Key {
|
|
||||||
fn sign(&self, message: &[u8]) -> Result<Vec<u8>, rustls::Error> {
|
|
||||||
let rng = rand::SystemRandom::new();
|
|
||||||
self.0
|
|
||||||
.sign(&rng, message)
|
|
||||||
.map(|signature| signature.as_ref().to_owned())
|
|
||||||
.map_err(|ring::error::Unspecified| rustls::Error::General("Signing Failed".to_owned()))
|
|
||||||
}
|
|
||||||
|
|
||||||
fn scheme(&self) -> rustls::SignatureScheme {
|
|
||||||
SIGNATURE_ALG_RUSTLS_SCHEME
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// === impl CertResolver ===
|
// === impl CertResolver ===
|
||||||
|
|
||||||
impl CertResolver {
|
impl CertResolver {
|
||||||
|
|
|
||||||
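Review bot: In the `impl id::Credentials for Store` hunk (`@ -147,13 +146,11 @@`), `CryptoProvider::get_default().expect("Failed to get default crypto provider")` turns a missing process-wide provider into a panic on the certificate-update path, whereas the code it replaces returned an error (`InvalidKey`) for the failure it could hit; the enclosing method starts and ends outside the hunk. `get_default()` is only `Some` once something has installed a default provider, so this is an ordering assumption on the rest of the process rather than an invariant of this method. Since the method already returns `linkerd_error::Result`, propagate instead, e.g. `let provider = rustls::crypto::CryptoProvider::get_default()` / `    .ok_or("no default rustls CryptoProvider installed")?;` (assuming the usual boxed error type), or pass the `default_provider` this file still imports from `super` if that is the provider the configs are built with. Separately, `CertifiedKey::from_der` accepts whatever key types the provider supports, while the deleted `Key` signer only ever offered `ECDSA_NISTP256_SHA256`; if P-256 is still a requirement it is no longer enforced here and should be checked elsewhere or documented as intentionally relaxed.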