Merge pull request #639 from swimos/dependabot/cargo/tokio-rustls-0.26

Update tokio-rustls requirement from 0.23 to 0.26

.github/workflows/ci.yml

@@ -24,6 +24,20 @@ jobs:
         with:
           toolchain: ${{ env.latest_version }}
       - uses: Swatinem/rust-cache@v2
+      - name: Install NASM for aws-lc-rs on Windows
+        if: runner.os == 'Windows'
+        uses: ilammy/setup-nasm@v1
+
+      - name: Install ninja-build tool for aws-lc-fips-sys on Windows
+        if: runner.os == 'Windows'
+        uses: seanmiddleditch/gha-setup-ninja@v5
+
+      - name: Install golang for aws-lc-fips-sys on macos
+        if: runner.os == 'MacOS'
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.22.2"
+
       - run: cargo test --all-features --workspace --lib --tests --profile "ci"
 
   # Check step to ensure that all targets are valid as the test step doesn't run them.

Cargo.toml

@@ -95,11 +95,11 @@ flate2 = "1.0.22"
 bitflags = "2.5"
 rocksdb = "0.22"
 integer-encoding = "4.0.0"
-rustls = "0.20"
+rustls = "0.23.10"
 webpki = "0.22"
-webpki-roots = "0.22"
-tokio-rustls = "0.23"
-rustls-pemfile = "1.0.0"
+webpki-roots = "0.26.3"
+tokio-rustls = "0.26"
+rustls-pemfile = "2.1.2"
 trust-dns-resolver = "0.23.2"
 clap = "4.1"
 crossbeam-queue = { version = "0.3" }

runtime/swimos_remote/src/tls/config/mod.rs

@@ -12,6 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use rustls::crypto::CryptoProvider;
+use std::sync::Arc;
+
 /// Supported certificate formats for TLS connections.
 pub enum CertFormat {
     Pem,
@@ -60,9 +63,11 @@ impl PrivateKey {
         Self::new(CertFormat::Pem, body)
     }
 }
-/// Combined TLS configuration (both server and client)/
+/// Combined TLS configuration (both server and client).
 pub struct TlsConfig {
+    /// Configuration parameters for a TLS client.
     pub client: ClientConfig,
+    /// Configuration parameters for a TLS server.
     pub server: ServerConfig,
 }
 
@@ -74,17 +79,26 @@ impl TlsConfig {
 
 /// Configuration parameters for a TLS server.
 pub struct ServerConfig {
+    /// A chain of TLS certificates (starting with the server certificate and ending with the CA).
     pub chain: CertChain,
+    /// An unvalidated private key for a server.
     pub key: PrivateKey,
+    /// Whether to enable a [`rustls::KeyLog`] implementation that opens a file whose name is given by the
+    /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled,
+    /// if `SSLKEYLOGFILE` is not set, it will do nothing.
     pub enable_log_file: bool,
+    /// Process-wide [`CryptoProvider`] that must already have been installed as the default
+    /// provider.
+    pub provider: Arc<CryptoProvider>,
 }
 
 impl ServerConfig {
-    pub fn new(chain: CertChain, key: PrivateKey) -> Self {
+    pub fn new(chain: CertChain, key: PrivateKey, provider: Arc<CryptoProvider>) -> Self {
         ServerConfig {
             chain,
             key,
             enable_log_file: false,
+            provider,
         }
     }
 }

runtime/swimos_remote/src/tls/errors.rs

@@ -25,7 +25,7 @@ pub enum TlsError {
     InvalidPrivateKey,
     /// Certificate validation failed.
     #[error("Invalid certificate: {0}")]
-    BadCertificate(#[from] webpki::Error),
+    BadCertificate(#[from] rustls::Error),
     /// The provided host name was invalid.
     #[error("Invalid DNS host name.")]
     BadHostName,

runtime/swimos_remote/src/tls/net/client.rs

@@ -15,7 +15,8 @@
 use std::{net::SocketAddr, sync::Arc};
 
 use futures::{future::BoxFuture, FutureExt};
-use rustls::{OwnedTrustAnchor, RootCertStore, ServerName};
+use rustls::pki_types::ServerName;
+use rustls::RootCertStore;
 
 use crate::dns::{BoxDnsResolver, DnsResolver, Resolver};
 use crate::net::{ClientConnections, ConnectionError, ConnectionResult, Scheme};
@@ -49,25 +50,16 @@ impl RustlsClientNetworking {
         } = config;
         let mut root_store = RootCertStore::empty();
         if use_webpki_roots {
-            root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(
-                |ta| {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                },
-            ));
+            root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned())
         }
 
         for cert in custom_roots {
             for c in super::load_cert_file(cert)? {
-                root_store.add(&c)?;
+                root_store.add(c)?;
             }
         }
 
         let config = rustls::ClientConfig::builder()
-            .with_safe_defaults()
             .with_root_certificates(root_store)
             .with_no_client_auth();
 
@@ -93,10 +85,10 @@ impl ClientConnections for RustlsClientNetworking {
             .boxed(),
             Scheme::Wss => {
                 let domain = if let Some(host_name) = host {
-                    ServerName::try_from(host_name)
+                    ServerName::try_from(host_name.to_string())
                         .map_err(|err| ConnectionError::BadParameter(err.to_string()))
                 } else {
-                    Ok(ServerName::IpAddress(addr.ip()))
+                    Ok(ServerName::IpAddress(addr.ip().into()))
                 };
                 async move {
                     let stream = TcpStream::connect(addr).await?;

runtime/swimos_remote/src/tls/net/mod.rs

@@ -26,6 +26,7 @@ pub use client::RustlsClientNetworking;
 use futures::future::Either;
 use futures::TryFutureExt;
 use futures::{future::BoxFuture, FutureExt};
+use rustls::pki_types::CertificateDer;
 pub use server::{RustlsListener, RustlsServerNetworking};
 
 use crate::tls::{
@@ -36,16 +37,17 @@ use crate::tls::{
 
 use self::server::MaybeRustTlsListener;
 
-fn load_cert_file(file: CertificateFile) -> Result<Vec<rustls::Certificate>, TlsError> {
+fn load_cert_file(file: CertificateFile) -> Result<Vec<CertificateDer<'static>>, TlsError> {
     let CertificateFile { format, body } = file;
-    let certs = match format {
+    match format {
         CertFormat::Pem => {
             let mut body_ref = body.as_ref();
-            rustls_pemfile::certs(&mut body_ref).map_err(TlsError::InvalidPem)?
+            rustls_pemfile::certs(&mut body_ref)
+                .map(|r| r.map_err(TlsError::InvalidPem))
+                .collect()
         }
-        CertFormat::Der => vec![body],
-    };
-    Ok(certs.into_iter().map(rustls::Certificate).collect())
+        CertFormat::Der => Ok(vec![CertificateDer::from(body)]),
+    }
 }
 
 /// Combined implementation of [`ClientConnections`] and [`ServerConnections`] that wraps

runtime/swimos_remote/src/tls/net/server.rs

@@ -22,6 +22,7 @@ use futures::{
     stream::{unfold, BoxStream, FuturesUnordered},
     Future, FutureExt, Stream, StreamExt, TryStreamExt,
 };
+use rustls::pki_types::PrivateKeyDer;
 use rustls::KeyLogFile;
 use rustls_pemfile::Item;
 use tokio::net::{TcpListener, TcpStream};
@@ -73,6 +74,7 @@ impl TryFrom<ServerConfig> for RustlsServerNetworking {
             chain: CertChain(certs),
             key,
             enable_log_file,
+            provider,
         } = config;
 
         let mut chain = vec![];
@@ -85,19 +87,19 @@ impl TryFrom<ServerConfig> for RustlsServerNetworking {
             CertFormat::Pem => {
                 let mut body_ref = body.as_ref();
                 match rustls_pemfile::read_one(&mut body_ref).map_err(TlsError::InvalidPem)? {
-                    Some(Item::ECKey(body) | Item::PKCS8Key(body) | Item::RSAKey(body)) => {
-                        rustls::PrivateKey(body)
-                    }
-                    _ => {
-                        return Err(TlsError::InvalidPrivateKey);
-                    }
+                    Some(Item::Sec1Key(body)) => PrivateKeyDer::from(body),
+                    Some(Item::Pkcs8Key(body)) => PrivateKeyDer::from(body),
+                    Some(Item::Pkcs1Key(body)) => PrivateKeyDer::from(body),
+                    _ => return Err(TlsError::InvalidPrivateKey),
                 }
             }
-            CertFormat::Der => rustls::PrivateKey(body),
+            CertFormat::Der => {
+                PrivateKeyDer::try_from(body).map_err(|_| TlsError::InvalidPrivateKey)?
+            }
         };
 
-        let mut config = rustls::ServerConfig::builder()
-            .with_safe_defaults()
+        let mut config = rustls::ServerConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()?
             .with_no_client_auth()
             .with_single_cert(chain, server_key)
             .expect("Invalid certs or private key.");

runtime/swimos_remote/src/tls/net/tests.rs

@@ -46,11 +46,18 @@ fn make_server_config() -> ServerConfig {
         CertificateFile::der(ca_cert),
     ]);
 
+    let provider = rustls::crypto::aws_lc_rs::default_provider();
+    provider
+        .clone()
+        .install_default()
+        .expect("Crypto Provider has already been initialised elsewhere.");
+
     let key = PrivateKey::der(server_key);
     ServerConfig {
         chain,
         key,
         enable_log_file: false,
+        provider: Arc::new(provider),
     }
 }