fix(*): replace rustls-pemfile (#3855)

This commit is contained in:
Yuki Okushi 2025-12-12 08:11:24 +09:00 committed by GitHub
parent 917b5f2048
commit 41f99b0ddd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 35 additions and 103 deletions

19
Cargo.lock generated

@ -113,7 +113,7 @@ dependencies = [
"rcgen", "rcgen",
"regex", "regex",
"rustls 0.23.35", "rustls 0.23.35",
"rustls-pemfile", "rustls-pki-types",
"rustversion", "rustversion",
"serde", "serde",
"serde_json", "serde_json",
@ -388,7 +388,7 @@ dependencies = [
"regex", "regex",
"regex-lite", "regex-lite",
"rustls 0.23.35", "rustls 0.23.35",
"rustls-pemfile", "rustls-pki-types",
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
@ -649,7 +649,7 @@ dependencies = [
"rustls 0.21.12", "rustls 0.21.12",
"rustls 0.22.4", "rustls 0.22.4",
"rustls 0.23.35", "rustls 0.23.35",
"rustls-pemfile", "rustls-pki-types",
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
@ -2531,20 +2531,11 @@ dependencies = [
"security-framework", "security-framework",
] ]
[[package]]
name = "rustls-pemfile"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
dependencies = [
"rustls-pki-types",
]
[[package]] [[package]]
name = "rustls-pki-types" name = "rustls-pki-types"
version = "1.13.0" version = "1.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "94182ad936a0c91c324cd46c6511b9510ed16af436d7b5bab34beab0afd55f7a" checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c"
dependencies = [ dependencies = [
"zeroize", "zeroize",
] ]


@ -149,7 +149,7 @@ memchr = "2.4"
once_cell = "1.21" once_cell = "1.21"
rcgen = "0.13" rcgen = "0.13"
regex = "1.3" regex = "1.3"
rustls-pemfile = "2" rustls-pki-types = "1.13.1"
rustversion = "1" rustversion = "1"
serde = { version = "1", features = ["derive"] } serde = { version = "1", features = ["derive"] }
serde_json = "1.0" serde_json = "1.0"


@ -45,25 +45,14 @@ async fn main() -> io::Result<()> {
fn rustls_config() -> rustls::ServerConfig { fn rustls_config() -> rustls::ServerConfig {
let rcgen::CertifiedKey { cert, key_pair } = let rcgen::CertifiedKey { cert, key_pair } =
rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
let cert_file = cert.pem(); let cert_chain = vec![cert.der().clone()];
let key_file = key_pair.serialize_pem(); let key_der = rustls_pki_types::PrivateKeyDer::Pkcs8(
rustls_pki_types::PrivatePkcs8KeyDer::from(key_pair.serialize_der()),
let cert_file = &mut io::BufReader::new(cert_file.as_bytes()); );
let key_file = &mut io::BufReader::new(key_file.as_bytes());
let cert_chain = rustls_pemfile::certs(cert_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
let mut keys = rustls_pemfile::pkcs8_private_keys(key_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
let mut config = rustls::ServerConfig::builder() let mut config = rustls::ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert( .with_single_cert(cert_chain, key_der)
cert_chain,
rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)),
)
.unwrap(); .unwrap();
const H1_ALPN: &[u8] = b"http/1.1"; const H1_ALPN: &[u8] = b"http/1.1";
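Review bot: The new `key_der` construction gives no hint why the `Pkcs8` variant is the right wrapper for `key_pair.serialize_der()`, and nothing marks this config as development-only, so a reader who later swaps in a key loaded from disk has no cue that the variant must match the key's encoding. The removed path makes the encoding evident (it parsed the PEM form with `pkcs8_private_keys`), so I would add above `let key_der` the comment `// rcgen's serialize_der() yields a PKCS#8 DER key, hence the Pkcs8 variant (the old PEM path parsed it with pkcs8_private_keys for the same reason).` and above the `generate_simple_self_signed` call the comment `// Development only: a throwaway self-signed cert for "localhost" is generated on every start; a real deployment must load a CA-issued chain and its key instead.` The body of `rustls_config` continues past the end of this hunk.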


@ -82,29 +82,16 @@ impl Stream for Heartbeat {
} }
fn tls_config() -> rustls::ServerConfig { fn tls_config() -> rustls::ServerConfig {
use std::io::BufReader;
use rustls_pemfile::{certs, pkcs8_private_keys};
let rcgen::CertifiedKey { cert, key_pair } = let rcgen::CertifiedKey { cert, key_pair } =
rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
let cert_file = cert.pem(); let cert_chain = vec![cert.der().clone()];
let key_file = key_pair.serialize_pem(); let key_der = rustls_pki_types::PrivateKeyDer::Pkcs8(
rustls_pki_types::PrivatePkcs8KeyDer::from(key_pair.serialize_der()),
let cert_file = &mut BufReader::new(cert_file.as_bytes()); );
let key_file = &mut BufReader::new(key_file.as_bytes());
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let mut keys = pkcs8_private_keys(key_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
let mut config = rustls::ServerConfig::builder() let mut config = rustls::ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert( .with_single_cert(cert_chain, key_der)
cert_chain,
rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)),
)
.unwrap(); .unwrap();
config.alpn_protocols.push(b"http/1.1".to_vec()); config.alpn_protocols.push(b"http/1.1".to_vec());
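Review bot: The two fully qualified `rustls_pki_types::` paths in the new `key_der` expression are the only thing in this example that needs the newly added direct `rustls-pki-types` dependency; the removed code reached the same family of types through `rustls::pki_types::PrivateKeyDer`, and `PrivatePkcs8KeyDer` is presumably available on that same re-export. Using the re-export keeps both types bound to the `rustls-pki-types` version that `rustls` itself was built against, so a future major bump of the direct dependency cannot leave the example with two incompatible copies of the crate. I would write `let key_der = rustls::pki_types::PrivateKeyDer::Pkcs8(rustls::pki_types::PrivatePkcs8KeyDer::from(key_pair.serialize_der()));` and drop the direct dependency if nothing else uses it. `tls_config` continues past this hunk.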


@ -4,7 +4,7 @@ extern crate tls_rustls_023 as rustls;
use std::{ use std::{
convert::Infallible, convert::Infallible,
io::{self, BufReader, Write}, io::{self, Write},
net::{SocketAddr, TcpStream as StdTcpStream}, net::{SocketAddr, TcpStream as StdTcpStream},
sync::Arc, sync::Arc,
task::Poll, task::Poll,
@ -27,7 +27,7 @@ use derive_more::{Display, Error};
use futures_core::{ready, Stream}; use futures_core::{ready, Stream};
use futures_util::stream::once; use futures_util::stream::once;
use rustls::{pki_types::ServerName, ServerConfig as RustlsServerConfig}; use rustls::{pki_types::ServerName, ServerConfig as RustlsServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys}; use rustls_pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
async fn load_body<S>(stream: S) -> Result<BytesMut, PayloadError> async fn load_body<S>(stream: S) -> Result<BytesMut, PayloadError>
where where
@ -54,23 +54,12 @@ where
fn tls_config() -> RustlsServerConfig { fn tls_config() -> RustlsServerConfig {
let rcgen::CertifiedKey { cert, key_pair } = let rcgen::CertifiedKey { cert, key_pair } =
rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
let cert_file = cert.pem(); let cert_chain = vec![cert.der().clone()];
let key_file = key_pair.serialize_pem(); let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));
let cert_file = &mut BufReader::new(cert_file.as_bytes());
let key_file = &mut BufReader::new(key_file.as_bytes());
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let mut keys = pkcs8_private_keys(key_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
let mut config = RustlsServerConfig::builder() let mut config = RustlsServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert( .with_single_cert(cert_chain, key_der)
cert_chain,
rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)),
)
.unwrap(); .unwrap();
config.alpn_protocols.push(HTTP1_1_ALPN_PROTOCOL.to_vec()); config.alpn_protocols.push(HTTP1_1_ALPN_PROTOCOL.to_vec());


@ -179,7 +179,7 @@ flate2 = "1.0.13"
futures-util = { version = "0.3.17", default-features = false, features = ["std"] } futures-util = { version = "0.3.17", default-features = false, features = ["std"] }
rand = "0.9" rand = "0.9"
rcgen = "0.13" rcgen = "0.13"
rustls-pemfile = "2" rustls-pki-types = "1.13.1"
serde = { version = "1", features = ["derive"] } serde = { version = "1", features = ["derive"] }
static_assertions = "1" static_assertions = "1"
tls-openssl = { package = "openssl", version = "0.10.55" } tls-openssl = { package = "openssl", version = "0.10.55" }


@ -688,30 +688,20 @@ async fn test_brotli_encoding_large_openssl() {
#[cfg(feature = "rustls-0_23")] #[cfg(feature = "rustls-0_23")]
mod plus_rustls { mod plus_rustls {
use std::io::BufReader;
use rustls::{pki_types::PrivateKeyDer, ServerConfig as RustlsServerConfig}; use rustls::{pki_types::PrivateKeyDer, ServerConfig as RustlsServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys}; use rustls_pki_types::PrivatePkcs8KeyDer;
use super::*; use super::*;
fn tls_config() -> RustlsServerConfig { fn tls_config() -> RustlsServerConfig {
let rcgen::CertifiedKey { cert, key_pair } = let rcgen::CertifiedKey { cert, key_pair } =
rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
let cert_file = cert.pem(); let cert_chain = vec![cert.der().clone()];
let key_file = key_pair.serialize_pem(); let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));
let cert_file = &mut BufReader::new(cert_file.as_bytes());
let key_file = &mut BufReader::new(key_file.as_bytes());
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let mut keys = pkcs8_private_keys(key_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
RustlsServerConfig::builder() RustlsServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0))) .with_single_cert(cert_chain, key_der)
.unwrap() .unwrap()
} }
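Review bot: The new `use rustls_pki_types::PrivatePkcs8KeyDer;` sits directly under the retained `use rustls::{pki_types::PrivateKeyDer, ServerConfig as RustlsServerConfig};`, so the same `pki_types` family is now imported from two crate paths inside one module. Unless the re-export lacks `PrivatePkcs8KeyDer` (presumably it does not, given that `PrivateKeyDer` arrives through it), a single `use rustls::{pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}, ServerConfig as RustlsServerConfig};` reads cleaner and guarantees both types come from the `rustls-pki-types` version rustls was compiled against rather than whatever the separate dev-dependency resolves to. If this test is the crate's only user of the new dev-dependency, it could then be dropped as well.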


@ -149,7 +149,7 @@ flate2 = "1.0.13"
futures-util = { version = "0.3.17", default-features = false } futures-util = { version = "0.3.17", default-features = false }
static_assertions = "1.1" static_assertions = "1.1"
rcgen = "0.13" rcgen = "0.13"
rustls-pemfile = "2" rustls-pki-types = "1.13.1"
tokio = { version = "1.38.2", features = ["rt-multi-thread", "macros"] } tokio = { version = "1.38.2", features = ["rt-multi-thread", "macros"] }
zstd = "0.13" zstd = "0.13"
tls-rustls-0_23 = { package = "rustls", version = "0.23" } # add rustls 0.23 with default features to make aws_lc_rs work in tests tls-rustls-0_23 = { package = "rustls", version = "0.23" } # add rustls 0.23 with default features to make aws_lc_rs work in tests


@ -2,12 +2,9 @@
extern crate tls_rustls_0_23 as rustls; extern crate tls_rustls_0_23 as rustls;
use std::{ use std::sync::{
io::BufReader,
sync::{
atomic::{AtomicUsize, Ordering}, atomic::{AtomicUsize, Ordering},
Arc, Arc,
},
}; };
use actix_http::HttpService; use actix_http::HttpService;
@ -16,29 +13,18 @@ use actix_service::{fn_service, map_config, ServiceFactoryExt};
use actix_tls::connect::rustls_0_23::webpki_roots_cert_store; use actix_tls::connect::rustls_0_23::webpki_roots_cert_store;
use actix_utils::future::ok; use actix_utils::future::ok;
use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse}; use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse};
use rustls::{ use rustls::{pki_types::ServerName, ClientConfig, ServerConfig};
pki_types::{CertificateDer, PrivateKeyDer, ServerName}, use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
ClientConfig, ServerConfig,
};
use rustls_pemfile::{certs, pkcs8_private_keys};
fn tls_config() -> ServerConfig { fn tls_config() -> ServerConfig {
let rcgen::CertifiedKey { cert, key_pair } = let rcgen::CertifiedKey { cert, key_pair } =
rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
let cert_file = cert.pem(); let cert_chain = vec![cert.der().clone()];
let key_file = key_pair.serialize_pem(); let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()));
let cert_file = &mut BufReader::new(cert_file.as_bytes());
let key_file = &mut BufReader::new(key_file.as_bytes());
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
let mut keys = pkcs8_private_keys(key_file)
.collect::<Result<Vec<_>, _>>()
.unwrap();
ServerConfig::builder() ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0))) .with_single_cert(cert_chain, key_der)
.unwrap() .unwrap()
} }
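Review bot: The import hunk moves `CertificateDer` and `PrivateKeyDer` out of `rustls::pki_types` into the new `use rustls_pki_types::{...}` line while `ServerName` stays on `rustls::pki_types`, a split that replacing rustls-pemfile does not require. I would keep the original path and add the one genuinely new name there: `use rustls::{pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, ServerName}, ClientConfig, ServerConfig};`, which keeps every DER type tied to the `rustls-pki-types` version rustls was built against and, if this test is its only user, lets the new direct dev-dependency go away. The uses of `CertificateDer` and the rest of the file are outside the hunk.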