cherry-pick rustls upgrade work

ultimately not sufficient without also upgrading hyper-rustls Signed-off-by: clux <[email protected]>
kube-rs · Mar 5, 2024 · 8e9b9a1 · 8e9b9a1
1 parent cc06ea4
commit 8e9b9a1
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 21 deletions.
diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
@@ -51,7 +51,7 @@ thiserror = "1.0.29"
 futures = { version = "0.3.17", optional = true }
 pem = { version = "3.0.1", optional = true }
 openssl = { version = "0.10.36", optional = true }
-rustls = { version = "0.23.1", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.23.1", optional = true }
 rustls-pemfile = { version = "2.1.1", optional = true }
 bytes = { version = "1.1.0", optional = true }
 tokio = { version = "1.14.0", features = ["time", "signal", "sync"], optional = true }

diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs
@@ -3,8 +3,9 @@ pub mod rustls_tls {
     use hyper_rustls::ConfigBuilderExt;
     use rustls::{
         self,
-        client::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-        Certificate, ClientConfig, DigitallySignedStruct, PrivateKey,
+        client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+        pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+        ClientConfig, DigitallySignedStruct, SignatureScheme,
     };
     use thiserror::Error;
 
@@ -27,6 +28,10 @@ pub mod rustls_tls {
         #[error("invalid private key: {0}")]
         InvalidPrivateKey(#[source] rustls::Error),
 
+        /// Invalid native roots
+        #[error("invalid native roots: {0}")]
+        InvalidNativeRoots(#[source] std::io::Error),
+
         /// Unknown private key format
         #[error("unknown private key format")]
         UnknownPrivateKeyFormat,
@@ -44,11 +49,11 @@ pub mod rustls_tls {
         accept_invalid: bool,
     ) -> Result<ClientConfig, Error> {
         let config_builder = if let Some(certs) = root_certs {
-            ClientConfig::builder()
-                .with_safe_defaults()
-                .with_root_certificates(root_store(certs)?)
+            ClientConfig::builder().with_root_certificates(root_store(certs)?)
         } else {
-            ClientConfig::builder().with_safe_defaults().with_native_roots()
+            ClientConfig::builder()
+                .with_native_roots()
+                .map_err(Error::InvalidNativeRoots)?
         };
 
         let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {
@@ -71,26 +76,27 @@ pub mod rustls_tls {
         let mut root_store = rustls::RootCertStore::empty();
         for der in root_certs {
             root_store
-                .add(&Certificate(der.clone()))
+                .add(CertificateDer::from(der.clone()))
                 .map_err(|e| Error::AddRootCertificate(Box::new(e)))?;
         }
         Ok(root_store)
     }
 
-    fn client_auth(data: &[u8]) -> Result<(Vec<Certificate>, PrivateKey), Error> {
+    fn client_auth(data: &[u8]) -> Result<(Vec<CertificateDer>, PrivateKeyDer), Error> {
         use rustls_pemfile::Item;
 
         let mut cert_chain = Vec::new();
         let mut pkcs8_key = None;
         let mut rsa_key = None;
         let mut ec_key = None;
         let mut reader = std::io::Cursor::new(data);
-        for item in rustls_pemfile::read_all(&mut reader).map_err(Error::InvalidIdentityPem)? {
+        for res in rustls_pemfile::read_all(&mut reader) {
+            let item = res.map_err(Error::InvalidIdentityPem)?;
             match item {
-                Item::X509Certificate(cert) => cert_chain.push(Certificate(cert)),
-                Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKey(key)),
-                Item::RSAKey(key) => rsa_key = Some(PrivateKey(key)),
-                Item::ECKey(key) => ec_key = Some(PrivateKey(key)),
+                Item::X509Certificate(cert) => cert_chain.push(CertificateDer::from(cert)),
+                Item::Pkcs8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)),
+                Item::Pkcs1Key(key) => rsa_key = Some(PrivateKeyDer::Pkcs1(key)),
+                Item::Sec1Key(key) => ec_key = Some(PrivateKeyDer::Sec1(key)),
                 _ => return Err(Error::UnknownPrivateKeyFormat),
             }
         }
@@ -102,17 +108,17 @@ pub mod rustls_tls {
         Ok((cert_chain, private_key))
     }
 
+    #[derive(Debug)]
     struct NoCertificateVerification {}
 
     impl ServerCertVerifier for NoCertificateVerification {
         fn verify_server_cert(
             &self,
-            _end_entity: &Certificate,
-            _intermediates: &[Certificate],
-            _server_name: &rustls::client::ServerName,
-            _scts: &mut dyn Iterator<Item = &[u8]>,
+            _end_entity: &CertificateDer<'_>,
+            _intermediates: &[CertificateDer<'_>],
+            _server_name: &ServerName,
             _ocsp_response: &[u8],
-            _now: std::time::SystemTime,
+            _now: UnixTime,
         ) -> Result<ServerCertVerified, rustls::Error> {
             tracing::warn!("Server cert bypassed");
             Ok(ServerCertVerified::assertion())
@@ -121,7 +127,7 @@ pub mod rustls_tls {
         fn verify_tls13_signature(
             &self,
             _message: &[u8],
-            _cert: &Certificate,
+            _cert: &CertificateDer,
             _dss: &DigitallySignedStruct,
         ) -> Result<HandshakeSignatureValid, rustls::Error> {
             Ok(HandshakeSignatureValid::assertion())
@@ -130,11 +136,15 @@ pub mod rustls_tls {
         fn verify_tls12_signature(
             &self,
             _message: &[u8],
-            _cert: &Certificate,
+            _cert: &CertificateDer,
             _dss: &DigitallySignedStruct,
         ) -> Result<HandshakeSignatureValid, rustls::Error> {
             Ok(HandshakeSignatureValid::assertion())
         }
+
+        fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+            vec![]
+        }
     }
 }