From 8e9b9a18a702af7f364508297bf69829a8253f8b Mon Sep 17 00:00:00 2001
From: clux
Date: Tue, 5 Mar 2024 21:10:42 +0000
Subject: [PATCH] cherry-pick rustls upgrade work
ultimately not sufficient without also upgrading hyper-rustls
Signed-off-by: clux
---
 kube-client/Cargo.toml | 2 +-
 kube-client/src/client/tls.rs | 50 +++++++++++++++++++++--------------
 2 files changed, 31 insertions(+), 21 deletions(-)
diff --git a/kube-client/Cargo.toml b/kube-client/Cargo.toml
index 47ef5c0f8..09f59ce49 100644
--- a/kube-client/Cargo.toml
+++ b/kube-client/Cargo.toml
@@ -51,7 +51,7 @@ thiserror = "1.0.29"
 futures = { version = "0.3.17", optional = true }
 pem = { version = "3.0.1", optional = true }
 openssl = { version = "0.10.36", optional = true }
-rustls = { version = "0.23.1", features = ["dangerous_configuration"], optional = true }
+rustls = { version = "0.23.1", optional = true }
 rustls-pemfile = { version = "2.1.1", optional = true }
 bytes = { version = "1.1.0", optional = true }
 tokio = { version = "1.14.0", features = ["time", "signal", "sync"], optional = true }
diff --git a/kube-client/src/client/tls.rs b/kube-client/src/client/tls.rs
index 45785a8c9..ddf42f0e0 100644
--- a/kube-client/src/client/tls.rs
+++ b/kube-client/src/client/tls.rs
@@ -3,8 +3,9 @@ pub mod rustls_tls {
 use hyper_rustls::ConfigBuilderExt;
 use rustls::{
 self,
- client::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
- Certificate, ClientConfig, DigitallySignedStruct, PrivateKey,
+ client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+ pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+ ClientConfig, DigitallySignedStruct, SignatureScheme,
 };
 use thiserror::Error;
@@ -27,6 +28,10 @@ pub mod rustls_tls {
 #[error("invalid private key: {0}")]
 InvalidPrivateKey(#[source] rustls::Error),
+ /// Invalid native roots
+ #[error("invalid native roots: {0}")]
+ InvalidNativeRoots(#[source] std::io::Error),
+
 /// Unknown private key format
 #[error("unknown private key format")]
 UnknownPrivateKeyFormat,
@@ -44,11 +49,11 @@ pub mod rustls_tls {
 accept_invalid: bool,
 ) -> Result {
 let config_builder = if let Some(certs) = root_certs {
- ClientConfig::builder()
- .with_safe_defaults()
- .with_root_certificates(root_store(certs)?)
+ ClientConfig::builder().with_root_certificates(root_store(certs)?)
 } else {
- ClientConfig::builder().with_safe_defaults().with_native_roots()
+ ClientConfig::builder()
+ .with_native_roots()
+ .map_err(Error::InvalidNativeRoots)?
 };
 let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {
@@ -71,13 +76,13 @@ pub mod rustls_tls {
 let mut root_store = rustls::RootCertStore::empty();
 for der in root_certs {
 root_store
- .add(&Certificate(der.clone()))
+ .add(CertificateDer::from(der.clone()))
 .map_err(|e| Error::AddRootCertificate(Box::new(e)))?;
 }
 Ok(root_store)
 }
- fn client_auth(data: &[u8]) -> Result<(Vec, PrivateKey), Error> {
+ fn client_auth(data: &[u8]) -> Result<(Vec, PrivateKeyDer), Error> {
 use rustls_pemfile::Item;
 let mut cert_chain = Vec::new();
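Review bot: The new `.with_native_roots().map_err(Error::InvalidNativeRoots)?` in the `@@ -44,11 +49,11 @@` hunk only type-checks if `ConfigBuilderExt::with_native_roots` returns an `io::Result`, which presumably is the newer hyper-rustls signature; the Cargo.toml hunk touches only the rustls line and leaves hyper-rustls unchanged, so this branch will not compile until that crate is bumped as well, as the commit message itself concedes. The new `InvalidNativeRoots` variant in the `@@ -27,6 +28,10 @@` hunk also deserves a doc comment that says when it fires, since it is only reachable when the caller passes no explicit root certificates: `/// Loading the platform's native root certificates failed (used only when no root certs are supplied)`. The enclosing function of the `@@ -44` hunk starts before and continues after the hunk.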
@@ -85,12 +90,13 @@ pub mod rustls_tls {
 let mut rsa_key = None;
 let mut ec_key = None;
 let mut reader = std::io::Cursor::new(data);
- for item in rustls_pemfile::read_all(&mut reader).map_err(Error::InvalidIdentityPem)? {
+ for res in rustls_pemfile::read_all(&mut reader) {
+ let item = res.map_err(Error::InvalidIdentityPem)?;
 match item {
- Item::X509Certificate(cert) => cert_chain.push(Certificate(cert)),
- Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKey(key)),
- Item::RSAKey(key) => rsa_key = Some(PrivateKey(key)),
- Item::ECKey(key) => ec_key = Some(PrivateKey(key)),
+ Item::X509Certificate(cert) => cert_chain.push(CertificateDer::from(cert)),
+ Item::Pkcs8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)),
+ Item::Pkcs1Key(key) => rsa_key = Some(PrivateKeyDer::Pkcs1(key)),
+ Item::Sec1Key(key) => ec_key = Some(PrivateKeyDer::Sec1(key)),
 _ => return Err(Error::UnknownPrivateKeyFormat),
 }
 }
@@ -102,17 +108,17 @@ pub mod rustls_tls {
 Ok((cert_chain, private_key))
 }
+ #[derive(Debug)]
 struct NoCertificateVerification {}
 impl ServerCertVerifier for NoCertificateVerification {
 fn verify_server_cert(
 &self,
- _end_entity: &Certificate,
- _intermediates: &[Certificate],
- _server_name: &rustls::client::ServerName,
- _scts: &mut dyn Iterator,
+ _end_entity: &CertificateDer<'_>,
+ _intermediates: &[CertificateDer<'_>],
+ _server_name: &ServerName,
 _ocsp_response: &[u8],
- _now: std::time::SystemTime,
+ _now: UnixTime,
 ) -> Result {
 tracing::warn!("Server cert bypassed");
 Ok(ServerCertVerified::assertion())
@@ -121,7 +127,7 @@ pub mod rustls_tls {
 fn verify_tls13_signature(
 &self,
 _message: &[u8],
- _cert: &Certificate,
+ _cert: &CertificateDer,
 _dss: &DigitallySignedStruct,
 ) -> Result {
 Ok(HandshakeSignatureValid::assertion())
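Review bot: In the `@@ -102,17 +108,17 @@` hunk, `verify_server_cert` of `NoCertificateVerification` now receives the peer as `_server_name: &ServerName`, yet the warning it emits, `tracing::warn!("Server cert bypassed")`, still says nothing about which host had its certificate check skipped, which makes the log line hard to act on when auditing where `accept_invalid` is in effect. Since `ServerName` is `Debug`, the parameter can be used directly: rename it to `server_name: &ServerName` and log `tracing::warn!(?server_name, "Server cert bypassed");`. The impl block continues past the hunk; the comment above `struct NoCertificateVerification {}` should also state that this verifier accepts any chain and any signature and is only installed when `accept_invalid` is set, which the type name alone does not convey.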
@@ -130,11 +136,15 @@ pub mod rustls_tls {
 fn verify_tls12_signature(
 &self,
 _message: &[u8],
- _cert: &Certificate,
+ _cert: &CertificateDer,
 _dss: &DigitallySignedStruct,
 ) -> Result {
 Ok(HandshakeSignatureValid::assertion())
 }
+
+ fn supported_verify_schemes(&self) -> Vec {
+ vec![]
+ }
 }
 }
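Review bot: The new `supported_verify_schemes` returns `vec![]`, which as far as I recall rustls uses to fill the ClientHello `signature_algorithms` extension and to reject a server signature made with an unadvertised scheme, so the `accept_invalid` path would most likely fail every handshake rather than skip verification; this also leaves the `SignatureScheme` import added in the first hunk serving only the return type. The usual fix is to report the schemes of the crypto provider in use, e.g. `rustls::crypto::ring::default_provider().signature_verification_algorithms.supported_schemes()` when the `ring` backend is the one enabled (the provider feature is not visible on this page, so confirm before choosing). A short doc comment would help too: `/// Schemes advertised to the server; must be non-empty or no signature can be negotiated.` The enclosing impl and module close inside this hunk, but the impl starts before it.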