partially work through long list of rustls breaking changes..
Signed-off-by: clux <[email protected]>
clux committed Jan 21, 2024
1 parent 434a48d commit bed6462
Showing 1 changed file with 22 additions and 19 deletions.
41 changes: 22 additions & 19 deletions kube-client/src/client/tls.rs
Expand Up @@ -3,8 +3,9 @@ pub mod rustls_tls {
use hyper_rustls::ConfigBuilderExt;
use rustls::{
self,
client::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
Certificate, ClientConfig, DigitallySignedStruct, PrivateKey,
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
CertificateError, ClientConfig, DigitallySignedStruct, SignatureScheme,

Check warning on line 8 in kube-client/src/client/tls.rs


GitHub Actions / clippy

unused import: `CertificateError`

warning: unused import: `CertificateError` --> kube-client/src/client/tls.rs:8:9 | 8 | CertificateError, ClientConfig, DigitallySignedStruct, SignatureScheme, | ^^^^^^^^^^^^^^^^

Check warning on line 8 in kube-client/src/client/tls.rs


GitHub Actions / msrv

unused import: `CertificateError`
};
use thiserror::Error;

Expand Down Expand Up @@ -44,11 +45,9 @@ pub mod rustls_tls {
accept_invalid: bool,
) -> Result<ClientConfig, Error> {
let config_builder = if let Some(certs) = root_certs {
ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_store(certs)?)
ClientConfig::builder().with_root_certificates(root_store(certs)?)
} else {
ClientConfig::builder().with_safe_defaults().with_native_roots()
ClientConfig::builder().with_native_roots()

Check failure on line 50 in kube-client/src/client/tls.rs


GitHub Actions / clippy

`if` and `else` have incompatible types

error[E0308]: `if` and `else` have incompatible types --> kube-client/src/client/tls.rs:50:13 | 47 | let config_builder = if let Some(certs) = root_certs { | ______________________________- 48 | | ClientConfig::builder().with_root_certificates(root_store(certs)?) | | ------------------------------------------------------------------ expected because of this 49 | | } else { 50 | | ClientConfig::builder().with_native_roots() | | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ expected `ConfigBuilder<ClientConfig, ...>`, found `Result<ConfigBuilder<..., ...>, ...>` 51 | | }; | |_________- `if` and `else` have incompatible types | = note: expected struct `rustls::ConfigBuilder<_, _>` found enum `std::result::Result<rustls::ConfigBuilder<_, _>, std::io::Error>` help: use the `?` operator to extract the `std::result::Result<rustls::ConfigBuilder<rustls::ClientConfig, rustls::client::WantsClientCert>, std::io::Error>` value, propagating a `Result::Err` value to the caller | 51 | }?; | +
};

let mut client_config = if let Some((chain, pkey)) = identity_pem.map(client_auth).transpose()? {
Expand All @@ -71,13 +70,13 @@ pub mod rustls_tls {
let mut root_store = rustls::RootCertStore::empty();
for der in root_certs {
root_store
.add(&Certificate(der.clone()))
.add(CertificateDer::from(der.clone()))
.map_err(|e| Error::AddRootCertificate(Box::new(e)))?;
}
Ok(root_store)
}

fn client_auth(data: &[u8]) -> Result<(Vec<Certificate>, PrivateKey), Error> {
fn client_auth(data: &[u8]) -> Result<(Vec<CertificateDer>, PrivateKeyDer), Error> {
use rustls_pemfile::Item;

let mut cert_chain = Vec::new();
Expand All @@ -87,10 +86,10 @@ pub mod rustls_tls {
let mut reader = std::io::Cursor::new(data);
for item in rustls_pemfile::read_all(&mut reader).map_err(Error::InvalidIdentityPem)? {

Check failure on line 87 in kube-client/src/client/tls.rs


GitHub Actions / clippy

no method named `map_err` found for opaque type `impl std::iter::Iterator<Item = std::result::Result<rustls_pemfile::Item, std::io::Error>> + '_` in the current scope

error[E0599]: no method named `map_err` found for opaque type `impl std::iter::Iterator<Item = std::result::Result<rustls_pemfile::Item, std::io::Error>> + '_` in the current scope --> kube-client/src/client/tls.rs:87:59 | 87 | for item in rustls_pemfile::read_all(&mut reader).map_err(Error::InvalidIdentityPem)? { | ^^^^^^^ method not found in `impl Iterator<Item = Result<Item, Error>>`
match item {
Item::X509Certificate(cert) => cert_chain.push(Certificate(cert)),
Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKey(key)),
Item::RSAKey(key) => rsa_key = Some(PrivateKey(key)),
Item::ECKey(key) => ec_key = Some(PrivateKey(key)),
Item::X509Certificate(cert) => cert_chain.push(CertificateDer::from(cert)),
Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)),

Check failure on line 90 in kube-client/src/client/tls.rs


GitHub Actions / clippy

no variant or associated item named `PKCS8Key` found for enum `rustls_pemfile::Item` in the current scope

error[E0599]: no variant or associated item named `PKCS8Key` found for enum `rustls_pemfile::Item` in the current scope --> kube-client/src/client/tls.rs:90:23 | 90 | Item::PKCS8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)), | ^^^^^^^^ | | | variant or associated item not found in `Item` | help: there is a variant with a similar name (notice the capitalization): `Pkcs8Key`
Item::RSAKey(key) => rsa_key = Some(PrivateKeyDer::Pkcs1(key)),

Check failure on line 91 in kube-client/src/client/tls.rs


GitHub Actions / clippy

no variant or associated item named `RSAKey` found for enum `rustls_pemfile::Item` in the current scope

error[E0599]: no variant or associated item named `RSAKey` found for enum `rustls_pemfile::Item` in the current scope --> kube-client/src/client/tls.rs:91:23 | 91 | Item::RSAKey(key) => rsa_key = Some(PrivateKeyDer::Pkcs1(key)), | ^^^^^^ variant or associated item not found in `Item`
Item::ECKey(key) => ec_key = Some(PrivateKeyDer::Sec1(key)),

Check failure on line 92 in kube-client/src/client/tls.rs


GitHub Actions / clippy

no variant or associated item named `ECKey` found for enum `rustls_pemfile::Item` in the current scope

error[E0599]: no variant or associated item named `ECKey` found for enum `rustls_pemfile::Item` in the current scope --> kube-client/src/client/tls.rs:92:23 | 92 | Item::ECKey(key) => ec_key = Some(PrivateKeyDer::Sec1(key)), | ^^^^^ variant or associated item not found in `Item`
_ => return Err(Error::UnknownPrivateKeyFormat),
}
}
Expand All @@ -102,17 +101,17 @@ pub mod rustls_tls {
Ok((cert_chain, private_key))
}

#[derive(Debug)]
struct NoCertificateVerification {}

impl ServerCertVerifier for NoCertificateVerification {
fn verify_server_cert(
&self,
_end_entity: &Certificate,
_intermediates: &[Certificate],
_server_name: &rustls::client::ServerName,
_scts: &mut dyn Iterator<Item = &[u8]>,
_end_entity: &CertificateDer<'_>,
_intermediates: &[CertificateDer<'_>],
_server_name: &ServerName,
_ocsp_response: &[u8],
_now: std::time::SystemTime,
_now: UnixTime,
) -> Result<ServerCertVerified, rustls::Error> {
tracing::warn!("Server cert bypassed");
Ok(ServerCertVerified::assertion())
Expand All @@ -121,7 +120,7 @@ pub mod rustls_tls {
fn verify_tls13_signature(
&self,
_message: &[u8],
_cert: &Certificate,
_cert: &CertificateDer,
_dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
Ok(HandshakeSignatureValid::assertion())
Expand All @@ -130,11 +129,15 @@ pub mod rustls_tls {
fn verify_tls12_signature(
&self,
_message: &[u8],
_cert: &Certificate,
_cert: &CertificateDer,
_dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
Ok(HandshakeSignatureValid::assertion())
}

fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
vec![]
}
}
}
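Review bot: `supported_verify_schemes` returning `vec![]` in the last hunk means `NoCertificateVerification` advertises no signature algorithms, so the client will presumably send an empty `signature_algorithms` extension and a conforming server will abort the handshake (TLS 1.3 requires at least one), which turns the `accept_invalid` bypass into a hard connection failure rather than a bypass. Since this verifier already accepts every certificate and signature, the list should simply mirror what the crypto provider can verify, e.g. `rustls::crypto::ring::default_provider().signature_verification_algorithms.supported_schemes()`, provided the pinned rustls version exposes that accessor; otherwise an explicit list of the `SignatureScheme` variants the provider supports. Either way a one-line comment such as `// must be non-empty: rustls uses this to populate the ClientHello signature_algorithms extension` would save the next reader from re-deriving why. The enclosing `impl ServerCertVerifier` block starts outside this hunk, and the clippy failures annotated above (`with_native_roots()` now returning a `Result`, `read_all` yielding an iterator, the renamed `Item` variants) still need to land before this compiles.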

