summaryrefslogtreecommitdiff
path: root/src/certs.rs
blob: 27aab51e82840f7a5494ea3b55076e7b42effff8 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

use anyhow::{anyhow, Context, Result};
use log::debug;
use rustls::{
    crypto::CryptoProvider,
    pki_types::{CertificateDer, PrivateKeyDer},
    server::{ClientHello, ResolvesServerCert},
    sign::CertifiedKey,
};
use std::{
    collections::HashMap,
    fs::File,
    io::BufReader,
    path::{Path, PathBuf},
    sync::Arc,
};
use webpki::EndEntityCert;

#[derive(Debug)]
pub struct CertPool {
    provider: &'static Arc<CryptoProvider>,
    domains: HashMap<String, Arc<CertifiedKey>>,
}

impl Default for CertPool {
    fn default() -> Self {
        Self {
            provider: CryptoProvider::get_default().unwrap(),
            domains: Default::default(),
        }
    }
}

impl CertPool {
    pub fn load(roots: &[PathBuf]) -> Result<Self> {
        let mut s = Self::default();
        for r in roots {
            s.load_recursive(&r)?;
        }
        Ok(s)
    }

    fn load_recursive(&mut self, path: &Path) -> Result<()> {
        if !path.is_dir() {
            return Ok(());
        }
        for e in path.read_dir()? {
            let p = e?.path();
            if p.is_dir() {
                self.load_recursive(&p)?;
            }
        }
        let keypath = path.join("privkey.pem");
        let certpath = if path.join("fullchain.pem").exists() {
            path.join("fullchain.pem")
        } else {
            path.join("cert.pem")
        };
        if keypath.exists() && certpath.exists() {
            let certs = load_certs(&certpath)?;
            let key = load_private_key(&keypath)?;
            let skey = self.provider.key_provider.load_private_key(key)?;
            for c in &certs {
                let eec = EndEntityCert::try_from(c).unwrap();
                for name in eec.valid_dns_names() {
                    debug!("loaded key for {name:?}");
                    let ck = CertifiedKey::new(certs.clone(), skey.clone());
                    self.domains.insert(name.to_owned(), Arc::new(ck));
                }
            }
        }
        Ok(())
    }
}

impl ResolvesServerCert for CertPool {
    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
        Some(self.domains.get(client_hello.server_name()?)?.clone())
    }
}

fn load_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>> {
    let mut reader = BufReader::new(File::open(path).context("reading tls certs")?);
    let certs = rustls_pemfile::certs(&mut reader)
        .try_collect::<Vec<_>>()
        .context("parsing tls certs")?;
    Ok(certs)
}
fn load_private_key(path: &Path) -> Result<PrivateKeyDer<'static>> {
    let mut reader = BufReader::new(File::open(path).context("reading tls private key")?);
    let keys = rustls_pemfile::private_key(&mut reader).context("parsing tls private key")?;
    keys.ok_or(anyhow!("no private key found"))
}
generated by cgit v1.2.3-70-g09d2 (git 2.51.0) at 2025-10-08 08:10:28 +0000