1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
/*
This file is part of gnix (https://codeberg.org/metamuffin/gnix)
which is licensed under the GNU Affero General Public License (version 3); see /COPYING.
Copyright (C) 2025 metamuffin <metamuffin.org>
*/
use anyhow::{anyhow, Context, Result};
use log::debug;
use rustls::{
crypto::CryptoProvider,
pki_types::{CertificateDer, PrivateKeyDer},
server::{ClientHello, ResolvesServerCert},
sign::CertifiedKey,
};
use std::{
collections::HashMap,
fs::File,
io::BufReader,
path::{Path, PathBuf},
sync::Arc,
};
use webpki::EndEntityCert;
#[derive(Debug)]
pub struct CertPool {
provider: &'static Arc<CryptoProvider>,
domains: HashMap<String, Arc<CertifiedKey>>,
wildcards: HashMap<String, Arc<CertifiedKey>>,
fallback: Option<Arc<CertifiedKey>>,
}
impl Default for CertPool {
fn default() -> Self {
Self {
provider: CryptoProvider::get_default().unwrap(),
domains: Default::default(),
wildcards: Default::default(),
fallback: None,
}
}
}
impl CertPool {
pub fn load(roots: &[PathBuf], fallback: Option<PathBuf>) -> Result<Self> {
let mut s = Self::default();
for r in roots {
s.load_recursive(r)?;
}
if let Some(path) = fallback {
let keypath = path.join("privkey.pem");
let certpath = if path.join("fullchain.pem").exists() {
path.join("fullchain.pem")
} else {
path.join("cert.pem")
};
let certs = load_certs(&certpath)?;
let key = load_private_key(&keypath)?;
let skey = s.provider.key_provider.load_private_key(key)?;
let ck = CertifiedKey::new(certs.clone(), skey.clone());
s.fallback = Some(Arc::new(ck))
}
Ok(s)
}
fn load_recursive(&mut self, path: &Path) -> Result<()> {
if !path.is_dir() {
return Ok(());
}
for e in path.read_dir()? {
let p = e?.path();
if p.is_dir() {
self.load_recursive(&p)?;
}
}
let keypath = path.join("privkey.pem");
let certpath = if path.join("fullchain.pem").exists() {
path.join("fullchain.pem")
} else {
path.join("cert.pem")
};
if keypath.exists() && certpath.exists() {
let certs = load_certs(&certpath)?;
let key = load_private_key(&keypath)?;
let skey = self.provider.key_provider.load_private_key(key)?;
for c in &certs {
let eec = EndEntityCert::try_from(c).unwrap();
for name in eec.valid_dns_names() {
let ck = CertifiedKey::new(certs.clone(), skey.clone());
if let Some(name) = name.strip_prefix("*.") {
debug!("loaded wildcard key for {name:?}");
self.wildcards.insert(name.to_owned(), Arc::new(ck));
} else {
debug!("loaded key for {name:?}");
self.domains.insert(name.to_owned(), Arc::new(ck));
}
}
}
}
Ok(())
}
}
impl ResolvesServerCert for CertPool {
fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
let sname = client_hello.server_name()?;
Some(
self.domains
.get(sname)
.or_else(|| {
// Removing first label seems fine since wildcards are not recursive.
sname
.split_once(".")
.and_then(|(_, sname)| self.wildcards.get(sname))
})
.or(self.fallback.as_ref())?
.clone(),
)
}
}
fn load_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>> {
let mut reader = BufReader::new(File::open(path).context("reading tls certs")?);
let certs = rustls_pemfile::certs(&mut reader)
.try_collect::<Vec<_>>()
.context("parsing tls certs")?;
Ok(certs)
}
fn load_private_key(path: &Path) -> Result<PrivateKeyDer<'static>> {
let mut reader = BufReader::new(File::open(path).context("reading tls private key")?);
let keys = rustls_pemfile::private_key(&mut reader).context("parsing tls private key")?;
keys.ok_or(anyhow!("no private key found"))
}
|
