use anyhow::{anyhow, Context, Result};
use log::debug;
use rustls::{
    crypto::CryptoProvider,
    pki_types::{CertificateDer, PrivateKeyDer},
    server::{ClientHello, ResolvesServerCert},
    sign::CertifiedKey,
};
use std::{
    collections::HashMap,
    fs::File,
    io::BufReader,
    path::{Path, PathBuf},
    sync::Arc,
};
use webpki::EndEntityCert;

/// TLS certificate/key pairs indexed by the DNS names found in the loaded certificates,
/// plus an optional pair used when a requested name matches nothing else.
#[derive(Debug)]
pub struct CertPool {
    /// Crypto provider used to turn parsed private keys into signing keys.
    provider: &'static Arc<CryptoProvider>,
    /// Pairs keyed by the exact (non-wildcard) DNS names listed in their certificates.
    domains: HashMap<String, Arc<CertifiedKey>>,
    /// Pairs for wildcard names, keyed by the name with its leading `*.` removed.
    wildcards: HashMap<String, Arc<CertifiedKey>>,
    /// Pair served when the requested server name is in neither map.
    fallback: Option<Arc<CertifiedKey>>,
}

impl Default for CertPool {
    /// Creates an empty pool bound to the process-wide default [`CryptoProvider`].
    ///
    /// # Panics
    ///
    /// Panics when `CryptoProvider::get_default()` returns `None`, so a default provider
    /// has to be installed before the first pool is created.
    fn default() -> Self {
        let provider = CryptoProvider::get_default().unwrap();
        Self {
            provider,
            domains: HashMap::new(),
            wildcards: HashMap::new(),
            fallback: None,
        }
    }
}

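impl CertPool {
    /// Builds a pool from every certificate directory under `roots` and, optionally, a
    /// fallback pair read from the `fallback` directory.
    ///
    /// A certificate directory holds `privkey.pem` plus `fullchain.pem` (preferred) or
    /// `cert.pem`. Directories under `roots` without such a pair are skipped; the
    /// `fallback` directory, being configured explicitly, must contain a loadable pair.
    ///
    /// NOTE(review): nothing in this file checks that a private key belongs to the
    /// certificate it is paired with, and key-file permissions are not inspected.
    ///
    /// # Errors
    ///
    /// Returns an error if a directory cannot be read, a PEM file cannot be opened or
    /// parsed, a certificate cannot be decoded, or the crypto provider rejects a key.
    ///
    /// # Panics
    ///
    /// Panics if no default `CryptoProvider` is installed (see the `Default` impl).
    pub fn load(roots: &[PathBuf], fallback: Option<PathBuf>) -> Result<Self> {
        let mut pool = Self::default();
        for root in roots {
            pool.load_recursive(root)?;
        }
        if let Some(dir) = fallback {
            let (keypath, certpath) = Self::pair_paths(&dir);
            let certs = load_certs(&certpath)?;
            let key = load_private_key(&keypath)?;
            let skey = pool.provider.key_provider.load_private_key(key)?;
            pool.fallback = Some(Arc::new(CertifiedKey::new(certs, skey)));
        }
        Ok(pool)
    }

    /// Returns the `(private key, certificate chain)` file paths for `dir`, preferring
    /// `fullchain.pem` over `cert.pem` when the former exists.
    fn pair_paths(dir: &Path) -> (PathBuf, PathBuf) {
        let fullchain = dir.join("fullchain.pem");
        let certpath = if fullchain.exists() {
            fullchain
        } else {
            dir.join("cert.pem")
        };
        (dir.join("privkey.pem"), certpath)
    }

    /// Walks `path` depth-first and registers the certificate pair of every directory
    /// that contains one. A `path` that is not a directory is ignored.
    ///
    /// Sub-directories are handled before `path` itself and `HashMap::insert` replaces
    /// existing entries, so when two pairs list the same DNS name the one loaded last
    /// silently wins.
    fn load_recursive(&mut self, path: &Path) -> Result<()> {
        // `is_dir` follows symbolic links, so linked directories are scanned as well.
        if !path.is_dir() {
            return Ok(());
        }
        let entries = path
            .read_dir()
            .with_context(|| format!("reading directory {}", path.display()))?;
        for entry in entries {
            let child = entry?.path();
            if child.is_dir() {
                self.load_recursive(&child)?;
            }
        }

        let (keypath, certpath) = Self::pair_paths(path);
        if !(keypath.exists() && certpath.exists()) {
            return Ok(());
        }
        let certs = load_certs(&certpath)?;
        let key = load_private_key(&keypath)?;
        let skey = self.provider.key_provider.load_private_key(key)?;
        // One shared pair per directory; every name only clones the `Arc`.
        let ck = Arc::new(CertifiedKey::new(certs.clone(), skey));

        // NOTE(review): names are collected from every certificate in the file, not only
        // from the first one; confirm that registering names of later certificates in
        // the chain is intended.
        for c in &certs {
            // Certificates come from disk, so a decoding failure is reported to the
            // caller rather than aborting the process.
            let eec = EndEntityCert::try_from(c)
                .with_context(|| format!("decoding certificate from {}", certpath.display()))?;
            for name in eec.valid_dns_names() {
                if let Some(name) = name.strip_prefix("*.") {
                    debug!("loaded wildcard key for {name:?}");
                    self.wildcards.insert(name.to_owned(), Arc::clone(&ck));
                } else {
                    debug!("loaded key for {name:?}");
                    self.domains.insert(name.to_owned(), Arc::clone(&ck));
                }
            }
        }
        Ok(())
    }
}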

impl ResolvesServerCert for CertPool {
    /// Picks the certificate pair for the server name sent by the client.
    ///
    /// Lookup order: exact name, then a wildcard entry for the name minus its first
    /// label, then the fallback pair. A `ClientHello` without a server name yields
    /// `None`; the fallback is not consulted in that case. Any name that matches no
    /// entry is answered with the fallback pair when one is configured.
    fn resolve(&self, client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
        let sname = client_hello.server_name()?;
        if let Some(exact) = self.domains.get(sname) {
            return Some(Arc::clone(exact));
        }
        // Dropping only the first label is enough: a wildcard covers exactly one label.
        let wildcard = sname
            .split_once('.')
            .and_then(|(_, parent)| self.wildcards.get(parent));
        wildcard.or(self.fallback.as_ref()).cloned()
    }
}

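/// Reads every certificate contained in the PEM file at `path`.
///
/// NOTE(review): a file without any certificate section produces `Ok` with an empty
/// vector; callers that need a usable chain have to check for that themselves.
///
/// # Errors
///
/// Returns an error, naming `path`, if the file cannot be opened or its PEM content
/// cannot be parsed.
fn load_certs(path: &Path) -> Result<Vec<CertificateDer<'static>>> {
    let file =
        File::open(path).with_context(|| format!("reading tls certs {}", path.display()))?;
    let mut reader = BufReader::new(file);
    // `collect` into `Result` stops at the first failing item, like `try_collect`, but
    // is available on stable Rust.
    rustls_pemfile::certs(&mut reader)
        .collect::<Result<Vec<_>, _>>()
        .with_context(|| format!("parsing tls certs {}", path.display()))
}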
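/// Reads a private key from the PEM file at `path`.
///
/// The key material itself is never logged; error messages carry only the file path.
///
/// # Errors
///
/// Returns an error, naming `path`, if the file cannot be opened, its PEM content
/// cannot be parsed, or it holds no private key.
fn load_private_key(path: &Path) -> Result<PrivateKeyDer<'static>> {
    let file = File::open(path)
        .with_context(|| format!("reading tls private key {}", path.display()))?;
    let mut reader = BufReader::new(file);
    rustls_pemfile::private_key(&mut reader)
        .with_context(|| format!("parsing tls private key {}", path.display()))?
        // Build the error lazily so the success path allocates nothing for it.
        .ok_or_else(|| anyhow!("no private key found in {}", path.display()))
}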