Update rustls / tls functions.

This commit is contained in:
Orne Brocaar
2024-03-13 16:23:49 +00:00
parent b118ab56be
commit 26cef0b2ca
10 changed files with 236 additions and 85 deletions


@ -35,9 +35,9 @@ diesel = { version = "2.1", features = [
diesel_migrations = { version = "2.1" }
diesel-async = { version = "0.4", features = ["deadpool", "postgres", "async-connection-wrapper"] }
tokio-postgres = "0.7"
tokio-postgres-rustls = "0.10.0"
tokio-postgres-rustls = "0.11"
bigdecimal = "0.4"
redis = { version = "0.24", features = [ "tls-rustls", "tokio-rustls-comp"] }
redis = { version = "0.25.1", features = [ "tls-rustls", "tokio-rustls-comp"] }
deadpool-redis = { version = "0.14", features = ["cluster"] }
# Logging
@ -101,16 +101,16 @@ anyhow = "1.0"
pbkdf2 = { version = "0.12", features = ["simple"] }
rand_core = { version = "0.6", features = ["std"] }
jsonwebtoken = "9.2"
rustls = "0.21"
rustls-native-certs = "0.6"
rustls-pemfile = "1.0"
rustls = "0.22"
rustls-native-certs = "0.7"
rustls-pemfile = "2.0"
rsa = "0.9"
rcgen = { version = "0.12", features = [ "x509-parser" ] }
openidconnect = { version = "3.3", features = ["accept-rfc3339-timestamps"] }
oauth2 = "4.4"
# MQTT
rumqttc = { version = "0.23", features = ["url"] }
rumqttc = { version = "0.24", features = ["url"] }
hex = "0.4"
# Codecs


@ -143,12 +143,10 @@ impl<'a> MqttBackend<'a> {
let client_conf = if conf.tls_cert.is_empty() && conf.tls_key.is_empty() {
rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs.clone())
.with_no_client_auth()
} else {
rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs.clone())
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
};
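Review bot: With `with_safe_defaults()` removed, nothing in this branch states which protocol versions or cipher suites the MQTT client accepts; as far as I can tell rustls 0.22's `ClientConfig::builder()` applies the crate's default provider and safe protocol defaults, so behaviour appears unchanged, but the policy is now implicit. A one-line comment above the first builder call would keep that visible to the next reader: `// rustls 0.22: builder() already applies safe defaults (TLS 1.2/1.3, default provider cipher suites).` The same no-client-auth / client-auth split is repeated verbatim in the Integration and Postgres code touched by this commit; a shared helper in the tls module taking `root_certs`, `tls_cert` and `tls_key` would keep the TLS policy in one place. The enclosing method starts and ends outside this hunk.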


@ -2,48 +2,52 @@ use std::fs::File;
use std::io::BufReader;
use anyhow::{Context, Result};
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
// Return root certificates, optionally with the provided ca_file appended.
pub fn get_root_certs(ca_file: Option<String>) -> Result<rustls::RootCertStore> {
let mut roots = rustls::RootCertStore::empty();
let certs = rustls_native_certs::load_native_certs()?;
let certs: Vec<_> = certs.into_iter().map(|cert| cert.0).collect();
roots.add_parsable_certificates(&certs);
for cert in rustls_native_certs::load_native_certs()? {
roots.add(cert)?;
}
if let Some(ca_file) = &ca_file {
let f = File::open(ca_file).context("Open CA certificate")?;
let mut reader = BufReader::new(f);
let certs = rustls_pemfile::certs(&mut reader)?;
for cert in certs
.into_iter()
.map(rustls::Certificate)
.collect::<Vec<_>>()
{
roots.add(&cert)?;
let certs = rustls_pemfile::certs(&mut reader);
for cert in certs {
if let Ok(cert) = cert {
roots.add(cert)?;
}
}
}
Ok(roots)
}
pub fn load_cert(cert_file: &str) -> Result<Vec<rustls::Certificate>> {
pub fn load_cert(cert_file: &str) -> Result<Vec<CertificateDer<'static>>> {
let f = File::open(cert_file).context("Open TLS certificate")?;
let mut reader = BufReader::new(f);
let certs = rustls_pemfile::certs(&mut reader)?;
let certs = certs
.into_iter()
.map(rustls::Certificate)
.collect::<Vec<_>>();
Ok(certs)
let certs = rustls_pemfile::certs(&mut reader);
let mut out = Vec::new();
for cert in certs {
out.push(cert?.into_owned());
}
Ok(out)
}
pub fn load_key(key_file: &str) -> Result<rustls::PrivateKey> {
pub fn load_key(key_file: &str) -> Result<PrivateKeyDer<'static>> {
let f = File::open(key_file).context("Open private key")?;
let mut reader = BufReader::new(f);
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader)?;
match keys.len() {
0 => Err(anyhow!("No private key found")),
1 => Ok(rustls::PrivateKey(keys.remove(0))),
_ => Err(anyhow!("More than one private key found")),
let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader);
if let Some(key) = keys.next() {
match key {
Ok(v) => return Ok(PrivateKeyDer::Pkcs8(v.clone_key())),
Err(e) => {
return Err(anyhow!("Error parsing private key, error: {}", e));
}
}
}
Err(anyhow!("No private key found"))
}
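Review bot: `if let Ok(cert) = cert` in the CA-file loop silently discards PEM parse errors, so a malformed or mis-encoded `ca_file` now yields a trust store that lacks the operator's CA and the failure only surfaces later as an opaque handshake error, whereas the old code propagated it with `?`. The opposite change was made for the OS trust store: `roots.add(cert)?` aborts startup on the first native certificate rustls rejects, where the previous `add_parsable_certificates` (still present in rustls 0.22, returning added/ignored counts) tolerated them, and native stores routinely contain such entries. Restoring a lenient native path and a strict CA-file path looks like the excerpt below. In `load_key`, `v.clone_key()` copies the private key bytes needlessly since the iterator already yields an owned `PrivatePkcs8KeyDer<'static>`, so `PrivateKeyDer::Pkcs8(v)` works directly; the earlier rejection of files holding more than one key has also been dropped, so a concatenated key file now silently uses the first, and `rustls_pemfile::private_key(&mut reader)` would be the call to use if PKCS#1/SEC1 keys should be accepted too.
```rust
    let mut roots = rustls::RootCertStore::empty();
    // OS trust stores often hold entries rustls cannot parse: tolerate those,
    // but fail loudly on a malformed operator-supplied CA file.
    roots.add_parsable_certificates(rustls_native_certs::load_native_certs()?);
    // … unchanged: open ca_file into `reader` …
        for cert in rustls_pemfile::certs(&mut reader) {
            roots.add(cert.context("Parse CA certificate")?)?;
        }
```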


@ -110,12 +110,10 @@ impl<'a> Integration<'a> {
let client_conf = if conf.tls_cert.is_empty() && conf.tls_key.is_empty() {
rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs.clone())
.with_no_client_auth()
} else {
rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs.clone())
.with_client_auth_cert(load_cert(&conf.tls_cert)?, load_key(&conf.tls_key)?)?
};
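Review bot: The branch condition `conf.tls_cert.is_empty() && conf.tls_key.is_empty()` treats a half-configured integration (only one of cert/key set) as client auth, so the else branch calls `load_cert`/`load_key` on an empty path and the operator sees an "Open TLS certificate" or "Open private key" error for a path of `""`, which does not point at the real mistake. A guard before the builder makes the misconfiguration explicit: `if conf.tls_cert.is_empty() != conf.tls_key.is_empty() { return Err(anyhow!("tls_cert and tls_key must both be set or both be empty")); }`. The enclosing method starts and ends outside this hunk.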


@ -240,7 +240,6 @@ fn pg_establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgCo
})
.map_err(|e| ConnectionError::BadConnection(e.to_string()))?;
let rustls_config = rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs)
.with_no_client_auth();
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);


@ -167,7 +167,6 @@ fn pg_establish_connection(config: &str) -> BoxFuture<ConnectionResult<AsyncPgCo
})
.map_err(|e| ConnectionError::BadConnection(e.to_string()))?;
let rustls_config = rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs)
.with_no_client_auth();
let tls = tokio_postgres_rustls::MakeRustlsConnect::new(rustls_config);