1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
//! Provides a TLS 1.3 stream with SNI and LE root cert only.
use std::{
io::{self, ErrorKind},
pin::Pin,
sync::Arc,
task::{self, Poll},
};
use hyper_util::client::legacy::connect::{Connected, Connection};
use std::sync::LazyLock;
use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
use tokio_rustls::{
TlsConnector,
rustls::{self, ClientConfig, pki_types::ServerName},
};
const LE_ROOT_CERT: &[u8] = include_bytes!("../le_root_cert.pem");
pub struct TlsStream<S: AsyncRead + AsyncWrite + Unpin> {
stream: tokio_rustls::client::TlsStream<S>,
}
impl<S> TlsStream<S>
where
S: AsyncRead + AsyncWrite + Unpin,
{
pub async fn connect_https(stream: S, domain: &str) -> io::Result<TlsStream<S>> {
static TLS_CONFIG: LazyLock<Arc<ClientConfig>> = LazyLock::new(|| {
let config = ClientConfig::builder_with_provider(Arc::new(
rustls::crypto::ring::default_provider(),
))
.with_protocol_versions(&[&rustls::version::TLS13])
.expect("ring crypt-prover should support TLS 1.3")
.with_root_certificates(read_cert_store())
.with_no_client_auth();
Arc::new(config)
});
let connector = TlsConnector::from(TLS_CONFIG.clone());
let host = match ServerName::try_from(domain.to_owned()) {
Ok(n) => n,
Err(_) => {
return Err(io::Error::new(
ErrorKind::InvalidInput,
format!("invalid hostname \"{domain}\""),
));
}
};
let stream = connector.connect(host, stream).await?;
Ok(TlsStream { stream })
}
}
fn read_cert_store() -> rustls::RootCertStore {
let mut cert_store = rustls::RootCertStore::empty();
let certs = rustls_pemfile::certs(&mut std::io::BufReader::new(LE_ROOT_CERT))
.collect::<Result<Vec<_>, _>>()
.expect("Failed to parse pem file");
let (num_certs_added, num_failures) = cert_store.add_parsable_certificates(certs);
if num_failures > 0 || num_certs_added != 1 {
panic!("Failed to add root cert");
}
cert_store
}
impl<S> AsyncRead for TlsStream<S>
where
S: AsyncRead + AsyncWrite + Unpin,
{
fn poll_read(
mut self: Pin<&mut Self>,
cx: &mut task::Context<'_>,
buf: &mut ReadBuf<'_>,
) -> Poll<io::Result<()>> {
Pin::new(&mut self.stream).poll_read(cx, buf)
}
}
impl<S> AsyncWrite for TlsStream<S>
where
S: AsyncRead + AsyncWrite + Unpin,
{
fn poll_write(
mut self: Pin<&mut Self>,
cx: &mut task::Context<'_>,
buf: &[u8],
) -> Poll<io::Result<usize>> {
Pin::new(&mut self.stream).poll_write(cx, buf)
}
fn poll_flush(mut self: Pin<&mut Self>, cx: &mut task::Context<'_>) -> Poll<io::Result<()>> {
Pin::new(&mut self.stream).poll_flush(cx)
}
fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut task::Context<'_>) -> Poll<io::Result<()>> {
Pin::new(&mut self.stream).poll_shutdown(cx)
}
}
impl<S> Connection for TlsStream<S>
where
S: AsyncRead + AsyncWrite + Unpin,
{
fn connected(&self) -> Connected {
Connected::new()
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_cert_loading() {
let _certs = read_cert_store();
}
}
|
