🔧 Fix SSL certificate loading and aarch64 build

ismoilovdevml · claude · ismoilovdevml · commit f0d822de6c7c · 2025-10-05T16:16:28.000+05:00
**SSL Certificate Improvements:** - Add support for PKCS8 private keys (ECDSA, Ed25519, etc.) - Fallback from RSA to PKCS8 format automatically - Prevent panic on empty key files with proper error messages - Fixes Let's Encrypt certificate loading issues **ARM64 Build Fix:** - Replace gcc-aarch64-linux-gnu with cross-rs tool for MUSL builds - Fixes `__memcpy_chk` undefined reference errors - Proper static linking for aarch64-unknown-linux-musl target **Changes:** - [src/tls.rs](src/tls.rs): Enhanced private key loading with multi-format support - [.github/workflows/release.yml](.github/workflows/release.yml): Use cross-rs for ARM64 cross-compilation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -77,26 +77,16 @@ jobs:
         with:
           targets: ${{ matrix.target }}
 
-      - name: Install MUSL tools
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install MUSL tools (x86_64)
+        if: matrix.target == 'x86_64-unknown-linux-musl'
         run: |
           sudo apt-get update
           sudo apt-get install -y musl-tools
 
-      - name: Install cross-compilation tools (ARM64 MUSL)
+      - name: Install cross tool for ARM64 MUSL
         if: matrix.cross && matrix.os == 'ubuntu-latest'
         run: |
-          sudo apt-get install -y gcc-aarch64-linux-gnu
-          rustup target add aarch64-unknown-linux-musl
-
-      - name: Configure cross-compilation (ARM64 MUSL)
-        if: matrix.cross && matrix.os == 'ubuntu-latest'
-        run: |
-          mkdir -p .cargo
-          cat >> .cargo/config.toml <<EOF
-          [target.aarch64-unknown-linux-musl]
-          linker = "aarch64-linux-gnu-gcc"
-          EOF
+          cargo install cross --git https://github.com/cross-rs/cross
 
       - name: Rust Cache
         uses: Swatinem/rust-cache@v2
@@ -105,9 +95,14 @@ jobs:
           shared-key: "release"
           cache-on-failure: true
 
-      - name: Build release binary
+      - name: Build release binary (native)
+        if: ${{ !matrix.cross }}
         run: cargo build --release --target ${{ matrix.target }}
 
+      - name: Build release binary (cross-compile)
+        if: matrix.cross
+        run: cross build --release --target ${{ matrix.target }}
+
       - name: Strip binary (Linux)
         if: matrix.os == 'ubuntu-latest' && !matrix.cross
         run: strip target/${{ matrix.target }}/release/rust-strom
diff --git a/src/tls.rs b/src/tls.rs
@@ -1,9 +1,9 @@
 use arc_swap::access::Access;
-use rustls_pemfile::{certs, rsa_private_keys};
+use rustls_pemfile::{certs, pkcs8_private_keys, rsa_private_keys};
 use std::{
     collections::HashMap,
     fs::File,
-    io::{self, BufReader, ErrorKind::InvalidData},
+    io::{self, BufReader, ErrorKind::InvalidData, Seek},
     path::Path,
     sync::Arc,
 };
@@ -71,7 +71,13 @@ fn load_key<P>(path: P) -> io::Result<PrivateKey>
 where
     P: AsRef<Path>,
 {
-    let mut keys = load_keys(path)?;
+    let mut keys = load_keys(&path)?;
+    if keys.is_empty() {
+        return Err(io::Error::new(
+            InvalidData,
+            format!("No private keys found in '{}'", path.as_ref().display()),
+        ));
+    }
     Ok(keys.remove(0))
 }
 
@@ -81,13 +87,30 @@ where
 {
     let file = File::open(&path)?;
     let mut reader = BufReader::new(file);
-    let key_der_vec = rsa_private_keys(&mut reader).map_err(|_| {
-        io::Error::new(
-            InvalidData,
-            format!("Invalid RSA key in '{}'", path.as_ref().display()),
-        )
-    })?;
-    Ok(key_der_vec.into_iter().map(PrivateKey).collect())
+
+    // Try RSA keys first
+    let rsa_keys = rsa_private_keys(&mut reader)
+        .map(|keys| keys.into_iter().map(PrivateKey).collect::<Vec<_>>())
+        .unwrap_or_default();
+
+    if !rsa_keys.is_empty() {
+        return Ok(rsa_keys);
+    }
+
+    // If no RSA keys found, try PKCS8 format (for ECDSA, Ed25519, etc.)
+    reader.rewind()?;
+    let pkcs8_keys = pkcs8_private_keys(&mut reader)
+        .map(|keys| keys.into_iter().map(PrivateKey).collect::<Vec<_>>())
+        .unwrap_or_default();
+
+    if !pkcs8_keys.is_empty() {
+        return Ok(pkcs8_keys);
+    }
+
+    Err(io::Error::new(
+        InvalidData,
+        format!("No valid private keys (RSA or PKCS8) found in '{}'", path.as_ref().display()),
+    ))
 }
 
 pub struct ReconfigurableCertificateResolver<A>
