refactor(rustls): depend on tokio-rustls via linkerd-rustls

Cargo.lock

@@ -1541,7 +1541,6 @@ dependencies = [
  "serde_json",
  "socket2 0.6.1",
  "tokio",
- "tokio-rustls",
  "tokio-stream",
  "tonic",
  "tower",
@@ -1577,6 +1576,7 @@ dependencies = [
  "linkerd-opaq-route",
  "linkerd-proxy-client-policy",
  "linkerd-retry",
+ "linkerd-rustls",
  "linkerd-stack",
  "linkerd-tls-route",
  "linkerd-tonic-stream",
@@ -1589,7 +1589,6 @@ dependencies = [
  "prometheus-client",
  "thiserror",
  "tokio",
- "tokio-rustls",
  "tokio-test",
  "tonic",
  "tower",
@@ -2004,12 +2003,9 @@ dependencies = [
  "linkerd-tls",
  "linkerd-tls-test-util",
  "linkerd-tracing",
- "rcgen",
  "rustls-pemfile",
- "rustls-webpki",
  "thiserror",
  "tokio",
- "tokio-rustls",
  "tracing",
 ]
 
@@ -2019,7 +2015,7 @@ version = "0.1.0"
 dependencies = [
  "linkerd-error",
  "linkerd-identity",
- "rcgen",
+ "linkerd-rustls",
  "tracing",
  "x509-parser",
 ]
@@ -2329,8 +2325,8 @@ dependencies = [
  "linkerd-exp-backoff",
  "linkerd-identity",
  "linkerd-proxy-http",
+ "linkerd-rustls",
  "linkerd-tonic-watch",
- "rcgen",
  "simple_asn1",
  "spiffe-proto",
  "thiserror",
@@ -2442,6 +2438,7 @@ dependencies = [
 name = "linkerd-rustls"
 version = "0.1.0"
 dependencies = [
+ "rcgen",
  "rustls-webpki",
  "tokio-rustls",
 ]

Cargo.toml

@@ -110,9 +110,6 @@ prometheus-client = { version = "0.23" }
 prost = { version = "0.14" }
 prost-build = { version = "0.14", default-features = false }
 prost-types = { version = "0.14" }
-tokio-rustls = { version = "0.26", default-features = false, features = [
-    "logging",
-] }
 tonic = { version = "0.14", default-features = false }
 tonic-prost = { version = "0.14", default-features = false }
 tonic-prost-build = { version = "0.14", default-features = false }

linkerd/app/integration/Cargo.toml

@@ -25,25 +25,25 @@ http-body = { workspace = true }
 http-body-util = { workspace = true }
 hyper-util = { workspace = true, features = ["service"] }
 ipnet = "2"
-linkerd-app = { path = "..", features = ["allow-loopback"] }
-linkerd-app-core = { path = "../core" }
-linkerd-app-test = { path = "../test" }
-linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] }
-linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
-linkerd-rustls = { path = "../../rustls" }
-linkerd-tracing = { path = "../../tracing" }
 maplit = "1"
 parking_lot = "0.12"
 regex = "1"
 rustls-pemfile = "2.2"
 socket2 = "0.6"
 tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
-tokio-rustls = { workspace = true }
 tokio-stream = { version = "0.1", features = ["sync"] }
 tonic = { workspace = true, features = ["transport", "router"], default-features = false }
 tower = { workspace = true, default-features = false }
 tracing = { workspace = true }
 
+linkerd-app = { path = "..", features = ["allow-loopback"] }
+linkerd-app-core = { path = "../core" }
+linkerd-app-test = { path = "../test" }
+linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] }
+linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
+linkerd-rustls = { path = "../../rustls" }
+linkerd-tracing = { path = "../../tracing" }
+
 [dependencies.hyper]
 workspace = true
 features = [

linkerd/app/integration/src/client.rs

@@ -1,10 +1,10 @@
 use super::*;
 use http::{Request, Response};
 use linkerd_app_core::{proxy::http::TokioExecutor, svc::http::BoxBody};
+use linkerd_rustls::tokio_rustls::rustls::{self, ClientConfig};
 use parking_lot::Mutex;
 use std::io;
 use tokio::{net::TcpStream, task::JoinHandle};
-use tokio_rustls::rustls::{self, ClientConfig};
 use tracing::info_span;
 
 type ClientError = hyper_util::client::legacy::Error;
@@ -342,7 +342,7 @@ impl tower::Service<hyper::Uri> for Conn {
                 client_config,
             }) = tls
             {
-                let io = tokio_rustls::TlsConnector::from(client_config.clone())
+                let io = linkerd_rustls::tokio_rustls::TlsConnector::from(client_config.clone())
                     .connect(name, io)
                     .await?;
                 Box::pin(io) as Pin<Box<dyn Io + Send + 'static>>

linkerd/app/integration/src/identity.rs

@@ -8,8 +8,10 @@ use std::{
 };
 
 use linkerd2_proxy_api::identity as pb;
-use linkerd_rustls::get_default_provider;
-use tokio_rustls::rustls::{self, server::WebPkiClientVerifier};
+use linkerd_rustls::{
+    get_default_provider,
+    tokio_rustls::rustls::{self, server::WebPkiClientVerifier},
+};
 use tonic as grpc;
 
 pub struct Identity {

linkerd/app/integration/src/server.rs

@@ -2,12 +2,12 @@ use super::app_core::svc::http::TokioExecutor;
 use super::*;
 use http::{Request, Response};
 use linkerd_app_core::svc::http::BoxBody;
+use linkerd_rustls::tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use std::{
     io,
     sync::atomic::{AtomicUsize, Ordering},
 };
 use tokio::{net::TcpStream, task::JoinHandle};
-use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 
 pub fn new() -> Server {
     http2()

linkerd/app/outbound/Cargo.toml

@@ -59,7 +59,6 @@ http-body-util = { workspace = true, features = ["channel"] }
 hyper = { workspace = true, features = ["http1", "http2"] }
 hyper-util = { workspace = true }
 tokio = { version = "1", features = ["macros", "sync", "time"] }
-tokio-rustls = { workspace = true }
 tokio-test = "0.4"
 tower-test = { workspace = true }
 
@@ -71,6 +70,7 @@ linkerd-meshtls = { path = "../../meshtls", features = [
     "test-util",
 ] }
 linkerd-mock-http-body = { path = "../../mock/http-body" }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-stack = { path = "../../stack", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 

linkerd/app/outbound/src/tls/logical/tests.rs

@@ -8,6 +8,11 @@ use linkerd_app_core::{
 };
 use linkerd_app_test::{AsyncReadExt, AsyncWriteExt};
 use linkerd_proxy_client_policy::{self as client_policy, tls::sni};
+use linkerd_rustls::tokio_rustls::rustls::{
+    internal::msgs::codec::{Codec, Reader},
+    pki_types::DnsName,
+    InvalidMessage,
+};
 use parking_lot::Mutex;
 use std::{
     collections::HashMap,
@@ -18,11 +23,6 @@ use std::{
     time::Duration,
 };
 use tokio::sync::watch;
-use tokio_rustls::rustls::{
-    internal::msgs::codec::{Codec, Reader},
-    pki_types::DnsName,
-    InvalidMessage,
-};
 
 mod basic;
 
@@ -174,7 +174,7 @@ fn sni_route(backend: client_policy::Backend, sni: sni::MatchSni) -> client_poli
 
 // generates a sample ClientHello TLS message for testing
 fn generate_client_hello(sni: &str) -> Vec<u8> {
-    use tokio_rustls::rustls::{
+    use linkerd_rustls::tokio_rustls::rustls::{
         internal::msgs::{base::Payload, codec::Codec, message::PlainMessage},
         ContentType, ProtocolVersion,
     };

linkerd/meshtls/Cargo.toml

@@ -7,16 +7,14 @@ edition = "2018"
 publish = { workspace = true }
 
 [features]
-rustls-aws-lc-fips = ["tokio-rustls/fips"]
+rustls-aws-lc-fips = ["linkerd-rustls/rustls-aws-lc-fips"]
 test-util = ["linkerd-tls-test-util"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
 rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.8", default-features = false, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
-tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
 tracing = { workspace = true }
 
 linkerd-dns-name = { path = "../dns/name" }
@@ -32,9 +30,9 @@ linkerd-tls-test-util = { path = "../tls/test-util", optional = true }
 [dev-dependencies]
 tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] }
 tracing = { workspace = true }
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
 
 linkerd-conditional = { path = "../conditional" }
 linkerd-proxy-transport = { path = "../proxy/transport" }
+linkerd-rustls = { path = "../rustls", features = ["test-util"] }
 linkerd-tls-test-util = { path = "../tls/test-util" }
-linkerd-tracing = { path = "../tracing", features = ["ansi"] }
+linkerd-tracing = { path = "../tracing", features = ["ansi"] }

linkerd/meshtls/src/client.rs

@@ -2,11 +2,14 @@ use futures::prelude::*;
 use linkerd_identity as id;
 use linkerd_io as io;
 use linkerd_meshtls_verifier as verifier;
+use linkerd_rustls::tokio_rustls::{
+    self,
+    rustls::{self, pki_types::CertificateDer, ClientConfig},
+};
 use linkerd_stack::{NewService, Service};
 use linkerd_tls::{client::AlpnProtocols, ClientTls, NegotiatedProtocol, NegotiatedProtocolRef};
 use std::{convert::TryFrom, pin::Pin, sync::Arc, task::Context};
 use tokio::sync::watch;
-use tokio_rustls::rustls::{self, pki_types::CertificateDer, ClientConfig};
 
 /// A `NewService` that produces `Connect` services from a dynamic TLS configuration.
 #[derive(Clone)]

linkerd/meshtls/src/creds.rs

@@ -6,10 +6,10 @@ pub use self::{receiver::Receiver, store::Store};
 use linkerd_dns_name as dns;
 use linkerd_error::Result;
 use linkerd_identity as id;
+use linkerd_rustls::tokio_rustls::rustls;
 use std::sync::Arc;
 use thiserror::Error;
 use tokio::sync::watch;
-use tokio_rustls::rustls::{self};
 use tracing::warn;
 
 #[derive(Debug, Error)]

linkerd/meshtls/src/creds/receiver.rs

@@ -1,9 +1,9 @@
 use crate::{NewClient, Server};
 use linkerd_dns_name as dns;
 use linkerd_identity::Id;
+use linkerd_rustls::tokio_rustls::rustls;
 use std::sync::Arc;
 use tokio::sync::watch;
-use tokio_rustls::rustls;
 
 /// Receives TLS config updates to build `NewClient` and `Server` types.
 #[derive(Clone)]

linkerd/meshtls/src/creds/store.rs

@@ -2,14 +2,14 @@ use linkerd_dns_name as dns;
 use linkerd_error::Result;
 use linkerd_identity as id;
 use linkerd_meshtls_verifier as verifier;
-use std::{convert::TryFrom, sync::Arc};
-use tokio::sync::watch;
-use tokio_rustls::rustls::{
+use linkerd_rustls::tokio_rustls::rustls::{
     self,
     pki_types::{PrivatePkcs8KeyDer, UnixTime},
     server::WebPkiClientVerifier,
     sign::CertifiedKey,
 };
+use std::{convert::TryFrom, sync::Arc};
+use tokio::sync::watch;
 use tracing::debug;
 
 pub struct Store {

linkerd/meshtls/src/creds/verify.rs

@@ -1,15 +1,20 @@
-use linkerd_rustls::SUPPORTED_SIG_ALGS;
-use std::{convert::TryFrom, sync::Arc};
-use tokio_rustls::rustls::{
-    self,
-    client::{
+use linkerd_rustls::{
+    tokio_rustls::{
         self,
-        danger::{ServerCertVerified, ServerCertVerifier},
+        rustls::{
+            self,
+            client::{
+                self,
+                danger::{ServerCertVerified, ServerCertVerifier},
+            },
+            pki_types::{CertificateDer, ServerName, UnixTime},
+            server::ParsedCertificate,
+            RootCertStore,
+        },
     },
-    pki_types::{CertificateDer, ServerName, UnixTime},
-    server::ParsedCertificate,
-    RootCertStore,
+    SUPPORTED_SIG_ALGS,
 };
+use std::{convert::TryFrom, sync::Arc};
 use tracing::trace;
 
 #[derive(Debug)]

linkerd/meshtls/src/server.rs

@@ -2,12 +2,15 @@ use futures::prelude::*;
 use linkerd_dns_name as dns;
 use linkerd_io as io;
 use linkerd_meshtls_verifier as verifier;
+use linkerd_rustls::tokio_rustls::{
+    self,
+    rustls::{pki_types::CertificateDer, ServerConfig},
+};
 use linkerd_stack::{Param, Service};
 use linkerd_tls::{ClientId, NegotiatedProtocol, NegotiatedProtocolRef, ServerName, ServerTls};
 use std::{pin::Pin, sync::Arc, task::Context};
 use thiserror::Error;
 use tokio::sync::watch;
-use tokio_rustls::rustls::{pki_types::CertificateDer, ServerConfig};
 use tracing::debug;
 
 /// A Service that terminates TLS connections using a dynamically updated server configuration.

linkerd/meshtls/tests/util.rs

@@ -13,12 +13,12 @@ use linkerd_proxy_transport::{
     listen::{Addrs, Bind, BindTcp},
     ConnectTcp, Keepalive, UserTimeout,
 };
+use linkerd_rustls::rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType};
 use linkerd_stack::{
     layer::Layer, service_fn, ExtractParam, InsertParam, NewService, Param, ServiceExt,
 };
 use linkerd_tls as tls;
 use linkerd_tls_test_util as test_util;
-use rcgen::{BasicConstraints, CertificateParams, IsCa, Issuer, KeyPair, SanType};
 use std::str::FromStr;
 use std::{
     net::SocketAddr,

linkerd/meshtls/verifier/Cargo.toml

@@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" }
 
 
 [dev-dependencies]
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
+linkerd-rustls = { path = "../../rustls", features = ["test-util"] }

linkerd/meshtls/verifier/src/lib.rs

@@ -58,7 +58,7 @@ mod tests {
     use crate::client_identity;
     use crate::verify_id;
     use linkerd_identity::Id;
-    use rcgen::{CertificateParams, KeyPair, SanType};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType};
 
     fn generate_cert_with_names(subject_alt_names: Vec<SanType>) -> Vec<u8> {
         let key = KeyPair::generate().expect("should generate key");

linkerd/proxy/spire-client/Cargo.toml

@@ -23,4 +23,4 @@ asn1 = { version = "0.6", package = "simple_asn1" }
 thiserror = "2"
 
 [dev-dependencies]
-rcgen = { version = "0.14.5", default-features = false, features = ["crypto", "pem", "aws_lc_rs"] }
+linkerd-rustls = { path = "../../rustls", features = ["test-util"] }

linkerd/proxy/spire-client/src/api.rs

@@ -220,7 +220,7 @@ where
 #[cfg(test)]
 mod tests {
     use crate::api::Svid;
-    use rcgen::{CertificateParams, KeyPair, SanType};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType};
     use spiffe_proto::client as api;
 
     fn gen_svid_pb(id: String, subject_alt_names: Vec<SanType>) -> api::X509svid {

linkerd/proxy/spire-client/src/lib.rs

@@ -62,7 +62,7 @@ mod tests {
     use crate::api::Svid;
     use linkerd_error::Result;
     use linkerd_identity::DerX509;
-    use rcgen::{CertificateParams, KeyPair, SanType, SerialNumber};
+    use linkerd_rustls::rcgen::{CertificateParams, KeyPair, SanType, SerialNumber};
     use std::time::SystemTime;
 
     fn gen_svid(id: Id, subject_alt_names: Vec<SanType>, serial: SerialNumber) -> Svid {