RUST-1122 Fix x509 auth for pkcs8 keys and Atlas free tier (#532)

abr-egn · abr-egn · commit 4538343bb45a · 2021-12-13T11:12:19.000-05:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -63,6 +63,7 @@ md-5 = "0.9.1"
 os_info = { version = "3.0.1", default-features = false }
 percent-encoding = "2.0.0"
 rand = { version = "0.8.3", features = ["small_rng"] }
+rustls-pemfile = "0.2.1"
 serde_with = "1.3.1"
 sha-1 = "0.9.4"
 sha2 = "0.9.3"
diff --git a/src/client/auth/x509.rs b/src/client/auth/x509.rs
@@ -51,14 +51,18 @@ pub(super) async fn authenticate_stream(
     server_api: Option<&ServerApi>,
     server_first: impl Into<Option<Document>>,
 ) -> Result<()> {
-    let server_response = match server_first.into() {
-        Some(server_first) => server_first,
+    let server_response: Document = match server_first.into() {
+        Some(_) => return Ok(()),
         None => send_client_first(conn, credential, server_api)
             .await?
             .auth_response_body("MONGODB-X509")?,
     };
 
-    if server_response.get_str("dbname") != Ok("$external") {
+    if server_response
+        .get("ok")
+        .and_then(crate::bson_util::get_int)
+        != Some(1)
+    {
         return Err(Error::authentication_error(
             "MONGODB-X509",
             "Authentication failed",
diff --git a/src/client/options/mod.rs b/src/client/options/mod.rs
@@ -26,6 +26,7 @@ use rustls::{
     ServerCertVerifier,
     TLSError,
 };
+use rustls_pemfile::{read_one, Item};
 use serde::{
     de::{Error, Unexpected},
     Deserialize,
@@ -846,22 +847,32 @@ impl TlsOptions {
             };
 
             file.seek(SeekFrom::Start(0))?;
-            let key = match pemfile::rsa_private_keys(&mut file) {
-                Ok(key) => key,
-                Err(()) => {
-                    return Err(ErrorKind::InvalidTlsConfig {
-                        message: format!(
-                            "Unable to parse PEM-encoded RSA key from {}",
-                            path.display()
-                        ),
+            let key = loop {
+                match read_one(&mut file) {
+                    Ok(Some(Item::PKCS8Key(bytes))) | Ok(Some(Item::RSAKey(bytes))) => {
+                        break rustls::PrivateKey(bytes)
+                    }
+                    Ok(Some(_)) => continue,
+                    Ok(None) => {
+                        return Err(ErrorKind::InvalidTlsConfig {
+                            message: format!("No PEM-encoded keys in {}", path.display()),
+                        }
+                        .into())
+                    }
+                    Err(_) => {
+                        return Err(ErrorKind::InvalidTlsConfig {
+                            message: format!(
+                                "Unable to parse PEM-encoded item from {}",
+                                path.display()
+                            ),
+                        }
+                        .into())
                     }
-                    .into())
                 }
             };
 
-            // TODO: Get rid of unwrap.
             config
-                .set_single_client_cert(certs, key.into_iter().next().unwrap())
+                .set_single_client_cert(certs, key)
                 .map_err(|e| ErrorKind::InvalidTlsConfig {
                     message: e.to_string(),
                 })?;
