Upgrade axum to latest version

Author: jarhodes314

Cargo.lock

@@ -82,7 +82,7 @@ async-tungstenite = { version = "0.23", features = [
     "tokio-runtime",
     "tokio-rustls-native-certs",
 ] }
-axum = "0.6"
+axum = "0.8.1"
 axum-server = { version = "0.5.1", features = ["tls-rustls"] }
 backoff = { version = "0.4", features = ["tokio"] }
 base64 = "0.13"
@@ -116,7 +116,8 @@ http-body = "0.4"
 httparse = "1.9.3"
 humantime = "2.1.0"
 hyper = { version = "0.14", default-features = false }
-hyper-rustls = { version = "0.24", default-features = false, features = [
+hyper-util = { version = "0.1" }
+hyper-rustls = { version = "0.27.5", default-features = false, features = [
     "tokio-runtime",
     "tls12",
     "rustls-native-certs",
@@ -151,14 +152,14 @@ quote = "1"
 rand = "0.8"
 rcgen = { version = "0.12", features = ["pem", "zeroize"] }
 regex = "1.4"
-reqwest = { version = "0.11", default-features = false }
+reqwest = { version = "0.12", default-features = false }
 rpassword = "5.0"
 rstest = "0.16.0"
-rumqttc = "0.23"
+rumqttc = { git = "https://github.com/bytebeamio/rumqtt", ref = "49c3b5f81360299c316b052778905a7420bea579" }
 rumqttd = "0.19"
-rustls = "0.21.11"
+rustls = "0.23"
 rustls-native-certs = "0.6.3"
-rustls-pemfile = "1.0.1"
+rustls-pemfile = "2.2"
 serde = "1.0"
 serde_ignored = "0.1"
 serde_json = "1.0"
@@ -176,7 +177,7 @@ test-case = "3.2"
 thiserror = "1.0"
 time = "0.3"
 tokio = { version = "1.37", default-features = false }
-tokio-rustls = "0.24.1"
+tokio-rustls = "0.26.1"
 tokio-tungstenite = { version = "0.20.0" }
 tokio-util = { version = "0.7", features = ["codec"] }
 toml = "0.8"

Cargo.toml

@@ -10,7 +10,7 @@ repository = { workspace = true }
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-error-matching = ["dep:reqwest"]
+error-matching = ["dep:reqwest", "dep:hyper-util"]
 test-helpers = ["dep:assert_matches", "error-matching"]
 
 [dependencies]
@@ -22,6 +22,7 @@ camino = { workspace = true }
 futures = { workspace = true }
 hyper = { workspace = true }
 pin-project = { workspace = true }
+hyper-util = { workspace = true, features = ["client", "client-legacy"], optional = true }
 reqwest = { workspace = true, features = [
     "rustls-tls-native-roots",
 ], optional = true }
@@ -37,6 +38,7 @@ yansi = { workspace = true }
 
 [dev-dependencies]
 assert_matches = { workspace = true }
+hyper-util = { workspace = true, features = ["client", "client-legacy"] }
 rcgen = { workspace = true }
 reqwest = { workspace = true, features = ["rustls-tls-native-roots"] }
 tempfile = { workspace = true }

crates/common/axum_tls/Cargo.toml

@@ -9,7 +9,7 @@ use axum_server::tls_rustls::RustlsConfig;
 
 use futures::future::BoxFuture;
 
-use rustls::ServerConfig;
+use tokio_rustls::rustls::ServerConfig;
 
 use std::io;
 use std::sync::Arc;
@@ -88,7 +88,7 @@ where
                 let (stream, service) = acceptor.accept(stream, service).await?;
                 let server_conn = stream.get_ref().1;
                 let cert = (|| {
-                    X509Certificate::from_der(&server_conn.peer_certificates()?.first()?.0).ok()
+                    X509Certificate::from_der(&server_conn.peer_certificates()?.first()?).ok()
                 })();
                 let certificate_info = TlsData {
                     common_name: common_name(cert.as_ref()).map(Arc::from),
@@ -117,6 +117,10 @@ mod tests {
     use reqwest::Certificate;
     use reqwest::Client;
     use reqwest::Identity;
+    use rustls::crypto::CryptoProvider;
+    use rustls::pki_types::pem::PemObject as _;
+    use rustls::pki_types::CertificateDer;
+    use rustls::pki_types::PrivateKeyDer;
     use rustls::RootCertStore;
     use std::net::SocketAddr;
     use std::net::TcpListener;
@@ -169,7 +173,10 @@ mod tests {
 
     #[tokio::test]
     async fn acceptor_rejects_untrusted_client_certificates() {
-        let server = Server::with_trusted_roots(RootCertStore::empty());
+        let permitted_certificate = rcgen::generate_simple_self_signed(vec!["not-my-client".into()]).unwrap();
+        let mut roots = RootCertStore::empty();
+        roots.add(permitted_certificate.serialize_der().unwrap().into()).unwrap();
+        let server = Server::with_trusted_roots(roots);
         let client = Client::builder()
             .add_root_certificate(server.certificate.clone())
             .identity(identity_with_name("my-client"))
@@ -180,6 +187,7 @@ mod tests {
             .get_with_scheme(Scheme::HTTPS, &client)
             .await
             .unwrap_err();
+        println!("{}", err);
         crate::error_matching::assert_error_matches(err, rustls::AlertDescription::UnknownCA);
     }
 
@@ -188,7 +196,9 @@ mod tests {
         let client_cert = rcgen::generate_simple_self_signed(["my-client".into()]).unwrap();
         let identity = identity_from(&client_cert);
         let mut cert_store = RootCertStore::empty();
-        cert_store.add_parsable_certificates(&[client_cert.serialize_der().unwrap()]);
+        cert_store.add_parsable_certificates([CertificateDer::from(
+            client_cert.serialize_der().unwrap(),
+        )]);
 
         let server = Server::with_trusted_roots(cert_store);
         let client = Client::builder()
@@ -247,6 +257,7 @@ mod tests {
         }
 
         fn start(trusted_roots: Option<RootCertStore>) -> Self {
+            let _ = CryptoProvider::install_default(rustls::crypto::ring::default_provider());
             let mut port = 3000;
             let listener = loop {
                 if let Ok(listener) = TcpListener::bind::<SocketAddr>(([127, 0, 0, 1], port).into())
@@ -256,8 +267,10 @@ mod tests {
                 port += 1;
             };
             let certificate = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
-            let certificate_der = certificate.serialize_der().unwrap();
-            let private_key_der = certificate.serialize_private_key_der();
+            let certificate_der = CertificateDer::from(certificate.serialize_der().unwrap());
+            let private_key_der =
+                PrivateKeyDer::from_pem_slice(certificate.serialize_private_key_pem().as_bytes())
+                    .unwrap();
             let certificate = reqwest::Certificate::from_der(&certificate_der).unwrap();
             let config = ssl_config(vec![certificate_der], private_key_der, trusted_roots).unwrap();
             tokio::spawn(

crates/common/axum_tls/src/acceptor.rs

@@ -5,6 +5,8 @@ use crate::ssl_config;
 use anyhow::anyhow;
 use anyhow::Context;
 use camino::Utf8Path;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::PrivateKeyDer;
 use rustls::RootCertStore;
 use std::fmt::Debug;
 use std::fs::File;
@@ -100,7 +102,7 @@ pub fn load_ssl_config(
     }
 }
 
-type CertKeyPair = (Vec<Vec<u8>>, Vec<u8>);
+type CertKeyPair = (Vec<CertificateDer<'static>>, PrivateKeyDer<'static>);
 
 fn load_certificate_and_key(
     cert_path: &OptionalConfig<impl PemReader>,

crates/common/axum_tls/src/config.rs

@@ -14,7 +14,8 @@ pub fn assert_error_matches(err: reqwest::Error, alert_description: rustls::Aler
 
 pub fn rustls_error_from_reqwest(err: &reqwest::Error) -> Option<&rustls::Error> {
     err.source()?
-        .downcast_ref::<hyper::Error>()?
+        .downcast_ref::<hyper_util::client::legacy::Error>()?
+        .source()?
         .source()?
         .downcast_ref::<std::io::Error>()?
         .get_ref()?

crates/common/axum_tls/src/error_matching.rs

@@ -2,15 +2,14 @@ use crate::config::PemReader;
 use anyhow::anyhow;
 use anyhow::Context;
 use camino::Utf8Path;
-use rustls::server::AllowAnyAuthenticatedClient;
-use rustls::Certificate;
-use rustls::PrivateKey;
+use rustls::pki_types::CertificateDer;
+use rustls::pki_types::PrivateKeyDer;
+use rustls::server::WebPkiClientVerifier;
 use rustls::RootCertStore;
 use rustls::ServerConfig;
 use rustls_pemfile::Item;
 use std::fs::File;
 use std::io;
-use std::sync::Arc;
 
 /// Read a directory into a [RootCertStore]
 pub fn read_trust_store(ca_dir: &Utf8Path) -> anyhow::Result<RootCertStore> {
@@ -32,54 +31,47 @@ pub fn read_trust_store(ca_dir: &Utf8Path) -> anyhow::Result<RootCertStore> {
         let Ok(mut pem_file) = File::open(&path).map(std::io::BufReader::new) else {
             continue;
         };
-        if let Some(value) = rustls_pemfile::certs(&mut pem_file)
-            .with_context(|| format!("reading {path}"))?
-            .into_iter()
-            .next()
-        {
-            ders.push(value);
-        };
+
+        ders.extend(rustls_pemfile::certs(&mut pem_file).filter_map(Result::ok));
     }
-    roots.add_parsable_certificates(&ders);
+    roots.add_parsable_certificates(ders);
 
     Ok(roots)
 }
 
 /// Load the SSL configuration for rustls
 pub fn ssl_config(
-    certificate_chain: Vec<Vec<u8>>,
-    key_der: Vec<u8>,
+    server_cert_chain: Vec<CertificateDer<'static>>,
+    server_key: PrivateKeyDer<'static>,
     root_certs: Option<RootCertStore>,
 ) -> anyhow::Result<ServerConfig> {
     // Trusted CA for client certificates
-    let config = ServerConfig::builder().with_safe_defaults();
+    let config = ServerConfig::builder();
 
     let config = if let Some(root_certs) = root_certs {
-        config.with_client_cert_verifier(Arc::new(AllowAnyAuthenticatedClient::new(root_certs)))
+        config.with_client_cert_verifier(WebPkiClientVerifier::builder(root_certs.into()).build()?)
     } else {
         config.with_no_client_auth()
     };
 
-    let server_cert = certificate_chain.into_iter().map(Certificate).collect();
-    let server_key = PrivateKey(key_der);
-
     config
-        .with_single_cert(server_cert, server_key)
+        .with_single_cert(server_cert_chain, server_key)
         .context("invalid key or certificate")
 }
 
 /// Load the server certificate
-pub fn load_cert(path: &(impl PemReader + ?Sized)) -> anyhow::Result<Vec<Vec<u8>>> {
+pub fn load_cert(path: &(impl PemReader + ?Sized)) -> anyhow::Result<Vec<CertificateDer<'static>>> {
     let file = path
         .open()
         .with_context(|| format!("cannot open certificate file: {path:?}"))?;
     let mut reader = std::io::BufReader::new(file);
     rustls_pemfile::certs(&mut reader)
+        .collect::<Result<Vec<_>, _>>()
         .with_context(|| format!("parsing PEM-encoded certificate from {path:?}"))
 }
 
 /// Load the server private key
-pub fn load_pkey(path: &(impl PemReader + ?Sized)) -> anyhow::Result<Vec<u8>> {
+pub fn load_pkey(path: &(impl PemReader + ?Sized)) -> anyhow::Result<PrivateKeyDer<'static>> {
     let key_file = path
         .open()
         .with_context(|| format!("cannot open certificate file: {path:?}"))?;
@@ -90,14 +82,16 @@ pub fn load_pkey(path: &(impl PemReader + ?Sized)) -> anyhow::Result<Vec<u8>> {
 pub fn pkey_from_pem(
     reader: &mut dyn io::BufRead,
     filename: &(impl PemReader + ?Sized),
-) -> anyhow::Result<Vec<u8>> {
+) -> anyhow::Result<PrivateKeyDer<'static>> {
     rustls_pemfile::read_one(reader)
         .with_context(|| format!("reading PEM-encoded private key from {filename:?}"))?
         .ok_or(anyhow!(
             "expected private key in {filename:?}, but found no PEM-encoded data"
         ))
         .and_then(|item| match item {
-            Item::ECKey(key) | Item::PKCS8Key(key) | Item::RSAKey(key) => Ok(key),
+            Item::Sec1Key(key) => Ok(PrivateKeyDer::Sec1(key)),
+            Item::Pkcs8Key(key) => Ok(PrivateKeyDer::Pkcs8(key)),
+            Item::Pkcs1Key(key) => Ok(PrivateKeyDer::Pkcs1(key)),
             Item::Crl(_) => Err(anyhow!("expected private key in {filename:?}, found a CRL")),
             Item::X509Certificate(_) => Err(anyhow!(
                 "expected private key in {filename:?}, found an X509 certificate"
@@ -226,60 +220,71 @@ mod tests {
     }
 
     mod server_accepts {
+        use rustls::crypto::CryptoProvider;
+
         use super::*;
 
+        fn init_crypto() {
+            let _ = CryptoProvider::install_default(rustls::crypto::ring::default_provider());
+        }
+
         #[tokio::test]
         async fn alg_ed25519_pkcs8() {
+            init_crypto();
             let key = test_data("ed25519.key");
             let cert = test_data("ed25519.crt");
 
             let (config, cert) = config_from_pem(&key, &cert).unwrap();
 
-            assert_matches!(parse_key_to_item(&key), Item::PKCS8Key(_));
+            assert_matches!(parse_key_to_item(&key), Item::Pkcs8Key(_));
             assert_server_works_with(config, cert).await;
         }
 
         #[tokio::test]
         async fn alg_ec() {
+            init_crypto();
             let key = test_data("ec.key");
             let cert = test_data("ec.crt");
 
             let (config, cert) = config_from_pem(&key, &cert).unwrap();
 
-            assert_matches!(parse_key_to_item(&key), Item::ECKey(_));
+            assert_matches!(parse_key_to_item(&key), Item::Sec1Key(_));
             assert_server_works_with(config, cert).await;
         }
 
         #[tokio::test]
         async fn alg_ec_pkcs8() {
+            init_crypto();
             let key = test_data("ec.pkcs8.key");
             let cert = test_data("ec.crt");
 
             let (config, cert) = config_from_pem(&key, &cert).unwrap();
 
-            assert_matches!(parse_key_to_item(&key), Item::PKCS8Key(_));
+            assert_matches!(parse_key_to_item(&key), Item::Pkcs8Key(_));
             assert_server_works_with(config, cert).await;
         }
 
         #[tokio::test]
         async fn alg_rsa_pkcs8() {
+            init_crypto();
             let key = test_data("rsa.pkcs8.key");
             let cert = test_data("rsa.crt");
 
             let (config, cert) = config_from_pem(&key, &cert).unwrap();
 
-            assert_matches!(parse_key_to_item(&key), Item::PKCS8Key(_));
+            assert_matches!(parse_key_to_item(&key), Item::Pkcs8Key(_));
             assert_server_works_with(config, cert).await;
         }
 
         #[tokio::test]
         async fn alg_rsa_pkcs1() {
+            init_crypto();
             let key = test_data("rsa.pkcs1.key");
             let cert = test_data("rsa.crt");
 
             let (config, cert) = config_from_pem(&key, &cert).unwrap();
 
-            assert_matches!(parse_key_to_item(&key), Item::RSAKey(_));
+            assert_matches!(parse_key_to_item(&key), Item::Pkcs1Key(_));
             assert_server_works_with(config, cert).await;
         }
 
@@ -300,18 +305,20 @@ mod tests {
             key: &str,
             cert: &str,
         ) -> anyhow::Result<(ServerConfig, reqwest::tls::Certificate)> {
-            let chain = rustls_pemfile::certs(&mut Cursor::new(cert)).context("reading certs")?;
+            let chain = rustls_pemfile::certs(&mut Cursor::new(cert))
+                .collect::<Result<Vec<_>, _>>()
+                .context("reading certs")?;
             let key_der = parse_key_to_der(key)?;
             let cert = reqwest::tls::Certificate::from_der(
-                chain.first().expect("chain should contain certificate"),
+                &*chain.first().expect("chain should contain certificate"),
             )
             .context("converting certificate to reqwest::tls::Certificate")?;
             let config = ssl_config(chain, key_der, None)?;
 
             Ok((config, cert))
         }
 
-        fn parse_key_to_der(pem: &str) -> anyhow::Result<Vec<u8>> {
+        fn parse_key_to_der(pem: &str) -> anyhow::Result<PrivateKeyDer<'static>> {
             pkey_from_pem(
                 &mut Cursor::new(pem),
                 Utf8Path::new("just-in-memory-not-a-file.pem"),

crates/common/axum_tls/src/files.rs

@@ -82,9 +82,9 @@ pub fn read_trust_store(ca_dir_or_file: &Utf8Path) -> anyhow::Result<Vec<Certifi
         };
 
         let ders = rustls_pemfile::certs(&mut pem_file)
-            .with_context(|| format!("reading {path}"))?
-            .into_iter()
-            .map(|der| Certificate::from_der(&der).unwrap());
+            .map(|res| Ok(Certificate::from_der(&res?)?))
+            .collect::<anyhow::Result<Vec<_>>>()
+            .with_context(|| format!("reading {path}"))?;
         certs.extend(ders)
     }