Update depend rcgen (#559)

* Update depend rcgen

* Update depend x509-parser

* Update depend rcgen and rustls

* fix dtls test

* fix test webrtc

* change rustls features aws_lc_rs => ring

Author: a-wing

Cargo.lock

@@ -40,11 +40,11 @@ tokio = { version = "1.32.0", features = [
 ] }
 async-trait = "0.1"
 x25519-dalek = { version = "2", features = ["static_secrets"] }
-x509-parser = "0.15"
+x509-parser = "0.16"
 der-parser = "8.1"
-rcgen = "0.11"
+rcgen = "0.13"
 ring = "0.17"
-rustls = { version = "0.21", features = ["dangerous_configuration"]}
+rustls = { version = "0.23", default-features = false, features = ["std", "ring"] }
 bincode = "1"
 serde = { version = "1", features = ["derive"] }
 subtle = "2"

dtls/Cargo.toml

@@ -69,7 +69,7 @@ async fn main() -> Result<(), Error> {
     let mut cert_pool = rustls::RootCertStore::empty();
     let certs = load_certificate("dtls/examples/certificates/server.pub.pem".into())?;
     for cert in &certs {
-        if cert_pool.add(cert).is_err() {
+        if cert_pool.add(cert.to_owned()).is_err() {
             return Err(Error::Other("cert_pool add_pem_file failed".to_owned()));
         }
     }

dtls/examples/dial/verify/dial_verify.rs

@@ -10,7 +10,7 @@ util = { path = "../../../util", package = "webrtc-util", default-features = fal
 dtls = { package = "webrtc-dtls", path = "../../" }
 
 tokio = { version = "1.32.0", features = ["full"] }
-rcgen = { version = "0.11", features = ["pem", "x509-parser"] }
-rustls = "0.21"
+rcgen = { version = "0.13", features = ["pem", "x509-parser"] }
+rustls = { version = "0.23", default-features = false }
 rustls-pemfile = "1"
 thiserror = "1"

dtls/examples/hub/Cargo.toml

@@ -4,6 +4,7 @@ use std::path::PathBuf;
 
 use dtls::crypto::{Certificate, CryptoPrivateKey};
 use rcgen::KeyPair;
+use rustls::pki_types::CertificateDer;
 use thiserror::Error;
 
 use super::*;
@@ -101,12 +102,12 @@ pub fn load_key(path: PathBuf) -> Result<CryptoPrivateKey, Error> {
 }
 
 /// load_certificate Load/read certificate(s) from file
-pub fn load_certificate(path: PathBuf) -> Result<Vec<rustls::Certificate>, Error> {
+pub fn load_certificate(path: PathBuf) -> Result<Vec<CertificateDer<'static>>, Error> {
     let f = File::open(path)?;
 
     let mut reader = BufReader::new(f);
     match rustls_pemfile::certs(&mut reader) {
-        Ok(certs) => Ok(certs.into_iter().map(rustls::Certificate).collect()),
+        Ok(certs) => Ok(certs.into_iter().map(CertificateDer::from).collect()),
         Err(_) => Err(Error::ErrNoCertificateFound),
     }
 }

dtls/examples/hub/src/utilities.rs

@@ -64,7 +64,7 @@ async fn main() -> Result<(), Error> {
     let mut cert_pool = rustls::RootCertStore::empty();
     let certs = load_certificate("dtls/examples/certificates/server.pub.pem".into())?;
     for cert in &certs {
-        if cert_pool.add(cert).is_err() {
+        if cert_pool.add(cert.to_owned()).is_err() {
             return Err(Error::Other("cert_pool add_pem_file failed".to_owned()));
         }
     }

dtls/examples/listen/verify/listen_verify.rs

@@ -1,6 +1,7 @@
 use std::time::SystemTime;
 
 use rand::Rng;
+use rustls::pki_types::CertificateDer;
 use util::conn::conn_pipe::*;
 use util::KeyingMaterialExporter;
 
@@ -860,13 +861,13 @@ async fn test_client_certificate() -> Result<()> {
     let srv_cert = Certificate::generate_self_signed(vec!["localhost".to_owned()])?;
     let mut srv_ca_pool = rustls::RootCertStore::empty();
     srv_ca_pool
-        .add(&srv_cert.certificate[0])
+        .add(srv_cert.certificate[0].to_owned())
         .map_err(|_err| Error::Other("add srv_cert error".to_owned()))?;
 
     let cert = Certificate::generate_self_signed(vec!["localhost".to_owned()])?;
     let mut ca_pool = rustls::RootCertStore::empty();
     ca_pool
-        .add(&cert.certificate[0])
+        .add(cert.certificate[0].to_owned())
         .map_err(|_err| Error::Other("add cert error".to_owned()))?;
 
     let tests = vec![
@@ -1291,21 +1292,21 @@ async fn test_extended_master_secret() -> Result<()> {
     Ok(())
 }
 
-fn fn_not_expected_chain(_cert: &[Vec<u8>], chain: &[rustls::Certificate]) -> Result<()> {
+fn fn_not_expected_chain(_cert: &[Vec<u8>], chain: &[CertificateDer<'static>]) -> Result<()> {
     if !chain.is_empty() {
         return Err(Error::Other(ERR_NOT_EXPECTED_CHAIN.to_owned()));
     }
     Ok(())
 }
 
-fn fn_expected_chain(_cert: &[Vec<u8>], chain: &[rustls::Certificate]) -> Result<()> {
+fn fn_expected_chain(_cert: &[Vec<u8>], chain: &[CertificateDer<'static>]) -> Result<()> {
     if chain.is_empty() {
         return Err(Error::Other(ERR_EXPECTED_CHAIN.to_owned()));
     }
     Ok(())
 }
 
-fn fn_wrong_cert(_cert: &[Vec<u8>], _chain: &[rustls::Certificate]) -> Result<()> {
+fn fn_wrong_cert(_cert: &[Vec<u8>], _chain: &[CertificateDer<'static>]) -> Result<()> {
     Err(Error::Other(ERR_WRONG_CERT.to_owned()))
 }
 
@@ -1330,7 +1331,7 @@ async fn test_server_certificate() -> Result<()> {
     let cert = Certificate::generate_self_signed(vec![server_name.clone()])?;
     let mut ca_pool = rustls::RootCertStore::empty();
     ca_pool
-        .add(&cert.certificate[0])
+        .add(cert.certificate[0].clone())
         .map_err(|_err| Error::Other("add cert error".to_owned()))?;
 
     let tests = vec![

dtls/src/conn/conn_test.rs

@@ -221,16 +221,33 @@ impl DTLSConn {
             client_cert_verifier: if config.client_auth as u8
                 >= ClientAuthType::VerifyClientCertIfGiven as u8
             {
-                Some(Arc::new(rustls::server::AllowAnyAuthenticatedClient::new(
-                    config.client_cas,
-                )))
+                Some(
+                    rustls::server::WebPkiClientVerifier::builder(Arc::new(config.client_cas))
+                        .allow_unauthenticated()
+                        .build()
+                        .unwrap_or(
+                            rustls::server::WebPkiClientVerifier::builder(Arc::new(
+                                gen_self_signed_root_cert(),
+                            ))
+                            .allow_unauthenticated()
+                            .build()
+                            .unwrap(),
+                        ),
+                )
             } else {
                 None
             },
-            server_cert_verifier: Arc::new(rustls::client::WebPkiVerifier::new(
+            server_cert_verifier: rustls::client::WebPkiServerVerifier::builder(Arc::new(
                 config.roots_cas,
-                None,
-            )),
+            ))
+            .build()
+            .unwrap_or(
+                rustls::client::WebPkiServerVerifier::builder(
+                    Arc::new(gen_self_signed_root_cert()),
+                )
+                .build()
+                .unwrap(),
+            ),
             retransmit_interval,
             //log: logger,
             initial_epoch: 0,

dtls/src/conn/mod.rs

@@ -190,7 +190,7 @@ fn test_certificate_verify() -> Result<()> {
         &certificate_ecdsa256
             .certificate
             .iter()
-            .map(|x| x.0.clone())
+            .map(|x| x.as_ref().to_owned())
             .collect::<Vec<Vec<u8>>>(),
         false,
     )?;
@@ -212,7 +212,7 @@ fn test_certificate_verify() -> Result<()> {
         &certificate_ed25519
             .certificate
             .iter()
-            .map(|x| x.0.clone())
+            .map(|x| x.as_ref().to_owned())
             .collect::<Vec<Vec<u8>>>(),
         false,
     )?;

dtls/src/crypto/crypto_test.rs

@@ -11,7 +11,12 @@ use std::sync::Arc;
 
 use der_parser::oid;
 use der_parser::oid::Oid;
-use rcgen::KeyPair;
+
+use rustls::client::danger::ServerCertVerifier;
+use rustls::pki_types::{CertificateDer, ServerName};
+use rustls::server::danger::ClientCertVerifier;
+
+use rcgen::{generate_simple_self_signed, CertifiedKey, KeyPair};
 use ring::rand::SystemRandom;
 use ring::signature::{EcdsaKeyPair, Ed25519KeyPair};
 
@@ -24,7 +29,7 @@ use crate::signature_hash_algorithm::{HashAlgorithm, SignatureAlgorithm, Signatu
 #[derive(Clone, PartialEq, Debug)]
 pub struct Certificate {
     /// DER-encoded certificates.
-    pub certificate: Vec<rustls::Certificate>,
+    pub certificate: Vec<CertificateDer<'static>>,
     /// Private key.
     pub private_key: CryptoPrivateKey,
 }
@@ -34,12 +39,11 @@ impl Certificate {
     ///
     /// See [`rcgen::generate_simple_self_signed`].
     pub fn generate_self_signed(subject_alt_names: impl Into<Vec<String>>) -> Result<Self> {
-        let cert = rcgen::generate_simple_self_signed(subject_alt_names)?;
-        let key_pair = cert.get_key_pair();
-
+        let CertifiedKey { cert, key_pair } =
+            generate_simple_self_signed(subject_alt_names).unwrap();
         Ok(Certificate {
-            certificate: vec![rustls::Certificate(cert.serialize_der()?)],
-            private_key: CryptoPrivateKey::try_from(key_pair)?,
+            certificate: vec![cert.der().to_owned()],
+            private_key: CryptoPrivateKey::try_from(&key_pair)?,
         })
     }
 
@@ -50,14 +54,13 @@ impl Certificate {
         subject_alt_names: impl Into<Vec<String>>,
         alg: &'static rcgen::SignatureAlgorithm,
     ) -> Result<Self> {
-        let mut params = rcgen::CertificateParams::new(subject_alt_names);
-        params.alg = alg;
-        let cert = rcgen::Certificate::from_params(params)?;
-        let key_pair = cert.get_key_pair();
+        let params = rcgen::CertificateParams::new(subject_alt_names).unwrap();
+        let key_pair = rcgen::KeyPair::generate_for(alg).unwrap();
+        let cert = params.self_signed(&key_pair).unwrap();
 
         Ok(Certificate {
-            certificate: vec![rustls::Certificate(cert.serialize_der()?)],
-            private_key: CryptoPrivateKey::try_from(key_pair)?,
+            certificate: vec![cert.der().to_owned()],
+            private_key: CryptoPrivateKey::try_from(&key_pair)?,
         })
     }
 
@@ -78,7 +81,7 @@ impl Certificate {
             )));
         }
 
-        let keypair = rcgen::KeyPair::from_der(pems[0].contents())
+        let keypair = KeyPair::try_from(pems[0].contents())
             .map_err(|e| Error::InvalidPEM(format!("can't decode keypair: {e}")))?;
 
         let mut rustls_certs = Vec::new();
@@ -89,7 +92,7 @@ impl Certificate {
                     p.tag()
                 )));
             }
-            rustls_certs.push(rustls::Certificate(p.contents().to_vec()));
+            rustls_certs.push(CertificateDer::from(p.contents().to_vec()));
         }
 
         Ok(Certificate {
@@ -108,7 +111,7 @@ impl Certificate {
         for rustls_cert in &self.certificate {
             data.push(pem::Pem::new(
                 "CERTIFICATE".to_string(),
-                rustls_cert.0.clone(),
+                rustls_cert.as_ref(),
             ));
         }
         pem::encode_many(&data)
@@ -427,14 +430,14 @@ pub(crate) fn verify_certificate_verify(
     )
 }
 
-pub(crate) fn load_certs(raw_certificates: &[Vec<u8>]) -> Result<Vec<rustls::Certificate>> {
+pub(crate) fn load_certs(raw_certificates: &[Vec<u8>]) -> Result<Vec<CertificateDer<'static>>> {
     if raw_certificates.is_empty() {
         return Err(Error::ErrLengthMismatch);
     }
 
     let mut certs = vec![];
     for raw_cert in raw_certificates {
-        let cert = rustls::Certificate(raw_cert.to_vec());
+        let cert = CertificateDer::from(raw_cert.to_vec());
         certs.push(cert);
     }
 
@@ -443,16 +446,19 @@ pub(crate) fn load_certs(raw_certificates: &[Vec<u8>]) -> Result<Vec<rustls::Cer
 
 pub(crate) fn verify_client_cert(
     raw_certificates: &[Vec<u8>],
-    cert_verifier: &Arc<dyn rustls::server::ClientCertVerifier>,
-) -> Result<Vec<rustls::Certificate>> {
+    cert_verifier: &Arc<dyn ClientCertVerifier>,
+) -> Result<Vec<CertificateDer<'static>>> {
     let chains = load_certs(raw_certificates)?;
 
     let (end_entity, intermediates) = chains
         .split_first()
         .ok_or(Error::ErrClientCertificateRequired)?;
 
-    match cert_verifier.verify_client_cert(end_entity, intermediates, std::time::SystemTime::now())
-    {
+    match cert_verifier.verify_client_cert(
+        end_entity,
+        intermediates,
+        rustls::pki_types::UnixTime::now(),
+    ) {
         Ok(_) => {}
         Err(err) => return Err(Error::Other(err.to_string())),
     };
@@ -462,12 +468,12 @@ pub(crate) fn verify_client_cert(
 
 pub(crate) fn verify_server_cert(
     raw_certificates: &[Vec<u8>],
-    cert_verifier: &Arc<dyn rustls::client::ServerCertVerifier>,
+    cert_verifier: &Arc<dyn ServerCertVerifier>,
     server_name: &str,
-) -> Result<Vec<rustls::Certificate>> {
+) -> Result<Vec<CertificateDer<'static>>> {
     let chains = load_certs(raw_certificates)?;
-    let dns_name = match rustls::server::DnsName::try_from_ascii(server_name.as_ref()) {
-        Ok(dns_name) => dns_name,
+    let server_name = match ServerName::try_from(server_name) {
+        Ok(server_name) => server_name,
         Err(err) => return Err(Error::Other(err.to_string())),
     };
 
@@ -477,10 +483,9 @@ pub(crate) fn verify_server_cert(
     match cert_verifier.verify_server_cert(
         end_entity,
         intermediates,
-        &rustls::ServerName::DnsName(dns_name.to_owned()),
-        &mut [].into_iter(),
+        &server_name,
         &[],
-        std::time::SystemTime::now(),
+        rustls::pki_types::UnixTime::now(),
     ) {
         Ok(_) => {}
         Err(err) => return Err(Error::Other(err.to_string())),