update to use rustls 0.23

Cargo.toml

@@ -144,7 +144,7 @@ async-trait = "0.1"
 async-recursion = "1.0"
 pin-project = "1.1"
 #
-rustls = "0.22"
+rustls = { version = "0.23.0", default-features = false, features = ["std", "tls12", "aws_lc_rs"] }
 rustls-pki-types = "1"
 rustls-pemfile = "2"
 tokio-rustls = "0.25"
@@ -238,3 +238,4 @@ debug-assertions = false
 quinn-proto = { version = "0.10.6", git = "https://github.com/zh-jq/quinn.git", branch = "ring-0.17" }
 hickory-proto = { version = "0.24.0", git = "https://github.com/hickory-dns/hickory-dns.git", rev = "b0c0566" }
 bssl-sys = { version = "0.1.0", path = "lib/bssl-sys" }
+tokio-rustls = { version = "0.25.0", git = "https://github.com/rustls/tokio-rustls.git", branch = "jbp-rustls-0.23" }

g3bench/Cargo.toml

@@ -64,3 +64,4 @@ vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-types/tongsuo"]
 vendored-aws-lc = ["openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-tls-cert/aws-lc", "g3-openssl/aws-lc"]
 vendored-boringssl = ["openssl/boringssl", "openssl-probe", "g3-types/boringssl", "g3-tls-cert/boringssl", "g3-openssl/boringssl"]
 openssl-async-job = ["g3-openssl/async-job", "g3-runtime/openssl-async-job"]
+rustls-ring = ["rustls/ring", "g3-types/rustls-ring"]

g3proxy/Cargo.toml

@@ -111,3 +111,4 @@ vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-yaml/tongsuo", "g3-j
 vendored-aws-lc = ["openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-tls-cert/aws-lc", "g3-openssl/aws-lc"]
 vendored-boringssl = ["openssl/boringssl", "openssl-probe", "g3-types/boringssl", "g3-tls-cert/boringssl", "g3-openssl/boringssl"]
 vendored-c-ares = ["c-ares", "g3-resolver/vendored-c-ares"]
+rustls-ring = ["rustls/ring", "g3-types/rustls-ring"]

g3tiles/Cargo.toml

@@ -61,3 +61,4 @@ vendored-openssl = ["openssl/vendored", "openssl-probe"]
 vendored-tongsuo = ["openssl/tongsuo", "openssl-probe", "g3-yaml/tongsuo", "g3-types/tongsuo"]
 vendored-aws-lc = ["openssl/aws-lc", "openssl-probe", "g3-types/aws-lc", "g3-openssl/aws-lc"]
 vendored-boringssl = ["openssl/boringssl", "openssl-probe", "g3-types/boringssl", "g3-openssl/boringssl"]
+rustls-ring = ["rustls/ring", "g3-types/rustls-ring"]

g3tiles/src/config/server/rustls_proxy/host.rs

@@ -18,6 +18,9 @@ use std::sync::Arc;
 use std::time::Duration;
 
 use anyhow::{anyhow, Context};
+#[cfg(feature = "vendored-aws-lc")]
+use rustls::crypto::aws_lc_rs::Ticketer;
+#[cfg(not(feature = "vendored-aws-lc"))]
 use rustls::crypto::ring::Ticketer;
 use rustls::server::WebPkiClientVerifier;
 use rustls::{RootCertStore, ServerConfig};

lib/g3-types/Cargo.toml

@@ -56,6 +56,7 @@ default = []
 auth-crypt = ["dep:digest", "dep:md-5", "dep:sha-1", "dep:blake3", "dep:hex"]
 resolve = ["dep:ahash", "dep:radix_trie", "dep:fastrand"]
 rustls = ["dep:rustls", "dep:rustls-pki-types", "dep:webpki-roots", "dep:rustls-pemfile", "dep:rustls-native-certs", "dep:ahash", "dep:lru"]
+rustls-ring = ["rustls", "rustls/ring"]
 openssl = ["dep:openssl", "dep:ahash", "dep:lru", "dep:bytes"]
 tongsuo = ["openssl", "openssl/tongsuo", "dep:brotli"]
 aws-lc = ["openssl", "openssl/aws-lc", "dep:brotli"]

lib/g3-types/src/net/rustls/cert_pair.rs

@@ -15,61 +15,7 @@
  */
 
 use anyhow::anyhow;
-use rustls_pki_types::{
-    CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer, PrivatePkcs8KeyDer, PrivateSec1KeyDer,
-};
-
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub enum PrivateKey {
-    Pkcs1(Vec<u8>),
-    Sec1(Vec<u8>),
-    Pkcs8(Vec<u8>),
-}
-
-impl PrivateKey {
-    fn borrowed(&self) -> PrivateKeyDer<'_> {
-        match self {
-            PrivateKey::Pkcs1(v) => PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(v.as_ref())),
-            PrivateKey::Sec1(v) => PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(v.as_ref())),
-            PrivateKey::Pkcs8(v) => PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(v.as_ref())),
-        }
-    }
-}
-
-impl TryFrom<PrivateKeyDer<'_>> for PrivateKey {
-    type Error = anyhow::Error;
-
-    fn try_from(value: PrivateKeyDer<'_>) -> anyhow::Result<Self> {
-        match value {
-            PrivateKeyDer::Pkcs1(d) => Ok(PrivateKey::Pkcs1(d.secret_pkcs1_der().to_vec())),
-            PrivateKeyDer::Sec1(d) => Ok(PrivateKey::Sec1(d.secret_sec1_der().to_vec())),
-            PrivateKeyDer::Pkcs8(d) => Ok(PrivateKey::Pkcs8(d.secret_pkcs8_der().to_vec())),
-            _ => Err(anyhow!(
-                "unsupported private key type, this code should be updated"
-            )),
-        }
-    }
-}
-
-impl From<&PrivateKey> for PrivateKeyDer<'static> {
-    fn from(value: &PrivateKey) -> Self {
-        match value {
-            PrivateKey::Pkcs1(v) => PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(v.clone())),
-            PrivateKey::Sec1(v) => PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(v.clone())),
-            PrivateKey::Pkcs8(v) => PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(v.clone())),
-        }
-    }
-}
-
-impl From<PrivateKey> for PrivateKeyDer<'static> {
-    fn from(value: PrivateKey) -> Self {
-        match value {
-            PrivateKey::Pkcs1(v) => PrivateKeyDer::Pkcs1(PrivatePkcs1KeyDer::from(v)),
-            PrivateKey::Sec1(v) => PrivateKeyDer::Sec1(PrivateSec1KeyDer::from(v)),
-            PrivateKey::Pkcs8(v) => PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(v)),
-        }
-    }
-}
+use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 
 #[derive(Default)]
 pub struct RustlsCertificatePairBuilder {
@@ -93,18 +39,26 @@ impl RustlsCertificatePairBuilder {
         let Some(key) = self.key else {
             return Err(anyhow!("no private key set"));
         };
-        let key = PrivateKey::try_from(key)?;
         Ok(RustlsCertificatePair {
             certs: self.certs,
             key,
         })
     }
 }
 
-#[derive(Clone, Debug, Eq, PartialEq)]
+#[derive(Debug, Eq, PartialEq)]
 pub struct RustlsCertificatePair {
     certs: Vec<CertificateDer<'static>>,
-    key: PrivateKey,
+    key: PrivateKeyDer<'static>,
+}
+
+impl Clone for RustlsCertificatePair {
+    fn clone(&self) -> Self {
+        RustlsCertificatePair {
+            certs: self.certs.clone(),
+            key: self.key.clone_key(),
+        }
+    }
 }
 
 impl RustlsCertificatePair {
@@ -113,14 +67,14 @@ impl RustlsCertificatePair {
     }
 
     pub fn key_owned(&self) -> PrivateKeyDer<'static> {
-        PrivateKeyDer::from(&self.key)
+        self.key.clone_key()
     }
 
-    pub fn key_borrowed(&self) -> PrivateKeyDer<'_> {
-        self.key.borrowed()
+    pub fn key_ref(&self) -> &PrivateKeyDer<'_> {
+        &self.key
     }
 
     pub fn into_inner(self) -> (Vec<CertificateDer<'static>>, PrivateKeyDer<'static>) {
-        (self.certs, self.key.into())
+        (self.certs, self.key)
     }
 }

lib/g3-types/src/net/rustls/cert_resolver.rs

@@ -36,7 +36,7 @@ impl MultipleCertResolver {
     }
 
     pub fn push_cert_pair(&mut self, pair: &RustlsCertificatePair) -> anyhow::Result<()> {
-        let signing_key = any_supported_type(&pair.key_borrowed())
+        let signing_key = any_supported_type(pair.key_ref())
             .map_err(|e| anyhow!("failed to add cert pair: {e}"))?;
         let ck = CertifiedKey::new(pair.certs_owned(), signing_key);
         self.keys.push(Arc::new(ck));

lib/g3-types/src/net/rustls/server.rs

@@ -18,6 +18,9 @@ use std::sync::Arc;
 use std::time::Duration;
 
 use anyhow::{anyhow, Context};
+#[cfg(not(feature = "rustls-ring"))]
+use rustls::crypto::aws_lc_rs::Ticketer;
+#[cfg(feature = "rustls-ring")]
 use rustls::crypto::ring::Ticketer;
 use rustls::server::WebPkiClientVerifier;
 use rustls::{RootCertStore, ServerConfig};