forked/reqwest-impersonate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

native-tls: add Identiy::from_pkcs8_pem (#1655)

Browse Source 
Add new optional fn from_pkcs8_pem for easy load client certificate (*.crt and *.key) for feature native-tls.
This commit is contained in:
Andrei Grazhdankov
2022-10-19 17:48:10 +03:00
committed by GitHub
parent 110c3aee33
commit 231b18f835
2 changed files with 46 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.toml
View File

@@ -110,7 +110,7 @@ ipnet = "2.3"
## default-tls ## default-tls
hyper-tls = { version = "0.5", optional = true } hyper-tls = { version = "0.5", optional = true }
native-tls-crate = { version = "0.2.8", optional = true, package = "native-tls" } native-tls-crate = { version = "0.2.10", optional = true, package = "native-tls" }
tokio-native-tls = { version = "0.3.0", optional = true } tokio-native-tls = { version = "0.3.0", optional = true }
# rustls-tls # rustls-tls

47
src/tls.rs
View File

@@ -45,6 +45,8 @@ pub struct Identity {
enum ClientCert { enum ClientCert {
#[cfg(feature = "native-tls")] #[cfg(feature = "native-tls")]
Pkcs12(native_tls_crate::Identity), Pkcs12(native_tls_crate::Identity),
#[cfg(feature = "native-tls")]
Pkcs8(native_tls_crate::Identity),
#[cfg(feature = "__rustls")] #[cfg(feature = "__rustls")]
Pem { Pem {
key: rustls::PrivateKey, key: rustls::PrivateKey,
@@ -179,6 +181,39 @@ impl Identity {
}) })
} }
/// Parses a chain of PEM encoded X509 certificates, with the leaf certificate first.
/// `key` is a PEM encoded PKCS #8 formatted private key for the leaf certificate.
///
/// The certificate chain should contain any intermediate cerficates that should be sent to
/// clients to allow them to build a chain to a trusted root.
///
/// A certificate chain here means a series of PEM encoded certificates concatenated together.
///
/// # Examples
///
/// ```
/// # use std::fs;
/// # fn pkcs8() -> Result<(), Box<std::error::Error>> {
/// let cert = fs::read("client.pem")?;
/// let key = fs::read("key.pem")?;
/// let pkcs8 = reqwest::Identity::from_pkcs8_pem(&cert, &key)?;
/// # drop(pkcs8);
/// # Ok(())
/// # }
/// ```
///
/// # Optional
///
/// This requires the `native-tls` Cargo feature enabled.
#[cfg(feature = "native-tls")]
pub fn from_pkcs8_pem(pem: &[u8], key: &[u8]) -> crate::Result<Identity> {
Ok(Identity {
inner: ClientCert::Pkcs8(
native_tls_crate::Identity::from_pkcs8(pem, key).map_err(crate::error::builder)?,
),
})
}
/// Parses PEM encoded private key and certificate. /// Parses PEM encoded private key and certificate.
/// ///
/// The input should contain a PEM encoded private key /// The input should contain a PEM encoded private key
@@ -253,7 +288,7 @@ impl Identity {
tls: &mut native_tls_crate::TlsConnectorBuilder, tls: &mut native_tls_crate::TlsConnectorBuilder,
) -> crate::Result<()> { ) -> crate::Result<()> {
match self.inner { match self.inner {
ClientCert::Pkcs12(id) => { ClientCert::Pkcs12(id) | ClientCert::Pkcs8(id) => {
tls.identity(id); tls.identity(id);
Ok(()) Ok(())
} }
@@ -275,7 +310,9 @@ impl Identity {
.with_single_cert(certs, key) .with_single_cert(certs, key)
.map_err(crate::error::builder), .map_err(crate::error::builder),
#[cfg(feature = "native-tls")] #[cfg(feature = "native-tls")]
ClientCert::Pkcs12(..) => Err(crate::error::builder("incompatible TLS identity type")), ClientCert::Pkcs12(..) | ClientCert::Pkcs8(..) => {
Err(crate::error::builder("incompatible TLS identity type"))
}
} }
} }
} }
@@ -443,6 +480,12 @@ mod tests {
Identity::from_pkcs12_der(b"not der", "nope").unwrap_err(); Identity::from_pkcs12_der(b"not der", "nope").unwrap_err();
} }
#[cfg(feature = "native-tls")]
#[test]
fn identity_from_pkcs8_pem_invalid() {
Identity::from_pkcs8_pem(b"not pem", b"not key").unwrap_err();
}
#[cfg(feature = "__rustls")] #[cfg(feature = "__rustls")]
#[test] #[test]
fn identity_from_pem_invalid() { fn identity_from_pem_invalid() {