build(deps): bump rcgen from 0.12.1 to 0.13.2

Cargo.lock

@@ -3298,12 +3298,13 @@ checksum = "f60fcc7d6849342eff22c4350c8b9a989ee8ceabc4b481253e8946b9fe83d684"
 
 [[package]]
 name = "rcgen"
-version = "0.12.1"
+version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1"
+checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2"
 dependencies = [
  "pem",
  "ring",
+ "rustls-pki-types",
  "time",
  "yasna",
 ]

linkerd/meshtls/Cargo.toml

@@ -29,7 +29,7 @@ linkerd-tls = { path = "../tls" }
 [dev-dependencies]
 tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] }
 tracing = "0.1"
-rcgen = "0.12.0"
+rcgen = "0.13.2"
 
 linkerd-conditional = { path = "../conditional" }
 linkerd-proxy-transport = { path = "../proxy/transport" }

linkerd/meshtls/tests/util.rs

@@ -18,7 +18,7 @@ use linkerd_stack::{
 };
 use linkerd_tls as tls;
 use linkerd_tls_test_util as test_util;
-use rcgen::{BasicConstraints, Certificate, CertificateParams, IsCa, SanType};
+use rcgen::{BasicConstraints, CertificateParams, IsCa, KeyPair, SanType};
 use std::str::FromStr;
 use std::{
     net::SocketAddr,
@@ -29,20 +29,25 @@ use tokio::net::TcpStream;
 use tracing::Instrument;
 
 fn generate_cert_with_name(subject_alt_names: Vec<SanType>) -> (Vec<u8>, Vec<u8>, String) {
+    let root_key = KeyPair::generate().unwrap();
     let mut root_params = CertificateParams::default();
     root_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
-    let root_cert = Certificate::from_params(root_params).expect("should generate root");
 
+    let root_cert = root_params
+        .self_signed(&root_key)
+        .expect("should generate root");
+
+    let issuer_key = KeyPair::generate().unwrap();
     let mut params = CertificateParams::default();
     params.subject_alt_names = subject_alt_names;
-
-    let cert = Certificate::from_params(params).expect("should generate cert");
+    let cert = params
+        .signed_by(&issuer_key, &root_cert, &root_key)
+        .expect("should generate cert");
 
     (
-        cert.serialize_der_with_signer(&root_cert)
-            .expect("should serialize"),
-        cert.serialize_private_key_der(),
-        root_cert.serialize_pem().expect("should serialize"),
+        cert.der().to_vec(),
+        issuer_key.serialize_der(),
+        root_cert.pem(),
     )
 }
 
@@ -51,7 +56,7 @@ pub fn fails_processing_cert_when_wrong_id_configured(mode: meshtls::Mode) {
     let id = Id::Dns(server_name.clone());
 
     let (cert, key, roots) =
-        generate_cert_with_name(vec![SanType::URI("spiffe://system/local".into())]);
+        generate_cert_with_name(vec![SanType::URI("spiffe://system/local".parse().unwrap())]);
     let (mut store, _) = mode
         .watch(id, server_name.clone(), &roots)
         .expect("should construct");

linkerd/meshtls/verifier/Cargo.toml

@@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" }
 
 
 [dev-dependencies]
-rcgen = "0.12.0"
+rcgen = "0.13.2"

linkerd/meshtls/verifier/src/lib.rs

@@ -61,38 +61,42 @@ mod tests {
     use crate::client_identity;
     use crate::verify_id;
     use linkerd_identity::Id;
-    use rcgen::{Certificate, CertificateParams, SanType};
+    use rcgen::{CertificateParams, KeyPair, SanType};
 
     fn generate_cert_with_names(subject_alt_names: Vec<SanType>) -> Vec<u8> {
+        let key = KeyPair::generate().expect("should generate key");
         let mut params = CertificateParams::default();
         params.subject_alt_names = subject_alt_names;
 
-        Certificate::from_params(params)
+        params
+            .self_signed(&key)
             .expect("should generate cert")
-            .serialize_der()
-            .expect("should serialize")
+            .der()
+            .to_vec()
     }
 
     #[test]
     pub fn cert_with_dns_san_matches_dns_id() {
         let dns_name = "foo.ns1.serviceaccount.identity.linkerd.cluster.local";
-        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.into())]);
+        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.parse().unwrap())]);
         let id = Id::parse_dns_name(dns_name).expect("should parse DNS id");
         assert!(verify_id(&cert, &id).is_ok());
     }
 
     #[test]
     fn cert_with_spiffe_san_matches_spiffe_id() {
         let spiffe_uri = "spiffe://identity.linkerd.cluster.local/ns/ns1/sa/foo";
-        let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.into())]);
+        let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.parse().unwrap())]);
         let id = Id::parse_uri(spiffe_uri).expect("should parse SPIFFE id");
         assert!(verify_id(&cert, &id).is_ok());
     }
 
     #[test]
     pub fn cert_with_dns_san_does_not_match_dns_id() {
         let dns_name_cert = vec![SanType::DnsName(
-            "foo.ns1.serviceaccount.identity.linkerd.cluster.local".into(),
+            "foo.ns1.serviceaccount.identity.linkerd.cluster.local"
+                .parse()
+                .unwrap(),
         )];
         let dns_name = "bar.ns1.serviceaccount.identity.linkerd.cluster.local";
 
@@ -104,7 +108,9 @@ mod tests {
     #[test]
     fn cert_with_dns_san_does_not_match_spiffe_id() {
         let dns_name_cert = vec![SanType::DnsName(
-            "bar.ns1.serviceaccount.identity.linkerd.cluster.local".into(),
+            "bar.ns1.serviceaccount.identity.linkerd.cluster.local"
+                .parse()
+                .unwrap(),
         )];
         let spiffe_uri = "spiffe://some-trust-comain/some-system/some-component";
 
@@ -136,9 +142,9 @@ mod tests {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(foo_dns_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::URI(spiffe_id.into()),
+            SanType::DnsName(foo_dns_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::URI(spiffe_id.parse().unwrap()),
         ]);
         let id = Id::parse_dns_name(foo_dns_id).expect("should parse DNS id");
         assert!(verify_id(&cert, &id).is_ok());
@@ -151,9 +157,9 @@ mod tests {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(foo_dns_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::URI(spiffe_id.into()),
+            SanType::DnsName(foo_dns_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::URI(spiffe_id.parse().unwrap()),
         ]);
         let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
         assert!(verify_id(&cert, &id).is_ok());
@@ -167,9 +173,9 @@ mod tests {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(foo_dns_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::URI(spiffe_id.into()),
+            SanType::DnsName(foo_dns_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::URI(spiffe_id.parse().unwrap()),
         ]);
         let id = Id::parse_dns_name(nar_dns_id).expect("should parse DNS id");
         assert!(verify_id(&cert, &id).is_err());
@@ -183,9 +189,9 @@ mod tests {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(foo_dns_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::DnsName(nar_dns_id.into()),
+            SanType::DnsName(foo_dns_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::DnsName(nar_dns_id.parse().unwrap()),
         ]);
         let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
         assert!(verify_id(&cert, &id).is_err());
@@ -195,7 +201,7 @@ mod tests {
     fn can_extract_spiffe_client_identity_one_san() {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
-        let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.into())]);
+        let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.parse().unwrap())]);
         let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
         let client_id = client_identity(&cert);
         assert_eq!(client_id, Some(id));
@@ -208,9 +214,9 @@ mod tests {
         let nar_dns_id = "nar.ns1.serviceaccount.identity.linkerd.cluster.local";
 
         let cert = generate_cert_with_names(vec![
-            SanType::URI(spiffe_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::DnsName(nar_dns_id.into()),
+            SanType::URI(spiffe_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::DnsName(nar_dns_id.parse().unwrap()),
         ]);
         let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
         let client_id = client_identity(&cert);
@@ -221,7 +227,7 @@ mod tests {
     fn can_extract_dns_client_identity_one_san() {
         let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local";
 
-        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]);
+        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]);
         let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
         let client_id = client_identity(&cert);
         assert_eq!(client_id, Some(id));
@@ -235,10 +241,10 @@ mod tests {
         let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(dns_id.into()),
-            SanType::DnsName(bar_dns_id.into()),
-            SanType::DnsName(nar_dns_id.into()),
-            SanType::URI(spiffe_id.into()),
+            SanType::DnsName(dns_id.parse().unwrap()),
+            SanType::DnsName(bar_dns_id.parse().unwrap()),
+            SanType::DnsName(nar_dns_id.parse().unwrap()),
+            SanType::URI(spiffe_id.parse().unwrap()),
         ]);
         let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
         let client_id = client_identity(&cert);
@@ -252,9 +258,9 @@ mod tests {
         let email_san_2 = "[email protected]";
 
         let cert = generate_cert_with_names(vec![
-            SanType::DnsName(dns_id.into()),
-            SanType::Rfc822Name(email_san_1.into()),
-            SanType::Rfc822Name(email_san_2.into()),
+            SanType::DnsName(dns_id.parse().unwrap()),
+            SanType::Rfc822Name(email_san_1.parse().unwrap()),
+            SanType::Rfc822Name(email_san_2.parse().unwrap()),
         ]);
         let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
         let client_id = client_identity(&cert);
@@ -268,9 +274,9 @@ mod tests {
         let email_san_2 = "[email protected]";
 
         let cert = generate_cert_with_names(vec![
-            SanType::URI(spiffe_id.into()),
-            SanType::Rfc822Name(email_san_1.into()),
-            SanType::Rfc822Name(email_san_2.into()),
+            SanType::URI(spiffe_id.parse().unwrap()),
+            SanType::Rfc822Name(email_san_1.parse().unwrap()),
+            SanType::Rfc822Name(email_san_2.parse().unwrap()),
         ]);
         let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
         let client_id = client_identity(&cert);
@@ -281,7 +287,7 @@ mod tests {
     fn skips_dns_san_with_trailing_dot() {
         let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local.";
 
-        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]);
+        let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]);
         let client_id = client_identity(&cert);
         assert_eq!(client_id, None);
     }

linkerd/proxy/spire-client/Cargo.toml

@@ -24,5 +24,5 @@ asn1 = { version = "0.6", package = "simple_asn1" }
 thiserror = "2"
 
 [dev-dependencies]
-rcgen = "0.12.0"
+rcgen = "0.13.2"
 tokio-test = "0.4"

linkerd/proxy/spire-client/src/api.rs

@@ -220,48 +220,49 @@ where
 #[cfg(test)]
 mod tests {
     use crate::api::Svid;
-    use rcgen::{Certificate, CertificateParams, SanType};
+    use rcgen::{CertificateParams, KeyPair, SanType};
     use spiffe_proto::client as api;
 
     fn gen_svid_pb(id: String, subject_alt_names: Vec<SanType>) -> api::X509svid {
         let mut params = CertificateParams::default();
         params.subject_alt_names = subject_alt_names;
-        let cert = Certificate::from_params(params).expect("should generate cert");
+        let key = KeyPair::generate().expect("should generate key");
+        let cert = params.self_signed(&key).expect("should generate cert");
 
         api::X509svid {
             spiffe_id: id,
-            x509_svid: cert.serialize_der().expect("should serialize"),
-            x509_svid_key: cert.serialize_private_key_der(),
+            x509_svid: cert.der().to_vec(),
+            x509_svid_key: key.serialize_der(),
             bundle: Vec::default(),
         }
     }
 
     #[test]
     fn can_parse_valid_proto() {
         let id = "spiffe://some-domain/some-workload";
-        let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
+        let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
         assert!(Svid::try_from(svid_pb).is_ok());
     }
 
     #[test]
     fn cannot_parse_non_spiffe_id() {
         let id = "some-domain.some-workload";
-        let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.into())]);
+        let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.parse().unwrap())]);
         assert!(Svid::try_from(svid_pb).is_err());
     }
 
     #[test]
     fn cannot_parse_empty_cert() {
         let id = "spiffe://some-domain/some-workload";
-        let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
+        let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
         svid_pb.x509_svid = Vec::default();
         assert!(Svid::try_from(svid_pb).is_err());
     }
 
     #[test]
     fn cannot_parse_empty_key() {
         let id = "spiffe://some-domain/some-workload";
-        let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
+        let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
         svid_pb.x509_svid_key = Vec::default();
         assert!(Svid::try_from(svid_pb).is_err());
     }