From 18dc47797d72360d41b46a1facdcab62933f6049 Mon Sep 17 00:00:00 2001 From: "oxide-renovate[bot]" <146848827+oxide-renovate[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 06:07:59 +0000 Subject: [PATCH 1/2] Update Rust crate rustls to 0.22.0 --- Cargo.lock | 47 +++++++++++++++++++++++++++++++++++++++-------- Cargo.toml | 2 +- 2 files changed, 40 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 9671cb34bb..69f1adb4c5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1899,7 +1899,7 @@ dependencies = [ "paste", "percent-encoding", "proc-macro2", - "rustls", + "rustls 0.21.9", "rustls-pemfile", "schemars", "serde", @@ -2960,7 +2960,7 @@ dependencies = [ "http", "hyper", "log", - "rustls", + "rustls 0.21.9", "rustls-native-certs", "tokio", "tokio-rustls", @@ -4050,7 +4050,7 @@ dependencies = [ "rcgen", "ref-cast", "regex", - "rustls", + "rustls 0.22.0", "samael", "serde", "serde_json", @@ -4663,7 +4663,7 @@ dependencies = [ "regex", "reqwest", "ring 0.16.20", - "rustls", + "rustls 0.22.0", "samael", "schemars", "semver 1.0.20", @@ -4900,7 +4900,7 @@ dependencies = [ "regex", "reqwest", "ring 0.16.20", - "rustls", + "rustls 0.22.0", "slog", "subprocess", "tar", @@ -6577,7 +6577,7 @@ dependencies = [ "once_cell", "percent-encoding", "pin-project-lite", - "rustls", + "rustls 0.21.9", "rustls-pemfile", "serde", "serde_json", @@ -6893,10 +6893,24 @@ checksum = "629648aced5775d558af50b2b4c7b02983a04b312126d45eeead26e7caa498b9" dependencies = [ "log", "ring 0.17.5", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.22.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5bc238b76c51bbc449c55ffbc39d03772a057cc8cf783c49d4af4c2537b74a8b" +dependencies = [ + "log", + "ring 0.17.5", + "rustls-pki-types", + "rustls-webpki 0.102.0", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.6.3" @@ -6918,6 +6932,12 @@ dependencies = [ "base64 0.21.5", ] +[[package]] +name = "rustls-pki-types" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eb0a1f9b9efec70d32e6d6aa3e58ebd88c3754ec98dfe9145c63cf54cc829b83" + [[package]] name = "rustls-webpki" version = "0.101.7" @@ -6928,6 +6948,17 @@ dependencies = [ "untrusted 0.9.0", ] +[[package]] +name = "rustls-webpki" +version = "0.102.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" +dependencies = [ + "ring 0.17.5", + "rustls-pki-types", + "untrusted 0.9.0", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -8510,7 +8541,7 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.9", "tokio", ] diff --git a/Cargo.toml b/Cargo.toml index 533e710dc2..497adb4885 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -309,7 +309,7 @@ ring = "0.16" rpassword = "7.3.1" rstest = "0.18.2" rustfmt-wrapper = "0.2" -rustls = "0.21.9" +rustls = "0.22.0" samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" } schemars = "0.8.12" secrecy = "0.8.0" From 1c3b99e99119ca5589bad59cc0ab4eddc24efe1a Mon Sep 17 00:00:00 2001 From: Rain Date: Wed, 6 Dec 2023 18:48:06 -0800 Subject: [PATCH 2/2] start updating API calls -- turns out dropshot needs to be updated as well --- Cargo.lock | 7 ++++--- Cargo.toml | 1 + nexus/Cargo.toml | 1 + nexus/src/app/external_endpoints.rs | 15 +++++++++++---- nexus/src/app/mod.rs | 7 +++---- test-utils/Cargo.toml | 2 +- test-utils/src/certificates.rs | 20 +++++++++++--------- 7 files changed, 32 insertions(+), 21 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 66110bb9d8..a68ede5a51 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4720,6 +4720,7 @@ dependencies = [ "reqwest", "ring 0.16.20", "rustls 0.22.0", + "rustls-pki-types", "samael", "schemars", "semver 1.0.20", @@ -4956,7 +4957,7 @@ dependencies = [ "regex", "reqwest", "ring 0.16.20", - "rustls 0.22.0", + "rustls-pki-types", "slog", "subprocess", "tar", @@ -7021,9 +7022,9 @@ dependencies = [ [[package]] name = "rustls-pki-types" -version = "1.0.0" +version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb0a1f9b9efec70d32e6d6aa3e58ebd88c3754ec98dfe9145c63cf54cc829b83" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" [[package]] name = "rustls-webpki" diff --git a/Cargo.toml b/Cargo.toml index eeb0045b00..4ed3e558f0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -310,6 +310,7 @@ rpassword = "7.3.1" rstest = "0.18.2" rustfmt-wrapper = "0.2" rustls = "0.22.0" +rustls-pki-types = "1.0.1" samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" } schemars = "0.8.12" secrecy = "0.8.0" diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml index 704a7ab7bd..0cd22968f2 100644 --- a/nexus/Cargo.toml +++ b/nexus/Cargo.toml @@ -85,6 +85,7 @@ oximeter.workspace = true oximeter-instruments = { workspace = true, features = ["http-instruments"] } oximeter-producer.workspace = true rustls = { workspace = true } +rustls-pki-types.workspace = true omicron-workspace-hack.workspace = true [dev-dependencies] diff --git a/nexus/src/app/external_endpoints.rs b/nexus/src/app/external_endpoints.rs index f95c64d3eb..bb5bbc8b75 100644 --- a/nexus/src/app/external_endpoints.rs +++ b/nexus/src/app/external_endpoints.rs @@ -47,6 +47,8 @@ use omicron_common::bail_unless; use openssl::pkey::PKey; use openssl::x509::X509; use rustls::sign::CertifiedKey; +use rustls_pki_types::CertificateDer; +use rustls_pki_types::PrivateKeyDer; use serde::Serialize; use serde_with::SerializeDisplay; use std::collections::btree_map::Entry; @@ -432,16 +434,20 @@ impl TryFrom for TlsCertificate { let private_key_der = private_key .private_key_to_der() .context("serializing private key to DER")?; - let rustls_private_key = rustls::PrivateKey(private_key_der); + // XXX: Is PKCS#8 correct? + let rustls_private_key = + PrivateKeyDer::Pkcs8(private_key_der.into()); let rustls_signing_key = - rustls::sign::any_supported_type(&rustls_private_key) - .context("parsing DER private key")?; + rustls::crypto::ring::sign::any_supported_type( + &rustls_private_key, + ) + .context("parsing DER private key")?; let rustls_certs = certs_pem .iter() .map(|x509| { x509.to_der() .context("serializing cert to DER") - .map(rustls::Certificate) + .map(CertificateDer::from) }) .collect::>()?; Arc::new(CertifiedKey::new(rustls_certs, rustls_signing_key)) @@ -563,6 +569,7 @@ pub(crate) async fn read_all_endpoints( /// session. /// /// See the module-level comment for more details. +#[derive(Debug)] pub struct NexusCertResolver { log: slog::Logger, config_rx: watch::Receiver>, diff --git a/nexus/src/app/mod.rs b/nexus/src/app/mod.rs index d4c2d596f8..3a69050e9a 100644 --- a/nexus/src/app/mod.rs +++ b/nexus/src/app/mod.rs @@ -509,11 +509,10 @@ impl Nexus { return None; } + // This used to specify safe default cipher suites, kx groups, and + // protocol versions, but starting rustls 0.22 the safe defaults are + // implicit. let mut rustls_cfg = rustls::ServerConfig::builder() - .with_safe_default_cipher_suites() - .with_safe_default_kx_groups() - .with_safe_default_protocol_versions() - .unwrap() .with_no_client_auth() .with_cert_resolver(Arc::new(NexusCertResolver::new( self.log.new(o!("component" => "NexusCertResolver")), diff --git a/test-utils/Cargo.toml b/test-utils/Cargo.toml index 7f210134a2..66d7b98547 100644 --- a/test-utils/Cargo.toml +++ b/test-utils/Cargo.toml @@ -18,7 +18,7 @@ libc.workspace = true omicron-common.workspace = true pem.workspace = true ring.workspace = true -rustls.workspace = true +rustls-pki-types.workspace = true slog.workspace = true subprocess.workspace = true tempfile.workspace = true diff --git a/test-utils/src/certificates.rs b/test-utils/src/certificates.rs index ab84f30b15..760ed5b819 100644 --- a/test-utils/src/certificates.rs +++ b/test-utils/src/certificates.rs @@ -4,11 +4,13 @@ //! Utilities for tests that need certificates. +use rustls_pki_types::CertificateDer; + // Utility structure for making a test certificate pub struct CertificateChain { - root_cert: rustls::Certificate, - intermediate_cert: rustls::Certificate, - end_cert: rustls::Certificate, + root_cert: CertificateDer<'static>, + intermediate_cert: CertificateDer<'static>, + end_cert: CertificateDer<'static>, end_keypair: rcgen::Certificate, } @@ -36,17 +38,17 @@ impl CertificateChain { let end_keypair = rcgen::Certificate::from_params(params) .expect("failed to generate end-entity keys"); - let root_cert = rustls::Certificate( + let root_cert = CertificateDer::from( root_keypair .serialize_der() .expect("failed to serialize root cert"), ); - let intermediate_cert = rustls::Certificate( + let intermediate_cert = CertificateDer::from( intermediate_keypair .serialize_der_with_signer(&root_keypair) .expect("failed to serialize intermediate cert"), ); - let end_cert = rustls::Certificate( + let end_cert = CertificateDer::from( end_keypair .serialize_der_with_signer(&intermediate_keypair) .expect("failed to serialize end-entity cert"), @@ -63,7 +65,7 @@ impl CertificateChain { self.end_keypair.serialize_private_key_pem() } - fn cert_chain(&self) -> Vec { + fn cert_chain(&self) -> Vec { vec![ self.end_cert.clone(), self.intermediate_cert.clone(), @@ -76,12 +78,12 @@ impl CertificateChain { } } -fn tls_cert_to_pem(certs: &Vec) -> String { +fn tls_cert_to_pem(certs: &Vec) -> String { let mut serialized_certs = String::new(); for cert in certs { let encoded_cert = pem::encode(&pem::Pem { tag: "CERTIFICATE".to_string(), - contents: cert.0.clone(), + contents: cert.as_ref().to_owned(), }); serialized_certs.push_str(&encoded_cert);