Update Rust crate rustls to 0.22.0 - abandoned

Cargo.toml

@@ -309,7 +309,8 @@ ring = "0.16"
 rpassword = "7.3.1"
 rstest = "0.18.2"
 rustfmt-wrapper = "0.2"
-rustls = "0.21.9"
+rustls = "0.22.0"
+rustls-pki-types = "1.0.1"
 samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
 schemars = "0.8.12"
 secrecy = "0.8.0"

nexus/Cargo.toml

@@ -85,6 +85,7 @@ oximeter.workspace = true
 oximeter-instruments = { workspace = true, features = ["http-instruments"] }
 oximeter-producer.workspace = true
 rustls = { workspace = true }
+rustls-pki-types.workspace = true
 omicron-workspace-hack.workspace = true
 
 [dev-dependencies]

nexus/src/app/external_endpoints.rs

@@ -47,6 +47,8 @@ use omicron_common::bail_unless;
 use openssl::pkey::PKey;
 use openssl::x509::X509;
 use rustls::sign::CertifiedKey;
+use rustls_pki_types::CertificateDer;
+use rustls_pki_types::PrivateKeyDer;
 use serde::Serialize;
 use serde_with::SerializeDisplay;
 use std::collections::btree_map::Entry;
@@ -432,16 +434,20 @@ impl TryFrom<Certificate> for TlsCertificate {
             let private_key_der = private_key
                 .private_key_to_der()
                 .context("serializing private key to DER")?;
-            let rustls_private_key = rustls::PrivateKey(private_key_der);
+            // XXX: Is PKCS#8 correct?
+            let rustls_private_key =
+                PrivateKeyDer::Pkcs8(private_key_der.into());
             let rustls_signing_key =
-                rustls::sign::any_supported_type(&rustls_private_key)
-                    .context("parsing DER private key")?;
+                rustls::crypto::ring::sign::any_supported_type(
+                    &rustls_private_key,
+                )
+                .context("parsing DER private key")?;
             let rustls_certs = certs_pem
                 .iter()
                 .map(|x509| {
                     x509.to_der()
                         .context("serializing cert to DER")
-                        .map(rustls::Certificate)
+                        .map(CertificateDer::from)
                 })
                 .collect::<Result<_, _>>()?;
             Arc::new(CertifiedKey::new(rustls_certs, rustls_signing_key))
@@ -563,6 +569,7 @@ pub(crate) async fn read_all_endpoints(
 /// session.
 ///
 /// See the module-level comment for more details.
+#[derive(Debug)]
 pub struct NexusCertResolver {
     log: slog::Logger,
     config_rx: watch::Receiver<Option<ExternalEndpoints>>,

nexus/src/app/mod.rs

@@ -509,11 +509,10 @@ impl Nexus {
             return None;
         }
 
+        // This used to specify safe default cipher suites, kx groups, and
+        // protocol versions, but starting rustls 0.22 the safe defaults are
+        // implicit.
         let mut rustls_cfg = rustls::ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_safe_default_protocol_versions()
-            .unwrap()
             .with_no_client_auth()
             .with_cert_resolver(Arc::new(NexusCertResolver::new(
                 self.log.new(o!("component" => "NexusCertResolver")),

test-utils/Cargo.toml

@@ -18,7 +18,7 @@ libc.workspace = true
 omicron-common.workspace = true
 pem.workspace = true
 ring.workspace = true
-rustls.workspace = true
+rustls-pki-types.workspace = true
 slog.workspace = true
 subprocess.workspace = true
 tempfile.workspace = true

test-utils/src/certificates.rs

@@ -4,11 +4,13 @@
 
 //! Utilities for tests that need certificates.
 
+use rustls_pki_types::CertificateDer;
+
 // Utility structure for making a test certificate
 pub struct CertificateChain {
-    root_cert: rustls::Certificate,
-    intermediate_cert: rustls::Certificate,
-    end_cert: rustls::Certificate,
+    root_cert: CertificateDer<'static>,
+    intermediate_cert: CertificateDer<'static>,
+    end_cert: CertificateDer<'static>,
     end_keypair: rcgen::Certificate,
 }
 
@@ -36,17 +38,17 @@ impl CertificateChain {
         let end_keypair = rcgen::Certificate::from_params(params)
             .expect("failed to generate end-entity keys");
 
-        let root_cert = rustls::Certificate(
+        let root_cert = CertificateDer::from(
             root_keypair
                 .serialize_der()
                 .expect("failed to serialize root cert"),
         );
-        let intermediate_cert = rustls::Certificate(
+        let intermediate_cert = CertificateDer::from(
             intermediate_keypair
                 .serialize_der_with_signer(&root_keypair)
                 .expect("failed to serialize intermediate cert"),
         );
-        let end_cert = rustls::Certificate(
+        let end_cert = CertificateDer::from(
             end_keypair
                 .serialize_der_with_signer(&intermediate_keypair)
                 .expect("failed to serialize end-entity cert"),
@@ -63,7 +65,7 @@ impl CertificateChain {
         self.end_keypair.serialize_private_key_pem()
     }
 
-    fn cert_chain(&self) -> Vec<rustls::Certificate> {
+    fn cert_chain(&self) -> Vec<CertificateDer> {
         vec![
             self.end_cert.clone(),
             self.intermediate_cert.clone(),
@@ -76,12 +78,12 @@ impl CertificateChain {
     }
 }
 
-fn tls_cert_to_pem(certs: &Vec<rustls::Certificate>) -> String {
+fn tls_cert_to_pem(certs: &Vec<CertificateDer>) -> String {
     let mut serialized_certs = String::new();
     for cert in certs {
         let encoded_cert = pem::encode(&pem::Pem {
             tag: "CERTIFICATE".to_string(),
-            contents: cert.0.clone(),
+            contents: cert.as_ref().to_owned(),
         });
 
         serialized_certs.push_str(&encoded_cert);