wip: fix quic

rwf2 · Mar 27, 2024 · e5527e1 · e5527e1
1 parent 3a6c031
commit e5527e1
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 12 deletions.
diff --git a/core/lib/src/listener/quic.rs b/core/lib/src/listener/quic.rs
@@ -73,8 +73,8 @@ impl QuicListener {
             .map(rustls::Certificate)
             .collect::<Vec<_>>();
 
-        let key = crate::tls::util::load_key(&mut tls.key_reader().unwrap())
-            .unwrap()
+        let key = crate::tls::util::load_key(&mut tls.key_reader().unwrap(), true)
+            .map_err(|e| io::Error::new(io::ErrorKind::Other, format!("bad TLS key: {}", e)))?
             .secret_der()
             .to_vec();
 

diff --git a/core/lib/src/listener/tls.rs b/core/lib/src/listener/tls.rs
@@ -49,7 +49,7 @@ impl TlsConfig {
         #[cfg(not(feature = "mtls"))]
         let verifier = WebPkiClientVerifier::no_client_auth();
 
-        let key = load_key(&mut self.key_reader()?)?;
+        let key = load_key(&mut self.key_reader()?, false)?;
         let cert_chain = load_cert_chain(&mut self.certs_reader()?)?;
         let mut tls_config = ServerConfig::builder_with_provider(provider.clone())
             .with_safe_default_protocol_versions()?

diff --git a/core/lib/src/tls/util.rs b/core/lib/src/tls/util.rs
@@ -15,7 +15,7 @@ pub fn load_cert_chain(reader: &mut dyn io::BufRead) -> Result<Vec<CertificateDe
 }
 
 /// Load and decode the private key  from `reader`.
-pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>> {
+pub fn load_key(reader: &mut dyn io::BufRead, ring_key: bool) -> Result<PrivateKeyDer<'static>> {
     use rustls_pemfile::Item::*;
 
     let mut keys: Vec<PrivateKeyDer<'static>> = rustls_pemfile::read_all(reader)
@@ -35,10 +35,16 @@ pub fn load_key(reader: &mut dyn io::BufRead) -> Result<PrivateKeyDer<'static>>
 
     // Ensure we can use the key.
     let key = keys.remove(0);
-    default_crypto_provider(None)
-        .key_provider
-        .load_private_key(key.clone_key())
-        .map_err(KeyError::Unsupported)?;
+
+    if ring_key {
+        rustls::crypto::ring::sign::any_supported_type(&key)
+            .map_err(KeyError::Unsupported)?;
+    } else {
+        default_crypto_provider(None)
+            .key_provider
+            .load_private_key(key.clone_key())
+            .map_err(KeyError::Unsupported)?;
+    }
 
     Ok(key)
 }
@@ -85,10 +91,10 @@ mod test {
         let ecdsa_nistp384_sha384_key = tls_example_key!("ecdsa_nistp384_sha384_key_pkcs8.pem");
         let ed2551_key = tls_example_key!("ed25519_key.pem");
 
-        load_key(&mut &rsa_sha256_key[..])?;
-        load_key(&mut &ecdsa_nistp256_sha256_key[..])?;
-        load_key(&mut &ecdsa_nistp384_sha384_key[..])?;
-        load_key(&mut &ed2551_key[..])?;
+        load_key(&mut &rsa_sha256_key[..], false)?;
+        load_key(&mut &ecdsa_nistp256_sha256_key[..], false)?;
+        load_key(&mut &ecdsa_nistp384_sha384_key[..], false)?;
+        load_key(&mut &ed2551_key[..], false)?;
 
         Ok(())
     }