diff --git a/Cargo.lock b/Cargo.lock index 4bbfb1a..4c121d7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2111,11 +2111,12 @@ dependencies = [ [[package]] name = "rustls-pemfile" -version = "1.0.4" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" dependencies = [ "base64", + "rustls-pki-types", ] [[package]] diff --git a/Cargo.toml b/Cargo.toml index 8ec3550..f1bd40a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -91,7 +91,7 @@ rand = "0.8" ring = { version = "0.17.7", features = ["std"], default-features = false } rsa = { version = "0.9.6", features = ["sha2"] } rustls = { version = "0.22" } -rustls-pemfile = "1" +rustls-pemfile = "2" sec1 = { version = "0.7.3", features = ["der"], default-features = false } serde = { version = "1", features = ["derive", "rc"] } serde_json = "1" diff --git a/bin/tee-vault-unseal/src/main.rs b/bin/tee-vault-unseal/src/main.rs index 74b2f96..0467d22 100644 --- a/bin/tee-vault-unseal/src/main.rs +++ b/bin/tee-vault-unseal/src/main.rs @@ -14,7 +14,7 @@ use actix_web::http::header; use actix_web::rt::time::sleep; use actix_web::web::Data; use actix_web::{web, App, HttpServer}; -use anyhow::{Context, Result}; +use anyhow::{bail, Context, Result}; use attestation::get_attestation; use awc::{Client, Connector}; use clap::Parser; 
@@ -310,23 +310,20 @@ pub fn load_rustls_config() -> Result<(ServerConfig, Arc, [u8; 64] ); // convert files to key/cert objects - let cert_chain: Vec<_> = certs(cert_file) - .unwrap() - .into_iter() - .map(rustls::pki_types::CertificateDer::from) - .collect(); - let priv_key: rustls::pki_types::PrivateKeyDer = match read_one(key_file).unwrap() { - Some(rustls_pemfile::Item::RSAKey(key)) => { - rustls::pki_types::PrivatePkcs1KeyDer::from(key).into() - } - Some(rustls_pemfile::Item::PKCS8Key(key)) => { - rustls::pki_types::PrivatePkcs8KeyDer::from(key).into() - } - _ => panic!("no keys found"), - }; + let cert_chain = certs(cert_file) + .collect::, _>>() + .context("Failed to load TLS cert file")?; + + let priv_key: rustls::pki_types::PrivateKeyDer = + match read_one(key_file).context("Failed to read TLS key file")? { + Some(rustls_pemfile::Item::Sec1Key(key)) => key.into(), + Some(rustls_pemfile::Item::Pkcs1Key(key)) => key.into(), + Some(rustls_pemfile::Item::Pkcs8Key(key)) => key.into(), + _ => bail!("no keys found in TLS key file"), + }; let tls_config = Arc::new( - rustls::ClientConfig::builder() + ClientConfig::builder() .dangerous() .with_custom_certificate_verifier(Arc::new(make_verifier( cert_chain[0].as_ref().into(),
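Review bot: The switch from `unwrap()`/`panic!` to `context`/`bail!` still leaves one panic path in this hunk, at `cert_chain[0].as_ref().into()`: if the PEM file contains no CERTIFICATE blocks, `certs(cert_file)` yields nothing, the `collect::<Result<Vec<_>, _>>()` succeeds with an empty `Vec`, and the index panics instead of returning the contextual error this change otherwise introduces. I'd add `let leaf = cert_chain.first().context("no certificates found in TLS cert file")?;` right after the `cert_chain` binding and pass `leaf.as_ref().into()` to `make_verifier`. Separately, `read_one` inspects only the first PEM block, so a key file that begins with a certificate (as bundled PEMs often do) is rejected with "no keys found"; that appears to be pre-existing behaviour, but a `// the private key must be the first PEM block in the key file` comment above the `match` would spare the next reader a debugging session. `load_rustls_config` begins and ends outside this hunk.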