diff --git a/poem/Cargo.toml b/poem/Cargo.toml
index 2a2aed1658..8f5997d5dc 100644
--- a/poem/Cargo.toml
+++ b/poem/Cargo.toml
@@ -99,7 +99,7 @@ sync_wrapper = { version = "0.1.2", features = ["futures"] }
 multer = { version = "3.0.0", features = ["tokio"], optional = true }
 tokio-tungstenite = { version = "0.21.0", optional = true }
 tokio-rustls = { workspace = true, optional = true }
-rustls-pemfile = { version = "1.0.0", optional = true }
+rustls-pemfile = { version = "2.0.0", optional = true }
 async-compression = { version = "0.4.0", optional = true, features = [
 "tokio",
 "gzip",
diff --git a/poem/src/listener/acme/listener.rs b/poem/src/listener/acme/listener.rs
index fea4810ef5..1f5c950d05 100644
--- a/poem/src/listener/acme/listener.rs
+++ b/poem/src/listener/acme/listener.rs
@@ -109,11 +109,14 @@ impl Listener for AutoCertListener {
 .await?;
 let (cache_certs, cert_key) = {
- let mut certs = None;
+ let mut certs: Option> = None;
 let mut key = None;
 if let Some(cache_cert) = &self.auto_cert.cache_cert {
- match rustls_pemfile::certs(&mut cache_cert.as_slice()) {
+ match rustls_pemfile::certs(&mut cache_cert.as_slice())
+ .collect::>()
+ .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))
+ {
 Ok(c) => certs = Some(c),
 Err(err) => {
 tracing::warn!("failed to parse cached tls certificates: {}", err)
@@ -122,7 +125,9 @@ impl Listener for AutoCertListener {
 }
 if let Some(cache_key) = &self.auto_cert.cache_key {
- match rustls_pemfile::pkcs8_private_keys(&mut cache_key.as_slice()) {
+ match rustls_pemfile::pkcs8_private_keys(&mut cache_key.as_slice())
+ .collect::, _>>()
+ {
 Ok(k) => key = k.into_iter().next(),
 Err(err) => {
 tracing::warn!("failed to parse cached private key: {}", err)
@@ -157,7 +162,7 @@ impl Listener for AutoCertListener {
 );
 *cert_resolver.cert.write() = Some(Arc::new(CertifiedKey::new(
 certs,
- any_ecdsa_type(&PrivateKeyDer::Pkcs8(key.into())).unwrap(),
+ any_ecdsa_type(&PrivateKeyDer::Pkcs8(key)).unwrap(),
 )));
 }
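Review bot: The added `.map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))` in the cache_cert branch rewraps an io::Error into another io::Error whose only consumer is the `tracing::warn!` two lines below, while the cache_key branch in the next hunk collects without it; `.collect::<Result<Vec<_>, _>>()` alone keeps the two branches consistent and preserves the parser's own message. Separately, a cache file with no CERTIFICATE blocks collects to `Ok(vec![])`, so `Ok(c) => certs = Some(c),` can hand an empty chain to the `CertifiedKey::new(certs, …)` built further down; `Ok(c) if !c.is_empty() => certs = Some(c),` followed by an `Ok(_)` arm that warns like the `Err` arm would treat it as a cache miss instead. The enclosing method continues outside the hunk.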
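Review bot: `any_ecdsa_type(&PrivateKeyDer::Pkcs8(key)).unwrap()` still panics when the cached key parses as PKCS#8 but is not an ECDSA key the ring backend accepts (a hand-edited or partially written cache file), whereas the two parse failures earlier in this method only `tracing::warn!` and fall through to requesting a fresh certificate; the version bump was a natural point to make the three paths consistent. Handling the `Err` the same way — log it and leave `cert_resolver.cert` unset so issuance proceeds — needs the assignment wrapped in a match or let-else, and the surrounding `if let` that binds `certs` and `key` starts outside this hunk.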
@@ -403,10 +408,8 @@ pub async fn issue_cert>(
 .await?;
 let pkey_pem = cert.serialize_private_key_pem();
 let cert_chain = rustls_pemfile::certs(&mut acme_cert_pem.as_slice())
- .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))?
- .into_iter()
- .map(CertificateDer::from)
- .collect();
+ .collect::>()
+ .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))?;
 let cert_key = CertifiedKey::new(cert_chain, pk);
 tracing::debug!("certificate obtained");
diff --git a/poem/src/listener/rustls.rs b/poem/src/listener/rustls.rs
index 445123dc3c..b03471e7e2 100644
--- a/poem/src/listener/rustls.rs
+++ b/poem/src/listener/rustls.rs
@@ -10,7 +10,6 @@ use tokio::io::{Error as IoError, ErrorKind, Result as IoResult};
 use tokio_rustls::{
 rustls::{
 crypto::ring::sign::any_supported_type,
- pki_types::{CertificateDer, PrivateKeyDer},
 server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
 sign::CertifiedKey,
 RootCertStore, ServerConfig,
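Review bot: `cert_chain` can be empty after the new `.collect::<Result<Vec<_>, _>>()`: a downloaded body with no CERTIFICATE blocks (an error page or a truncated response, if the PEM reader skips non-PEM lines as I believe it does) yields zero items rather than an `Err`, and `CertifiedKey::new(cert_chain, pk)` then builds a key with no end-entity certificate. A guard before that line — `if cert_chain.is_empty() { return Err(IoError::new(ErrorKind::Other, "acme response contained no certificate")); }` — fails issuance explicitly instead of installing an unusable resolver entry. issue_cert begins and ends outside this hunk.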
@@ -71,26 +70,21 @@ impl RustlsCertificate {
 impl RustlsCertificate {
 fn create_certificate_key(&self) -> IoResult {
 let cert = rustls_pemfile::certs(&mut self.cert.as_slice())
- .map(|mut certs| certs.drain(..).map(CertificateDer::from).collect())
+ .collect::>()
 .map_err(|_| IoError::new(ErrorKind::Other, "failed to parse tls certificates"))?;
- let priv_key = {
- loop {
- let key = match rustls_pemfile::read_one(&mut self.key.as_slice())? {
- Some(Item::RSAKey(key)) => key,
- Some(Item::PKCS8Key(key)) => key,
- Some(Item::ECKey(key)) => key,
- None => {
- return Err(IoError::new(
- ErrorKind::Other,
- "failed to parse tls private keys",
- ))
- }
- _ => continue,
- };
- if !key.is_empty() {
- break PrivateKeyDer::Pkcs8(key.into());
+ let priv_key = loop {
+ match rustls_pemfile::read_one(&mut self.key.as_slice())? {
+ Some(Item::Pkcs1Key(key)) => break key.into(),
+ Some(Item::Pkcs8Key(key)) => break key.into(),
+ Some(Item::Sec1Key(key)) => break key.into(),
+ None => {
+ return Err(IoError::new(
+ ErrorKind::Other,
+ "failed to parse tls private keys",
+ ))
+ }
+ _ => continue,
 }
 }
 };
@@ -269,10 +263,11 @@ impl RustlsConfig {
 fn read_trust_anchor(mut trust_anchor: &[u8]) -> IoResult {
 let mut store = RootCertStore::empty();
- let ders = rustls_pemfile::certs(&mut trust_anchor)?;
+ let ders = rustls_pemfile::certs(&mut trust_anchor);
 for der in ders {
+ let der = der.map_err(|err| IoError::new(ErrorKind::Other, err.to_string()))?;
 store
- .add(CertificateDer::from(der))
+ .add(der)
 .map_err(|err| IoError::new(ErrorKind::Other, err.to_string()))?;
 }
 Ok(store)
diff --git a/poem/src/listener/unix.rs b/poem/src/listener/unix.rs
index 8e678f088e..5072e6cc22 100644
--- a/poem/src/listener/unix.rs
+++ b/poem/src/listener/unix.rs
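Review bot: `rustls_pemfile::read_one(&mut self.key.as_slice())` builds a fresh slice on every iteration, so the reader never advances past the first PEM block, and `_ => continue` spins forever whenever that first block is not a private key (a certificate or parameters block placed ahead of the key in the same file); the rewrite preserves this pre-existing hang. Hoisting the reader fixes it: `let mut key_reader = self.key.as_slice();` before the loop and `match rustls_pemfile::read_one(&mut key_reader)? {` inside it, after which `None` genuinely means end of input and the existing error arm is reached. If I read the 2.0 API correctly, `rustls_pemfile::private_key(&mut key_reader)?` already returns the first PKCS#1/PKCS#8/SEC1 key as `Option<PrivateKeyDer>` and would replace the loop entirely. The `.map_err(|_| …)` on the certificate parse also still discards the parser's message, while read_trust_anchor in the next hunk reports `err.to_string()`. create_certificate_key ends outside the hunk.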
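Review bot: With `ders` now just the lazy iterator, `for der in rustls_pemfile::certs(&mut trust_anchor) {` reads more directly, and the added `let der = der.map_err(…)?;` could fold into the existing chain as `store.add(der.map_err(|err| IoError::new(ErrorKind::Other, err.to_string()))?)`. More important for a client-auth root set: a trust-anchor PEM with zero CERTIFICATE blocks now returns `Ok(store)` with an empty store rather than an error, so returning `Err` when `store.is_empty()` after the loop makes a misconfigured file fail loudly instead of depending on whether the verifier builder downstream rejects an empty root set (I have not checked that it does). The function's closing brace is outside the hunk.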
@@ -46,7 +46,7 @@ impl UnixListener {
 /// Provides owner to be set on actual bind
 pub fn with_owner(self, uid: Option, gid: Option) -> Self {
 Self {
- owner: Some((uid.map(|v| Uid::from_raw(v)), gid.map(|v| Gid::from_raw(v)))),
+ owner: Some((uid.map(Uid::from_raw), gid.map(Gid::from_raw))),
 ..self
 }
 }
@@ -61,7 +61,7 @@ impl + Send + Clone> Listener for UnixListener {
 (Some(permissions), Some((uid, gid))) => {
 let listener = TokioUnixListener::bind(self.path.clone())?;
 set_permissions(self.path.clone(), permissions)?;
- chown(self.path.as_ref().as_os_str().into(), uid, gid)?;
+ chown(self.path.as_ref().as_os_str(), uid, gid)?;
 listener
 }
 (Some(permissions), None) => {
@@ -71,7 +71,7 @@ impl + Send + Clone> Listener for UnixListener {
 }
 (None, Some((uid, gid))) => {
 let listener = TokioUnixListener::bind(self.path.clone())?;
- chown(self.path.as_ref().as_os_str().into(), uid, gid)?;
+ chown(self.path.as_ref().as_os_str(), uid, gid)?;
 listener
 }
 (None, None) => TokioUnixListener::bind(self.path)?,
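Review bot: In both `chown(self.path.as_ref().as_os_str(), uid, gid)?` arms the socket file is created by `bind` first and only afterwards re-owned (and, in the first arm, re-moded), so for that window it carries the process's own uid and the umask-derived mode; dropping `.into()` does not change this, but the `bind` line deserves a comment stating the window and that callers needing a tighter mode should place the socket in a directory that already restricts access. A failing `set_permissions` or `chown` also returns through `?` with the bound socket file left on disk, which the next bind attempt would then trip over — hedged, since any unlink handling lives outside these hunks. The with_owner hunk is a clippy-style cleanup and needs nothing further.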