diff --git a/Cargo.Bazel.lock b/Cargo.Bazel.lock index 998052685..22da4d1fb 100644 --- a/Cargo.Bazel.lock +++ b/Cargo.Bazel.lock @@ -1,5 +1,5 @@ { - "checksum": "ce765802469bb915a59874ca092755075fe0d4dd85555be1b7fa504074568962", + "checksum": "1c7910a42fe467fecbece0d296b19911037ed919e5cb526b08c7297a08338585", "crates": { "addr2line 0.21.0": { "name": "addr2line", @@ -7981,7 +7981,7 @@ "target": "prometheus_client" }, { - "id": "rustls-pemfile 1.0.4", + "id": "rustls-pemfile 2.0.0", "target": "rustls_pemfile" }, { @@ -7997,7 +7997,7 @@ "target": "tokio" }, { - "id": "tokio-rustls 0.24.1", + "id": "tokio-rustls 0.25.0", "target": "tokio_rustls" }, { 
@@ -11858,6 +11858,102 @@ }, "license": "Apache-2.0 OR ISC OR MIT" }, + "rustls 0.22.1": { + "name": "rustls", + "version": "0.22.1", + "repository": { + "Http": { + "url": "https://crates.io/api/v1/crates/rustls/0.22.1/download", + "sha256": "fe6b63262c9fcac8659abfaa96cac103d28166d3ff3eaf8f412e19f3ae9e5a48" + } + }, + "targets": [ + { + "Library": { + "crate_name": "rustls", + "crate_root": "src/lib.rs", + "srcs": [ + "**/*.rs" + ] + } + }, + { + "BuildScript": { + "crate_name": "build_script_build", + "crate_root": "build.rs", + "srcs": [ + "**/*.rs" + ] + } + } + ], + "library_target_name": "rustls", + "common_attrs": { + "compile_data_glob": [ + "**" + ], + "crate_features": { + "common": [ + "log", + "logging", + "ring", + "tls12" + ], + "selects": {} + }, + "deps": { + "common": [ + { + "id": "log 0.4.20", + "target": "log" + }, + { + "id": "ring 0.17.7", + "target": "ring" + }, + { + "id": "rustls 0.22.1", + "target": "build_script_build" + }, + { + "id": "rustls-pki-types 1.0.1", + "target": "rustls_pki_types", + "alias": "pki_types" + }, + { + "id": "rustls-webpki 0.102.0", + "target": "webpki" + }, + { + "id": "subtle 2.5.0", + "target": "subtle" + }, + { + "id": "zeroize 1.7.0", + "target": "zeroize" + } + ], + "selects": {} + }, + "edition": "2021", + "version": "0.22.1" + }, + "build_script_attrs": { + "data_glob": [ + "**" + ], + "link_deps": { + "common": [ + { + "id": "ring 0.17.7", + "target": "ring" + } + ], + "selects": {} + } + }, + "license": "Apache-2.0 OR ISC OR MIT" + }, "rustls-native-certs 0.6.3": { "name": "rustls-native-certs", "version": "0.6.3", 
@@ -11955,6 +12051,95 @@ }, "license": "Apache-2.0 OR ISC OR MIT" }, + "rustls-pemfile 2.0.0": { + "name": "rustls-pemfile", + "version": "2.0.0", + "repository": { + "Http": { + "url": "https://crates.io/api/v1/crates/rustls-pemfile/2.0.0/download", + "sha256": "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" + } + }, + "targets": [ + { + "Library": { + "crate_name": "rustls_pemfile", + "crate_root": "src/lib.rs", + "srcs": [ + "**/*.rs" + ] + } + } + ], + "library_target_name": "rustls_pemfile", + "common_attrs": { + "compile_data_glob": [ + "**" + ], + "crate_features": { + "common": [ + "default", + "std" + ], + "selects": {} + }, + "deps": { + "common": [ + { + "id": "base64 0.21.5", + "target": "base64" + }, + { + "id": "rustls-pki-types 1.0.1", + "target": "rustls_pki_types", + "alias": "pki_types" + } + ], + "selects": {} + }, + "edition": "2018", + "version": "2.0.0" + }, + "license": "Apache-2.0 OR ISC OR MIT" + }, + "rustls-pki-types 1.0.1": { + "name": "rustls-pki-types", + "version": "1.0.1", + "repository": { + "Http": { + "url": "https://crates.io/api/v1/crates/rustls-pki-types/1.0.1/download", + "sha256": "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + } + }, + "targets": [ + { + "Library": { + "crate_name": "rustls_pki_types", + "crate_root": "src/lib.rs", + "srcs": [ + "**/*.rs" + ] + } + } + ], + "library_target_name": "rustls_pki_types", + "common_attrs": { + "compile_data_glob": [ + "**" + ], + "crate_features": { + "common": [ + "alloc", + "default", + "std" + ], + "selects": {} + }, + "edition": "2021", + "version": "1.0.1" + }, + "license": "MIT OR Apache-2.0" + }, "rustls-webpki 0.101.7": { "name": "rustls-webpki", "version": "0.101.7", 
@@ -12006,6 +12191,62 @@ }, "license": "ISC" }, + "rustls-webpki 0.102.0": { + "name": "rustls-webpki", + "version": "0.102.0", + "repository": { + "Http": { + "url": "https://crates.io/api/v1/crates/rustls-webpki/0.102.0/download", + "sha256": "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" + } + }, + "targets": [ + { + "Library": { + "crate_name": "webpki", + "crate_root": "src/lib.rs", + "srcs": [ + "**/*.rs" + ] + } + } + ], + "library_target_name": "webpki", + "common_attrs": { + "compile_data_glob": [ + "**" + ], + "crate_features": { + "common": [ + "alloc", + "ring", + "std" + ], + "selects": {} + }, + "deps": { + "common": [ + { + "id": "ring 0.17.7", + "target": "ring" + }, + { + "id": "rustls-pki-types 1.0.1", + "target": "rustls_pki_types", + "alias": "pki_types" + }, + { + "id": "untrusted 0.9.0", + "target": "untrusted" + } + ], + "selects": {} + }, + "edition": "2021", + "version": "0.102.0" + }, + "license": "ISC" + }, "rustversion 1.0.14": { "name": "rustversion", "version": "1.0.14", @@ -14286,7 +14527,6 @@ ], "crate_features": { "common": [ - "default", "logging", "tls12" ], 
@@ -14310,6 +14550,63 @@ }, "license": "MIT/Apache-2.0" }, + "tokio-rustls 0.25.0": { + "name": "tokio-rustls", + "version": "0.25.0", + "repository": { + "Http": { + "url": "https://crates.io/api/v1/crates/tokio-rustls/0.25.0/download", + "sha256": "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" + } + }, + "targets": [ + { + "Library": { + "crate_name": "tokio_rustls", + "crate_root": "src/lib.rs", + "srcs": [ + "**/*.rs" + ] + } + } + ], + "library_target_name": "tokio_rustls", + "common_attrs": { + "compile_data_glob": [ + "**" + ], + "crate_features": { + "common": [ + "default", + "logging", + "ring", + "tls12" + ], + "selects": {} + }, + "deps": { + "common": [ + { + "id": "rustls 0.22.1", + "target": "rustls" + }, + { + "id": "rustls-pki-types 1.0.1", + "target": "rustls_pki_types", + "alias": "pki_types" + }, + { + "id": "tokio 1.35.0", + "target": "tokio" + } + ], + "selects": {} + }, + "edition": "2021", + "version": "0.25.0" + }, + "license": "MIT/Apache-2.0" + }, "tokio-stream 0.1.14": { "name": "tokio-stream", "version": "0.1.14", @@ -17552,7 +17849,7 @@ "prost-types 0.12.3", "rand 0.8.5", "relative-path 1.9.0", - "rustls-pemfile 1.0.4", + "rustls-pemfile 2.0.0", "scopeguard 1.2.0", "serde 1.0.193", "serde_json5 0.1.0", @@ -17560,7 +17857,7 @@ "shellexpand 3.1.0", "shlex 1.2.0", "tokio 1.35.0", - "tokio-rustls 0.24.1", + "tokio-rustls 0.25.0", "tokio-stream 0.1.14", "tokio-util 0.7.10", "tonic 0.10.2", diff --git a/Cargo.lock b/Cargo.lock index cf26b5410..bbbbad793 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -494,7 +494,7 @@ dependencies = [ "once_cell", "pin-project-lite", "pin-utils", - "rustls", + "rustls 0.21.10", "serde", "serde_json", "tokio", @@ -1326,10 +1326,10 @@ dependencies = [ "http", "hyper", "log", - "rustls", + "rustls 0.21.10", "rustls-native-certs", "tokio", - "tokio-rustls", + "tokio-rustls 0.24.1", "webpki-roots", ] 
@@ -1557,11 +1557,11 @@ dependencies = [ "nativelink-worker", "parking_lot", "prometheus-client", - "rustls-pemfile", + "rustls-pemfile 2.0.0", "scopeguard", "serde_json5", "tokio", - "tokio-rustls", + "tokio-rustls 0.25.0", "tonic", "tower", "tracing", @@ -2308,10 +2308,24 @@ checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba" dependencies = [ "log", "ring", - "rustls-webpki", + "rustls-webpki 0.101.7", "sct", ] +[[package]] +name = "rustls" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fe6b63262c9fcac8659abfaa96cac103d28166d3ff3eaf8f412e19f3ae9e5a48" +dependencies = [ + "log", + "ring", + "rustls-pki-types", + "rustls-webpki 0.102.0", + "subtle", + "zeroize", +] + [[package]] name = "rustls-native-certs" version = "0.6.3" @@ -2319,7 +2333,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00" dependencies = [ "openssl-probe", - "rustls-pemfile", + "rustls-pemfile 1.0.4", "schannel", "security-framework", ] @@ -2333,6 +2347,22 @@ dependencies = [ "base64", ] +[[package]] +name = "rustls-pemfile" +version = "2.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "35e4980fa29e4c4b212ffb3db068a564cbf560e51d3944b7c88bd8bf5bec64f4" +dependencies = [ + "base64", + "rustls-pki-types", +] + +[[package]] +name = "rustls-pki-types" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b" + [[package]] name = "rustls-webpki" version = "0.101.7" 
@@ -2343,6 +2373,17 @@ dependencies = [ "untrusted", ] +[[package]] +name = "rustls-webpki" +version = "0.102.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", +] + [[package]] name = "rustversion" version = "1.0.14" @@ -2771,7 +2812,18 @@ version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "rustls", + "rustls 0.21.10", + "tokio", +] + +[[package]] +name = "tokio-rustls" +version = "0.25.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f" +dependencies = [ + "rustls 0.22.1", + "rustls-pki-types", "tokio", ] diff --git a/Cargo.toml b/Cargo.toml index f2e9d48e9..aef6245a2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -35,11 +35,11 @@ futures = "0.3.29" hyper = { version = "0.14.27" } parking_lot = "0.12.1" prometheus-client = "0.21.2" -rustls-pemfile = "1.0.4" +rustls-pemfile = "2.0.0" scopeguard = "1.2.0" serde_json5 = "0.1.0" tokio = { version = "1.35.0", features = ["rt-multi-thread", "signal"] } -tokio-rustls = "0.24.1" +tokio-rustls = "0.25.0" tonic = { version = "0.10.2", features = ["gzip"] } tower = "0.4.13" tracing = "0.1.40" diff --git a/src/bin/cas.rs b/src/bin/cas.rs index a692b5944..89445e091 100644 --- a/src/bin/cas.rs +++ b/src/bin/cas.rs 
@@ -45,13 +45,13 @@ use nativelink_util::metrics_utils::{
 };
 use nativelink_worker::local_worker::new_local_worker;
 use parking_lot::Mutex;
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls_pemfile::{certs as extract_certs, pkcs8_private_keys};
 use scopeguard::guard;
 use tokio::net::TcpListener;
 #[cfg(target_family = "unix")]
 use tokio::signal::unix::{signal, SignalKind};
 use tokio::task::spawn_blocking;
-use tokio_rustls::rustls::{Certificate, PrivateKey, ServerConfig as TlsServerConfig};
+use tokio_rustls::rustls::ServerConfig as TlsServerConfig;
 use tokio_rustls::TlsAcceptor;
 use tonic::codec::CompressionEncoding;
 use tonic::transport::Server as TonicServer;
@@ -446,29 +446,32 @@ async fn inner_main(cfg: CasConfig, server_start_timestamp: u64) -> Result<(), B std::fs::File::open(&tls_config.cert_file) .err_tip(|| format!("Could not open cert file {}", tls_config.cert_file))?, ); - let certs = certs(&mut cert_reader) - .err_tip(|| format!("Could not extract certs from file {}", tls_config.cert_file))? - .into_iter() - .map(Certificate) - .collect(); + let mut certs = vec![]; + for cert in extract_certs(&mut cert_reader) { + certs.push(cert.err_tip(|| format!("Could not extract certs from file {}", tls_config.cert_file))?); + } let mut key_reader = std::io::BufReader::new( std::fs::File::open(&tls_config.key_file) .err_tip(|| format!("Could not open key file {}", tls_config.key_file))?, ); - let keys = pkcs8_private_keys(&mut key_reader) - .err_tip(|| format!("Could not extract key(s) from file {}", tls_config.key_file))?; - if keys.len() != 1 { - return Err(Box::new(make_err!( - Code::InvalidArgument, - "Expected 1 key in file {}, found {} keys", - tls_config.key_file, - keys.len() - ))); - } + let key = { + let keys = pkcs8_private_keys(&mut key_reader).collect::>(); + if keys.len() != 1 { + return Err(Box::new(make_err!( + Code::InvalidArgument, + "Expected 1 key in file {}, found {} keys", + tls_config.key_file, + keys.len() + ))); + } + keys.into_iter() + .next() + .unwrap() + .err_tip(|| format!("Could not extract key(s) from file {}", tls_config.key_file))? + }; let mut config = TlsServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() - .with_single_cert(certs, PrivateKey(keys.into_iter().next().unwrap())) + .with_single_cert(certs, key.into()) .map_err(|e| make_err!(Code::Internal, "Could not create TlsServerConfig : {:?}", e))?; config.alpn_protocols.push("h2".into());
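Review bot: The `keys.len() != 1` check in the new `let key = { … }` block counts every item the iterator yields, `Ok` or `Err`, before any of them is unwrapped, so the `err_tip` naming the key file is reached only when exactly one item came back. A key file with one good key and one block that fails to parse would therefore report "found 2 keys" instead of the parse error. Surfacing the error first keeps the count meaningful: `let keys = pkcs8_private_keys(&mut key_reader).collect::<Result<Vec<_>, _>>().err_tip(|| format!("Could not extract key(s) from file {}", tls_config.key_file))?;`, after which the trailing `.err_tip(…)?` on `keys.into_iter().next().unwrap()` can be dropped. The cert loop has no matching check for an empty result, and whether `with_single_cert` rejects an empty chain is not visible here, so an explicit `if certs.is_empty()` returning `Code::InvalidArgument` would make a cert file with no certificate blocks fail at startup rather than at the first handshake. `inner_main` starts and ends outside this hunk.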