Merge pull request #205 from nats-io/tyler_manual_tls

Add manual TLS config provision method for cases where certificates are unable to be passed-in manually. Closes #204.
nats-io · Aug 25, 2021 · 0d16a32 · 0d16a32
2 parents 7d5986f + d0a533c
commit 0d16a32
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@
 - #199 implemented `asynk::Subscription::try_next`.
 - #199 implemented conversion traits b/w sync & async
   Message types.
+- #205 `Options::tls_client_config` allows users to
+  provide a manually-configured `rustls::ClientConfig`
+  for communicating to the server, for cases where
+  certificates are not available on the filesystem.
 
 # 0.13.0
 

diff --git a/src/connector.rs b/src/connector.rs
@@ -7,11 +7,11 @@ use std::thread;
 use std::time::Duration;
 
 use parking_lot::{Mutex, MutexGuard};
-use rustls::{ClientConfig, ClientSession, Session};
 use webpki::DNSNameRef;
 
 use crate::auth_utils;
 use crate::proto::{self, ClientOp, ServerOp};
+use crate::rustls::{ClientConfig, ClientSession, Session};
 use crate::secure_wipe::SecureString;
 use crate::{
     connect::ConnectInfo, inject_io_failure, AuthStyle, Options, ServerInfo,
@@ -39,7 +39,7 @@ impl Connector {
         url: &str,
         options: Arc<Options>,
     ) -> io::Result<Connector> {
-        let mut tls_config = ClientConfig::new();
+        let mut tls_config = options.tls_client_config.clone();
 
         // Include system root certificates.
         //

diff --git a/src/lib.rs b/src/lib.rs
@@ -225,6 +225,11 @@ pub use message::Message;
 pub use options::Options;
 pub use subscription::Subscription;
 
+/// A re-export of the `rustls` crate used in this crate,
+/// for use in cases where manual client configurations
+/// must be provided using `Options::tls_client_config`.
+pub use rustls;
+
 #[doc(hidden)]
 pub use connect::ConnectInfo;
 

diff --git a/src/options.rs b/src/options.rs
@@ -21,6 +21,7 @@ pub struct Options {
     pub(crate) certificates: Vec<PathBuf>,
     pub(crate) client_cert: Option<PathBuf>,
     pub(crate) client_key: Option<PathBuf>,
+    pub(crate) tls_client_config: crate::rustls::ClientConfig,
 
     pub(crate) disconnect_callback: Callback,
     pub(crate) reconnect_callback: Callback,
@@ -41,6 +42,7 @@ impl fmt::Debug for Options {
             .entry(&"certificates", &self.certificates)
             .entry(&"client_cert", &self.client_cert)
             .entry(&"client_key", &self.client_key)
+            .entry(&"tls_client_config", &"XXXXXXXX")
             .entry(&"disconnect_callback", &self.disconnect_callback)
             .entry(&"reconnect_callback", &self.reconnect_callback)
             .entry(&"reconnect_delay_callback", &"set")
@@ -66,6 +68,7 @@ impl Default for Options {
             reconnect_delay_callback: ReconnectDelayCallback(Box::new(backoff)),
             close_callback: Callback(None),
             jetstream_prefix: "$JS.API.".to_string(),
+            tls_client_config: crate::rustls::ClientConfig::default(),
         }
     }
 }
@@ -311,6 +314,43 @@ impl Options {
         self
     }
 
+    /// Set the default TLS config that will be used
+    /// for connections. Note that this is less secure
+    /// than specifying TLS certificate file paths
+    /// using the other methods on `Options`, which
+    /// will avoid keeping raw key material in-memory
+    /// and will zero memory buffers that temporarily
+    /// contain key material during connection attempts.
+    /// This is intended to be used as a method of
+    /// last-resort when providing well-known file
+    /// paths is not feasible.
+    ///
+    /// To avoid version conflicts, the `rustls` version
+    /// used by this crate is exported as `nats::rustls`.
+    ///
+    /// # Example
+    /// ```no_run
+    /// # fn main() -> std::io::Result<()> {
+    /// let mut tls_client_config = nats::rustls::ClientConfig::default();
+    /// tls_client_config
+    ///     .set_single_client_cert(
+    ///         vec![nats::rustls::Certificate(b"MY_CERT".to_vec())],
+    ///         nats::rustls::PrivateKey(b"MY_KEY".to_vec()),
+    ///     );
+    /// let nc = nats::Options::new()
+    ///     .tls_client_config(tls_client_config)
+    ///     .connect("nats://localhost:4443")?;
+    /// # Ok(())
+    /// # }
+    /// ```
+    pub fn tls_client_config(
+        mut self,
+        tls_client_config: crate::rustls::ClientConfig,
+    ) -> Options {
+        self.tls_client_config = tls_client_config;
+        self
+    }
+
     /// Add a name option to this configuration.
     ///
     /// # Example