Generate trust roots SecCertificate for Transport Services #350
Conversation
|
Can one of the admins verify this patch? |
1 similar comment
|
Can one of the admins verify this patch? |
adam-fowler
force-pushed
the
ts-tls-config2
branch
from
7205d36
to
75d8d1c
Compare
Sorry I'm running a newer version of swift format and submitted all the other files by mistake. The |
|
@swift-server-bot add to allowlist |
| try SecCertificateCreateWithData(nil, Data(certificate.toDERBytes()) as CFData) | ||
| } | ||
| } catch { | ||
| // failed to load |
There was a problem hiding this comment.
I think we need some error handling here.
There was a problem hiding this comment.
I stopped catching the error here and set getNWProtocolTLSOptions() to throws. Is that enough?
Sources/AsyncHTTPClient/NIOTransportServices/TLSConfiguration.swift
Outdated
Show resolved
Hide resolved
| } | ||
| case .some(.file): | ||
| preconditionFailure("TLSConfiguration.trustRoots.file is not supported") |
There was a problem hiding this comment.
This is a slightly different case. I could probably support this case if I knew what format the file was in.
There was a problem hiding this comment.
The file format for trust roots is just bundle-o-pem: a collection of PEM-encoded X509 certs in the same file.
There was a problem hiding this comment.
Now loading PEM info NIOSSLCertificate and generating DER for loading into SecCertificateCreateWithData. Possibly not the quickest route.
adam-fowler
force-pushed
the
ts-tls-config2
branch
2 times, most recently
from
7b7857b
to
7a6826b
Compare
|
@Lukasa do we need some more tests for converting between |
| guard case .default = trustRoots else { | ||
| preconditionFailure("TLSConfiguration.trustRoots != .default is not supported") | ||
| var secTrustRoots: [SecCertificate]? | ||
| switch trustRoots { |
There was a problem hiding this comment.
A note for the future, we've also added additionalTrustRoots which allows you to do default + others. No need to block this PR on that, but worth noting that it's there.
There was a problem hiding this comment.
Thank you, this looks good to me too! I left one comment (https://github.com/swift-server/async-http-client/pull/350/files#r631742891) which'd be nice to address. Just to be 100% sure we're on the right queue.
There was a problem hiding this comment.
After chatting to @adam-fowler: we're not calling SecEvaluateTrust on the right queue at the moment.
Support TLSConfiguration.trustRoots(.file) when converting to a `NWProtocolTLS.Options`
adam-fowler
force-pushed
the
ts-tls-config2
branch
from
28c56b2
to
29ea5c3
Compare
And then after reviewing code I realised we were. Although we did come across another issue where a file load could happen on the EventLoop. To avoid this I have moved the whole |
| @@ -109,6 +126,11 @@ | |||
| preconditionFailure("TLSConfiguration.keyLogCallback is not supported. \(useMTELGExplainer)") | |||
| } | |||
|
|
|||
| // the certificate chain | |||
| if self.certificateChain.count > 0 { | |||
| preconditionFailure("TLSConfiguration.certificateChain is not supported") | |||
There was a problem hiding this comment.
| preconditionFailure("TLSConfiguration.certificateChain is not supported") | |
| preconditionFailure("TLSConfiguration.certificateChain is not supported. \(useMTELGExplainer)") |
weissi
added
the
patch-version-bump-only
This PR is a result of another #321.
In that PR I provided an alternative structure to
TLSConfigurationfor when connecting with Transport Services.In this one I construct the
NWProtocolTLS.OptionsfromTLSConfiguration. It does mean a little more work for whenever we make a connection, but having spoken to @weissi he doesn't seem to think that is an issue.Also there is no method to create a
SecIdentityat the moment. We need to generate a pkcs#12 from the certificate chain and private key, which can then be used to create theSecIdentity.This should resolve #292