1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
// Copyright 2015-2018 Benjamin Fry <benjaminfry@me.com>
//
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
// https://opensource.org/licenses/MIT>, at your option. This file may not be
// copied, modified, or distributed except according to those terms.

//! DNS over TLS server implementation for Rustls

use std::fs::File;
use std::io::{BufReader, Read};
use std::path::Path;

use rustls::{self, Certificate, PrivateKey, ServerConfig};
use rustls_pemfile::{certs, read_one, Item};

use crate::error::{ProtoError, ProtoResult};

/// Read the certificate from the specified path.
///
/// If the password is specified, then it will be used to decode the Certificate
pub fn read_cert(cert_path: &Path) -> ProtoResult<Vec<Certificate>> {
    let mut cert_file = File::open(cert_path)
        .map_err(|e| format!("error opening cert file: {cert_path:?}: {e}"))?;

    let mut reader = BufReader::new(&mut cert_file);
    match certs(&mut reader) {
        Ok(certs) => Ok(certs.into_iter().map(Certificate).collect()),
        Err(_) => Err(ProtoError::from(format!(
            "failed to read certs from: {}",
            cert_path.display()
        ))),
    }
}

/// Reads a private key from a pkcs8 formatted, and possibly encoded file
///
/// ## Accepted formats
///
/// - A Sec1-encoded plaintext private key; as specified in RFC5915
/// - A DER-encoded plaintext RSA private key; as specified in PKCS#1/RFC3447
/// - DER-encoded plaintext private key; as specified in PKCS#8/RFC5958
pub fn read_key(path: &Path) -> ProtoResult<PrivateKey> {
    let mut file = BufReader::new(File::open(path)?);

    loop {
        match read_one(&mut file)? {
            Some(Item::ECKey(key)) => return Ok(PrivateKey(key)),
            Some(Item::RSAKey(key)) => return Ok(PrivateKey(key)),
            Some(Item::PKCS8Key(key)) => return Ok(PrivateKey(key)),
            Some(_) => continue,
            None => return Err(format!("no keys available in: {}", path.display()).into()),
        };
    }
}

/// Reads a private key from a der formatted file
pub fn read_key_from_der(path: &Path) -> ProtoResult<PrivateKey> {
    let mut file = File::open(path)?;
    let mut buf = Vec::new();
    file.read_to_end(&mut buf)?;

    Ok(PrivateKey(buf))
}

/// Attempts to read a private key from a PEM formatted file.
///
/// ## Accepted formats
///
/// - DER-encoded plaintext RSA private key; as specified in PKCS#1/RFC3447
/// - DER-encoded plaintext RSA private key; as specified in PKCS#8/RFC5958 default with openssl v3
///
/// ## Errors
///
/// Returns a [ProtoError] in either cases:
///
/// - Unable to open key at given `path`
/// - Encountered an IO error
/// - Unable to read key: either no key or no key found in the right format
pub fn read_key_from_pem(path: &Path) -> ProtoResult<PrivateKey> {
    let file = File::open(path)?;
    let mut file = BufReader::new(file);

    loop {
        match rustls_pemfile::read_one(&mut file)? {
            None => return Err(format!("No RSA keys in file: {}", path.display()).into()),
            Some(Item::RSAKey(key)) | Some(Item::PKCS8Key(key)) => return Ok(PrivateKey(key)),
            Some(_) => continue,
        }
    }
}

/// Construct the new Acceptor with the associated pkcs12 data
pub fn new_acceptor(
    cert: Vec<Certificate>,
    key: PrivateKey,
) -> Result<ServerConfig, rustls::Error> {
    let mut config = ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth()
        .with_single_cert(cert, key)?;

    config.alpn_protocols = vec![b"h2".to_vec()];
    Ok(config)
}