update dropshot (#4794)

oxidecomputer · Jan 18, 2024 · 9a3e1d8 · 9a3e1d8
1 parent 0ab0df5
commit 9a3e1d8
Show file tree

Hide file tree

Showing 8 changed files with 100 additions and 55 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -219,7 +219,7 @@ httptest = "0.15.5"
 hubtools = { git = "https://github.com/oxidecomputer/hubtools.git", branch = "main" }
 humantime = "2.1.0"
 hyper = "0.14"
-hyper-rustls = "0.24.2"
+hyper-rustls = "0.25.0"
 hyper-staticfile = "0.9.5"
 illumos-utils = { path = "illumos-utils" }
 indexmap = "2.1.0"
@@ -319,7 +319,8 @@ ring = "0.17.7"
 rpassword = "7.3.1"
 rstest = "0.18.2"
 rustfmt-wrapper = "0.2"
-rustls = "0.21.9"
+rustls = "0.22.2"
+rustls-pemfile = "2.0.0"
 rustyline = "12.0.0"
 samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
 schemars = "0.8.16"

diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
@@ -87,6 +87,7 @@ oximeter.workspace = true
 oximeter-instruments = { workspace = true, features = ["http-instruments"] }
 oximeter-producer.workspace = true
 rustls = { workspace = true }
+rustls-pemfile = { workspace = true }
 omicron-workspace-hack.workspace = true
 
 [dev-dependencies]

diff --git a/nexus/src/app/external_endpoints.rs b/nexus/src/app/external_endpoints.rs
@@ -429,19 +429,21 @@ impl TryFrom<Certificate> for TlsCertificate {
 
         // Assemble a rustls CertifiedKey with both the certificate and the key.
         let certified_key = {
-            let private_key_der = private_key
-                .private_key_to_der()
-                .context("serializing private key to DER")?;
-            let rustls_private_key = rustls::PrivateKey(private_key_der);
+            let mut cursor = std::io::Cursor::new(db_cert.key.clone());
+            let rustls_private_key = rustls_pemfile::private_key(&mut cursor)
+                .expect("parsing private key PEM")
+                .expect("no private keys found");
             let rustls_signing_key =
-                rustls::sign::any_supported_type(&rustls_private_key)
-                    .context("parsing DER private key")?;
+                rustls::crypto::ring::sign::any_supported_type(
+                    &rustls_private_key,
+                )
+                .context("parsing DER private key")?;
             let rustls_certs = certs_pem
                 .iter()
                 .map(|x509| {
                     x509.to_der()
                         .context("serializing cert to DER")
-                        .map(rustls::Certificate)
+                        .map(rustls::pki_types::CertificateDer::from)
                 })
                 .collect::<Result<_, _>>()?;
             Arc::new(CertifiedKey::new(rustls_certs, rustls_signing_key))
@@ -563,6 +565,7 @@ pub(crate) async fn read_all_endpoints(
 /// session.
 ///
 /// See the module-level comment for more details.
+#[derive(Debug)]
 pub struct NexusCertResolver {
     log: slog::Logger,
     config_rx: watch::Receiver<Option<ExternalEndpoints>>,

diff --git a/nexus/src/app/mod.rs b/nexus/src/app/mod.rs
@@ -518,10 +518,6 @@ impl Nexus {
         }
 
         let mut rustls_cfg = rustls::ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_safe_default_protocol_versions()
-            .unwrap()
             .with_no_client_auth()
             .with_cert_resolver(Arc::new(NexusCertResolver::new(
                 self.log.new(o!("component" => "NexusCertResolver")),

diff --git a/sled-agent/Cargo.toml b/sled-agent/Cargo.toml
@@ -53,11 +53,11 @@ propolis-client.workspace = true
 propolis-mock-server.workspace = true # Only used by the simulated sled agent
 rand = { workspace = true, features = ["getrandom"] }
 reqwest = { workspace = true, features = ["rustls-tls", "stream"] }
-schemars = { workspace = true, features = [ "chrono", "uuid1" ] }
+schemars = { workspace = true, features = ["chrono", "uuid1"] }
 semver.workspace = true
 serde.workspace = true
 serde_human_bytes.workspace = true
-serde_json = {workspace = true, features = ["raw_value"]}
+serde_json = { workspace = true, features = ["raw_value"] }
 sha3.workspace = true
 sled-agent-client.workspace = true
 sled-hardware.workspace = true
@@ -70,7 +70,7 @@ smf.workspace = true
 tar.workspace = true
 thiserror.workspace = true
 tofino.workspace = true
-tokio = { workspace = true, features = [ "full" ] }
+tokio = { workspace = true, features = ["full"] }
 toml.workspace = true
 usdt.workspace = true
 uuid.workspace = true

diff --git a/test-utils/src/certificates.rs b/test-utils/src/certificates.rs
@@ -5,14 +5,14 @@
 //! Utilities for tests that need certificates.
 
 // Utility structure for making a test certificate
-pub struct CertificateChain {
-    root_cert: rustls::Certificate,
-    intermediate_cert: rustls::Certificate,
-    end_cert: rustls::Certificate,
+pub struct CertificateChain<'a> {
+    root_cert: rustls::pki_types::CertificateDer<'a>,
+    intermediate_cert: rustls::pki_types::CertificateDer<'a>,
+    end_cert: rustls::pki_types::CertificateDer<'a>,
     end_keypair: rcgen::Certificate,
 }
 
-impl CertificateChain {
+impl<'a> CertificateChain<'a> {
     pub fn new<S: Into<String>>(subject_alt_name: S) -> Self {
         let params =
             rcgen::CertificateParams::new(vec![subject_alt_name.into()]);
@@ -36,17 +36,17 @@ impl CertificateChain {
         let end_keypair = rcgen::Certificate::from_params(params)
             .expect("failed to generate end-entity keys");
 
-        let root_cert = rustls::Certificate(
+        let root_cert = rustls::pki_types::CertificateDer::from(
             root_keypair
                 .serialize_der()
                 .expect("failed to serialize root cert"),
         );
-        let intermediate_cert = rustls::Certificate(
+        let intermediate_cert = rustls::pki_types::CertificateDer::from(
             intermediate_keypair
                 .serialize_der_with_signer(&root_keypair)
                 .expect("failed to serialize intermediate cert"),
         );
-        let end_cert = rustls::Certificate(
+        let end_cert = rustls::pki_types::CertificateDer::from(
             end_keypair
                 .serialize_der_with_signer(&intermediate_keypair)
                 .expect("failed to serialize end-entity cert"),
@@ -63,7 +63,7 @@ impl CertificateChain {
         self.end_keypair.serialize_private_key_pem()
     }
 
-    fn cert_chain(&self) -> Vec<rustls::Certificate> {
+    fn cert_chain(&self) -> Vec<rustls::pki_types::CertificateDer<'a>> {
         vec![
             self.end_cert.clone(),
             self.intermediate_cert.clone(),
@@ -76,12 +76,12 @@ impl CertificateChain {
     }
 }
 
-fn tls_cert_to_pem(certs: &Vec<rustls::Certificate>) -> String {
+fn tls_cert_to_pem(certs: &Vec<rustls::pki_types::CertificateDer>) -> String {
     let mut serialized_certs = String::new();
     for cert in certs {
         let encoded_cert = pem::encode(&pem::Pem::new(
             "CERTIFICATE".to_string(),
-            cert.0.clone(),
+            cert.to_vec(),
         ));
 
         serialized_certs.push_str(&encoded_cert);