cloudiful_server/core/
tls.rs1use std::{fs::File, io::BufReader, sync::Arc};
2
3use crate::core::{
4 ValidatedServerConfig,
5 error::{ServerError, TlsConfigLoadError},
6};
7
8pub fn load_tls_config<U>(
9 config: &ValidatedServerConfig<U>,
10) -> Result<Option<rustls::ServerConfig>, ServerError> {
11 let Some(tls) = config.tls.as_ref() else {
12 return Ok(None);
13 };
14
15 let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
16
17 let mut cert_file = BufReader::new(File::open(&tls.cert_path).map_err(|source| {
18 ServerError::Tls(TlsConfigLoadError::OpenCertificate {
19 path: tls.cert_path.clone(),
20 source,
21 })
22 })?);
23
24 let mut key_file = BufReader::new(File::open(&tls.cert_key_path).map_err(|source| {
25 ServerError::Tls(TlsConfigLoadError::OpenPrivateKey {
26 path: tls.cert_key_path.clone(),
27 source,
28 })
29 })?);
30
31 let tls_certs = rustls_pemfile::certs(&mut cert_file)
32 .collect::<Result<Vec<_>, _>>()
33 .map_err(|source| {
34 ServerError::Tls(TlsConfigLoadError::ReadCertificates {
35 path: tls.cert_path.clone(),
36 source,
37 })
38 })?;
39
40 let tls_key = rustls_pemfile::private_key(&mut key_file)
41 .map_err(|source| {
42 ServerError::Tls(TlsConfigLoadError::ReadPrivateKey {
43 path: tls.cert_key_path.clone(),
44 source,
45 })
46 })?
47 .ok_or_else(|| {
48 ServerError::Tls(TlsConfigLoadError::MissingPrivateKey {
49 path: tls.cert_key_path.clone(),
50 })
51 })?;
52
53 let builder = rustls::ServerConfig::builder();
54 let builder = match tls.client_ca.as_ref() {
55 Some(client_ca_path) => {
56 let mut client_ca_file = BufReader::new(File::open(client_ca_path).map_err(|source| {
57 ServerError::Tls(TlsConfigLoadError::OpenClientCa {
58 path: client_ca_path.clone(),
59 source,
60 })
61 })?);
62
63 let client_ca_certs = rustls_pemfile::certs(&mut client_ca_file)
64 .collect::<Result<Vec<_>, _>>()
65 .map_err(|source| {
66 ServerError::Tls(TlsConfigLoadError::ReadClientCa {
67 path: client_ca_path.clone(),
68 source,
69 })
70 })?;
71
72 let mut client_roots = rustls::RootCertStore::empty();
73 let (added, _ignored) = client_roots.add_parsable_certificates(client_ca_certs);
74 if added == 0 {
75 return Err(ServerError::Tls(TlsConfigLoadError::InvalidClientCa {
76 path: client_ca_path.clone(),
77 source: rustls::Error::General("no valid client CA certificates found".into()),
78 }));
79 }
80
81 let client_verifier = rustls::server::WebPkiClientVerifier::builder(Arc::new(client_roots))
82 .build()
83 .map_err(|source| {
84 ServerError::Tls(TlsConfigLoadError::InvalidClientCa {
85 path: client_ca_path.clone(),
86 source: rustls::Error::General(source.to_string().into()),
87 })
88 })?;
89
90 builder.with_client_cert_verifier(client_verifier)
91 }
92 None => builder.with_no_client_auth(),
93 };
94
95 builder
96 .with_single_cert(tls_certs, tls_key)
97 .map(Some)
98 .map_err(|source| ServerError::Tls(TlsConfigLoadError::InvalidConfig { source }))
99}