crabka-security 0.3.1

TLS, SASL, SCRAM, OAuth, and Kerberos security utilities for Crabka
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

//! Build a rustls `ClientConfig` whose trust roots are exclusively the
//! certificates in a user-supplied PEM bundle. Backs the
//! broker's outbound HTTPS to the JWKS endpoint when the operator
//! configures a private `IdP` CA (Strimzi-shaped tlsTrustedCertificates
//! "replace" semantic — webpki-roots are not consulted when this is
//! used).

use std::path::{Path, PathBuf};
use std::sync::Arc;

use rustls::pki_types::CertificateDer;
use rustls::pki_types::pem::PemObject;
use thiserror::Error;

#[derive(Debug, Error)]
pub enum JwksTrustError {
    #[error("read {0}: {1}")]
    Io(PathBuf, std::io::Error),
    #[error("no certificates in {0}")]
    Empty(PathBuf),
    #[error("rustls add cert: {0}")]
    Rustls(#[from] rustls::Error),
}

/// Read a PEM bundle of one or more CA certificates and produce a
/// `rustls::ClientConfig` that trusts exactly those certificates. The
/// returned config has no client auth (the broker does not present a
/// client cert when fetching the JWKS endpoint).
pub fn build_client_config_from_pem(
    path: &Path,
) -> Result<Arc<rustls::ClientConfig>, JwksTrustError> {
    let certs: Vec<CertificateDer<'static>> = CertificateDer::pem_file_iter(path)
        .map_err(|e| JwksTrustError::Io(path.into(), std::io::Error::other(e.to_string())))?
        .collect::<Result<Vec<_>, _>>()
        .map_err(|e| JwksTrustError::Io(path.into(), std::io::Error::other(e.to_string())))?;
    if certs.is_empty() {
        return Err(JwksTrustError::Empty(path.into()));
    }
    let mut roots = rustls::RootCertStore::empty();
    for cert in certs {
        roots.add(cert)?;
    }
    Ok(Arc::new(
        rustls::ClientConfig::builder()
            .with_root_certificates(roots)
            .with_no_client_auth(),
    ))
}

#[cfg(test)]
mod tests {
    use super::*;
    use assert2::assert;
    use std::fs::File;
    use std::io::Write;

    fn install_provider() {
        // rustls requires an explicit CryptoProvider when no default feature
        // is compiled in. Mirrors the pattern in tls.rs.
        let _ = rustls::crypto::ring::default_provider().install_default();
    }

    fn dev_cert_pem() -> &'static str {
        include_str!("../tests/fixtures/dev_cert.pem")
    }

    #[test]
    fn build_client_config_from_pem_loads_single_cert() {
        install_provider();
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("ca.pem");
        File::create(&path)
            .unwrap()
            .write_all(dev_cert_pem().as_bytes())
            .unwrap();
        let cfg = build_client_config_from_pem(&path).expect("single cert PEM should load");
        // Smoke-check it's actually a ClientConfig (compile-level type
        // check is the main assertion; runtime use is exercised by HTTPS
        // integration tests).
        let _: Arc<rustls::ClientConfig> = cfg;
    }

    #[test]
    fn build_client_config_from_pem_loads_concatenated_chain() {
        install_provider();
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("ca-chain.pem");
        let mut f = File::create(&path).unwrap();
        f.write_all(dev_cert_pem().as_bytes()).unwrap();
        f.write_all(b"\n").unwrap();
        f.write_all(dev_cert_pem().as_bytes()).unwrap();
        let cfg = build_client_config_from_pem(&path);
        assert!(cfg.is_ok(), "concatenated chain should load: {cfg:?}");
    }

    #[test]
    fn build_client_config_from_pem_rejects_missing_file() {
        install_provider();
        let err = build_client_config_from_pem(Path::new("/nonexistent/path.pem")).unwrap_err();
        assert!(
            matches!(err, JwksTrustError::Io(_, _)),
            "expected Io, got {err:?}",
        );
    }

    #[test]
    fn build_client_config_from_pem_rejects_empty_pem() {
        install_provider();
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("empty.pem");
        File::create(&path)
            .unwrap()
            .write_all(b"# no certs in this file\n")
            .unwrap();
        let err = build_client_config_from_pem(&path).unwrap_err();
        // Either Empty (parser returned zero certs) or Io (parser
        // errored on the "comment-only" content). Both are acceptable
        // rejection shapes — both reach the right outcome (no
        // ClientConfig produced).
        assert!(
            matches!(err, JwksTrustError::Empty(_) | JwksTrustError::Io(_, _)),
            "expected Empty or Io, got {err:?}",
        );
    }

    #[test]
    fn build_client_config_from_pem_rejects_non_pem_garbage() {
        install_provider();
        let dir = tempfile::tempdir().unwrap();
        let path = dir.path().join("garbage.bin");
        File::create(&path).unwrap().write_all(&[0u8; 64]).unwrap();
        let err = build_client_config_from_pem(&path);
        assert!(
            err.is_err(),
            "arbitrary bytes should not parse as a PEM bundle"
        );
    }
}