chore: remove x509-parser (#11247)
Both crates seem well maintained. x509-cert is part of the high-quality RustCrypto project, which we already make heavy use of, and I think it makes sense to reduce dependencies where possible.
91
Cargo.lock
generated
91
Cargo.lock
generated
@@ -167,45 +167,6 @@ version = "0.7.6"
|
|||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
|
checksum = "7c02d123df017efcdfbd739ef81735b36c5ba83ec3c59c80a9d7ecc718f92e50"
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "asn1-rs"
|
|
||||||
version = "0.6.2"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "5493c3bedbacf7fd7382c6346bbd66687d12bbaad3a89a2d2c303ee6cf20b048"
|
|
||||||
dependencies = [
|
|
||||||
"asn1-rs-derive",
|
|
||||||
"asn1-rs-impl",
|
|
||||||
"displaydoc",
|
|
||||||
"nom",
|
|
||||||
"num-traits",
|
|
||||||
"rusticata-macros",
|
|
||||||
"thiserror 1.0.69",
|
|
||||||
"time",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "asn1-rs-derive"
|
|
||||||
version = "0.5.1"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "965c2d33e53cb6b267e148a4cb0760bc01f4904c1cd4bb4002a085bb016d1490"
|
|
||||||
dependencies = [
|
|
||||||
"proc-macro2",
|
|
||||||
"quote",
|
|
||||||
"syn 2.0.100",
|
|
||||||
"synstructure",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "asn1-rs-impl"
|
|
||||||
version = "0.2.0"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "7b18050c2cd6fe86c3a76584ef5e0baf286d038cda203eb6223df2cc413565f7"
|
|
||||||
dependencies = [
|
|
||||||
"proc-macro2",
|
|
||||||
"quote",
|
|
||||||
"syn 2.0.100",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "assert-json-diff"
|
name = "assert-json-diff"
|
||||||
version = "2.0.2"
|
version = "2.0.2"
|
||||||
@@ -1813,20 +1774,6 @@ dependencies = [
|
|||||||
"zeroize",
|
"zeroize",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "der-parser"
|
|
||||||
version = "9.0.0"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "5cd0a5c643689626bec213c4d8bd4d96acc8ffdb4ad4bb6bc16abf27d5f4b553"
|
|
||||||
dependencies = [
|
|
||||||
"asn1-rs",
|
|
||||||
"displaydoc",
|
|
||||||
"nom",
|
|
||||||
"num-bigint",
|
|
||||||
"num-traits",
|
|
||||||
"rusticata-macros",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "der_derive"
|
name = "der_derive"
|
||||||
version = "0.7.3"
|
version = "0.7.3"
|
||||||
@@ -4044,15 +3991,6 @@ dependencies = [
|
|||||||
"memchr",
|
"memchr",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "oid-registry"
|
|
||||||
version = "0.7.1"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "a8d8034d9489cdaf79228eb9f6a3b8d7bb32ba00d6645ebd48eef4077ceb5bd9"
|
|
||||||
dependencies = [
|
|
||||||
"asn1-rs",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "once_cell"
|
name = "once_cell"
|
||||||
version = "1.20.2"
|
version = "1.20.2"
|
||||||
@@ -5227,7 +5165,7 @@ dependencies = [
|
|||||||
"uuid",
|
"uuid",
|
||||||
"walkdir",
|
"walkdir",
|
||||||
"workspace_hack",
|
"workspace_hack",
|
||||||
"x509-parser",
|
"x509-cert",
|
||||||
"zerocopy",
|
"zerocopy",
|
||||||
]
|
]
|
||||||
|
|
||||||
@@ -5848,15 +5786,6 @@ dependencies = [
|
|||||||
"semver",
|
"semver",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "rusticata-macros"
|
|
||||||
version = "4.1.0"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
|
|
||||||
dependencies = [
|
|
||||||
"nom",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "rustix"
|
name = "rustix"
|
||||||
version = "0.38.41"
|
version = "0.38.41"
|
||||||
@@ -8440,7 +8369,6 @@ dependencies = [
|
|||||||
"der 0.7.8",
|
"der 0.7.8",
|
||||||
"deranged",
|
"deranged",
|
||||||
"digest",
|
"digest",
|
||||||
"displaydoc",
|
|
||||||
"ecdsa 0.16.9",
|
"ecdsa 0.16.9",
|
||||||
"either",
|
"either",
|
||||||
"elliptic-curve 0.13.8",
|
"elliptic-curve 0.13.8",
|
||||||
@@ -8568,23 +8496,6 @@ dependencies = [
|
|||||||
"zeroize",
|
"zeroize",
|
||||||
]
|
]
|
||||||
|
|
||||||
[[package]]
|
|
||||||
name = "x509-parser"
|
|
||||||
version = "0.16.0"
|
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
||||||
checksum = "fcbc162f30700d6f3f82a24bf7cc62ffe7caea42c0b2cba8bf7f3ae50cf51f69"
|
|
||||||
dependencies = [
|
|
||||||
"asn1-rs",
|
|
||||||
"data-encoding",
|
|
||||||
"der-parser",
|
|
||||||
"lazy_static",
|
|
||||||
"nom",
|
|
||||||
"oid-registry",
|
|
||||||
"rusticata-macros",
|
|
||||||
"thiserror 1.0.69",
|
|
||||||
"time",
|
|
||||||
]
|
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "xattr"
|
name = "xattr"
|
||||||
version = "1.0.0"
|
version = "1.0.0"
|
||||||
|
|||||||
@@ -215,10 +215,10 @@ urlencoding = "2.1"
|
|||||||
uuid = { version = "1.6.1", features = ["v4", "v7", "serde"] }
|
uuid = { version = "1.6.1", features = ["v4", "v7", "serde"] }
|
||||||
walkdir = "2.3.2"
|
walkdir = "2.3.2"
|
||||||
rustls-native-certs = "0.8"
|
rustls-native-certs = "0.8"
|
||||||
x509-parser = "0.16"
|
|
||||||
whoami = "1.5.1"
|
whoami = "1.5.1"
|
||||||
zerocopy = { version = "0.7", features = ["derive"] }
|
zerocopy = { version = "0.7", features = ["derive"] }
|
||||||
json-structural-diff = { version = "0.2.0" }
|
json-structural-diff = { version = "0.2.0" }
|
||||||
|
x509-cert = { version = "0.2.5" }
|
||||||
|
|
||||||
## TODO replace this with tracing
|
## TODO replace this with tracing
|
||||||
env_logger = "0.11"
|
env_logger = "0.11"
|
||||||
|
|||||||
@@ -61,7 +61,7 @@ thiserror.workspace = true
|
|||||||
url.workspace = true
|
url.workspace = true
|
||||||
uuid.workspace = true
|
uuid.workspace = true
|
||||||
walkdir.workspace = true
|
walkdir.workspace = true
|
||||||
x509-cert = { version = "0.2.5" }
|
x509-cert.workspace = true
|
||||||
|
|
||||||
postgres_initdb.workspace = true
|
postgres_initdb.workspace = true
|
||||||
compute_api.workspace = true
|
compute_api.workspace = true
|
||||||
|
|||||||
@@ -3,7 +3,6 @@ use std::{io::Write, os::unix::fs::OpenOptionsExt, path::Path, time::Duration};
|
|||||||
use anyhow::{Context, Result, bail};
|
use anyhow::{Context, Result, bail};
|
||||||
use compute_api::responses::TlsConfig;
|
use compute_api::responses::TlsConfig;
|
||||||
use ring::digest;
|
use ring::digest;
|
||||||
use spki::ObjectIdentifier;
|
|
||||||
use spki::der::{Decode, PemReader};
|
use spki::der::{Decode, PemReader};
|
||||||
use x509_cert::Certificate;
|
use x509_cert::Certificate;
|
||||||
|
|
||||||
@@ -91,13 +90,13 @@ fn try_update_key_path_blocking(pg_data: &Path, tls_config: &TlsConfig) -> Resul
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn verify_key_cert(key: &str, cert: &str) -> Result<()> {
|
fn verify_key_cert(key: &str, cert: &str) -> Result<()> {
|
||||||
const ECDSA_WITH_SHA256: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.10045.4.3.2");
|
use x509_cert::der::oid::db::rfc5912::ECDSA_WITH_SHA_256;
|
||||||
|
|
||||||
let cert = Certificate::decode(&mut PemReader::new(cert.as_bytes()).context("pem reader")?)
|
let cert = Certificate::decode(&mut PemReader::new(cert.as_bytes()).context("pem reader")?)
|
||||||
.context("decode cert")?;
|
.context("decode cert")?;
|
||||||
|
|
||||||
match cert.signature_algorithm.oid {
|
match cert.signature_algorithm.oid {
|
||||||
ECDSA_WITH_SHA256 => {
|
ECDSA_WITH_SHA_256 => {
|
||||||
let key = p256::SecretKey::from_sec1_pem(key).context("parse key")?;
|
let key = p256::SecretKey::from_sec1_pem(key).context("parse key")?;
|
||||||
|
|
||||||
let a = key.public_key().to_sec1_bytes();
|
let a = key.public_key().to_sec1_bytes();
|
||||||
|
|||||||
@@ -70,8 +70,9 @@ reqwest-middleware = { workspace = true, features = ["json"] }
|
|||||||
reqwest-retry.workspace = true
|
reqwest-retry.workspace = true
|
||||||
reqwest-tracing.workspace = true
|
reqwest-tracing.workspace = true
|
||||||
rustc-hash.workspace = true
|
rustc-hash.workspace = true
|
||||||
rustls-pemfile.workspace = true
|
|
||||||
rustls.workspace = true
|
rustls.workspace = true
|
||||||
|
rustls-native-certs.workspace = true
|
||||||
|
rustls-pemfile.workspace = true
|
||||||
scopeguard.workspace = true
|
scopeguard.workspace = true
|
||||||
serde.workspace = true
|
serde.workspace = true
|
||||||
serde_json.workspace = true
|
serde_json.workspace = true
|
||||||
@@ -99,8 +100,7 @@ url.workspace = true
|
|||||||
urlencoding.workspace = true
|
urlencoding.workspace = true
|
||||||
utils.workspace = true
|
utils.workspace = true
|
||||||
uuid.workspace = true
|
uuid.workspace = true
|
||||||
rustls-native-certs.workspace = true
|
x509-cert.workspace = true
|
||||||
x509-parser.workspace = true
|
|
||||||
redis.workspace = true
|
redis.workspace = true
|
||||||
zerocopy.workspace = true
|
zerocopy.workspace = true
|
||||||
|
|
||||||
|
|||||||
@@ -6,7 +6,7 @@ use anyhow::Context;
|
|||||||
use rustls::pki_types::CertificateDer;
|
use rustls::pki_types::CertificateDer;
|
||||||
use sha2::{Digest, Sha256};
|
use sha2::{Digest, Sha256};
|
||||||
use tracing::{error, info};
|
use tracing::{error, info};
|
||||||
use x509_parser::oid_registry;
|
use x509_cert::der::{Reader, SliceReader, oid};
|
||||||
|
|
||||||
/// <https://github.com/postgres/postgres/blob/ca481d3c9ab7bf69ff0c8d71ad3951d407f6a33c/src/include/libpq/pqcomm.h#L159>
|
/// <https://github.com/postgres/postgres/blob/ca481d3c9ab7bf69ff0c8d71ad3951d407f6a33c/src/include/libpq/pqcomm.h#L159>
|
||||||
pub const PG_ALPN_PROTOCOL: &[u8] = b"postgresql";
|
pub const PG_ALPN_PROTOCOL: &[u8] = b"postgresql";
|
||||||
@@ -41,27 +41,27 @@ pub enum TlsServerEndPoint {
|
|||||||
|
|
||||||
impl TlsServerEndPoint {
|
impl TlsServerEndPoint {
|
||||||
pub fn new(cert: &CertificateDer<'_>) -> anyhow::Result<Self> {
|
pub fn new(cert: &CertificateDer<'_>) -> anyhow::Result<Self> {
|
||||||
let sha256_oids = [
|
const SHA256_OIDS: &[oid::ObjectIdentifier] = &[
|
||||||
// I'm explicitly not adding MD5 or SHA1 here... They're bad.
|
// I'm explicitly not adding MD5 or SHA1 here... They're bad.
|
||||||
oid_registry::OID_SIG_ECDSA_WITH_SHA256,
|
oid::db::rfc5912::ECDSA_WITH_SHA_256,
|
||||||
oid_registry::OID_PKCS1_SHA256WITHRSA,
|
oid::db::rfc5912::SHA_256_WITH_RSA_ENCRYPTION,
|
||||||
];
|
];
|
||||||
|
|
||||||
let pem = x509_parser::parse_x509_certificate(cert)
|
let certificate = SliceReader::new(cert)
|
||||||
.context("Failed to parse PEM object from cerficiate")?
|
.context("Failed to parse cerficiate")?
|
||||||
.1;
|
.decode::<x509_cert::Certificate>()
|
||||||
|
.context("Failed to parse cerficiate")?;
|
||||||
|
|
||||||
info!(subject = %pem.subject, "parsing TLS certificate");
|
let subject = certificate.tbs_certificate.subject;
|
||||||
|
info!(%subject, "parsing TLS certificate");
|
||||||
|
|
||||||
let reg = oid_registry::OidRegistry::default().with_all_crypto();
|
let oid = certificate.signature_algorithm.oid;
|
||||||
let oid = pem.signature_algorithm.oid();
|
if SHA256_OIDS.contains(&oid) {
|
||||||
let alg = reg.get(oid);
|
|
||||||
if sha256_oids.contains(oid) {
|
|
||||||
let tls_server_end_point: [u8; 32] = Sha256::new().chain_update(cert).finalize().into();
|
let tls_server_end_point: [u8; 32] = Sha256::new().chain_update(cert).finalize().into();
|
||||||
info!(subject = %pem.subject, signature_algorithm = alg.map(|a| a.description()), tls_server_end_point = %base64::encode(tls_server_end_point), "determined channel binding");
|
info!(%subject, tls_server_end_point = %base64::encode(tls_server_end_point), "determined channel binding");
|
||||||
Ok(Self::Sha256(tls_server_end_point))
|
Ok(Self::Sha256(tls_server_end_point))
|
||||||
} else {
|
} else {
|
||||||
error!(subject = %pem.subject, signature_algorithm = alg.map(|a| a.description()), "unknown channel binding");
|
error!(%subject, "unknown channel binding");
|
||||||
Ok(Self::Undefined)
|
Ok(Self::Undefined)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
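Review bot: The `error!(%subject, "unknown channel binding")` line no longer records which signature algorithm was rejected — the old code logged `alg.map(|a| a.description())`, and the new code has `oid` in scope but drops it, so an operator seeing a certificate fall back to `Self::Undefined` (no channel binding offered) cannot tell from the log whether it was an unsupported digest or an unexpected OID. `ObjectIdentifier` implements `Display`, so `error!(%subject, signature_algorithm = %oid, "unknown channel binding");` restores that, and the same field is worth keeping on the success-path `info!` too. Separately, `SliceReader::new(cert)?.decode::<x509_cert::Certificate>()` does not check for trailing bytes after the certificate; `x509_cert::Certificate::from_der(cert)` (via the `Decode` trait) performs that `finish()` check and collapses the two identical `"Failed to parse cerficiate"` contexts into one (the typo in that message is carried over from the old string).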
|
|||||||
@@ -5,6 +5,7 @@ use anyhow::{Context, bail};
|
|||||||
use itertools::Itertools;
|
use itertools::Itertools;
|
||||||
use rustls::crypto::ring::{self, sign};
|
use rustls::crypto::ring::{self, sign};
|
||||||
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
use rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
||||||
|
use x509_cert::der::{Reader, SliceReader};
|
||||||
|
|
||||||
use super::{PG_ALPN_PROTOCOL, TlsServerEndPoint};
|
use super::{PG_ALPN_PROTOCOL, TlsServerEndPoint};
|
||||||
|
|
||||||
@@ -131,11 +132,13 @@ impl CertResolver {
|
|||||||
|
|
||||||
let first_cert = &cert_chain[0];
|
let first_cert = &cert_chain[0];
|
||||||
let tls_server_end_point = TlsServerEndPoint::new(first_cert)?;
|
let tls_server_end_point = TlsServerEndPoint::new(first_cert)?;
|
||||||
let pem = x509_parser::parse_x509_certificate(first_cert)
|
|
||||||
.context("Failed to parse PEM object from cerficiate")?
|
|
||||||
.1;
|
|
||||||
|
|
||||||
let common_name = pem.subject().to_string();
|
let certificate = SliceReader::new(first_cert)
|
||||||
|
.context("Failed to parse cerficiate")?
|
||||||
|
.decode::<x509_cert::Certificate>()
|
||||||
|
.context("Failed to parse cerficiate")?;
|
||||||
|
|
||||||
|
let common_name = certificate.tbs_certificate.subject.to_string();
|
||||||
|
|
||||||
// We need to get the canonical name for this certificate so we can match them against any domain names
|
// We need to get the canonical name for this certificate so we can match them against any domain names
|
||||||
// seen within the proxy codebase.
|
// seen within the proxy codebase.
|
||||||
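Review bot: `certificate.tbs_certificate.subject.to_string()` changes the textual form of the subject — x509-parser rendered RDNs with a `", "` separator, while, as far as I recall, x509-cert's `Name` `Display` uses a bare comma and its RDN ordering differs between crate versions — and the code that turns `common_name` into a canonical hostname continues past the end of this hunk, so confirm that its string handling still finds the CN. Extracting the CN structurally, by scanning `certificate.tbs_certificate.subject` for the `rfc4519::CN` attribute and decoding its value, would remove the dependency on the `Display` format altogether. The certificate is also parsed twice: `TlsServerEndPoint::new(first_cert)` on the line above decodes it and this block decodes it again; one of them could reuse the parsed `Certificate`. The two identical `.context("Failed to parse cerficiate")` calls could become a single `x509_cert::Certificate::from_der(first_cert)`, which additionally rejects trailing bytes.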
|
|||||||
@@ -61,7 +61,7 @@ memchr = { version = "2" }
|
|||||||
nix = { version = "0.26" }
|
nix = { version = "0.26" }
|
||||||
nom = { version = "7" }
|
nom = { version = "7" }
|
||||||
num = { version = "0.4" }
|
num = { version = "0.4" }
|
||||||
num-bigint = { version = "0.4" }
|
num-bigint = { version = "0.4", default-features = false, features = ["std"] }
|
||||||
num-complex = { version = "0.4", default-features = false, features = ["std"] }
|
num-complex = { version = "0.4", default-features = false, features = ["std"] }
|
||||||
num-integer = { version = "0.1", features = ["i128"] }
|
num-integer = { version = "0.1", features = ["i128"] }
|
||||||
num-iter = { version = "0.1", default-features = false, features = ["i128", "std"] }
|
num-iter = { version = "0.1", default-features = false, features = ["i128", "std"] }
|
||||||
@@ -115,7 +115,6 @@ anyhow = { version = "1", features = ["backtrace"] }
|
|||||||
bytes = { version = "1", features = ["serde"] }
|
bytes = { version = "1", features = ["serde"] }
|
||||||
cc = { version = "1", default-features = false, features = ["parallel"] }
|
cc = { version = "1", default-features = false, features = ["parallel"] }
|
||||||
chrono = { version = "0.4", default-features = false, features = ["clock", "serde", "wasmbind"] }
|
chrono = { version = "0.4", default-features = false, features = ["clock", "serde", "wasmbind"] }
|
||||||
displaydoc = { version = "0.2" }
|
|
||||||
either = { version = "1" }
|
either = { version = "1" }
|
||||||
getrandom = { version = "0.2", default-features = false, features = ["std"] }
|
getrandom = { version = "0.2", default-features = false, features = ["std"] }
|
||||||
half = { version = "2", default-features = false, features = ["num-traits"] }
|
half = { version = "2", default-features = false, features = ["num-traits"] }
|
||||||
@@ -128,7 +127,7 @@ log = { version = "0.4", default-features = false, features = ["std"] }
|
|||||||
memchr = { version = "2" }
|
memchr = { version = "2" }
|
||||||
nom = { version = "7" }
|
nom = { version = "7" }
|
||||||
num = { version = "0.4" }
|
num = { version = "0.4" }
|
||||||
num-bigint = { version = "0.4" }
|
num-bigint = { version = "0.4", default-features = false, features = ["std"] }
|
||||||
num-complex = { version = "0.4", default-features = false, features = ["std"] }
|
num-complex = { version = "0.4", default-features = false, features = ["std"] }
|
||||||
num-integer = { version = "0.1", features = ["i128"] }
|
num-integer = { version = "0.1", features = ["i128"] }
|
||||||
num-iter = { version = "0.1", default-features = false, features = ["i128", "std"] }
|
num-iter = { version = "0.1", default-features = false, features = ["i128", "std"] }
|
||||||
|
|||||||