Support configuring a CA certificates bundle and update to tokio-rustls 0.26.1#290
Wants to merge 4 commits into prisma:main.
Conversation
The trust_cert_ca() config option configures one specific trusted CA certificate. However, there are two downsides:

- it requires a file path, so an in-memory certificate would have to be written to a temporary file
- it supports loading exactly one certificate, so if you need to load an entire bundle (e.g. the AWS RDS bundle) you're out of luck

The trust_cert_ca_bundle() method implemented here solves both of these issues by taking a bundle of PEM-encoded CA certificates in a Vec<u8> and adding all of them to the TLS context. For cases where a CA bundle needs to be loaded from disk, users can of course simply read the file on their end and pass the contents to trust_cert_ca_bundle.
| &self.bundle[begin..next_begin.unwrap_or(self.bundle.len() - 1)] | ||
| }) | ||
| } | ||
| } |
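Review bot: the slice end `self.bundle.len() - 1` in `next_begin.unwrap_or(...)` drops the final byte of the bundle for the last certificate, so a bundle that does not end with a trailing newline loses the closing dash of its END marker and that certificate fails to parse; `self.bundle.len() - 1` also underflows (and panics in debug builds) when the bundle is empty. Using `unwrap_or(self.bundle.len())` as the end of the slice covers both cases, and a unit test with a bundle lacking a trailing newline would catch a regression.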
This looks good, but I think it ignores the markers for the end of the certificate. Have you tested this outside of this repo? Do you think a test case in this repo would be doable, to confirm that this doesn't break?
> I think it ignores the markers for the end of the certificate

I'm not sure I understand. In any valid PEM bundle, each certificate is terminated before the next one begins. The only thing this code does is split a bundle of concatenated PEM structures into individual PEM structures. The PEM format explicitly allows arbitrary data (which parsers must skip over) before the BEGIN and after the END marker, so cleanly terminating after the END marker is not a requirement.

> Have you tested this outside of this repo

We're using this code in production.

> Do you think a test case in this repo would be doable

Sure. Do you think it would be sufficient to just have a small unit test that loads an arbitrary bundle using include_str!() and verifies that the expected number of certificates is produced? Or did you have something else in mind?
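For reference, here is a bundle splitter that honours both the BEGIN and END markers, together with the certificate-count check the discussion proposes as a unit test. This is an added example, not the PR's implementation; the sample bundle is constructed with placeholder bodies (not real certificates) and deliberately has no trailing newline.

```rust
const BEGIN: &str = "-----BEGIN ";
const END: &str = "-----END ";

/// Returns the label text up to the closing dashes, e.g. "CERTIFICATE".
fn label_before_dashes(s: &str) -> Option<&str> {
    s.find("-----").map(|i| &s[..i])
}

/// Split a concatenated PEM bundle into individual PEM blocks.
/// Text outside the markers is skipped, as PEM allows; a block whose
/// END marker is missing, or whose END label differs from its BEGIN
/// label, is discarded rather than returned truncated.
pub fn split_pem_bundle(bundle: &str) -> Vec<&str> {
    let mut blocks = Vec::new();
    let mut rest = bundle;
    while let Some(start) = rest.find(BEGIN) {
        let block = &rest[start..];
        let Some(begin_label) = label_before_dashes(&block[BEGIN.len()..]) else { break };
        let Some(end_pos) = block.find(END) else { break };
        let after_end = &block[end_pos + END.len()..];
        let Some(end_label) = label_before_dashes(after_end) else { break };
        // Include the END line's closing dashes in the returned block.
        let block_len = end_pos + END.len() + end_label.len() + "-----".len();
        if begin_label == end_label {
            blocks.push(&block[..block_len]);
        }
        rest = &block[block_len..];
    }
    blocks
}

/// The check proposed in the discussion: how many certificates a bundle yields.
pub fn count_certificates(bundle: &str) -> usize {
    split_pem_bundle(bundle)
        .iter()
        .filter(|b| b.starts_with("-----BEGIN CERTIFICATE-----"))
        .count()
}

/// Constructed sample bundle (placeholder bodies, not real certificates),
/// with comment lines between blocks and no trailing newline.
pub const SAMPLE_BUNDLE: &str = "\
# Root CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA==
-----END CERTIFICATE-----
# Intermediate CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediate==
-----END CERTIFICATE-----";

fn main() {
    println!("certificates in bundle: {}", count_certificates(SAMPLE_BUNDLE));
}
```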
Hi, what's blocking this from getting merged?