From 2ec898502255fdc74fa6739e9edba94fb7ae1fa5 Mon Sep 17 00:00:00 2001
From: Danielle Lancashire <dani@builds.terrible.systems>
Date: Sat, 23 Mar 2024 09:34:58 +0100
Subject: [PATCH] tls: Update dependencies and fixes for removed types

This unbreaks building spin on RiscV, and is otherwise good dependency
hygiene.

Signed-off-by: Danielle Lancashire <dani@builds.terrible.systems>
---
 Cargo.lock                     | 95 +++++-----------------------------
 crates/trigger-http/Cargo.toml |  4 +-
 crates/trigger-http/src/tls.rs | 19 ++++---
 3 files changed, 24 insertions(+), 94 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index dbf00ed291..8ae355bcf4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2035,7 +2035,7 @@ checksum = "55ac459de2512911e4b674ce33cf20befaba382d05b62b008afc1c8b57cbf181"
 dependencies = [
  "futures-core",
  "futures-sink",
- "spin 0.9.8",
+ "spin",
 ]
 
 [[package]]
@@ -5313,21 +5313,6 @@ dependencies = [
  "winreg",
 ]
 
-[[package]]
-name = "ring"
-version = "0.16.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
-dependencies = [
- "cc",
- "libc",
- "once_cell",
- "spin 0.5.2",
- "untrusted 0.7.1",
- "web-sys",
- "winapi",
-]
-
 [[package]]
 name = "ring"
 version = "0.17.8"
@@ -5338,8 +5323,8 @@ dependencies = [
  "cfg-if",
  "getrandom 0.2.12",
  "libc",
- "spin 0.9.8",
- "untrusted 0.9.0",
+ "spin",
+ "untrusted",
  "windows-sys 0.52.0",
 ]
 
@@ -5497,18 +5482,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "rustls"
-version = "0.20.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b80e3dec595989ea8510028f30c408a4630db12c9cbb8de34203b89d6577e99"
-dependencies = [
- "log",
- "ring 0.16.20",
- "sct",
- "webpki",
-]
-
 [[package]]
 name = "rustls"
 version = "0.21.10"
@@ -5516,7 +5489,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f9d5a6813c0759e4609cd494e8e725babae6a2ca7b62a5536a13daaec6fcb7ba"
 dependencies = [
  "log",
- "ring 0.17.8",
+ "ring",
  "rustls-webpki 0.101.7",
  "sct",
 ]
@@ -5528,7 +5501,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e87c9956bd9807afa1f77e0f7594af32566e830e088a5576d27c5b6f30f49d41"
 dependencies = [
  "log",
- "ring 0.17.8",
+ "ring",
  "rustls-pki-types",
  "rustls-webpki 0.102.2",
  "subtle",
@@ -5548,15 +5521,6 @@ dependencies = [
  "security-framework",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360"
-dependencies = [
- "base64 0.13.1",
-]
-
 [[package]]
 name = "rustls-pemfile"
 version = "1.0.4"
@@ -5588,8 +5552,8 @@ version = "0.101.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
 dependencies = [
- "ring 0.17.8",
- "untrusted 0.9.0",
+ "ring",
+ "untrusted",
 ]
 
 [[package]]
@@ -5598,9 +5562,9 @@ version = "0.102.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "faaa0a62740bedb9b2ef5afa303da42764c012f743917351dc9a237ea1663610"
 dependencies = [
- "ring 0.17.8",
+ "ring",
  "rustls-pki-types",
- "untrusted 0.9.0",
+ "untrusted",
 ]
 
 [[package]]
@@ -5671,8 +5635,8 @@ version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
 dependencies = [
- "ring 0.17.8",
- "untrusted 0.9.0",
+ "ring",
+ "untrusted",
 ]
 
 [[package]]
@@ -5994,12 +5958,6 @@ dependencies = [
  "smallvec",
 ]
 
-[[package]]
-name = "spin"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
-
 [[package]]
 name = "spin"
 version = "0.9.8"
@@ -6676,7 +6634,7 @@ dependencies = [
  "num_cpus",
  "outbound-http",
  "percent-encoding",
- "rustls-pemfile 0.3.0",
+ "rustls-pemfile 2.1.1",
  "serde",
  "serde_json",
  "spin-app",
@@ -6690,7 +6648,7 @@ dependencies = [
  "terminal",
  "tls-listener",
  "tokio",
- "tokio-rustls 0.23.4",
+ "tokio-rustls 0.25.0",
  "tracing",
  "url",
  "wasi-common",
@@ -7257,17 +7215,6 @@ dependencies = [
  "whoami",
 ]
 
-[[package]]
-name = "tokio-rustls"
-version = "0.23.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c43ee83903113e03984cb9e5cebe6c04a5116269e900e3ddba8f068a62adda59"
-dependencies = [
- "rustls 0.20.9",
- "tokio",
- "webpki",
-]
-
 [[package]]
 name = "tokio-rustls"
 version = "0.24.1"
@@ -7692,12 +7639,6 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39ec24b3121d976906ece63c9daad25b85969647682eee313cb5779fdd69e14e"
 
-[[package]]
-name = "untrusted"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
-
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -8519,16 +8460,6 @@ dependencies = [
  "wasm-bindgen",
 ]
 
-[[package]]
-name = "webpki"
-version = "0.22.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed63aea5ce73d0ff405984102c42de94fc55a6b75765d621c65262469b3c9b53"
-dependencies = [
- "ring 0.17.8",
- "untrusted 0.9.0",
-]
-
 [[package]]
 name = "webpki-roots"
 version = "0.25.4"
diff --git a/crates/trigger-http/Cargo.toml b/crates/trigger-http/Cargo.toml
index ced8e44473..960e4a0f89 100644
--- a/crates/trigger-http/Cargo.toml
+++ b/crates/trigger-http/Cargo.toml
@@ -20,7 +20,7 @@ http-body-util = { workspace = true }
 indexmap = "1"
 outbound-http = { path = "../outbound-http" }
 percent-encoding = "2"
-rustls-pemfile = "0.3.0"
+rustls-pemfile = "2.1.1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
 spin-app = { path = "../app" }
@@ -33,7 +33,7 @@ spin-world = { path = "../world" }
 terminal = { path = "../terminal" }
 tls-listener = { version = "0.10.0", features = ["rustls"] }
 tokio = { version = "1.23", features = ["full"] }
-tokio-rustls = { version = "0.23.2" }
+tokio-rustls = { version = "0.25.0" }
 url = "2.4.1"
 tracing = { workspace = true }
 wasmtime = { workspace = true }
diff --git a/crates/trigger-http/src/tls.rs b/crates/trigger-http/src/tls.rs
index cb2ea0af67..4f99ed3fc2 100644
--- a/crates/trigger-http/src/tls.rs
+++ b/crates/trigger-http/src/tls.rs
@@ -1,3 +1,4 @@
+use crate::tls::rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer};
 use rustls_pemfile::{certs, pkcs8_private_keys};
 use std::{
     fs, io,
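Review bot: The added import reaches `pki_types` through `crate::tls::rustls`, which only resolves because this module imports `rustls` somewhere outside the hunk, while the next hunk spells the same module as `tokio_rustls::rustls::pki_types`. Using one path for both reads more clearly and does not depend on the module's own import: `use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};`. The call site can then write `PrivateKeyDer::Pkcs8(...)` without the full path.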
@@ -22,9 +23,11 @@ impl TlsConfig {
         let mut keys = load_keys(&self.key_path)?;
 
         let cfg = rustls::ServerConfig::builder()
-            .with_safe_defaults()
             .with_no_client_auth()
-            .with_single_cert(certs, keys.remove(0))
+            .with_single_cert(
+                certs,
+                tokio_rustls::rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)),
+            )
             .map_err(|e| anyhow::anyhow!("{}", e))?;
 
         Ok(Arc::new(cfg).into())
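Review bot: `keys.remove(0)` in the `with_single_cert` call panics when `load_keys` returns an empty vector. The updated loader collects only PKCS#8 entries, so a key file holding a key in another encoding, or no key at all, most likely produces an empty list rather than an error. A TLS listener should refuse to start with a readable message instead of panicking on operator-supplied input: `let key = keys.into_iter().next().ok_or_else(|| anyhow::anyhow!("no PKCS#8 private key found in key file"))?;` and then pass `PrivateKeyDer::Pkcs8(key)`. The enclosing function begins above the hunk, so any earlier validation of `certs` or `keys` is not visible here.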
@@ -32,15 +35,11 @@ impl TlsConfig {
 }
 
 // Loads public certificate from file.
-fn load_certs(path: impl AsRef<Path>) -> io::Result<Vec<rustls::Certificate>> {
-    certs(&mut io::BufReader::new(fs::File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid cert"))
-        .map(|mut certs| certs.drain(..).map(rustls::Certificate).collect())
+fn load_certs(path: impl AsRef<Path>) -> io::Result<Vec<CertificateDer<'static>>> {
+    certs(&mut io::BufReader::new(fs::File::open(path)?)).collect()
 }
 
 // Loads private key from file.
-fn load_keys(path: impl AsRef<Path>) -> io::Result<Vec<rustls::PrivateKey>> {
-    pkcs8_private_keys(&mut io::BufReader::new(fs::File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"))
-        .map(|mut keys| keys.drain(..).map(rustls::PrivateKey).collect())
+fn load_keys(path: impl AsRef<Path>) -> io::Result<Vec<PrivatePkcs8KeyDer<'static>>> {
+    pkcs8_private_keys(&mut io::BufReader::new(fs::File::open(path)?)).collect()
 }
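Review bot: `load_certs` and `load_keys` now pass the parser's `io::Error` through unchanged, so the "invalid cert" and "invalid key" labels from the removed `map_err` calls are gone. An operator can no longer tell from the message which of the two files was rejected. Adding context after the collect restores that without discarding the underlying cause: `.collect::<io::Result<Vec<_>>>().map_err(|e| io::Error::new(e.kind(), format!("invalid cert: {e}")))`, and the same with "invalid key" in `load_keys`. The comment above `load_keys` should also say that only PKCS#8 PEM sections are returned, for example `// Loads PKCS#8 private keys from a PEM file; other PEM sections are not returned.`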