test(tls): fix accept-openssl test

Author: robjtede

.cargo/config.toml

@@ -15,8 +15,9 @@ ci-check-linux = "hack --workspace --feature-powerset --depth=2 check --tests --
 
 # tests avoiding io-uring feature
 ci-test = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"
-ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture"
-ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-020 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_21,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-021 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_22 test --lib --tests --no-fail-fast -- --nocapture"
+ci-test-rustls-022 = "hack --feature-powerset --depth=2 --exclude-features=io-uring,rustls-0_20,rustls-0_21 test --lib --tests --no-fail-fast -- --nocapture"
 
 # tests avoiding io-uring feature on Windows
 ci-test-win = "hack --feature-powerset --depth=2 --exclude-features=io-uring test --lib --tests --no-fail-fast -- --nocapture"

actix-tls/Cargo.toml

@@ -117,11 +117,11 @@ bytes = "1"
 env_logger = "0.10"
 futures-util = { version = "0.3.17", default-features = false, features = ["sink"] }
 itertools = "0.12"
-rcgen = "0.11"
+rcgen = "0.12"
 rustls-pemfile = "2"
 tokio-rustls-025 = { package = "tokio-rustls", version = "0.25" }
 trust-dns-resolver = "0.23"
 
 [[example]]
 name = "accept-rustls"
-required-features = ["accept", "rustls-0_22-webpki-roots"]
+required-features = ["accept", "rustls-0_22"]

actix-tls/src/connect/mod.rs

@@ -46,10 +46,7 @@ pub use rustls_0_20 as rustls;
 ))]
 pub mod rustls_0_21;
 
-#[cfg(any(
-    feature = "rustls-0_22-webpki-roots",
-    feature = "rustls-0_22-native-roots",
-))]
+#[cfg(feature = "rustls-0_22")]
 pub mod rustls_0_22;
 
 #[cfg(feature = "native-tls")]

actix-tls/tests/accept-openssl.rs

@@ -12,11 +12,13 @@ use std::{io::Write as _, sync::Arc};
 use actix_rt::net::TcpStream;
 use actix_server::TestServer;
 use actix_service::ServiceFactoryExt as _;
-use actix_tls::accept::openssl::{Acceptor, TlsStream};
+use actix_tls::{
+    accept::openssl::{Acceptor, TlsStream},
+    connect::rustls_0_22::reexports::ClientConfig,
+};
 use actix_utils::future::ok;
 use rustls_pki_types_1::ServerName;
-use tokio_rustls::rustls::{ClientConfig, RootCertStore};
-use tokio_rustls_025 as tokio_rustls;
+use tokio_rustls_025::rustls::RootCertStore;
 
 fn new_cert_and_key() -> (String, String) {
     let cert =
@@ -47,39 +49,40 @@ fn openssl_acceptor(cert: String, key: String) -> tls_openssl::ssl::SslAcceptor
     builder.build()
 }
 
-#[allow(dead_code)]
 mod danger {
+    use rustls_pki_types_1::{CertificateDer, ServerName, UnixTime};
     use tokio_rustls_025::rustls;
 
+    /// Disables certificate verification to allow self-signed certs from rcgen.
     #[derive(Debug)]
     pub struct NoCertificateVerification;
 
     impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
         fn verify_server_cert(
             &self,
-            end_entity: &rustls_pki_types_1::CertificateDer::CertificateDer<'_>,
-            intermediates: &[rustls_pki_types_1::CertificateDer::CertificateDer<'_>],
-            server_name: &rustls_pki_types_1::CertificateDer::ServerName<'_>,
-            ocsp_response: &[u8],
-            now: rustls_pki_types_1::CertificateDer::UnixTime,
+            _end_entity: &CertificateDer<'_>,
+            _intermediates: &[CertificateDer<'_>],
+            _server_name: &ServerName<'_>,
+            _ocsp_response: &[u8],
+            _now: UnixTime,
         ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
             Ok(rustls::client::danger::ServerCertVerified::assertion())
         }
 
         fn verify_tls12_signature(
             &self,
-            message: &[u8],
-            cert: &rustls_pki_types_1::CertificateDer<'_>,
-            dss: &rustls::DigitallySignedStruct,
+            _message: &[u8],
+            _cert: &rustls_pki_types_1::CertificateDer<'_>,
+            _dss: &rustls::DigitallySignedStruct,
         ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
             Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
         }
 
         fn verify_tls13_signature(
             &self,
-            message: &[u8],
-            cert: &rustls_pki_types_1::CertificateDer<'_>,
-            dss: &rustls::DigitallySignedStruct,
+            _message: &[u8],
+            _cert: &rustls_pki_types_1::CertificateDer<'_>,
+            _dss: &rustls::DigitallySignedStruct,
         ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
             Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
         }
@@ -134,13 +137,13 @@ async fn accepts_connections() {
     let config = rustls_connector(cert, key);
     let config = Arc::new(config);
 
-    let mut conn = tokio_rustls::rustls::ClientConnection::new(
+    let mut conn = tokio_rustls_025::rustls::ClientConnection::new(
         config,
         ServerName::try_from("localhost").unwrap(),
     )
     .unwrap();
 
-    let mut stream = tokio_rustls::rustls::Stream::new(&mut conn, &mut sock);
+    let mut stream = tokio_rustls_025::rustls::Stream::new(&mut conn, &mut sock);
 
     stream.flush().expect("TLS handshake failed");
 }

actix-tls/tests/accept-rustls.rs

@@ -15,14 +15,13 @@ use actix_rt::net::TcpStream;
 use actix_server::TestServer;
 use actix_service::ServiceFactoryExt as _;
 use actix_tls::{
-    accept::rustls_0_21::{Acceptor, TlsStream},
+    accept::rustls_0_22::{reexports::ServerConfig, Acceptor, TlsStream},
     connect::openssl::reexports::SslConnector,
 };
 use actix_utils::future::ok;
 use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls_pki_types_1::PrivateKeyDer;
 use tls_openssl::ssl::SslVerifyMode;
-use tokio_rustls::rustls::{self, Certificate, PrivateKey, ServerConfig};
-use tokio_rustls_024 as tokio_rustls;
 
 fn new_cert_and_key() -> (String, String) {
     let cert =
@@ -35,7 +34,7 @@ fn new_cert_and_key() -> (String, String) {
     (cert, key)
 }
 
-fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
+fn rustls_server_config(cert: String, key: String) -> ServerConfig {
     // Load TLS key and cert files
 
     let cert = &mut BufReader::new(cert.as_bytes());
@@ -47,9 +46,8 @@ fn rustls_server_config(cert: String, key: String) -> rustls::ServerConfig {
         .unwrap();
 
     let mut config = ServerConfig::builder()
-        .with_safe_defaults()
         .with_no_client_auth()
-        .with_single_cert(cert_chain, PrivateKey(keys.remove(0)))
+        .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0)))
         .unwrap();
 
     config.alpn_protocols = vec![b"http/1.1".to_vec()];