rumqttc: TLS Key encoding fix

rumqttc/CHANGELOG.md

@@ -9,9 +9,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Expose `EventLoop::clean` to allow triggering shutdown and subsequent storage of pending requests
+- Support for all variants of TLS key formats currently supported by Rustls: `PKCS#1`, `PKCS#8`, `RFC5915`. In practice we should now support all RSA keys and ECC keys in `DER` and `SEC1` encoding. Previously only `PKCS#1` and `PKCS#8` where supported.
+- TLS Error variants: `NoValidClientCertInChain`, `NoValidKeyInChain`.
 
 ### Changed
 - Synchronous client methods take `&self` instead of `&mut self` (#646)
+- Removed the `Key` enum: users do not need to specify the TLS key variant in the `TlsConfiguration` anymore, this is inferred automatically.
+To update your code simply remove `Key::ECC()` or `Key::RSA()` from the initialization.
 
 ### Deprecated
 

rumqttc/examples/tls2.rs

@@ -4,7 +4,7 @@ use std::error::Error;
 #[cfg(feature = "use-rustls")]
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
-    use rumqttc::{self, AsyncClient, Key, MqttOptions, TlsConfiguration, Transport};
+    use rumqttc::{self, AsyncClient, MqttOptions, TlsConfiguration, Transport};
 
     pretty_env_logger::init();
     color_backtrace::install();
@@ -23,7 +23,7 @@ async fn main() -> Result<(), Box<dyn Error>> {
     let transport = Transport::Tls(TlsConfiguration::Simple {
         ca,
         alpn: None,
-        client_auth: Some((client_cert, Key::RSA(client_key))),
+        client_auth: Some((client_cert, client_key)),
     });
 
     mqttoptions.set_transport(transport);

rumqttc/src/lib.rs

@@ -204,13 +204,6 @@ impl Request {
     }
 }
 
-/// Key type for TLS authentication
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub enum Key {
-    RSA(Vec<u8>),
-    ECC(Vec<u8>),
-}
-
 impl From<Publish> for Request {
     fn from(publish: Publish) -> Request {
         Request::Publish(publish)
@@ -266,7 +259,7 @@ impl Transport {
     #[cfg(feature = "use-rustls")]
     pub fn tls(
         ca: Vec<u8>,
-        client_auth: Option<(Vec<u8>, Key)>,
+        client_auth: Option<(Vec<u8>, Vec<u8>)>,
         alpn: Option<Vec<Vec<u8>>>,
     ) -> Self {
         let config = TlsConfiguration::Simple {
@@ -300,7 +293,7 @@ impl Transport {
     #[cfg_attr(docsrs, doc(cfg(all(feature = "use-rustls", feature = "websocket"))))]
     pub fn wss(
         ca: Vec<u8>,
-        client_auth: Option<(Vec<u8>, Key)>,
+        client_auth: Option<(Vec<u8>, Vec<u8>)>,
         alpn: Option<Vec<Vec<u8>>>,
     ) -> Self {
         let config = TlsConfiguration::Simple {
@@ -336,7 +329,7 @@ pub enum TlsConfiguration {
         /// alpn settings
         alpn: Option<Vec<Vec<u8>>>,
         /// tls client_authentication
-        client_auth: Option<(Vec<u8>, Key)>,
+        client_auth: Option<(Vec<u8>, Vec<u8>)>,
     },
     #[cfg(feature = "use-native-tls")]
     SimpleNative {

rumqttc/src/tls.rs

@@ -9,8 +9,6 @@ use tokio_rustls::rustls::{
 #[cfg(feature = "use-rustls")]
 use tokio_rustls::TlsConnector as RustlsConnector;
 
-#[cfg(feature = "use-rustls")]
-use crate::Key;
 #[cfg(feature = "use-rustls")]
 use std::convert::TryFrom;
 #[cfg(feature = "use-rustls")]
@@ -51,23 +49,26 @@ pub enum Error {
     #[error("TLS error: {0}")]
     TLS(#[from] rustls::Error),
     #[cfg(feature = "use-rustls")]
-    /// No valid certificate in chain
-    #[error("No valid certificate in chain")]
+    /// No valid CA cert found
+    #[error("No valid CA certificate provided")]
     NoValidCertInChain,
+    #[cfg(feature = "use-rustls")]
+    /// No valid client cert found
+    #[error("No valid certificate for client authentication in chain")]
+    NoValidClientCertInChain,
+    #[cfg(feature = "use-rustls")]
+    /// No valid key found
+    #[error("No valid key in chain")]
+    NoValidKeyInChain,
     #[cfg(feature = "use-native-tls")]
     #[error("Native TLS error {0}")]
     NativeTls(#[from] NativeTlsError),
 }
 
-// // The cert handling functions return unit right now, this is a shortcut
-// impl From<()> for Error {
-//     fn from(_: ()) -> Self {
-//         Error::NoValidCertInChain
-//     }
-// }
-
 #[cfg(feature = "use-rustls")]
 pub async fn rustls_connector(tls_config: &TlsConfiguration) -> Result<RustlsConnector, Error> {
+    use rustls_pemfile::Item;
+
     let config = match tls_config {
         TlsConfiguration::Simple {
             ca,
@@ -104,29 +105,26 @@ pub async fn rustls_connector(tls_config: &TlsConfiguration) -> Result<RustlsCon
             let mut config = if let Some(client) = client_auth.as_ref() {
                 let certs =
                     rustls_pemfile::certs(&mut BufReader::new(Cursor::new(client.0.clone())))?;
-                // load appropriate Key as per the user request. The underlying signature algorithm
-                // of key generation determines the Signature Algorithm during the TLS Handskahe.
-                let read_keys = match &client.1 {
-                    Key::RSA(k) => rustls_pemfile::rsa_private_keys(&mut BufReader::new(
-                        Cursor::new(k.clone()),
-                    )),
-                    Key::ECC(k) => rustls_pemfile::pkcs8_private_keys(&mut BufReader::new(
-                        Cursor::new(k.clone()),
-                    )),
-                };
-                let keys = match read_keys {
-                    Ok(v) => v,
-                    Err(_e) => return Err(Error::NoValidCertInChain),
-                };
+                if certs.is_empty() {
+                    return Err(Error::NoValidClientCertInChain);
+                }
 
-                // Get the first key. Error if it's not valid
-                let key = match keys.first() {
-                    Some(k) => k.clone(),
-                    None => return Err(Error::NoValidCertInChain),
+                // Create buffer for key file
+                let mut key_buffer = BufReader::new(Cursor::new(client.1.clone()));
+
+                // Read PEM items until we find a valid key.
+                let key = loop {
+                    let item = rustls_pemfile::read_one(&mut key_buffer)?;
+                    match item {
+                        Some(Item::ECKey(key) | Item::RSAKey(key) | Item::PKCS8Key(key)) => {
+                            break key;
+                        }
+                        None => return Err(Error::NoValidKeyInChain),
+                        _ => {}
+                    }
                 };
 
                 let certs = certs.into_iter().map(Certificate).collect();
-
                 config.with_client_auth_cert(certs, PrivateKey(key))?
             } else {
                 config.with_no_client_auth()