rumqttc: TLS Key encoding fix

rumqttc/CHANGELOG.md

@@ -9,9 +9,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Expose `EventLoop::clean` to allow triggering shutdown and subsequent storage of pending requests
+- Add support for `SEC1` encoded TLS keys (specifically focusing on elliptic curve cryptography (ECC)).
 
 ### Changed
 - Synchronous client methods take `&self` instead of `&mut self` (#646)
+- Removed the `Key` enum: users do not need to specify the TLS key variant in the `TlsConfiguration` anymore, this is inferred automatically.
+To update your code simply remove `Key::ECC()` or `Key::RSA()` from the initialization.
 
 ### Deprecated
 

rumqttc/examples/tls2.rs

@@ -4,7 +4,7 @@ use std::error::Error;
 #[cfg(feature = "use-rustls")]
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
-    use rumqttc::{self, AsyncClient, Key, MqttOptions, TlsConfiguration, Transport};
+    use rumqttc::{self, AsyncClient, MqttOptions, TlsConfiguration, Transport};
 
     pretty_env_logger::init();
     color_backtrace::install();
@@ -23,7 +23,7 @@ async fn main() -> Result<(), Box<dyn Error>> {
     let transport = Transport::Tls(TlsConfiguration::Simple {
         ca,
         alpn: None,
-        client_auth: Some((client_cert, Key::RSA(client_key))),
+        client_auth: Some((client_cert, client_key)),
     });
 
     mqttoptions.set_transport(transport);

rumqttc/src/lib.rs

@@ -204,13 +204,6 @@ impl Request {
     }
 }
 
-/// Key type for TLS authentication
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub enum Key {
-    RSA(Vec<u8>),
-    ECC(Vec<u8>),
-}
-
 impl From<Publish> for Request {
     fn from(publish: Publish) -> Request {
         Request::Publish(publish)
@@ -266,7 +259,7 @@ impl Transport {
     #[cfg(feature = "use-rustls")]
     pub fn tls(
         ca: Vec<u8>,
-        client_auth: Option<(Vec<u8>, Key)>,
+        client_auth: Option<(Vec<u8>, Vec<u8>)>,
         alpn: Option<Vec<Vec<u8>>>,
     ) -> Self {
         let config = TlsConfiguration::Simple {
@@ -336,7 +329,7 @@ pub enum TlsConfiguration {
         /// alpn settings
         alpn: Option<Vec<Vec<u8>>>,
         /// tls client_authentication
-        client_auth: Option<(Vec<u8>, Key)>,
+        client_auth: Option<(Vec<u8>, Vec<u8>)>,
     },
     #[cfg(feature = "use-native-tls")]
     SimpleNative {

rumqttc/src/tls.rs

@@ -9,8 +9,6 @@ use tokio_rustls::rustls::{
 #[cfg(feature = "use-rustls")]
 use tokio_rustls::TlsConnector as RustlsConnector;
 
-#[cfg(feature = "use-rustls")]
-use crate::Key;
 #[cfg(feature = "use-rustls")]
 use std::convert::TryFrom;
 #[cfg(feature = "use-rustls")]
@@ -54,6 +52,9 @@ pub enum Error {
     /// No valid certificate in chain
     #[error("No valid certificate in chain")]
     NoValidCertInChain,
+    /// No valid key found
+    #[error("No valid key")]
+    NoValidKey,
     #[cfg(feature = "use-native-tls")]
     #[error("Native TLS error {0}")]
     NativeTls(#[from] NativeTlsError),
@@ -106,27 +107,19 @@ pub async fn rustls_connector(tls_config: &TlsConfiguration) -> Result<RustlsCon
                     rustls_pemfile::certs(&mut BufReader::new(Cursor::new(client.0.clone())))?;
                 // load appropriate Key as per the user request. The underlying signature algorithm
                 // of key generation determines the Signature Algorithm during the TLS Handskahe.
-                let read_keys = match &client.1 {
-                    Key::RSA(k) => rustls_pemfile::rsa_private_keys(&mut BufReader::new(
-                        Cursor::new(k.clone()),
-                    )),
-                    Key::ECC(k) => rustls_pemfile::pkcs8_private_keys(&mut BufReader::new(
-                        Cursor::new(k.clone()),
-                    )),
-                };
-                let keys = match read_keys {
-                    Ok(v) => v,
-                    Err(_e) => return Err(Error::NoValidCertInChain),
-                };
 
-                // Get the first key. Error if it's not valid
-                let key = match keys.first() {
-                    Some(k) => k.clone(),
-                    None => return Err(Error::NoValidCertInChain),
+                // Create buffer for key file
+                let mut key_buffer = BufReader::new(Cursor::new(client.1.clone()));
+                // We only read the first key in the key file
+                let key = match rustls_pemfile::read_one(&mut key_buffer) {
+                    Ok(Some(rustls_pemfile::Item::RSAKey(key)))
+                    | Ok(Some(rustls_pemfile::Item::PKCS8Key(key)))
+                    | Ok(Some(rustls_pemfile::Item::ECKey(key))) => key,
+                    Ok(None) | Ok(Some(_)) => return Err(Error::NoValidKey),
+                    Err(err) => return Err(Error::Io(err)),
                 };
 
                 let certs = certs.into_iter().map(Certificate).collect();
-
                 config.with_client_auth_cert(certs, PrivateKey(key))?
             } else {
                 config.with_no_client_auth()