From c98654fc37f2752bcb751f5d96b181e985720f97 Mon Sep 17 00:00:00 2001
From: gabrik
Date: Thu, 4 Apr 2024 10:23:50 +0200
Subject: [PATCH] refactor(tls-quic): moving shared code into zenoh-link-commons::tls
Signed-off-by: gabrik
---
 io/zenoh-link-commons/Cargo.toml | 2 +
 io/zenoh-link-commons/src/tls.rs | 150 ++++++++++++++++++
 io/zenoh-link/src/lib.rs | 13 +-
 io/zenoh-links/zenoh-link-quic/src/lib.rs | 103 +----------
 io/zenoh-links/zenoh-link-quic/src/unicast.rs | 12 +-
 io/zenoh-links/zenoh-link-tls/src/lib.rs | 150 +-----------------
 io/zenoh-links/zenoh-link-tls/src/unicast.rs | 16 +-
 io/zenoh-transport/Cargo.toml | 1 +
 io/zenoh-transport/tests/endpoints.rs | 4 +-
 .../tests/unicast_authenticator.rs | 4 +-
 io/zenoh-transport/tests/unicast_multilink.rs | 4 +-
 io/zenoh-transport/tests/unicast_openclose.rs | 4 +-
 io/zenoh-transport/tests/unicast_transport.rs | 10 +-
 13 files changed, 199 insertions(+), 274 deletions(-)
diff --git a/io/zenoh-link-commons/Cargo.toml b/io/zenoh-link-commons/Cargo.toml
index f2e10616c1..dd045003e4 100644
--- a/io/zenoh-link-commons/Cargo.toml
+++ b/io/zenoh-link-commons/Cargo.toml
@@ -34,9 +34,11 @@ rustls-webpki = { workspace = true }
 flume = { workspace = true }
 tracing = {workspace = true}
 serde = { workspace = true, features = ["default"] }
+secrecy = {workspace = true }
 zenoh-buffers = { workspace = true }
 zenoh-codec = { workspace = true }
 zenoh-core = { workspace = true }
+zenoh-config = { workspace = true }
 zenoh-protocol = { workspace = true }
 zenoh-result = { workspace = true }
 zenoh-util = { workspace = true }
diff --git a/io/zenoh-link-commons/src/tls.rs b/io/zenoh-link-commons/src/tls.rs
index 562b02c81e..4b6a723569 100644
--- a/io/zenoh-link-commons/src/tls.rs
+++ b/io/zenoh-link-commons/src/tls.rs
@@ -11,6 +11,19 @@ use rustls::{
 };
 use webpki::ALL_VERIFICATION_ALGS;
+use crate::ConfigurationInspector;
+use secrecy::ExposeSecret;
+use zenoh_config::Config;
+use zenoh_protocol::core::endpoint;
+use zenoh_result::{bail, ZResult};
+
+use config::{
+ TLS_CLIENT_AUTH, TLS_CLIENT_CERTIFICATE_BASE64, TLS_CLIENT_CERTIFICATE_FILE,
+ TLS_CLIENT_PRIVATE_KEY_BASE64, TLS_CLIENT_PRIVATE_KEY_FILE, TLS_ROOT_CA_CERTIFICATE_BASE64,
+ TLS_ROOT_CA_CERTIFICATE_FILE, TLS_SERVER_CERTIFICATE_BASE64, TLS_SERVER_CERTIFICATE_FILE,
+ TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_PRIVATE_KEY_BASE_64, TLS_SERVER_PRIVATE_KEY_FILE,
+};
+
 impl ServerCertVerifier for WebPkiVerifierAnyServerName {
 /// Will verify the certificate is valid in the following ways:
 /// - Signed by a trusted `RootCertStore` CA
@@ -85,3 +98,140 @@ impl WebPkiVerifierAnyServerName {
 Self { roots }
 }
 }
+
+pub mod config {
+ pub const TLS_ROOT_CA_CERTIFICATE_FILE: &str = "root_ca_certificate_file";
+ pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw";
+ pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64";
+
+ pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file";
+ pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw";
+ pub const TLS_SERVER_PRIVATE_KEY_BASE_64: &str = "server_private_key_base64";
+
+ pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file";
+ pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw";
+ pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64";
+
+ pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file";
+ pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw";
+ pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64";
+
+ pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file";
+ pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw";
+ pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64";
+
+ pub const TLS_CLIENT_AUTH: &str = "client_auth";
+
+ pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification";
+ pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true";
+}
+
+#[derive(Default, Clone, Copy, Debug)]
+pub struct TlsConfigurator;
+
+impl ConfigurationInspector for TlsConfigurator {
+ fn inspect_config(&self, config: &Config) -> ZResult {
+ let mut ps: Vec<(&str, &str)> = vec![];
+
+ let c = config.transport().link().tls();
+
+ match (c.root_ca_certificate(), c.root_ca_certificate_base64()) {
+ (Some(_), Some(_)) => {
+ bail!("Only one between 'root_ca_certificate' and 'root_ca_certificate_base64' can be present!")
+ }
+ (Some(ca_certificate), None) => {
+ ps.push((TLS_ROOT_CA_CERTIFICATE_FILE, ca_certificate));
+ }
+ (None, Some(ca_certificate)) => {
+ ps.push((
+ TLS_ROOT_CA_CERTIFICATE_BASE64,
+ ca_certificate.expose_secret(),
+ ));
+ }
+ _ => {}
+ }
+
+ match (c.server_private_key(), c.server_private_key_base64()) {
+ (Some(_), Some(_)) => {
+ bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!")
+ }
+ (Some(server_private_key), None) => {
+ ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key));
+ }
+ (None, Some(server_private_key)) => {
+ ps.push((
+ TLS_SERVER_PRIVATE_KEY_BASE_64,
+ server_private_key.expose_secret(),
+ ));
+ }
+ _ => {}
+ }
+
+ match (c.server_certificate(), c.server_certificate_base64()) {
+ (Some(_), Some(_)) => {
+ bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!")
+ }
+ (Some(server_certificate), None) => {
+ ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate));
+ }
+ (None, Some(server_certificate)) => {
+ ps.push((
+ TLS_SERVER_CERTIFICATE_BASE64,
+ server_certificate.expose_secret(),
+ ));
+ }
+ _ => {}
+ }
+
+ if let Some(client_auth) = c.client_auth() {
+ match client_auth {
+ true => ps.push((TLS_CLIENT_AUTH, "true")),
+ false => ps.push((TLS_CLIENT_AUTH, "false")),
+ };
+ }
+
+ match (c.client_private_key(), c.client_private_key_base64()) {
+ (Some(_), Some(_)) => {
+ bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!")
+ }
+ (Some(client_private_key), None) => {
+ ps.push((TLS_CLIENT_PRIVATE_KEY_FILE, client_private_key));
+ }
+ (None, Some(client_private_key)) => {
+ ps.push((
+ TLS_CLIENT_PRIVATE_KEY_BASE64,
+ client_private_key.expose_secret(),
+ ));
+ }
+ _ => {}
+ }
+
+ match (c.client_certificate(), c.client_certificate_base64()) {
+ (Some(_), Some(_)) => {
+ bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!")
+ }
+ (Some(client_certificate), None) => {
+ ps.push((TLS_CLIENT_CERTIFICATE_FILE, client_certificate));
+ }
+ (None, Some(client_certificate)) => {
+ ps.push((
+ TLS_CLIENT_CERTIFICATE_BASE64,
+ client_certificate.expose_secret(),
+ ));
+ }
+ _ => {}
+ }
+
+ if let Some(server_name_verification) = c.server_name_verification() {
+ match server_name_verification {
+ true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")),
+ false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")),
+ };
+ }
+
+ let mut s = String::new();
+ endpoint::Parameters::extend(ps.drain(..), &mut s);
+
+ Ok(s)
+ }
+}
diff --git a/io/zenoh-link/src/lib.rs b/io/zenoh-link/src/lib.rs
index 21f26ecf1b..a37eabaef8 100644
--- a/io/zenoh-link/src/lib.rs
+++ b/io/zenoh-link/src/lib.rs
@@ -19,6 +19,9 @@
 //! [Click here for Zenoh's documentation](../zenoh/index.html)
 use std::collections::HashMap;
 use zenoh_config::Config;
+
+#[cfg(any(feature = "transport_quic", feature = "transport_tls"))]
+use zenoh_link_commons::tls::TlsConfigurator;
 use zenoh_result::{bail, ZResult};
 #[cfg(feature = "transport_tcp")]
@@ -36,16 +39,12 @@ use zenoh_link_udp::{
 #[cfg(feature = "transport_tls")]
 pub use zenoh_link_tls as tls;
 #[cfg(feature = "transport_tls")]
-use zenoh_link_tls::{
- LinkManagerUnicastTls, TlsConfigurator, TlsLocatorInspector, TLS_LOCATOR_PREFIX,
-};
+use zenoh_link_tls::{LinkManagerUnicastTls, TlsLocatorInspector, TLS_LOCATOR_PREFIX};
 #[cfg(feature = "transport_quic")]
 pub use zenoh_link_quic as quic;
 #[cfg(feature = "transport_quic")]
-use zenoh_link_quic::{
- LinkManagerUnicastQuic, QuicConfigurator, QuicLocatorInspector, QUIC_LOCATOR_PREFIX,
-};
+use zenoh_link_quic::{LinkManagerUnicastQuic, QuicLocatorInspector, QUIC_LOCATOR_PREFIX};
 #[cfg(feature = "transport_ws")]
 pub use zenoh_link_ws as ws;
@@ -155,7 +154,7 @@ impl LocatorInspector {
 #[derive(Default)]
 pub struct LinkConfigurator {
 #[cfg(feature = "transport_quic")]
- quic_inspector: QuicConfigurator,
+ quic_inspector: TlsConfigurator,
 #[cfg(feature = "transport_tls")]
 tls_inspector: TlsConfigurator,
 #[cfg(feature = "transport_unixpipe")]
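Review bot: `TLS_SERVER_PRIVATE_KEY_BASE_64` is the only constant in the new `config` module spelled with `BASE_64`; the QUIC crate's removed module spelled the same key `TLS_SERVER_PRIVATE_KEY_BASE64`, so every QUIC call site has to be retargeted by hand and the odd name is easy to get wrong (the string value `"server_private_key_base64"` is identical either way). Renaming it to `TLS_SERVER_PRIVATE_KEY_BASE64` and updating its users in this file and in the TLS unicast import would remove that trap. `config` and `TlsConfigurator` are now public items of a shared crate and carry no doc comment; a `///` on `TlsConfigurator` should state that it maps the `transport.link.tls` section of the zenoh `Config` onto endpoint parameters and that base64 key and certificate values are copied out of their secret wrapper via `expose_secret()` into the returned plaintext parameter string, so that string must never be logged or embedded in a locator that is printed.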
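Review bot: Switching `quic_inspector` from `QuicConfigurator` to the shared `TlsConfigurator` changes what reaches QUIC endpoints: the removed QUIC inspector emitted only the root CA, server key/certificate and `server_name_verification`, while `TlsConfigurator` additionally emits `client_auth`, `client_private_key*` and `client_certificate*`. Unless the QUIC unicast link honours those keys (not visible in this diff), a user who sets `client_auth: true` expecting mutual TLS on QUIC gets a configuration that is accepted but not enforced, which is the kind of silent downgrade that is hard to notice in production. Either have the QUIC listener reject `client_auth=true` until it is implemented, or document the gap on the field, e.g. `// QUIC reuses the TLS inspector: client_auth/client_* parameters are forwarded but only take effect where the QUIC link implements them`. The `LinkConfigurator` struct continues past the end of the hunk.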
diff --git a/io/zenoh-links/zenoh-link-quic/src/lib.rs b/io/zenoh-links/zenoh-link-quic/src/lib.rs
index c6d7e16087..113f11ac78 100644
--- a/io/zenoh-links/zenoh-link-quic/src/lib.rs
+++ b/io/zenoh-links/zenoh-link-quic/src/lib.rs
@@ -18,20 +18,11 @@
 //!
 //! [Click here for Zenoh's documentation](../zenoh/index.html)
 use async_trait::async_trait;
-use config::{
- TLS_ROOT_CA_CERTIFICATE_BASE64, TLS_ROOT_CA_CERTIFICATE_FILE, TLS_SERVER_CERTIFICATE_BASE64,
- TLS_SERVER_CERTIFICATE_FILE, TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_PRIVATE_KEY_BASE64,
- TLS_SERVER_PRIVATE_KEY_FILE,
-};
-use secrecy::ExposeSecret;
+
 use std::net::SocketAddr;
-use zenoh_config::Config;
 use zenoh_core::zconfigurable;
-use zenoh_link_commons::{ConfigurationInspector, LocatorInspector};
-use zenoh_protocol::core::{
- endpoint::{Address, Parameters},
- Locator,
-};
+use zenoh_link_commons::LocatorInspector;
+use zenoh_protocol::core::{endpoint::Address, Locator};
 use zenoh_result::{bail, zerror, ZResult};
 mod unicast;
@@ -64,77 +55,6 @@ impl LocatorInspector for QuicLocatorInspector {
 }
 }
-#[derive(Default, Clone, Copy, Debug)]
-pub struct QuicConfigurator;
-
-impl ConfigurationInspector for QuicConfigurator {
- fn inspect_config(&self, config: &Config) -> ZResult {
- let mut ps: Vec<(&str, &str)> = vec![];
-
- let c = config.transport().link().tls();
-
- match (c.root_ca_certificate(), c.root_ca_certificate_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'root_ca_certificate' and 'root_ca_certificate_base64' can be present!")
- }
- (Some(ca_certificate), None) => {
- ps.push((TLS_ROOT_CA_CERTIFICATE_FILE, ca_certificate));
- }
- (None, Some(ca_certificate)) => {
- ps.push((
- TLS_ROOT_CA_CERTIFICATE_BASE64,
- ca_certificate.expose_secret(),
- ));
- }
- _ => {}
- }
-
- match (c.server_private_key(), c.server_private_key_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!")
- }
- (Some(server_private_key), None) => {
- ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key));
- }
- (None, Some(server_private_key)) => {
- ps.push((
- TLS_SERVER_PRIVATE_KEY_BASE64,
- server_private_key.expose_secret(),
- ));
- }
- _ => {}
- }
-
- match (c.server_certificate(), c.server_certificate_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!")
- }
- (Some(server_certificate), None) => {
- ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate));
- }
- (None, Some(server_certificate)) => {
- ps.push((
- TLS_SERVER_CERTIFICATE_BASE64,
- server_certificate.expose_secret(),
- ));
- }
- _ => {}
- }
-
- if let Some(server_name_verification) = c.server_name_verification() {
- match server_name_verification {
- true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")),
- false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")),
- };
- }
-
- let mut s = String::new();
- Parameters::extend(ps.drain(..), &mut s);
-
- Ok(s)
- }
-}
-
 zconfigurable! {
 // Default MTU (QUIC PDU) in bytes.
 static ref QUIC_DEFAULT_MTU: u16 = QUIC_MAX_MTU;
@@ -148,23 +68,6 @@ zconfigurable! {
 static ref QUIC_ACCEPT_THROTTLE_TIME: u64 = 100_000;
 }
-pub mod config {
- pub const TLS_ROOT_CA_CERTIFICATE_FILE: &str = "root_ca_certificate_file";
- pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw";
- pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64";
-
- pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file";
- pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw";
- pub const TLS_SERVER_PRIVATE_KEY_BASE64: &str = "server_private_key_base64";
-
- pub const TLS_SERVER_CERTIFICATE_FILE: &str = "tls_server_certificate_file";
- pub const TLS_SERVER_CERTIFICATE_RAW: &str = "tls_server_certificate_raw";
- pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "tls_server_certificate_base64";
-
- pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification";
- pub const TLS_SERVER_NAME_VERIFICATION_DEFAULT: &str = "true";
-}
-
 async fn get_quic_addr(address: &Address<'_>) -> ZResult {
 match tokio::net::lookup_host(address.as_str()).await?.next() {
 Some(addr) => Ok(addr),
diff --git a/io/zenoh-links/zenoh-link-quic/src/unicast.rs b/io/zenoh-links/zenoh-link-quic/src/unicast.rs
index 8fd7777137..4c10315e61 100644
--- a/io/zenoh-links/zenoh-link-quic/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-quic/src/unicast.rs
@@ -14,8 +14,8 @@ use crate::base64_decode;
 use crate::{
- config::*, get_quic_addr, verify::WebPkiVerifierAnyServerName, ALPN_QUIC_HTTP,
- QUIC_ACCEPT_THROTTLE_TIME, QUIC_DEFAULT_MTU, QUIC_LOCATOR_PREFIX,
+ get_quic_addr, verify::WebPkiVerifierAnyServerName, ALPN_QUIC_HTTP, QUIC_ACCEPT_THROTTLE_TIME,
+ QUIC_DEFAULT_MTU, QUIC_LOCATOR_PREFIX,
 };
 use async_trait::async_trait;
 use rustls::{Certificate, PrivateKey};
@@ -29,6 +29,12 @@ use std::time::Duration;
 use tokio::sync::Mutex as AsyncMutex;
 use tokio_util::sync::CancellationToken;
 use zenoh_core::zasynclock;
+use zenoh_link_commons::tls::config::{
+ TLS_ROOT_CA_CERTIFICATE_BASE64, TLS_ROOT_CA_CERTIFICATE_FILE, TLS_ROOT_CA_CERTIFICATE_RAW,
+ TLS_SERVER_CERTIFICATE_BASE64, TLS_SERVER_CERTIFICATE_FILE, TLS_SERVER_CERTIFICATE_RAW,
+ TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_NAME_VERIFICATION_DEFAULT,
+ TLS_SERVER_PRIVATE_KEY_FILE, TLS_SERVER_PRIVATE_KEY_RAW,
+};
 use zenoh_link_commons::{
 get_ip_interface_names, LinkManagerUnicastTrait, LinkUnicast, LinkUnicastTrait,
 ListenersUnicastIP, NewLinkChannelSender,
@@ -336,7 +342,7 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
 // Private keys
 let f = if let Some(value) = epconf.get(TLS_SERVER_PRIVATE_KEY_RAW) {
 value.as_bytes().to_vec()
- } else if let Some(b64_key) = epconf.get(TLS_SERVER_PRIVATE_KEY_BASE64) {
+ } else if let Some(b64_key) = epconf.get(TLS_SERVER_PRIVATE_KEY_RAW) {
 base64_decode(b64_key)?
 } else if let Some(value) = epconf.get(TLS_SERVER_PRIVATE_KEY_FILE) {
 tokio::fs::read(value)
diff --git a/io/zenoh-links/zenoh-link-tls/src/lib.rs b/io/zenoh-links/zenoh-link-tls/src/lib.rs
index 95d59104b4..460bea400b 100644
--- a/io/zenoh-links/zenoh-link-tls/src/lib.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/lib.rs
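Review bot: The QUIC link now reads its server certificate parameters through the shared constants, whose values are `server_certificate_file` / `server_certificate_raw` / `server_certificate_base64`, whereas the constants this patch deletes from `zenoh-link-quic/src/lib.rs` were `tls_server_certificate_file` / `tls_server_certificate_raw` / `tls_server_certificate_base64`. Any QUIC endpoint string that still carries the old `tls_server_certificate_*` keys will be silently ignored by `epconf.get(...)` rather than rejected, so a listener that used to present its certificate will now fail to start (or, worse, start with whatever the next lookup yields) without pointing at the real cause. This is a user-visible configuration change that deserves a changelog entry and, if compatibility with existing deployments matters, a temporary fallback lookup on the old key names with a deprecation warning.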
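Review bot: The second branch of the private-key lookup under `// Private keys` now calls `epconf.get(TLS_SERVER_PRIVATE_KEY_RAW)`, the same key the first branch already matched, so it can never be taken and a key supplied as `server_private_key_base64` is silently ignored on QUIC listeners, which fall through to the file lookup or fail to start. The removed line used `TLS_SERVER_PRIVATE_KEY_BASE64`, which the shared module now spells `TLS_SERVER_PRIVATE_KEY_BASE_64` and which is absent from the new `zenoh_link_commons::tls::config` import above. Change the branch to `} else if let Some(b64_key) = epconf.get(TLS_SERVER_PRIVATE_KEY_BASE_64) {` and add `TLS_SERVER_PRIVATE_KEY_BASE_64` to that import list. The enclosing listener method starts and ends outside the hunk.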
@@ -18,22 +18,11 @@
 //!
 //! [Click here for Zenoh's documentation](../zenoh/index.html)
 use async_trait::async_trait;
-use config::{
- TLS_CLIENT_AUTH, TLS_CLIENT_CERTIFICATE_BASE64, TLS_CLIENT_CERTIFICATE_FILE,
- TLS_CLIENT_PRIVATE_KEY_BASE64, TLS_CLIENT_PRIVATE_KEY_FILE, TLS_ROOT_CA_CERTIFICATE_BASE64,
- TLS_ROOT_CA_CERTIFICATE_FILE, TLS_SERVER_CERTIFICATE_BASE64, TLS_SERVER_CERTIFICATE_FILE,
- TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_PRIVATE_KEY_BASE_64, TLS_SERVER_PRIVATE_KEY_FILE,
-};
 use rustls_pki_types::ServerName;
-use secrecy::ExposeSecret;
 use std::{convert::TryFrom, net::SocketAddr};
-use zenoh_config::Config;
 use zenoh_core::zconfigurable;
-use zenoh_link_commons::{ConfigurationInspector, LocatorInspector};
-use zenoh_protocol::core::{
- endpoint::{self, Address},
- Locator,
-};
+use zenoh_link_commons::LocatorInspector;
+use zenoh_protocol::core::{endpoint::Address, Locator};
 use zenoh_result::{bail, zerror, ZResult};
 mod unicast;
@@ -60,115 +49,6 @@ impl LocatorInspector for TlsLocatorInspector {
 Ok(false)
 }
 }
-#[derive(Default, Clone, Copy, Debug)]
-pub struct TlsConfigurator;
-
-impl ConfigurationInspector for TlsConfigurator {
- fn inspect_config(&self, config: &Config) -> ZResult {
- let mut ps: Vec<(&str, &str)> = vec![];
-
- let c = config.transport().link().tls();
-
- match (c.root_ca_certificate(), c.root_ca_certificate_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'root_ca_certificate' and 'root_ca_certificate_base64' can be present!")
- }
- (Some(ca_certificate), None) => {
- ps.push((TLS_ROOT_CA_CERTIFICATE_FILE, ca_certificate));
- }
- (None, Some(ca_certificate)) => {
- ps.push((
- TLS_ROOT_CA_CERTIFICATE_BASE64,
- ca_certificate.expose_secret(),
- ));
- }
- _ => {}
- }
-
- match (c.server_private_key(), c.server_private_key_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'server_private_key' and 'server_private_key_base64' can be present!")
- }
- (Some(server_private_key), None) => {
- ps.push((TLS_SERVER_PRIVATE_KEY_FILE, server_private_key));
- }
- (None, Some(server_private_key)) => {
- ps.push((
- TLS_SERVER_PRIVATE_KEY_BASE_64,
- server_private_key.expose_secret(),
- ));
- }
- _ => {}
- }
-
- match (c.server_certificate(), c.server_certificate_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'server_certificate' and 'server_certificate_base64' can be present!")
- }
- (Some(server_certificate), None) => {
- ps.push((TLS_SERVER_CERTIFICATE_FILE, server_certificate));
- }
- (None, Some(server_certificate)) => {
- ps.push((
- TLS_SERVER_CERTIFICATE_BASE64,
- server_certificate.expose_secret(),
- ));
- }
- _ => {}
- }
-
- if let Some(client_auth) = c.client_auth() {
- match client_auth {
- true => ps.push((TLS_CLIENT_AUTH, "true")),
- false => ps.push((TLS_CLIENT_AUTH, "false")),
- };
- }
-
- match (c.client_private_key(), c.client_private_key_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'client_private_key' and 'client_private_key_base64' can be present!")
- }
- (Some(client_private_key), None) => {
- ps.push((TLS_CLIENT_PRIVATE_KEY_FILE, client_private_key));
- }
- (None, Some(client_private_key)) => {
- ps.push((
- TLS_CLIENT_PRIVATE_KEY_BASE64,
- client_private_key.expose_secret(),
- ));
- }
- _ => {}
- }
-
- match (c.client_certificate(), c.client_certificate_base64()) {
- (Some(_), Some(_)) => {
- bail!("Only one between 'client_certificate' and 'client_certificate_base64' can be present!")
- }
- (Some(client_certificate), None) => {
- ps.push((TLS_CLIENT_CERTIFICATE_FILE, client_certificate));
- }
- (None, Some(client_certificate)) => {
- ps.push((
- TLS_CLIENT_CERTIFICATE_BASE64,
- client_certificate.expose_secret(),
- ));
- }
- _ => {}
- }
-
- if let Some(server_name_verification) = c.server_name_verification() {
- match server_name_verification {
- true => ps.push((TLS_SERVER_NAME_VERIFICATION, "true")),
- false => ps.push((TLS_SERVER_NAME_VERIFICATION, "false")),
- };
- }
-
- let mut s = String::new();
- endpoint::Parameters::extend(ps.drain(..), &mut s);
-
- Ok(s)
- }
-}
 zconfigurable! {
 // Default MTU (TLS PDU) in bytes.
@@ -183,32 +63,6 @@ zconfigurable! {
 static ref TLS_ACCEPT_THROTTLE_TIME: u64 = 100_000;
 }
-pub mod config {
- pub const TLS_ROOT_CA_CERTIFICATE_FILE: &str = "root_ca_certificate_file";
- pub const TLS_ROOT_CA_CERTIFICATE_RAW: &str = "root_ca_certificate_raw";
- pub const TLS_ROOT_CA_CERTIFICATE_BASE64: &str = "root_ca_certificate_base64";
-
- pub const TLS_SERVER_PRIVATE_KEY_FILE: &str = "server_private_key_file";
- pub const TLS_SERVER_PRIVATE_KEY_RAW: &str = "server_private_key_raw";
- pub const TLS_SERVER_PRIVATE_KEY_BASE_64: &str = "server_private_key_base64";
-
- pub const TLS_SERVER_CERTIFICATE_FILE: &str = "server_certificate_file";
- pub const TLS_SERVER_CERTIFICATE_RAW: &str = "server_certificate_raw";
- pub const TLS_SERVER_CERTIFICATE_BASE64: &str = "server_certificate_base64";
-
- pub const TLS_CLIENT_PRIVATE_KEY_FILE: &str = "client_private_key_file";
- pub const TLS_CLIENT_PRIVATE_KEY_RAW: &str = "client_private_key_raw";
- pub const TLS_CLIENT_PRIVATE_KEY_BASE64: &str = "client_private_key_base64";
-
- pub const TLS_CLIENT_CERTIFICATE_FILE: &str = "client_certificate_file";
- pub const TLS_CLIENT_CERTIFICATE_RAW: &str = "client_certificate_raw";
- pub const TLS_CLIENT_CERTIFICATE_BASE64: &str = "client_certificate_base64";
-
- pub const TLS_CLIENT_AUTH: &str = "client_auth";
-
- pub const TLS_SERVER_NAME_VERIFICATION: &str = "server_name_verification";
-}
-
 pub async fn get_tls_addr(address: &Address<'_>) -> ZResult {
 match tokio::net::lookup_host(address.as_str()).await?.next() {
 Some(addr) => Ok(addr),
diff --git a/io/zenoh-links/zenoh-link-tls/src/unicast.rs b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
index 9eec2feb2a..5e7eb78e22 100644
--- a/io/zenoh-links/zenoh-link-tls/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tls/src/unicast.rs
@@ -12,8 +12,8 @@
 // ZettaScale Zenoh Team,
 //
 use crate::{
- base64_decode, config::*, get_tls_addr, get_tls_host, get_tls_server_name,
- TLS_ACCEPT_THROTTLE_TIME, TLS_DEFAULT_MTU, TLS_LINGER_TIMEOUT, TLS_LOCATOR_PREFIX,
+ base64_decode, get_tls_addr, get_tls_host, get_tls_server_name, TLS_ACCEPT_THROTTLE_TIME,
+ TLS_DEFAULT_MTU, TLS_LINGER_TIMEOUT, TLS_LOCATOR_PREFIX,
 };
 use async_trait::async_trait;
 use rustls::{
@@ -37,7 +37,17 @@ use tokio_rustls::{TlsAcceptor, TlsConnector, TlsStream};
 use tokio_util::sync::CancellationToken;
 use webpki::anchor_from_trusted_cert;
 use zenoh_core::zasynclock;
-use zenoh_link_commons::tls::WebPkiVerifierAnyServerName;
+use zenoh_link_commons::tls::{
+ config::{
+ TLS_CLIENT_AUTH, TLS_CLIENT_CERTIFICATE_BASE64, TLS_CLIENT_CERTIFICATE_FILE,
+ TLS_CLIENT_CERTIFICATE_RAW, TLS_CLIENT_PRIVATE_KEY_BASE64, TLS_CLIENT_PRIVATE_KEY_FILE,
+ TLS_CLIENT_PRIVATE_KEY_RAW, TLS_ROOT_CA_CERTIFICATE_BASE64, TLS_ROOT_CA_CERTIFICATE_FILE,
+ TLS_ROOT_CA_CERTIFICATE_RAW, TLS_SERVER_CERTIFICATE_BASE64, TLS_SERVER_CERTIFICATE_FILE,
+ TLS_SERVER_CERTIFICATE_RAW, TLS_SERVER_NAME_VERIFICATION, TLS_SERVER_PRIVATE_KEY_BASE_64,
+ TLS_SERVER_PRIVATE_KEY_FILE, TLS_SERVER_PRIVATE_KEY_RAW,
+ },
+ WebPkiVerifierAnyServerName,
+};
 use zenoh_link_commons::{
 get_ip_interface_names, LinkManagerUnicastTrait, LinkUnicast, LinkUnicastTrait,
 ListenersUnicastIP, NewLinkChannelSender,
diff --git a/io/zenoh-transport/Cargo.toml b/io/zenoh-transport/Cargo.toml
index b3a299e8be..9f6594761e 100644
--- a/io/zenoh-transport/Cargo.toml
+++ b/io/zenoh-transport/Cargo.toml
@@ -92,3 +92,4 @@ futures-util = { workspace = true }
 zenoh-util = {workspace = true }
 zenoh-protocol = { workspace = true, features = ["test"] }
 futures = { workspace = true }
+zenoh-link-commons = { workspace = true }
diff --git a/io/zenoh-transport/tests/endpoints.rs b/io/zenoh-transport/tests/endpoints.rs
index 6269f78cb9..85e5e4bfef 100644
--- a/io/zenoh-transport/tests/endpoints.rs
+++ b/io/zenoh-transport/tests/endpoints.rs
@@ -255,7 +255,7 @@ async fn endpoint_udp_unix() {
 #[cfg(feature = "transport_tls")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn endpoint_tls() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -334,7 +334,7 @@ AXVFFIgCSluyrolaD6CWD9MqOex4YOfJR2bNxI7lFvuK4AwjyUJzT1U1HXib17mM
 #[cfg(feature = "transport_quic")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn endpoint_quic() {
- use zenoh_link::quic::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
diff --git a/io/zenoh-transport/tests/unicast_authenticator.rs b/io/zenoh-transport/tests/unicast_authenticator.rs
index a232584cff..62b645123b 100644
--- a/io/zenoh-transport/tests/unicast_authenticator.rs
+++ b/io/zenoh-transport/tests/unicast_authenticator.rs
@@ -719,7 +719,7 @@ async fn authenticator_unix() {
 #[cfg(feature = "transport_tls")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn authenticator_tls() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -819,7 +819,7 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg==
 #[cfg(feature = "transport_quic")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn authenticator_quic() {
- use zenoh_link::quic::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
diff --git a/io/zenoh-transport/tests/unicast_multilink.rs b/io/zenoh-transport/tests/unicast_multilink.rs
index d69a30ac9d..6ae96a79b1 100644
--- a/io/zenoh-transport/tests/unicast_multilink.rs
+++ b/io/zenoh-transport/tests/unicast_multilink.rs
@@ -529,7 +529,7 @@ mod tests {
 #[cfg(feature = "transport_tls")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn multilink_tls_only() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -628,7 +628,7 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg==
 #[cfg(feature = "transport_quic")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn multilink_quic_only() {
- use zenoh_link::quic::config::*;
+ use zenoh_link_commons::tls::config::*;
 // NOTE: this an auto-generated pair of certificate and key.
 // The target domain is localhost, so it has no real
diff --git a/io/zenoh-transport/tests/unicast_openclose.rs b/io/zenoh-transport/tests/unicast_openclose.rs
index a671de14a8..d44c514d25 100644
--- a/io/zenoh-transport/tests/unicast_openclose.rs
+++ b/io/zenoh-transport/tests/unicast_openclose.rs
@@ -559,7 +559,7 @@ async fn openclose_unix_only() {
 #[cfg(feature = "transport_tls")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn openclose_tls_only() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
 // NOTE: this an auto-generated pair of certificate and key.
@@ -657,7 +657,7 @@ R+IdLiXcyIkg0m9N8I17p0ljCSkbrgGMD3bbePRTfg==
 #[cfg(feature = "transport_quic")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn openclose_quic_only() {
- use zenoh_link::quic::config::*;
+ use zenoh_link_commons::tls::config::*;
 // NOTE: this an auto-generated pair of certificate and key.
 // The target domain is localhost, so it has no real
diff --git a/io/zenoh-transport/tests/unicast_transport.rs b/io/zenoh-transport/tests/unicast_transport.rs
index af1dedfbce..0c8ac25c74 100644
--- a/io/zenoh-transport/tests/unicast_transport.rs
+++ b/io/zenoh-transport/tests/unicast_transport.rs
@@ -991,7 +991,7 @@ async fn transport_unicast_tcp_udp_unix() {
 #[cfg(all(feature = "transport_tls", target_family = "unix"))]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn transport_unicast_tls_only_server() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -1037,7 +1037,7 @@ async fn transport_unicast_tls_only_server() {
 #[cfg(feature = "transport_quic")]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn transport_unicast_quic_only_server() {
- use zenoh_link::quic::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
 // Define the locator
@@ -1082,7 +1082,7 @@ async fn transport_unicast_quic_only_server() {
 #[cfg(all(feature = "transport_tls", target_family = "unix"))]
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn transport_unicast_tls_only_mutual_success() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -1154,7 +1154,7 @@ async fn transport_unicast_tls_only_mutual_success() {
 #[tokio::test(flavor = "multi_thread", worker_threads = 4)]
 async fn transport_unicast_tls_only_mutual_no_client_certs_failure() {
 use std::vec;
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();
@@ -1222,7 +1222,7 @@ async fn transport_unicast_tls_only_mutual_no_client_certs_failure() {
 #[cfg(all(feature = "transport_tls", target_family = "unix"))]
 #[test]
 fn transport_unicast_tls_only_mutual_wrong_client_certs_failure() {
- use zenoh_link::tls::config::*;
+ use zenoh_link_commons::tls::config::*;
 zenoh_util::try_init_log_from_env();