fixed #1077 - handle non-standard PKCS8 EC private key PEMs

warp-tech · Oct 4, 2024 · 38bdbad · 38bdbad
1 parent bb285cc
commit 38bdbad
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/warpgate-common/Cargo.toml b/warpgate-common/Cargo.toml
@@ -43,3 +43,4 @@ warpgate-sso = { version = "*", path = "../warpgate-sso" }
 rustls = { version = "0.23", features = ["ring"], default-features = false}
 rustls-pemfile = "1.0"
 webpki = "0.22"
+aho-corasick = "1.1.3"
diff --git a/warpgate-common/src/tls/cert.rs b/warpgate-common/src/tls/cert.rs
@@ -1,6 +1,7 @@
 use std::path::Path;
 use std::sync::Arc;
 
+use aho_corasick::AhoCorasick;
 use poem::listener::RustlsCertificate;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls::sign::{CertifiedKey, SigningKey};
@@ -58,6 +59,16 @@ impl TlsPrivateKey {
     }
 
     pub fn from_bytes(bytes: Vec<u8>) -> Result<Self, RustlsSetupError> {
+        let bytes = {
+            // https://github.com/rustls/rustls/issues/767
+            let ac = AhoCorasick::new(&[b"EC PRIVATE KEY"]).expect("EC PK AhoCorasick");
+            let mut new_bytes = vec![];
+            ac.replace_all_with_bytes(&bytes, &mut new_bytes, |_, _, dst| {
+                dst.extend_from_slice(b"PRIVATE KEY");
+                true
+            });
+            new_bytes
+        };
         let mut key = rustls_pemfile::pkcs8_private_keys(&mut bytes.as_slice())?
             .drain(..)
             .next()