Support Multiple Key Types

[kevinmeziere]

Currently Dropshot ConfigTls expects a key that matches Item::Pkcs8Key. Some certificate authorities do not provide a key pair that matches this.

A concrete example is using a key pair obtained from tailscale cert. Today the only key proved by tailscale is an EC key.

[davepacheco]

Thanks. In the latest release, I think you could use ConfigTls::Dynamic with your own rustls::ServerConfig to do this, right? (The fix in #902 looks simple enough, too.)

[kevinmeziere]

Yea thats the idea, get the key/cert and create a Some ConfigTls::AsBytes. I didn't go the ConfigTls::Dynamic route as it looked like that was maybe looking for its own TLS handler... but I could misunderstanding the usage.

[davepacheco]

Dropshot always constructs a rustls::ServerConfig. When you use ConfigTls::Dynamic, we use the one the caller provides directly:

dropshot/dropshot/src/server.rs

Line 481 in 59f102e

return Ok(raw.clone());

ConfigTls::AsBytes or ConfigTls::AsFile are just shortcuts for a common case. They boil down to:

dropshot/dropshot/src/server.rs

Lines 483 to 537 in 59f102e

	ConfigTls::AsBytes { certs, key } => (
	Box::new(std::io::BufReader::new(certs.as_slice())),
	Box::new(std::io::BufReader::new(key.as_slice())),
	),
	ConfigTls::AsFile { cert_file, key_file } => {
	let certfile = Box::new(std::io::BufReader::new(
	std::fs::File::open(cert_file).map_err(|e| {
	std::io::Error::new(
	std::io::ErrorKind::Other,
	format!(
	"failed to open {}: {}",
	cert_file.display(),
	e
	),
	)
	})?,
	));
	let keyfile = Box::new(std::io::BufReader::new(
	std::fs::File::open(key_file).map_err(|e| {
	std::io::Error::new(
	std::io::ErrorKind::Other,
	format!(
	"failed to open {}: {}",
	key_file.display(),
	e
	),
	)
	})?,
	));
	(certfile, keyfile)
	}
	};
	let certs = rustls_pemfile::certs(&mut cert_reader)
	.collect::<Result<Vec<_>, _>>()
	.map_err(|err| {
	io_error(format!("failed to load certificate: {err}"))
	})?;
	let keys = rustls_pemfile::pkcs8_private_keys(&mut key_reader)
	.collect::<Result<Vec<_>, _>>()
	.map_err(|err| {
	io_error(format!("failed to load private key: {err}"))
	})?;
	let mut keys_iter = keys.into_iter();
	let (Some(private_key), None) = (keys_iter.next(), keys_iter.next())
	else {
	return Err(io_error("expected a single private key".into()));
	};
	let mut cfg = rustls::ServerConfig::builder()
	.with_no_client_auth()
	.with_single_cert(certs, private_key.into())
	.expect("bad certificate/key");
	cfg.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
	Ok(cfg)

So if you need a workaround, you can make your own rustls::ServerConfig using similar code, modified in the way you did in #902 to accept the kind of key you need.

#902 still seems worth doing. I just wanted to let you know in case this unblocks you.

[davepacheco]

Closing this because I think you can do this today with ConfigTls::Dynamic. We can still do #902 but we don't need this open to track it.