Merge pull request #37 from hrvolapeter/rustls-0.20

Upgrade to rustls 0.20

Author: hrvolapeter

Cargo.toml

@@ -19,9 +19,10 @@ webpki-roots = ["hyper-rustls/webpki-roots"]
 base64 = "0.13"
 time = { version = "0.3.5", features = ["serde"] }
 hyper = { version = "0.14.2", features = ["client", "runtime", "http2"] }
-hyper-rustls = { version = "0.22.1", default-features = false, features = ["tokio-runtime"] }
+hyper-rustls = { version = "0.23.0", default-features = false, features = ["native-tokio", "http1", "http2"] }
 log = "0.4"
-rustls = "0.19.0"
+rustls = "0.20.2"
+rustls-pemfile = "0.2.1"
 serde = {version = "1.0", features = ["derive"]}
 serde_json = "1.0"
 tokio = { version = "1.1", features = ["fs"] }

src/error.rs

@@ -18,7 +18,7 @@ pub enum Error {
     /// Error in underlying RustTLS library.
     /// Might signal problem with establishing secure connection using trusted certificates
     #[error("TLS error")]
-    TLSError(rustls::TLSError),
+    TLSError(rustls::Error),
 
     /// Error when establishing connection to OAuth server
     #[error("Could not establish connection with OAuth server")]

src/jwt.rs

@@ -4,7 +4,6 @@ use std::io;
 
 use rustls::{
     self,
-    internal::pemfile,
     sign::{self, SigningKey},
     PrivateKey,
 };
@@ -23,12 +22,12 @@ fn append_base64<T: AsRef<[u8]> + ?Sized>(s: &T, out: &mut String) {
 
 /// Decode a PKCS8 formatted RSA key.
 fn decode_rsa_key(pem_pkcs8: &str) -> Result<PrivateKey, io::Error> {
-    let private_keys = pemfile::pkcs8_private_keys(&mut pem_pkcs8.as_bytes());
+    let private_keys = rustls_pemfile::pkcs8_private_keys(&mut pem_pkcs8.as_bytes());
 
     match private_keys {
         Ok(mut keys) if !keys.is_empty() => {
             keys.truncate(1);
-            Ok(keys.remove(0))
+            Ok(PrivateKey(keys.remove(0)))
         }
         Ok(_) => Err(io::Error::new(
             io::ErrorKind::InvalidInput,
@@ -89,14 +88,14 @@ pub(crate) struct JwtSigner {
 impl JwtSigner {
     pub(crate) fn new(private_key: &str) -> Result<Self, Error> {
         let key = decode_rsa_key(private_key)?;
-        let signing_key = sign::RSASigningKey::new(&key).map_err(|_| Error::SignerInit)?;
+        let signing_key = sign::RsaSigningKey::new(&key).map_err(|_| Error::SignerInit)?;
         let signer = signing_key
             .choose_scheme(&[rustls::SignatureScheme::RSA_PKCS1_SHA256])
             .ok_or(Error::SignerSchemeError)?;
         Ok(JwtSigner { signer })
     }
 
-    pub(crate) fn sign_claims(&self, claims: &Claims) -> Result<String, rustls::TLSError> {
+    pub(crate) fn sign_claims(&self, claims: &Claims) -> Result<String, rustls::Error> {
         let mut jwt_head = Self::encode_claims(claims);
         let signature = self.signer.sign(jwt_head.as_bytes())?;
         jwt_head.push('.');

src/lib.rs

@@ -80,7 +80,7 @@ pub use types::Token;
 use std::path::Path;
 
 use hyper::Client;
-use hyper_rustls::HttpsConnector;
+use hyper_rustls::HttpsConnectorBuilder;
 
 /// Initialize GCP authentication based on a credentials file
 ///
@@ -95,11 +95,12 @@ async fn get_authentication_manager(
     credential_path: Option<&Path>,
 ) -> Result<AuthenticationManager, Error> {
     #[cfg(feature = "webpki-roots")]
-    let https = HttpsConnector::with_webpki_roots();
+    let https = HttpsConnectorBuilder::new().with_webpki_roots();
     #[cfg(not(feature = "webpki-roots"))]
-    let https = HttpsConnector::with_native_roots();
+    let https = HttpsConnectorBuilder::new().with_native_roots();
 
-    let client = Client::builder().build::<_, hyper::Body>(https);
+    let client =
+        Client::builder().build::<_, hyper::Body>(https.https_only().enable_http2().build());
 
     let custom = match credential_path {
         Some(path) => CustomServiceAccount::from_file(path).await,