saluki_tls/

lib.rs

//! Transport Layer Security (TLS) configuration and helpers.

use std::sync::{Arc, Mutex, OnceLock};

use rustls::{
    client::{
        danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
        Resumption,
    },
    crypto::CryptoProvider,
    pki_types::{CertificateDer, ServerName, UnixTime},
    version::{TLS12, TLS13},
    ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme, SupportedProtocolVersion,
};
use saluki_error::{generic_error, GenericError};
use tracing::debug;

/// Tracks if the default cryptography provider for `rustls` has been set.
static DEFAULT_CRYPTO_PROVIDER_SET: OnceLock<()> = OnceLock::new();

/// Default root certificate store to use for TLS when one isn't explicitly provided.
static DEFAULT_ROOT_CERT_STORE_MUTEX: Mutex<()> = Mutex::new(());
static DEFAULT_ROOT_CERT_STORE: OnceLock<Arc<RootCertStore>> = OnceLock::new();

// Various defaults for TLS configuration.
const DEFAULT_MAX_TLS12_RESUMPTION_SESSIONS: usize = 8;
const TLS12_PLUS_PROTOCOL_VERSIONS: &[&SupportedProtocolVersion] = &[&TLS13, &TLS12];
const TLS13_PROTOCOL_VERSIONS: &[&SupportedProtocolVersion] = &[&TLS13];

/// Minimum TLS protocol version to use for client connections.
#[derive(Clone, Copy, Debug, Default, Eq, PartialEq)]
pub enum TlsMinimumVersion {
    /// TLS 1.2 or newer.
    #[default]
    Tls12,

    /// TLS 1.3 or newer.
    Tls13,
}

impl TlsMinimumVersion {
    const fn protocol_versions(self) -> &'static [&'static SupportedProtocolVersion] {
        match self {
            Self::Tls12 => TLS12_PLUS_PROTOCOL_VERSIONS,
            Self::Tls13 => TLS13_PROTOCOL_VERSIONS,
        }
    }
}

/// A certificate verifier that accepts all server certificates without validation.
///
/// This is inherently insecure and should only be used for local/development connections where the
/// server's identity is already established through other means (for example, connecting via Unix domain socket
/// to a local process).
#[derive(Debug)]
struct AcceptAllServerCertVerifier {
    provider: Arc<CryptoProvider>,
}

impl ServerCertVerifier for AcceptAllServerCertVerifier {
    fn verify_server_cert(
        &self, _end_entity: &CertificateDer<'_>, _intermediates: &[CertificateDer<'_>], _server_name: &ServerName<'_>,
        _ocsp_response: &[u8], _now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn verify_tls13_signature(
        &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(message, cert, dss, &self.provider.signature_verification_algorithms)
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        self.provider.signature_verification_algorithms.supported_schemes()
    }
}

/// A TLS client configuration builder.
///
/// Exposes various options for configuring a client's TLS configuration that would otherwise be cumbersome to
/// configure, and provides sane defaults for many common options.
///
/// # Missing
///
/// - ability to configure client authentication
pub struct ClientTLSConfigBuilder {
    max_tls12_resumption_sessions: Option<usize>,
    min_tls_version: TlsMinimumVersion,
    root_cert_store: Option<RootCertStore>,
    danger_accept_invalid_certs: bool,
}

impl ClientTLSConfigBuilder {
    pub fn new() -> Self {
        Self {
            max_tls12_resumption_sessions: None,
            min_tls_version: TlsMinimumVersion::default(),
            root_cert_store: None,
            danger_accept_invalid_certs: false,
        }
    }

    /// Sets the maximum number of TLS 1.2 sessions to cache.
    ///
    /// Defaults to 8.
    pub fn with_max_tls12_resumption_sessions(mut self, max: usize) -> Self {
        self.max_tls12_resumption_sessions = Some(max);
        self
    }

    /// Sets the root certificate store to use for the client.
    ///
    /// Defaults to the "default" root certificate store initialized from the platform. (See [`load_platform_root_certificates`].)
    pub fn with_root_cert_store(mut self, store: RootCertStore) -> Self {
        self.root_cert_store = Some(store);
        self
    }

    /// Sets the minimum TLS protocol version to allow for client connections.
    ///
    /// Defaults to TLS 1.2.
    pub fn with_min_tls_version(mut self, version: TlsMinimumVersion) -> Self {
        self.min_tls_version = version;
        self
    }

    /// Disables server certificate verification entirely.
    ///
    /// This is inherently insecure and should only be used for local/development connections where
    /// the server's identity is already established through other means (for example, connecting via Unix
    /// domain socket to a local process).
    pub fn danger_accept_invalid_certs(mut self) -> Self {
        self.danger_accept_invalid_certs = true;
        self
    }

    /// Builds the client TLS configuration.
    ///
    /// # Errors
    ///
    /// If the default root cert store (see [`load_platform_root_certificates`]) hasn't been initialized, and a root
    /// cert store hasn't been provided, or if the resulting configuration isn't FIPS compliant, an error will be
    /// returned.
    pub fn build(self) -> Result<ClientConfig, GenericError> {
        let max_tls12_resumption_sessions = self
            .max_tls12_resumption_sessions
            .unwrap_or(DEFAULT_MAX_TLS12_RESUMPTION_SESSIONS);
        let protocol_versions = self.min_tls_version.protocol_versions();

        let mut config = if self.danger_accept_invalid_certs {
            let crypto_provider = CryptoProvider::get_default()
                .map(Arc::clone)
                .ok_or_else(|| generic_error!("Default cryptography provider not yet installed."))?;
            let verifier = Arc::new(AcceptAllServerCertVerifier {
                provider: crypto_provider,
            });

            ClientConfig::builder_with_protocol_versions(protocol_versions)
                .dangerous()
                .with_custom_certificate_verifier(verifier)
                .with_no_client_auth()
        } else {
            let root_cert_store = self.root_cert_store.map(Arc::new).map(Ok).unwrap_or_else(|| {
                DEFAULT_ROOT_CERT_STORE
                    .get()
                    .map(Arc::clone)
                    .ok_or(generic_error!("Default TLS root certificate store not initialized."))
            })?;

            ClientConfig::builder_with_protocol_versions(protocol_versions)
                .with_root_certificates(root_cert_store)
                .with_no_client_auth()
        };

        // One unfortunate thing is that by creating `config` above, it assigns the default value for `Resumption` before
        // we reset it down here... which means the big, beefy default one gets allocated and then immediately thrown
        // away.
        config.resumption = Resumption::in_memory_sessions(max_tls12_resumption_sessions);

        // Do our final check that this configuration is FIPS compliant.
        #[cfg(feature = "fips")]
        if !config.fips() {
            return Err(generic_error!("Client TLS configuration is not FIPS compliant."));
        }

        Ok(config)
    }
}

/// Initializes the default TLS cryptography provider used by `rustls`.
///
/// This explicitly sets the [AWS-LC][aws_lc] provider as the default provider for all future TLS configurations, which
/// provides the ability to run in FIPS mode for FIPS-compliant builds.
///
/// This is the only supported cryptography provider in Saluki.
///
/// # Errors
///
/// If the default cryptography provider has already been set, an error will be returned.
///
/// [aws_lc]: https://github.com/aws/aws-lc-rs
pub fn initialize_default_crypto_provider() -> Result<(), GenericError> {
    if DEFAULT_CRYPTO_PROVIDER_SET.get().is_some() {
        return Err(generic_error!("Default TLS cryptography provider already initialized."));
    }

    // Set the process-wide default `CryptoProvider` to AWS-LC.
    //
    // This locks in AWS-LC as the default provider for all future TLS configurations, regardless of whether they use
    // the configuration builders here or not. (The main caveat is that it's only relevant if `rustls` is being used.)
    rustls::crypto::aws_lc_rs::default_provider()
        .install_default()
        .map_err(|_| generic_error!("Failed to install AWS-LC as default cryptography provider. This is likely due to a conflicting provider already being installed."))?;

    // With the process-wide default having been set, mark it as having been set.
    DEFAULT_CRYPTO_PROVIDER_SET
        .set(())
        .expect("should be impossible for DEFAULT_CRYPTO_PROVIDER_SET to be initialized twice");

    Ok(())
}

/// Initializes the default root certificate store from the platform's native certificate store.
///
/// ## Environment Variables
///
/// | Environment Variable | Description                                                                           |
/// |----------------------|---------------------------------------------------------------------------------------|
/// | SSL_CERT_FILE        | File containing an arbitrary number of certificates in PEM format.                    |
/// | SSL_CERT_DIR         | Directory utilizing the hierarchy and naming convention used by OpenSSL's `c_rehash`. |
///
/// If **either** (or **both**) are set, certificates are only loaded from the locations specified via environment
/// variables and not the platform- native certificate store.
///
/// ## Certificate Validity
///
/// All certificates are expected to be in PEM format. A file may contain multiple certificates.
///
/// Example:
///
/// ```text
/// -----BEGIN CERTIFICATE-----
/// MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
/// CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
/// R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
/// MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
/// ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
/// EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
/// +1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
/// ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
/// AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
/// zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
/// tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
/// /q4AaOeMSQ+2b1tbFfLn
/// -----END CERTIFICATE-----
/// -----BEGIN CERTIFICATE-----
/// MIIBtjCCAVugAwIBAgITBmyf1XSXNmY/Owua2eiedgPySjAKBggqhkjOPQQDAjA5
/// MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
/// Um9vdCBDQSAzMB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
/// A1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJvb3Qg
/// Q0EgMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCmXp8ZBf8ANm+gBG1bG8lKl
/// ui2yEujSLtf6ycXYqm0fc4E7O5hrOXwzpcVOho6AF2hiRVd9RFgdszflZwjrZt6j
/// QjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBSr
/// ttvXBp43rDCGB5Fwx5zEGbF4wDAKBggqhkjOPQQDAgNJADBGAiEA4IWSoxe3jfkr
/// BqWTrBqYaGFy+uGh0PsceGCmQ5nFuMQCIQCcAu/xlJyzlvnrxir4tiz+OpAUFteM
/// YyRIHN8wfdVoOw==
/// -----END CERTIFICATE-----
///
/// ```
///
/// For reasons of compatibility, an attempt is made to skip invalid sections of a certificate file but this means it's
/// also possible for a malformed certificate to be skipped.
///
/// If a certificate isn't loaded, and no error is reported, check if:
///
/// 1. the certificate is in PEM format (see example above)
/// 2. *BEGIN CERTIFICATE* line starts with exactly five hyphens (`'-'`)
/// 3. *END CERTIFICATE* line ends with exactly five hyphens (`'-'`)
/// 4. there is a line break after the certificate.
///
/// ## Errors
///
/// If errors occur during certificate loading and no certificates were ultimately added to the store, an error is
/// returned. Missing files or directories referenced by `SSL_CERT_FILE`/`SSL_CERT_DIR` are tolerated and treated as
/// "no certificates available" rather than as a load failure.
///
/// [c_rehash]: https://www.openssl.org/docs/manmaster/man1/c_rehash.html
pub fn load_platform_root_certificates() -> Result<(), GenericError> {
    let _guard = DEFAULT_ROOT_CERT_STORE_MUTEX
        .lock()
        .map_err(|_| generic_error!("Default TLS root certificate store update lock poisoned."))?;
    if DEFAULT_ROOT_CERT_STORE.get().is_some() {
        return Err(generic_error!(
            "Default TLS root certificate store already initialized."
        ));
    }

    let root_cert_store = load_platform_root_certificates_inner()?;

    // The reason it should be impossible is that we intentionally only set it _here_, and we do so after acquiring the
    // mutex, and only then do we make sure that it hasn't been set before proceeding to try to set it.
    DEFAULT_ROOT_CERT_STORE
        .set(Arc::new(root_cert_store))
        .expect("should be impossible for DEFAULT_ROOT_CERT_STORE to be initialized twice");

    Ok(())
}

/// Builds a `RootCertStore` from the platform's native certificate store.
///
/// Behaves identically to [`load_platform_root_certificates`] with respect to which certificates are loaded, but
/// returns the constructed store instead of writing it into the process-wide default.
///
/// # Errors
///
/// If errors occur during certificate loading and no certificates were ultimately added to the store, an error is
/// returned. Otherwise, even if some certificates failed to parse, the store is returned with whatever certificates were
/// successfully added. Missing files or directories referenced by `SSL_CERT_FILE`/`SSL_CERT_DIR` are tolerated and do
/// not produce an error.
pub fn load_platform_root_certificates_inner() -> Result<RootCertStore, GenericError> {
    let mut root_cert_store = RootCertStore::empty();

    let mut result = rustls_native_certs::load_native_certs();

    // Drop "not found" IO errors before evaluating success or failure: a missing `SSL_CERT_FILE` or `SSL_CERT_DIR`
    // should look like "no certificates available" rather than a load failure, since callers may simply not have set
    // those env vars on this host.
    result.errors.retain(|err| {
        !matches!(
            &err.kind,
            rustls_native_certs::ErrorKind::Io { inner, .. } if inner.kind() == std::io::ErrorKind::NotFound,
        )
    });

    // For whatever certificates we _did_ get back, try and add them to the root certificate store.
    let (added, failed) = root_cert_store.add_parsable_certificates(result.certs);
    if failed == 0 && added > 0 {
        debug!(
            "Added {} certificates from environment to the default root certificate store.",
            added
        );
    } else if failed > 0 && added > 0 {
        debug!("Added {} certificates from environment to the default root certificate store, but failed to add {} certificates.", added, failed);
    } else {
        // When we don't manage to add any certificates, it either means that:
        // - we found no certificates to add
        // - we hit an error when loading the certificates
        // - we hit an error when trying to add the certificates to our root certificate store
        //
        // We only consider this operation to have truly failed if there were errors during the initial loading of the
        // certificates.
        if !result.errors.is_empty() {
            let joined_errors = result
                .errors
                .iter()
                .map(|e| e.to_string())
                .collect::<Vec<_>>()
                .join(", ");

            return Err(generic_error!(
                "Failed to load certificates from platform's native certificate store: {}",
                joined_errors
            ));
        }
    }

    Ok(root_cert_store)
}

#[cfg(test)]
mod tests {
    use rustls::ProtocolVersion;

    use super::TlsMinimumVersion;

    #[test]
    fn tls12_minimum_enables_tls12_and_tls13() {
        let versions = TlsMinimumVersion::Tls12.protocol_versions();

        assert_eq!(versions.len(), 2);
        assert_eq!(versions[0].version, ProtocolVersion::TLSv1_3);
        assert_eq!(versions[1].version, ProtocolVersion::TLSv1_2);
    }

    #[test]
    fn tls13_minimum_enables_tls13_only() {
        let versions = TlsMinimumVersion::Tls13.protocol_versions();

        assert_eq!(versions.len(), 1);
        assert_eq!(versions[0].version, ProtocolVersion::TLSv1_3);
    }
}