chore: rework TLS code in test server (#23566)

In order to make the reqwest/rustls upgrade more straightforward, we
refactor the test server to depend on deno_tls.

Cargo.lock

@@ -6555,6 +6555,7 @@ dependencies = [
  "base64",
  "bytes",
  "console_static_text",
+ "deno_tls",
  "deno_unsync",
  "denokv_proto",
  "fastwebsockets",
@@ -6580,8 +6581,6 @@ dependencies = [
  "prost-build",
  "regex",
  "reqwest",
- "rustls-pemfile",
- "rustls-tokio-stream",
  "semver 1.0.14",
  "serde",
  "serde_json",

ext/tls/lib.rs

@@ -3,7 +3,7 @@
 pub use deno_native_certs;
 pub use rustls;
 pub use rustls_pemfile;
-pub use rustls_tokio_stream;
+pub use rustls_tokio_stream::*;
 pub use webpki;
 pub use webpki_roots;
 
@@ -15,12 +15,9 @@ use rustls::client::HandshakeSignatureValid;
 use rustls::client::ServerCertVerified;
 use rustls::client::ServerCertVerifier;
 use rustls::client::WebPkiVerifier;
-use rustls::Certificate;
 use rustls::ClientConfig;
 use rustls::DigitallySignedStruct;
 use rustls::Error;
-use rustls::PrivateKey;
-use rustls::RootCertStore;
 use rustls::ServerName;
 use rustls_pemfile::certs;
 use rustls_pemfile::ec_private_keys;
@@ -33,6 +30,10 @@ use std::io::Cursor;
 use std::sync::Arc;
 use std::time::SystemTime;
 
+pub type Certificate = rustls::Certificate;
+pub type PrivateKey = rustls::PrivateKey;
+pub type RootCertStore = rustls::RootCertStore;
+
 /// Lazily resolves the root cert store.
 ///
 /// This was done because the root cert store is not needed in all cases
@@ -263,7 +264,7 @@ pub fn load_certs(
     return Err(cert_not_found_err());
   }
 
-  Ok(certs.into_iter().map(Certificate).collect())
+  Ok(certs.into_iter().map(rustls::Certificate).collect())
 }
 
 fn key_decode_err() -> AnyError {
@@ -281,19 +282,19 @@ fn cert_not_found_err() -> AnyError {
 /// Starts with -----BEGIN RSA PRIVATE KEY-----
 fn load_rsa_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
   let keys = rsa_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(PrivateKey).collect())
+  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
 }
 
 /// Starts with -----BEGIN EC PRIVATE KEY-----
 fn load_ec_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
   let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(PrivateKey).collect())
+  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
 }
 
 /// Starts with -----BEGIN PRIVATE KEY-----
 fn load_pkcs8_keys(mut bytes: &[u8]) -> Result<Vec<PrivateKey>, AnyError> {
   let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
-  Ok(keys.into_iter().map(PrivateKey).collect())
+  Ok(keys.into_iter().map(rustls::PrivateKey).collect())
 }
 
 fn filter_invalid_encoding_err(

tests/integration/cert_tests.rs

@@ -2,7 +2,7 @@
 
 use deno_tls::rustls;
 use deno_tls::rustls_pemfile;
-use deno_tls::rustls_tokio_stream::TlsStream;
+use deno_tls::TlsStream;
 use std::io::BufReader;
 use std::io::Cursor;
 use std::io::Read;

tests/util/server/Cargo.toml

@@ -19,6 +19,7 @@ async-stream = "0.3.3"
 base64.workspace = true
 bytes.workspace = true
 console_static_text.workspace = true
+deno_tls.workspace = true
 deno_unsync = "0"
 denokv_proto.workspace = true
 fastwebsockets.workspace = true
@@ -43,8 +44,6 @@ pretty_assertions.workspace = true
 prost.workspace = true
 regex.workspace = true
 reqwest.workspace = true
-rustls-pemfile.workspace = true
-rustls-tokio-stream.workspace = true
 semver = "=1.0.14"
 serde.workspace = true
 serde_json.workspace = true

tests/util/server/src/https.rs

@@ -1,12 +1,14 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 use anyhow::anyhow;
+use deno_tls::load_certs;
+use deno_tls::load_private_keys;
+use deno_tls::rustls;
+use deno_tls::RootCertStore;
+use deno_tls::TlsStream;
 use futures::Stream;
 use futures::StreamExt;
-use rustls::Certificate;
-use rustls::PrivateKey;
-use rustls_tokio_stream::rustls;
-use rustls_tokio_stream::TlsStream;
 use std::io;
+use std::io::Read;
 use std::num::NonZeroUsize;
 use std::result::Result;
 use std::sync::Arc;
@@ -68,65 +70,43 @@ pub fn get_tls_config(
   let key_file = std::fs::File::open(key_path)?;
   let ca_file = std::fs::File::open(ca_path)?;
 
-  let certs: Vec<Certificate> = {
-    let mut cert_reader = io::BufReader::new(cert_file);
-    rustls_pemfile::certs(&mut cert_reader)
-      .unwrap()
-      .into_iter()
-      .map(Certificate)
-      .collect()
-  };
+  let err_map = |x| io::Error::new(io::ErrorKind::InvalidData, x);
+  let certs =
+    load_certs(&mut io::BufReader::new(cert_file)).map_err(err_map)?;
 
   let mut ca_cert_reader = io::BufReader::new(ca_file);
-  let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
-    .expect("Cannot load CA certificate")
-    .remove(0);
+  let ca_cert = load_certs(&mut ca_cert_reader).map_err(err_map)?.remove(0);
 
   let mut key_reader = io::BufReader::new(key_file);
-  let key = {
-    let pkcs8_key = rustls_pemfile::pkcs8_private_keys(&mut key_reader)
-      .expect("Cannot load key file");
-    let rsa_key = rustls_pemfile::rsa_private_keys(&mut key_reader)
-      .expect("Cannot load key file");
-    if !pkcs8_key.is_empty() {
-      Some(pkcs8_key[0].clone())
-    } else if !rsa_key.is_empty() {
-      Some(rsa_key[0].clone())
-    } else {
-      None
+  let mut key = vec![];
+  key_reader.read_to_end(&mut key)?;
+  let key = load_private_keys(&key).map_err(err_map)?.remove(0);
+
+  let mut root_cert_store = RootCertStore::empty();
+  root_cert_store.add(&ca_cert).unwrap();
+
+  // Allow (but do not require) client authentication.
+
+  let mut config = rustls::ServerConfig::builder()
+    .with_safe_defaults()
+    .with_client_cert_verifier(Arc::new(
+      rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
+        root_cert_store,
+      ),
+    ))
+    .with_single_cert(certs, key)
+    .map_err(|e| anyhow!("Error setting cert: {:?}", e))
+    .unwrap();
+
+  match http_versions {
+    SupportedHttpVersions::All => {
+      config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
     }
-  };
-
-  match key {
-    Some(key) => {
-      let mut root_cert_store = rustls::RootCertStore::empty();
-      root_cert_store.add(&rustls::Certificate(ca_cert)).unwrap();
-
-      // Allow (but do not require) client authentication.
-
-      let mut config = rustls::ServerConfig::builder()
-        .with_safe_defaults()
-        .with_client_cert_verifier(Arc::new(
-          rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(
-            root_cert_store,
-          ),
-        ))
-        .with_single_cert(certs, PrivateKey(key))
-        .map_err(|e| anyhow!("Error setting cert: {:?}", e))
-        .unwrap();
-
-      match http_versions {
-        SupportedHttpVersions::All => {
-          config.alpn_protocols = vec!["h2".into(), "http/1.1".into()];
-        }
-        SupportedHttpVersions::Http1Only => {}
-        SupportedHttpVersions::Http2Only => {
-          config.alpn_protocols = vec!["h2".into()];
-        }
-      }
-
-      Ok(Arc::new(config))
+    SupportedHttpVersions::Http1Only => {}
+    SupportedHttpVersions::Http2Only => {
+      config.alpn_protocols = vec!["h2".into()];
     }
-    None => Err(io::Error::new(io::ErrorKind::Other, "Cannot find key")),
   }
+
+  Ok(Arc::new(config))
 }

tests/util/server/src/servers/grpc.rs

@@ -1,10 +1,10 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
+use deno_tls::TlsStream;
 use futures::StreamExt;
 use h2;
 use hyper::header::HeaderName;
 use hyper::header::HeaderValue;
-use rustls_tokio_stream::TlsStream;
 use tokio::net::TcpStream;
 use tokio::task::LocalSet;
 

tests/util/server/src/servers/hyper_utils.rs

@@ -1,6 +1,7 @@
 // Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.
 
 use bytes::Bytes;
+use deno_tls::TlsStream;
 use futures::Future;
 use futures::FutureExt;
 use futures::Stream;
@@ -69,7 +70,7 @@ pub async fn run_server_with_acceptor<'a, A, F, S>(
   error_msg: &'static str,
   kind: ServerKind,
 ) where
-  A: Stream<Item = io::Result<rustls_tokio_stream::TlsStream>> + ?Sized,
+  A: Stream<Item = io::Result<TlsStream>> + ?Sized,
   F: Fn(Request<hyper::body::Incoming>) -> S + Copy + 'static,
   S: Future<Output = HandlerOutput> + 'static,
 {