chore(tls): Refactor parsing Certificate

Author: tottoto

tonic/src/transport/channel/service/tls.rs

@@ -1,5 +1,4 @@
 use std::fmt;
-use std::io::Cursor;
 use std::sync::Arc;
 
 use hyper_util::rt::TokioIo;
@@ -10,7 +9,7 @@ use tokio_rustls::{
 };
 
 use super::io::BoxedIo;
-use crate::transport::service::tls::{add_certs_from_pem, load_identity, TlsError, ALPN_H2};
+use crate::transport::service::tls::{load_identity, TlsError, ALPN_H2};
 use crate::transport::tls::{Certificate, Identity};
 
 #[derive(Clone)]
@@ -43,7 +42,7 @@ impl TlsConnector {
         }
 
         for cert in ca_certs {
-            add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
+            roots.add_parsable_certificates(cert.parse()?);
         }
 
         let builder = builder.with_root_certificates(roots);

tonic/src/transport/server/service/tls.rs

@@ -1,4 +1,4 @@
-use std::{fmt, io::Cursor, sync::Arc};
+use std::{fmt, sync::Arc};
 
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::{
@@ -9,7 +9,7 @@ use tokio_rustls::{
 
 use crate::transport::{
     server::Connected,
-    service::tls::{add_certs_from_pem, load_identity, ALPN_H2},
+    service::tls::{load_identity, ALPN_H2},
     Certificate, Identity,
 };
 
@@ -30,7 +30,7 @@ impl TlsAcceptor {
             None => builder.with_no_client_auth(),
             Some(cert) => {
                 let mut roots = RootCertStore::empty();
-                add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
+                roots.add_parsable_certificates(cert.parse()?);
                 let verifier = if client_auth_optional {
                     WebPkiClientVerifier::builder(roots.into()).allow_unauthenticated()
                 } else {

tonic/src/transport/service/tls.rs

@@ -1,11 +1,8 @@
 use std::{fmt, io::Cursor};
 
-use tokio_rustls::rustls::{
-    pki_types::{CertificateDer, PrivateKeyDer},
-    RootCertStore,
-};
+use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
 
-use crate::transport::Identity;
+use crate::transport::{Certificate, Identity};
 
 /// h2 alpn in plain format for rustls.
 pub(crate) const ALPN_H2: &[u8] = b"h2";
@@ -34,6 +31,15 @@ impl fmt::Display for TlsError {
 
 impl std::error::Error for TlsError {}
 
+impl Certificate {
+    pub(crate) fn parse(&self) -> Result<Vec<CertificateDer<'static>>, TlsError> {
+        let mut cert = Cursor::new(&self.pem);
+        rustls_pemfile::certs(&mut cert)
+            .collect::<Result<Vec<_>, _>>()
+            .map_err(|_| TlsError::CertificateParseError)
+    }
+}
+
 pub(crate) fn load_identity(
     identity: Identity,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), TlsError> {
@@ -47,16 +53,3 @@ pub(crate) fn load_identity(
 
     Ok((cert, key))
 }
-
-pub(crate) fn add_certs_from_pem(
-    mut certs: &mut dyn std::io::BufRead,
-    roots: &mut RootCertStore,
-) -> Result<(), crate::Error> {
-    for cert in rustls_pemfile::certs(&mut certs).collect::<Result<Vec<_>, _>>()? {
-        roots
-            .add(cert)
-            .map_err(|_| TlsError::CertificateParseError)?;
-    }
-
-    Ok(())
-}