tls_helpers.rs1use anyhow::Context;
2use data_loader::KeySource;
3use rustls::pki_types::pem::PemObject;
4use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
5use rustls::ServerConfig;
6use std::sync::Arc;
7
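/// Builds a rustls [`ServerConfig`] for a TLS listener identified by `hostname`.
///
/// `tls_private_key` and `tls_certificate` are PEM-encoded sources read through
/// `KeySource::get`. When neither is configured, a self-signed certificate for
/// `hostname` is generated in-process with `rcgen`; peers that validate the chain
/// will not trust it, so that mode is only useful for tests and local setups.
///
/// Configuring only one of the two (a key without a certificate, or a
/// certificate without a key) is rejected up front with a descriptive error.
/// Previously those partial configurations fell through to rustls with an empty
/// chain or with a chain that did not match the generated key, which fails (or
/// could silently produce an unusable listener) with a far less clear message.
///
/// The resulting config does not request client certificates
/// (`with_no_client_auth`); only the server side is authenticated.
///
/// # Errors
/// Returns an error when a configured source cannot be read or parsed as PEM,
/// when the certificate source contains no certificates, when only one of key
/// and certificate is configured, or when rustls rejects the key/certificate
/// combination.
pub async fn make_server_config(
    hostname: &str,
    tls_private_key: &Option<KeySource>,
    tls_certificate: &Option<KeySource>,
) -> anyhow::Result<Arc<ServerConfig>> {
    let (certificates, private_key) = match (tls_private_key, tls_certificate) {
        (Some(key_source), Some(cert_source)) => {
            let key = PrivateKeyDer::from_pem_slice(&key_source.get().await?)
                .with_context(|| format!("loading private key from {key_source:?}"))?;
            // Collect fallibly so the first malformed PEM block aborts the load.
            let chain = CertificateDer::pem_slice_iter(&cert_source.get().await?)
                .collect::<Result<Vec<_>, _>>()
                .with_context(|| format!("loading certificates from {cert_source:?}"))?;
            // A syntactically valid PEM file with zero CERTIFICATE blocks would
            // otherwise reach rustls as an empty chain.
            anyhow::ensure!(
                !chain.is_empty(),
                "no certificates found in {cert_source:?}"
            );
            (chain, key)
        }
        (None, None) => {
            // Dev/test fallback: a throwaway self-signed certificate for `hostname`.
            let generated = rcgen::generate_simple_self_signed(vec![hostname.to_string()])?;
            let cert = CertificateDer::from_slice(generated.cert.der()).into_owned();
            let key = PrivateKeyDer::from(PrivatePkcs8KeyDer::from(
                generated.key_pair.serialize_der(),
            ));
            (vec![cert], key)
        }
        (Some(key_source), None) => anyhow::bail!(
            "tls_private_key {key_source:?} is configured but tls_certificate is not"
        ),
        (None, Some(cert_source)) => anyhow::bail!(
            "tls_certificate {cert_source:?} is configured but tls_private_key is not"
        ),
    };

    // No client-certificate verification: this config authenticates the server only.
    let config = ServerConfig::builder()
        .with_no_client_auth()
        .with_single_cert(certificates, private_key)?;

    Ok(Arc::new(config))
}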