diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs
index 9ed8a5a1f5..be8cabadc1 100644
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -23,6 +23,7 @@ use rustls::PrivateKey;
 use rustls::RootCertStore;
 use rustls::ServerName;
 use rustls_pemfile::certs;
+use rustls_pemfile::ec_private_keys;
 use rustls_pemfile::pkcs8_private_keys;
 use rustls_pemfile::rsa_private_keys;
 use serde::Deserialize;
@@ -290,6 +291,12 @@ fn load_rsa_keys(mut bytes: &[u8]) -> Result, AnyError> {
 Ok(keys.into_iter().map(PrivateKey).collect())
 }
+/// Starts with -----BEGIN EC PRIVATE KEY-----
+fn load_ec_keys(mut bytes: &[u8]) -> Result, AnyError> {
+ let keys = ec_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
+ Ok(keys.into_iter().map(PrivateKey).collect())
+}
+
 /// Starts with -----BEGIN PRIVATE KEY-----
 fn load_pkcs8_keys(mut bytes: &[u8]) -> Result, AnyError> {
 let keys = pkcs8_private_keys(&mut bytes).map_err(|_| key_decode_err())?;
@@ -314,6 +321,10 @@ pub fn load_private_keys(bytes: &[u8]) -> Result, AnyError> {
 keys = load_pkcs8_keys(bytes)?;
 }
+ if keys.is_empty() {
+ keys = load_ec_keys(bytes)?;
+ }
+
 if keys.is_empty() {
 return Err(key_not_found_err());
 }
diff --git a/tests/testdata/tls/README.md b/tests/testdata/tls/README.md
index 19bbaec35d..721ecbc321 100644
--- a/tests/testdata/tls/README.md
+++ b/tests/testdata/tls/README.md
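Review bot: The doc comment on `load_ec_keys` names only the PEM label and says nothing about what happens to a bad section. `map_err(|_| key_decode_err())` drops the underlying read error, so a caller cannot tell which section failed; that is worth stating next to the label, for example `/// Loads SEC1 EC keys (sections starting with -----BEGIN EC PRIVATE KEY-----); any PEM read failure is reported as the generic key-decode error.` The decoded bytes are wrapped in `PrivateKey` without being parsed here, so presumably a structurally invalid key is only rejected later, when the TLS configuration is built; a short comment saying so would help the next reader.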
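Review bot: The new `load_ec_keys` fallback runs only while `keys` is still empty, so in a PEM file that mixes key types an EC section is silently ignored whenever an earlier loader found something. That precedence is not written down in the hunk; a comment above the added branch such as `// SEC1 "EC PRIVATE KEY" sections are tried last; an earlier format wins if the file mixes key types.` would make it explicit. Each fallback also re-reads the whole buffer and returns early through `?`, so a decode error in any pass ends the lookup, which may be worth a line in the docs of `load_private_keys`. The start of `load_private_keys` is outside the hunk, so the loaders tried before PKCS#8 are not visible here.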
@@ -38,6 +38,14 @@ openssl x509 -req -sha256 -days 36135 -in localhost.csr -CA RootCA.pem -CAkey Ro
 Note that the country / state / city / name in the first command can be customized.
+Generate localhost_ecc.key, localhost_ecc.csr, and localhost_ecc.crt:
+
+```shell
+openssl ecparam -genkey -name prime256v1 -noout --out localhost_ecc.key
+openssl req -new -key localhost_ecc.key -out localhost_ecc.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
+openssl x509 -req -sha256 -days 36135 -in localhost_ecc.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.txt -out localhost_ecc.crt
+```
+
 For testing purposes we need following files:
 - `RootCA.crt`
@@ -45,3 +53,5 @@ For testing purposes we need following files:
 - `RootCA.pem`
 - `localhost.crt`
 - `localhost.key`
+- `localhost_ecc.crt`
+- `localhost_ecc.key`
diff --git a/tests/testdata/tls/localhost_ecc.crt b/tests/testdata/tls/localhost_ecc.crt
new file mode 100644
index 0000000000..b9393b93ef
--- /dev/null
+++ b/tests/testdata/tls/localhost_ecc.crt
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICqjCCAZKgAwIBAgIULvZQk8us6eYdpKZraHVkW8YKL/IwDQYJKoZIhvcNAQEL +BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAgFw0y +NDA0MDYwNzM4MDlaGA8yMTIzMDMxNDA3MzgwOVowbTELMAkGA1UEBhMCVVMxEjAQ +BgNVBAgMCVlvdXJTdGF0ZTERMA8GA1UEBwwIWW91ckNpdHkxHTAbBgNVBAoMFEV4 +YW1wbGUtQ2VydGlmaWNhdGVzMRgwFgYDVQQDDA9sb2NhbGhvc3QubG9jYWwwWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAATWOALcgzz4LbNikhjVGpkOCUmR8NahjfFw +9pNBuyZnaTcjfeGfiPaV0iQqvTuQnmL+fTBw8PKxzlKGpzsodQaWo1EwTzAfBgNV +HSMEGDAWgBTzut+pwwDfqmMYcI9KNWRDhxcIpTAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIE8DAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBABWp +5LsGj5mWGIy7XpksXb0k2e3fUh+CobNl4JbvE7em68nuyojm0+/vEs8Bpd9vJaUo +tU1btyTO8xUlOGeyNa9Ddd2gj3oB8IGMjxhazWTSDseZ/WqBt6OudPMmnj+jPRQL +8Hb0vyXfmabZnWO9WH9/tcCoGdUdKo2KYN/7M2ojSeRq/4BIL08lC2SVX8DlBG40 +8aj3FJo9xsUG59NI31iXVN1UPEN2pakKRJdSVdpbBjxDaEoLw/TB02gqfA43T1fU +wKz+0UYxSCjeW0lOZ3wlaNN2KqiHLuQ6ePG5kqD8aRufmYWK/ImlO/ZiSX60GiPu +K1cC6aWEohOhx+k424Y= +-----END CERTIFICATE----- diff --git a/tests/testdata/tls/localhost_ecc.csr b/tests/testdata/tls/localhost_ecc.csr new file mode 100644 index 0000000000..646c12034f --- /dev/null +++ b/tests/testdata/tls/localhost_ecc.csr @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBKDCBzwIBADBtMQswCQYDVQQGEwJVUzESMBAGA1UECAwJWW91clN0YXRlMREw +DwYDVQQHDAhZb3VyQ2l0eTEdMBsGA1UECgwURXhhbXBsZS1DZXJ0aWZpY2F0ZXMx +GDAWBgNVBAMMD2xvY2FsaG9zdC5sb2NhbDBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABNY4AtyDPPgts2KSGNUamQ4JSZHw1qGN8XD2k0G7JmdpNyN94Z+I9pXSJCq9 +O5CeYv59MHDw8rHOUoanOyh1BpagADAKBggqhkjOPQQDAgNIADBFAiBhQS10Z4WC +nWEeW1WW1JjFSEZLnM/+SwFRnd5qi4XDOgIhAKANBw+FekrP0NppVCLN/RC7DTra +jFvKH2rUuewC6iXR +-----END CERTIFICATE REQUEST----- diff --git a/tests/testdata/tls/localhost_ecc.key b/tests/testdata/tls/localhost_ecc.key new file mode 100644 index 0000000000..f1efd4b071 --- /dev/null +++ b/tests/testdata/tls/localhost_ecc.key 
@@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEILL8H0x2ZP/ZZ+CwmKLS/zRleO7k7NBgWH0P767zYvlVoAoGCCqGSM49 +AwEHoUQDQgAE1jgC3IM8+C2zYpIY1RqZDglJkfDWoY3xcPaTQbsmZ2k3I33hn4j2 +ldIkKr07kJ5i/n0wcPDysc5Shqc7KHUGlg== +-----END EC PRIVATE KEY-----
diff --git a/tests/unit/tls_test.ts b/tests/unit/tls_test.ts
index 84c5e0f306..81d8de3150 100644
--- a/tests/unit/tls_test.ts
+++ b/tests/unit/tls_test.ts
@@ -1633,3 +1633,16 @@ Deno.test(
 }, Deno.errors.InvalidData);
 },
 );
+
+Deno.test(
+ { permissions: { net: true, read: true } },
+ function listenTLSEcKey() {
+ const listener = Deno.listenTls({
+ hostname: "localhost",
+ port: 0,
+ certFile: "tests/testdata/tls/localhost_ecc.crt",
+ keyFile: "tests/testdata/tls/localhost_ecc.key",
+ });
+ listener.close();
+ },
+);
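Review bot: `listenTLSEcKey` closes the listener without any client connecting, so it shows at most that the EC key file is accepted when the listener is created, not that a handshake with the ECDSA certificate completes. Accepting one connection and calling `handshake()` on both ends would cover the signing path; the test function has to become `async` for that. The sketch below assumes `localhost_ecc.crt` is signed by the `RootCA.pem` fixture listed in the README and that its subject alternative name covers `localhost`.

```typescript
  async function listenTLSEcKey() {
    // … unchanged: const listener = Deno.listenTls({ hostname, port, certFile, keyFile }) …
    const caCert = Deno.readTextFileSync("tests/testdata/tls/RootCA.pem");
    const { port } = listener.addr as Deno.NetAddr;
    const [server, client] = await Promise.all([
      listener.accept(),
      Deno.connectTls({ hostname: "localhost", port, caCerts: [caCert] }),
    ]);
    await Promise.all([server.handshake(), client.handshake()]);
    client.close();
    server.close();
    listener.close();
```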