Add client authentication support for rustls
Description of changes:
This PR adds support for client authentication to s2n-quic-rustls
Call-outs:
Testing:
I can write an example for it, but I'm not sure how it's tested automatically yet.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Note that it is already possible to do client authentication in s2n-quic using rustls. Here's an example of how it's done: https://github.com/aws/s2n-quic/tree/main/examples/rustls-mtls. It involves implementing a TLS provider in order to enable client auth in rustls. Is there some reason why that example doesn't work for you/why you need to add this feature to the s2n-quic-rustls crate?
Edit: Actually, we should probably enable client auth in rustls without having to impl the TLS provider. The rustls client auth example we have is a bit heavy-handed.
Of course anyone can use their own Provider to implement mTLS, but why not build it into s2n-quic-rustls, so that it can be as easy as using s2n-quic-tls?
We want to update the rustls dependency first (see #2143) and then we can get this change in.
I'll continue this PR after #2143 is merged, and I want to resolve #1957 in this PR too.
The rustls-mtls example was updated to demonstrate the stuff introduced in this PR.
Some off-topic thoughts: IntoCertificate and IntoPrivateKey make it easier to deal with certificates and keys. However, their behavior depends on the filename extension, and they perform synchronous filesystem I/O. It would probably be better to expose some low-level API that accepts CertificateDer and PrivateKeyDer instead.
Regarding #1957, correct me if I'm wrong, but it seems to be an issue not only for rustls but also for s2n-tls. Some change to Connection needs to be made before it can be implemented, which is out of my ability and interest currently.