replace openssl with p12

Cargo.toml

@@ -22,7 +22,7 @@ tls = ["tokio-native-tls"]
 # Noise support
 noise = ["snowstorm", "base64"]
 #QUIC support
-quic = ["quinn", "rustls", "rustls-pemfile", "openssl", "futures-util"]
+quic = ["quinn", "rustls", "rustls-pemfile", "p12", "futures-util"]
 
 # Configuration hot-reload support
 hot-reload = ["notify"]
@@ -76,7 +76,7 @@ atty = "0.2"
 quinn = { version = "0.8.0", optional = true}
 rustls = { version = "*", default-features = false, features = ["quic"], optional = true }
 rustls-pemfile = { version = "*", optional = true }
-openssl = { version = "*", optional = true }
+p12 = { versio = "0.4.0", optional = true }
 futures-util = { version = "*", optional = true}
 
 [build-dependencies]

src/transport/quic.rs

@@ -12,7 +12,7 @@ use crate::config::{TlsConfig, TransportConfig};
 use anyhow::{anyhow, Context, Result};
 use async_trait::async_trait;
 use futures_util::{StreamExt};
-use openssl::pkcs12::Pkcs12;
+use p12::PFX;
 use quinn::{Connecting, Connection, Endpoint, EndpointConfig, Incoming};
 use tokio::fs;
 use tokio::io::{AsyncWrite, ReadBuf};
@@ -163,33 +163,22 @@ impl Transport for QuicTransport {
             .await
             .with_context(|| "Failed to read the `quic.pkcs12`")?;
 
-        let pkcs12 =
-            Pkcs12::from_der(buf.as_slice()).with_context(|| "Failed to open `quic.pkcs12`")?;
+        let pfx = PFX::parse(buf.as_slice()).with_context(|| "Failed to parse `quic.pkcs12`")?;
 
+        let keys = pfx.key_bags(self.config.pkcs12_password.as_ref()
+            .with_context(|| "Expected `quic.pkcs12_password` value to be set")?)
+            .with_context(|| "Could not decrypt  `quic.pkcs12 with `quic.pkcs12_password`")?;
 
-        let parsed = pkcs12
-            .parse(self.config.pkcs12_password.as_ref()
+        let certs = pfx.cert_bags(self.config.pkcs12_password.as_ref()
                 .with_context(|| "Config `quic.pkcs12_password` was not provided")?)
             .with_context(|| "Could not decrypt  `quic.pkcs12` using `quic.pkcs12_password`")?;
 
-        let mut chain: Vec<rustls::Certificate> = parsed
-            .chain
-            .unwrap()
+        let chain: Vec<rustls::Certificate> = certs
             .into_iter()
-            .map(|cert| rustls::Certificate(cert.to_der().unwrap()))
-            .rev()
+            .map(|cert_bytes| rustls::Certificate(cert_bytes))
             .collect();
-        chain.insert(
-            0,
-            rustls::Certificate(
-                parsed
-                    .cert
-                    .to_der()
-                    .with_context(|| "Could not encode server cert as PEM")?,
-            ),
-        );
-
-        let key = rustls::PrivateKey(parsed.pkey.private_key_to_der().unwrap());
+        let key = rustls::PrivateKey(keys.into_iter().next()
+            .with_context(|| "No keys found in `quic.pkcs12`")?);
 
         let mut server_crypto = rustls::ServerConfig::builder()
             .with_safe_defaults()
@@ -204,7 +193,7 @@ impl Transport for QuicTransport {
             .unwrap()
             .datagram_receive_buffer_size(Some(65536))
             .datagram_send_buffer_size(65536)
-            .max_idle_timeout(Some(Duration::from_secs(KEEPALIVE_INTERVAL_SECS).try_into()?));
+            .max_idle_timeout(Some(Duration::from_secs(TIMEOUT_SECS).try_into()?));
 
         server_config.use_retry(true);
         let socket = UdpSocket::bind(addr).await?.into_std()?;