Add Certificate newtype that supports CA chains.

Author: reyk

.ci/certs/ca-chain.crt

@@ -0,0 +1,65 @@
+ISRG Root X1 (self-signed):
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----
+Let's Encrypt Authority X3 (Signed by ISRG Root X1):
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----

elasticsearch/src/cert.rs

@@ -16,8 +16,9 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-//! Certificate components
-pub use reqwest::Certificate;
+
+use crate::error::Error;
+use std::{io::BufRead, ops::Deref, vec};
 
 /// Validation applied to a SSL/TLS certificate, to establish a HTTPS connection.
 ///
@@ -182,3 +183,88 @@ pub enum CertificateValidation {
     /// attempting to resolve TLS errors, and **its use on production clusters is strongly discouraged**.
     None,
 }
+
+/// Start marker for PEM encoded certificates.
+const BEGIN_CERTIFICATE: &str = "-----BEGIN CERTIFICATE-----";
+
+/// End marker for PEM encoded certificates.
+const END_CERTIFICATE: &str = "-----END CERTIFICATE-----";
+
+/// Represents a server X509 certificate chain.
+pub struct Certificate(Vec<reqwest::Certificate>);
+
+impl Certificate {
+    /// Create a `Certificate` chain from PEM encoded certificates.
+    ///
+    /// The `pem` input data may contain one or more PEM encoded CA certificates.
+    ///
+    /// # Optional
+    /// This requires the `native-tls`, or `rustls-tls` feature to be enabled.
+    #[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
+    pub fn from_pem(pem: &[u8]) -> Result<Self, Error> {
+        let reader = std::io::BufReader::new(std::io::Cursor::new(pem));
+
+        // Split the PEM cert into parts without validating the
+        // contents as this will be done by the
+        // `reqwest::Certificate::from_pem` call itself.
+        let mut certs = Vec::new();
+        let mut cert = Vec::new();
+        let mut begin = false;
+        for line in reader.lines() {
+            let line = line?;
+            match line.as_ref() {
+                BEGIN_CERTIFICATE if !begin => {
+                    begin = true;
+                    cert.push(line);
+                }
+                END_CERTIFICATE if begin => {
+                    begin = false;
+                    cert.push(line);
+                    certs.push(reqwest::Certificate::from_pem(cert.join("\n").as_bytes())?);
+                    cert = Vec::new();
+                }
+                _ if begin => cert.push(line),
+                _ => {}
+            }
+        }
+
+        if certs.is_empty() {
+            Err(Error::lib(
+                "could not find PEM certificate in input data".to_string(),
+            ))
+        } else {
+            Ok(Self(certs))
+        }
+    }
+
+    /// Create a `Certificate` from a binary DER encoded certificate.
+    ///
+    /// # Optional
+    /// This requires the `native-tls`, or `rustls-tls` feature to be enabled.
+    #[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
+    pub fn from_der(der: &[u8]) -> Result<Self, Error> {
+        Ok(Self(vec![reqwest::Certificate::from_der(der)?]))
+    }
+
+    /// Append a `Certificate` to the chain.
+    pub fn append(&mut self, mut cert: Self) {
+        self.0.append(&mut cert.0);
+    }
+}
+
+impl IntoIterator for Certificate {
+    type Item = reqwest::Certificate;
+    type IntoIter = vec::IntoIter<Self::Item>;
+
+    fn into_iter(self) -> Self::IntoIter {
+        self.0.into_iter()
+    }
+}
+
+impl Deref for Certificate {
+    type Target = Vec<reqwest::Certificate>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}

elasticsearch/src/http/transport.rs

@@ -216,10 +216,17 @@ impl TransportBuilder {
             client_builder = match v {
                 CertificateValidation::Default => client_builder,
                 #[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
-                CertificateValidation::Full(c) => client_builder.add_root_certificate(c),
+                CertificateValidation::Full(chain) => {
+                    chain.into_iter().fold(client_builder, |client_builder, c| {
+                        client_builder.add_root_certificate(c)
+                    })
+                }
                 #[cfg(feature = "native-tls")]
-                CertificateValidation::Certificate(c) => client_builder
-                    .add_root_certificate(c)
+                CertificateValidation::Certificate(chain) => chain
+                    .into_iter()
+                    .fold(client_builder, |client_builder, c| {
+                        client_builder.add_root_certificate(c)
+                    })
                     .danger_accept_invalid_hostnames(true),
                 CertificateValidation::None => client_builder.danger_accept_invalid_certs(true),
             }

elasticsearch/tests/cert.rs

@@ -27,6 +27,7 @@ use os_type::OSType;
 // TODO: These tests require a cluster configured with Security. Figure out best way to surface this e.g. test category, naming convention, etc.
 
 static CA_CERT: &[u8] = include_bytes!("../../.ci/certs/ca.crt");
+static CA_CHAIN_CERT: &[u8] = include_bytes!("../../.ci/certs/ca-chain.crt");
 static TESTNODE_SAN_CERT: &[u8] = include_bytes!("../../.ci/certs/testnode_san.crt");
 static TESTNODE_CERT: &[u8] = include_bytes!("../../.ci/certs/testnode.crt");
 
@@ -90,6 +91,20 @@ async fn full_certificate_ca_validation() -> Result<(), failure::Error> {
     Ok(())
 }
 
+/// Try to load a certificate chain.
+#[tokio::test]
+#[cfg(any(feature = "native-tls", feature = "rustls-tls"))]
+async fn full_certificate_ca_chain_validation() -> Result<(), failure::Error> {
+    let mut cert = Certificate::from_pem(CA_CHAIN_CERT)?;
+    cert.append(Certificate::from_pem(CA_CERT)?);
+    assert_eq!(cert.len(), 3, "expected three certificates in CA chain");
+    let builder =
+        client::create_default_builder().cert_validation(CertificateValidation::Full(cert));
+    let client = client::create(builder);
+    let _response = client.ping().send().await?;
+    Ok(())
+}
+
 /// Certificate provided by the server is the one given to the client and hostname matches
 #[tokio::test]
 #[cfg(all(windows, any(feature = "native-tls", feature = "rustls-tls")))]