RUST-1122 Fix x509 auth for pkcs8 keys and Atlas free tier (#532) (#536)

abr-egn · web-flow · commit d2d7e50af255 · 2021-12-14T14:04:58.000-05:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -46,6 +46,7 @@ md-5 = "0.9.1"
 os_info = { version = "3.0.1", default-features = false }
 percent-encoding = "2.0.0"
 rand = { version = "0.7.2", features = ["small_rng"] }
+rustls-pemfile = "0.2.1"
 serde_with = "1.3.1"
 sha-1 = "0.9.4"
 sha2 = "0.9.3"
diff --git a/src/client/auth/x509.rs b/src/client/auth/x509.rs
@@ -51,16 +51,20 @@ pub(super) async fn authenticate_stream(
     server_api: Option<&ServerApi>,
     server_first: impl Into<Option<Document>>,
 ) -> Result<()> {
-    let server_response = match server_first.into() {
-        Some(server_first) => server_first,
+    let server_response: Document = match server_first.into() {
+        Some(_) => return Ok(()),
         None => {
             send_client_first(conn, credential, server_api)
                 .await?
                 .raw_response
         }
     };
 
-    if server_response.get_str("dbname") != Ok("$external") {
+    if server_response
+        .get("ok")
+        .and_then(crate::bson_util::get_int)
+        != Some(1)
+    {
         return Err(Error::authentication_error(
             "MONGODB-X509",
             "Authentication failed",
diff --git a/src/client/options/mod.rs b/src/client/options/mod.rs
@@ -22,6 +22,7 @@ use rustls::{
     ServerCertVerifier,
     TLSError,
 };
+use rustls_pemfile::{read_one, Item};
 use serde::{
     de::{Error, Unexpected},
     Deserialize,
@@ -615,19 +616,23 @@ impl TlsOptions {
             };
 
             file.seek(SeekFrom::Start(0))?;
-            let key = match pemfile::rsa_private_keys(&mut file) {
-                Ok(key) => key,
-                Err(()) => {
-                    return Err(ErrorKind::ParseError {
-                        data_type: "PEM-encoded RSA key".to_string(),
-                        file_path: path,
+            let key = loop {
+                match read_one(&mut file) {
+                    Ok(Some(Item::PKCS8Key(bytes))) | Ok(Some(Item::RSAKey(bytes))) => {
+                        break rustls::PrivateKey(bytes)
+                    }
+                    Ok(Some(_)) => continue,
+                    Ok(None) | Err(_) => {
+                        return Err(ErrorKind::ParseError {
+                            data_type: "PEM-encoded keys".to_string(),
+                            file_path: path,
+                        }
+                        .into())
                     }
-                    .into())
                 }
             };
 
-            // TODO: Get rid of unwrap.
-            config.set_single_client_cert(certs, key.into_iter().next().unwrap())?;
+            config.set_single_client_cert(certs, key)?;
         }
 
         Ok(config)
