Resolves PR comments

Author: SirCipher

runtime/swimos_remote/src/tls/config/mod.rs

@@ -12,6 +12,9 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use rustls::crypto::CryptoProvider;
+use std::sync::Arc;
+
 /// Supported certificate formats for TLS connections.
 pub enum CertFormat {
     Pem,
@@ -60,9 +63,11 @@ impl PrivateKey {
         Self::new(CertFormat::Pem, body)
     }
 }
-/// Combined TLS configuration (both server and client)/
+/// Combined TLS configuration (both server and client).
 pub struct TlsConfig {
+    /// Configuration parameters for a TLS client.
     pub client: ClientConfig,
+    /// Configuration parameters for a TLS server.
     pub server: ServerConfig,
 }
 
@@ -74,17 +79,26 @@ impl TlsConfig {
 
 /// Configuration parameters for a TLS server.
 pub struct ServerConfig {
+    /// A chain of TLS certificates (starting with the server certificate and ending with the CA).
     pub chain: CertChain,
+    /// An unvalidated private key for a server.
     pub key: PrivateKey,
+    /// Whether to enable a [`KeyLog`] implementation that opens a file whose name is given by the
+    /// `SSLKEYLOGFILE` environment variable, and writes keys into it. While this may be enabled,
+    /// if `SSLKEYLOGFILE` is not set, it will do nothing.
     pub enable_log_file: bool,
+    /// Process-wide [`CryptoProvider`] that must already have been installed as the default
+    /// provider.
+    pub provider: Arc<CryptoProvider>,
 }
 
 impl ServerConfig {
-    pub fn new(chain: CertChain, key: PrivateKey) -> Self {
+    pub fn new(chain: CertChain, key: PrivateKey, provider: Arc<CryptoProvider>) -> Self {
         ServerConfig {
             chain,
             key,
             enable_log_file: false,
+            provider,
         }
     }
 }

runtime/swimos_remote/src/tls/net/server.rs

@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use std::sync::OnceLock;
 use std::{net::SocketAddr, sync::Arc};
 
 use crate::net::{
@@ -23,7 +22,6 @@ use futures::{
     stream::{unfold, BoxStream, FuturesUnordered},
     Future, FutureExt, Stream, StreamExt, TryStreamExt,
 };
-use rustls::crypto::CryptoProvider;
 use rustls::pki_types::PrivateKeyDer;
 use rustls::KeyLogFile;
 use rustls_pemfile::Item;
@@ -36,22 +34,6 @@ use crate::tls::{
     maybe::MaybeTlsStream,
 };
 
-static PROVIDER: OnceLock<Arc<CryptoProvider>> = OnceLock::new();
-
-fn provider() -> Arc<CryptoProvider> {
-    PROVIDER
-        .get_or_init(|| {
-            let provider = rustls::crypto::ring::default_provider();
-            // This will fail if the provider has been initialised elsewhere unexpectedly.
-            provider
-                .clone()
-                .install_default()
-                .expect("Crypto Provider has already been initialised elsewhere.");
-            Arc::new(provider)
-        })
-        .clone()
-}
-
 /// [`ServerConnections`] implementation that only supports secure connections.
 #[derive(Clone)]
 pub struct RustlsServerNetworking {
@@ -92,6 +74,7 @@ impl TryFrom<ServerConfig> for RustlsServerNetworking {
             chain: CertChain(certs),
             key,
             enable_log_file,
+            provider,
         } = config;
 
         let mut chain = vec![];
@@ -115,7 +98,7 @@ impl TryFrom<ServerConfig> for RustlsServerNetworking {
             }
         };
 
-        let mut config = rustls::ServerConfig::builder_with_provider(provider())
+        let mut config = rustls::ServerConfig::builder_with_provider(provider)
             .with_safe_default_protocol_versions()?
             .with_no_client_auth()
             .with_single_cert(chain, server_key)

runtime/swimos_remote/src/tls/net/tests.rs

@@ -46,11 +46,18 @@ fn make_server_config() -> ServerConfig {
         CertificateFile::der(ca_cert),
     ]);
 
+    let provider = rustls::crypto::aws_lc_rs::default_provider();
+    provider
+        .clone()
+        .install_default()
+        .expect("Crypto Provider has already been initialised elsewhere.");
+
     let key = PrivateKey::der(server_key);
     ServerConfig {
         chain,
         key,
         enable_log_file: false,
+        provider: Arc::new(provider),
     }
 }