Rustls and pem files: possibility of hard coding?

I'm currently using rustls and rustls_pemfile like this:

```rust
let mut root_cert_store = rustls::RootCertStore::empty();
let mut pem = std::io::BufReader::new(std::fs::File::open("cert.pem").unwrap());
let certs = rustls_pemfile::certs(&mut pem).unwrap();
for cert in certs.into_iter().map(rustls::Certificate) {
    root_cert_store.add(&cert).unwrap();
}

let tls_config = rustls::ClientConfig::builder()
    .with_safe_defaults()
    .with_root_certificates(root_cert_store)
    .with_no_client_auth();
```

That .pem file was converted from a .crt downloaded from Digital Ocean, and converted using the following command:

```
openssl x509 -in ca-certificate.crt -out cert.pem -outform PEM
```

This is the only way to properly connect to a managed DO PostgreSQL instance. Unfortunately, I did not want to ship my binary with a .pem file, or deal with I/O at all. Is there an interface that would allow me to hardcode the PEM file as a string constant and send it to rustls?

`include_bytes!` can embed any file into the executable as a `&'static [u8]`. You can also write a build script to generate the file at compile time if you need to.

I'm not a crypto expert, so I can't speak to whether or not this is a good idea from a security perspective.

2 Likes

Neither am I, but if the PEM file contains private key data then it's a vulnerability waiting to be exploited.

If it only contains a public key, on the other hand, then it's perfectly fine, if a bit lacking in configurability, e.g. for key updates.

4 Likes
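As an added example (not code from this thread or from rustls), here is a std-only startup check covering the two points above: a PEM embedded as a constant can be read through a byte slice with no file I/O, and it should be rejected if it carries anything other than certificates. `EMBEDDED_PEM` is a constructed placeholder, and `pem_labels` and `check_public_only` are hypothetical helper names.

```rust
use std::io::{self, BufRead};

// Constructed sample standing in for the real CA file; in a real build this
// would be `include_str!("cert.pem")`, which embeds the file at compile time.
const EMBEDDED_PEM: &str = "-----BEGIN CERTIFICATE-----\n\
MIIBconstructedPlaceholderNotARealCertificate\n\
-----END CERTIFICATE-----\n";

/// Collect the label of every `-----BEGIN <label>-----` line in a PEM stream.
/// Works on any `BufRead`, the same kind of reader `rustls_pemfile::certs` takes.
fn pem_labels<R: BufRead>(reader: R) -> io::Result<Vec<String>> {
    let mut labels = Vec::new();
    for line in reader.lines() {
        let line = line?;
        if let Some(rest) = line.trim().strip_prefix("-----BEGIN ") {
            if let Some(label) = rest.strip_suffix("-----") {
                labels.push(label.to_string());
            }
        }
    }
    Ok(labels)
}

/// Accept the embedded PEM only if it holds certificates and nothing else.
/// Returns the number of certificate blocks found.
fn check_public_only(pem: &str) -> Result<usize, String> {
    // `&[u8]` implements `BufRead`, so no file handle or BufReader is needed.
    let labels = pem_labels(pem.as_bytes()).map_err(|e| e.to_string())?;
    if labels.is_empty() {
        return Err("no PEM blocks found".to_string());
    }
    for label in &labels {
        if label != "CERTIFICATE" {
            // Catches "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", etc.
            return Err(format!("unexpected PEM block: {}", label));
        }
    }
    Ok(labels.len())
}

fn main() {
    match check_public_only(EMBEDDED_PEM) {
        Ok(n) => println!("embedded PEM holds {} certificate(s), no key material", n),
        Err(e) => panic!("refusing to use embedded PEM: {}", e),
    }
}
```

The same `pem.as_bytes()` slice can be passed as `&mut` reader to `rustls_pemfile::certs` in place of the `BufReader` over a file.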

Not an expert here either, but keep in mind that this is not encryption, only mild obfuscation at best. Like hiding your money in the cookie jar. A determined snooper can look for something that looks like the content of a pem file in your binary (you can try opening it with a hex editor), and it will be clear as day. A separate file or storage will at least let you switch it out if you need to, without having to compile again.

2 Likes

Thank you! This worked great. Also a neat feature to know. 🙂

It's fine to include the private key as long as you treat the compiled binary as a secret.

3 Likes