Fix self-signed certificate generation

Cargo.toml

@@ -11,7 +11,7 @@ exclude = ["tests/*"]
 categories = ["database"]
 
 [package.metadata.docs.rs]
-features = ["etl", "chrono", "rust_decimal", "uuid"]
+features = ["etl", "chrono", "rust_decimal", "uuid", "compression", "migrate"]
 
 [features]
 # ############################################
@@ -63,6 +63,7 @@ async-compression = { version = "0.4.12", features = [
     "zlib",
 ], optional = true }
 rustls = { version = "0.23.12", default-features = false, features = [
+    "std",
     "tls12",
 ], optional = true }
 native-tls = { version = "0.2.12", optional = true }

src/connection/etl/tls/mod.rs

@@ -4,7 +4,7 @@ mod native_tls;
 mod rustls;
 mod sync_socket;
 
-use rcgen::{Certificate, CertificateParams, KeyPair, PKCS_RSA_SHA256};
+use rcgen::{CertificateParams, KeyPair};
 use rsa::{
     pkcs8::{EncodePrivateKey, LineEnding},
     RsaPrivateKey,
@@ -23,15 +23,18 @@ compile_error!("Only enable one of 'etl_antive_tls' or 'etl_rustls' features");
 
 #[allow(unreachable_code)]
 pub fn tls_with_socket_maker() -> Result<impl WithSocketMaker, SqlxError> {
-    let cert = make_cert()?;
+    let key_pair = make_key()?;
+    let cert = CertificateParams::default()
+        .self_signed(&key_pair)
+        .to_sqlx_err()?;
 
     #[cfg(feature = "etl_native_tls")]
-    return NativeTlsSocketSpawner::new(&cert);
+    return NativeTlsSocketSpawner::new(&cert, &key_pair);
     #[cfg(feature = "etl_rustls")]
-    return RustlsSocketSpawner::new(&cert);
+    return RustlsSocketSpawner::new(&cert, &key_pair);
 }
 
-pub fn make_cert() -> Result<Certificate, SqlxError> {
+fn make_key() -> Result<KeyPair, SqlxError> {
     let mut rng = rand::thread_rng();
     let bits = 2048;
     let private_key = RsaPrivateKey::new(&mut rng, bits).to_sqlx_err()?;
@@ -41,13 +44,7 @@ pub fn make_cert() -> Result<Certificate, SqlxError> {
         .map_err(From::from)
         .map_err(SqlxError::Tls)?;
 
-    let key_pair = KeyPair::from_pem(&key).to_sqlx_err()?;
-
-    let mut params = CertificateParams::default();
-    params.alg = &PKCS_RSA_SHA256;
-    params.key_pair = Some(key_pair);
-
-    Certificate::from_params(params).to_sqlx_err()
+    KeyPair::from_pem(&key).to_sqlx_err()
 }
 
 impl<T> ExaResultExt<T> for Result<T, rcgen::Error> {

src/connection/etl/tls/native_tls.rs

@@ -8,7 +8,7 @@ use std::{
 
 use futures_core::future::BoxFuture;
 use native_tls::{HandshakeError, Identity, TlsAcceptor, TlsStream};
-use rcgen::Certificate;
+use rcgen::{Certificate, KeyPair};
 use sqlx_core::{
     error::Error as SqlxError,
     io::ReadBuf,
@@ -26,11 +26,11 @@ use crate::{
 pub struct NativeTlsSocketSpawner(Arc<TlsAcceptor>);
 
 impl NativeTlsSocketSpawner {
-    pub fn new(cert: &Certificate) -> Result<Self, SqlxError> {
+    pub fn new(cert: &Certificate, key_pair: &KeyPair) -> Result<Self, SqlxError> {
         tracing::trace!("creating 'native-tls' socket spawner");
 
-        let tls_cert = cert.serialize_pem().to_sqlx_err()?;
-        let key = cert.serialize_private_key_pem();
+        let tls_cert = cert.pem();
+        let key = key_pair.serialize_pem();
 
         let ident = Identity::from_pkcs8(tls_cert.as_bytes(), key.as_bytes()).to_sqlx_err()?;
         let acceptor = TlsAcceptor::new(ident).to_sqlx_err()?;

src/connection/etl/tls/rustls.rs

@@ -7,8 +7,8 @@ use std::{
 };
 
 use futures_core::future::BoxFuture;
-use rcgen::Certificate;
-use rustls::{Certificate as RustlsCert, PrivateKey, ServerConfig, ServerConnection};
+use rcgen::{Certificate, KeyPair};
+use rustls::{pki_types::PrivateKeyDer, ServerConfig, ServerConnection};
 use sqlx_core::{
     error::Error as SqlxError,
     io::ReadBuf,
@@ -26,16 +26,15 @@ use crate::{
 pub struct RustlsSocketSpawner(Arc<ServerConfig>);
 
 impl RustlsSocketSpawner {
-    pub fn new(cert: &Certificate) -> Result<Self, SqlxError> {
+    pub fn new(cert: &Certificate, key_pair: &KeyPair) -> Result<Self, SqlxError> {
         tracing::trace!("creating 'rustls' socket spawner");
 
-        let tls_cert = RustlsCert(cert.serialize_der().to_sqlx_err()?);
-        let key = PrivateKey(cert.serialize_private_key_der());
+        let tls_cert = cert.der().clone();
+        let key = PrivateKeyDer::Pkcs8(key_pair.serialize_der().into());
 
         let config = {
             Arc::new(
                 ServerConfig::builder()
-                    .with_safe_defaults()
                     .with_no_client_auth()
                     .with_single_cert(vec![tls_cert], key)
                     .to_sqlx_err()?,