fixed #1077 - handle non-standard PKCS8 EC private key PEMs

Cargo.lock

@@ -5762,6 +5762,7 @@ dependencies = [
 name = "warpgate-common"
 version = "0.10.2"
 dependencies = [
+ "aho-corasick",
  "anyhow",
  "argon2",
  "async-trait",

warpgate-common/Cargo.toml

@@ -43,3 +43,4 @@ warpgate-sso = { version = "*", path = "../warpgate-sso" }
 rustls = { version = "0.23", features = ["ring"], default-features = false}
 rustls-pemfile = "1.0"
 webpki = "0.22"
+aho-corasick = "1.1.3"

warpgate-common/src/tls/cert.rs

@@ -1,6 +1,7 @@
 use std::path::Path;
 use std::sync::Arc;
 
+use aho_corasick::AhoCorasick;
 use poem::listener::RustlsCertificate;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
 use rustls::sign::{CertifiedKey, SigningKey};
@@ -58,6 +59,16 @@ impl TlsPrivateKey {
     }
 
     pub fn from_bytes(bytes: Vec<u8>) -> Result<Self, RustlsSetupError> {
+        let bytes = {
+            // https://github.com/rustls/rustls/issues/767
+            let ac = AhoCorasick::new(&[b"EC PRIVATE KEY"]).expect("EC PK AhoCorasick");
+            let mut new_bytes = vec![];
+            ac.replace_all_with_bytes(&bytes, &mut new_bytes, |_, _, dst| {
+                dst.extend_from_slice(b"PRIVATE KEY");
+                true
+            });
+            new_bytes
+        };
         let mut key = rustls_pemfile::pkcs8_private_keys(&mut bytes.as_slice())?
             .drain(..)
             .next()