Updates for released versions of rustls 0.20 and rustls-native-certs 0.6
Convenience functions for rustls client configuration are now in a ConfigBuilderExt trait extending rustls::ConfigBuilder. SCT validation against certificate-transparency logs is disabled: enabling it (in a way that would be as compatible as Chromium's) would require a number of intrusive policies to deal with log validity/expiration. Parts of ConfigBuilderExt::with_native_roots come from rustls::RootCertStore::add_parsable_certificates, which cannot be used directly due to a newtype in rustls-native-certs.
Showing
6 changed files
with
89 additions
and
74 deletions.
@@ -0,0 +1,63 @@ | ||
use rustls::{ClientConfig, ConfigBuilder, WantsVerifier}; | ||
|
||
/// Methods for configuring roots | ||
/// | ||
/// This adds methods (gated by crate features) for easily configuring | ||
/// TLS server roots a rustls ClientConfig will trust. | ||
pub trait ConfigBuilderExt { | ||
/// This configures the platform's trusted certs, as implemented by | ||
/// rustls-native-certs | ||
#[cfg(feature = "rustls-native-certs")] | ||
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))] | ||
fn with_native_roots(self) -> ClientConfig; | ||
|
||
/// This configures the webpki roots, which are Mozilla's set of | ||
/// trusted roots as packaged by webpki-roots. | ||
#[cfg(feature = "webpki-roots")] | ||
#[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))] | ||
fn with_webpki_roots(self) -> ClientConfig; | ||
} | ||
|
||
impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> { | ||
#[cfg(feature = "rustls-native-certs")] | ||
#[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))] | ||
fn with_native_roots(self) -> ClientConfig { | ||
let mut roots = rustls::RootCertStore::empty(); | ||
let mut valid_count = 0; | ||
let mut invalid_count = 0; | ||
|
||
for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") | ||
{ | ||
let cert = rustls::Certificate(cert.0); | ||
match roots.add(&cert) { | ||
Ok(_) => valid_count += 1, | ||
Err(err) => { | ||
log::trace!("invalid cert der {:?}", cert.0); | ||
log::debug!("certificate parsing failed: {:?}", err); | ||
invalid_count += 1 | ||
} | ||
} | ||
} | ||
log::debug!( | ||
"with_native_roots processed {} valid and {} invalid certs", | ||
valid_count, invalid_count | ||
); | ||
assert!(!roots.is_empty(), "no CA certificates found"); | ||
|
||
self.with_root_certificates(roots).with_no_client_auth() | ||
} | ||
|
||
#[cfg(feature = "webpki-roots")] | ||
#[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))] | ||
fn with_webpki_roots(self) -> ClientConfig { | ||
let mut roots = rustls::RootCertStore::empty(); | ||
roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| { | ||
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints( | ||
ta.subject, | ||
ta.spki, | ||
ta.name_constraints, | ||
) | ||
})); | ||
self.with_root_certificates(roots).with_no_client_auth() | ||
} | ||
} |
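Review bot: Both methods finish with `with_no_client_auth()` and, per the commit message, leave no certificate-transparency policy in the resulting `ClientConfig`, yet the doc comments on `with_native_roots` and `with_webpki_roots` describe only which roots are trusted, so a caller taking the "convenience" path cannot see from rustdoc that SCT validation is off and mutual TLS is unavailable. I would extend the `/// Methods for configuring roots` doc block with a sentence such as `/// Both methods produce a config with no client authentication and no certificate-transparency (SCT) policy; use the rustls builder directly if you need either.` `with_native_roots` also panics at runtime through `expect("could not load platform certs")` and `assert!(!roots.is_empty(), "no CA certificates found")` when the platform store cannot be read or yields no parseable CA; failing closed is the right default for a trust store, but a `/// # Panics` section naming both conditions would let callers decide whether to wrap the call. The `log::trace!("invalid cert der {:?}", cert.0)` line dumps the full DER of every rejected certificate, which is harmless for public CA material but can be large per entry; logging a length or the parse error alone is an optional tidy-up.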