From 17a41523edf3745ab8fdb1ce21facb8781ab33bd Mon Sep 17 00:00:00 2001
From: Leonardo Lima
Date: Fri, 27 Sep 2024 14:00:30 -0300
Subject: [PATCH] fix: `NoCertificateVerification` implementation

It updates the `NoCertificateVerification` implementation of `rustls::client::danger::ServerCertVerifier` trait, it keeps the usage of both `ServerCertVerified::assertion()` and `HandshakeSignatureValid::assertion()` usage, but now instead of having an empty vector vector of supported `SignatureScheme`, it uses the ones supported by the used `CryptoProvider`.
---
 src/raw_client.rs | 45 +++++++++++++++++++++++++++------------------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/src/raw_client.rs b/src/raw_client.rs
index e278c84..3cf7326 100644
--- a/src/raw_client.rs
+++ b/src/raw_client.rs
@@ -299,23 +299,29 @@ impl RawClient {
 ))]
 mod danger {
 use crate::raw_client::ServerName;
- use rustls::client::danger::ServerCertVerified;
- use rustls::pki_types::CertificateDer;
- use rustls::pki_types::UnixTime;
- use rustls::Error;
+ use rustls::pki_types::{CertificateDer, UnixTime};
+ use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified};
+ use rustls::crypto::CryptoProvider;
+ use rustls::DigitallySignedStruct;
 
 #[derive(Debug)]
- pub struct NoCertificateVerification {}
+ pub struct NoCertificateVerification(CryptoProvider);
+
+ impl NoCertificateVerification {
+ pub fn new(provider: CryptoProvider) -> Self {
+ Self(provider)
+ }
+ }
 
 impl rustls::client::danger::ServerCertVerifier for NoCertificateVerification {
 fn verify_server_cert(
 &self,
- _end_entity: &CertificateDer,
- _intermediates: &[CertificateDer],
- _server_name: &ServerName,
- _ocsp_response: &[u8],
+ _end_entity: &CertificateDer<'_>,
+ _intermediates: &[CertificateDer<'_>],
+ _server_name: &ServerName<'_>,
+ _ocsp: &[u8],
 _now: UnixTime,
- ) -> Result {
+ ) -> Result {
 Ok(ServerCertVerified::assertion())
 }
 
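Review bot: `NoCertificateVerification` and its new `new` constructor have no doc comment, although `verify_server_cert` returns `ServerCertVerified::assertion()` for every certificate, so a connection built with this verifier is encrypted but not authenticated. A doc comment on the struct would make that visible to anyone constructing it, for example `/// Accepts any server certificate and handshake signature; the peer is not authenticated.` As far as the visible lines show, the stored `CryptoProvider` is only read for `signature_verification_algorithms`, so holding just that field would be enough. The `impl ServerCertVerifier` block continues past the end of this hunk.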
@@ -323,22 +329,22 @@ mod danger {
 &self,
 _message: &[u8],
 _cert: &CertificateDer<'_>,
- _dss: &rustls::DigitallySignedStruct,
- ) -> Result {
- Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+ _dss: &DigitallySignedStruct,
+ ) -> Result {
+ Ok(HandshakeSignatureValid::assertion())
 }
 
 fn verify_tls13_signature(
 &self,
 _message: &[u8],
 _cert: &CertificateDer<'_>,
- _dss: &rustls::DigitallySignedStruct,
- ) -> Result {
- Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
+ _dss: &DigitallySignedStruct,
+ ) -> Result {
+ Ok(HandshakeSignatureValid::assertion())
 }
 
 fn supported_verify_schemes(&self) -> Vec {
- vec![]
+ self.0.signature_verification_algorithms.supported_schemes()
 }
 }
 }
@@ -420,7 +426,10 @@ impl RawClient {
 builder
 .dangerous()
 .with_custom_certificate_verifier(std::sync::Arc::new(
- danger::NoCertificateVerification {},
+ #[cfg(feature = "use-rustls")]
+ danger::NoCertificateVerification::new(rustls::crypto::aws_lc_rs::default_provider()),
+ #[cfg(feature = "use-rustls-ring")]
+ danger::NoCertificateVerification::new(rustls::crypto::aws_lc_rs::default_provider()),
 ))
 .with_no_client_auth()
 };
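Review bot: `supported_verify_schemes` now advertises the provider's schemes, but `verify_tls12_signature` and `verify_tls13_signature` still return `HandshakeSignatureValid::assertion()` without reading `_dss`, so a wrong or malformed handshake signature is accepted. With the provider now stored, each body could delegate instead, e.g. `rustls::crypto::verify_tls12_signature(message, cert, dss, &self.0.signature_verification_algorithms)` and the `verify_tls13_signature` counterpart. This does not authenticate the server, because the certificate is still unchecked, but it keeps the signature check of the handshake intact. The signature line of `verify_tls12_signature` lies above the hunk, and the return types are not fully visible here, so the error type may need re-importing.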
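Review bot: Both `#[cfg]` arms inside `Arc::new(` pass `rustls::crypto::aws_lc_rs::default_provider()`, so the `use-rustls-ring` arm is a copy of the `use-rustls` one. With only the ring backend enabled, the `aws_lc_rs` module is presumably not compiled in and the build fails. The second arm should read `danger::NoCertificateVerification::new(rustls::crypto::ring::default_provider()),`. If both features can be enabled together, both expressions survive and `Arc::new` receives two arguments, so the arms likely need to be mutually exclusive, e.g. `#[cfg(all(feature = "use-rustls-ring", not(feature = "use-rustls")))]` on the second. The enclosing function starts and ends outside the hunk.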