

Add built-in support for rustls-platform-verifier
djc committed Jan 24, 2024
1 parent bd4f31b commit 475a729
Showing 3 changed files with 37 additions and 1 deletion.
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
log = { version = "0.4.4", optional = true }
pki-types = { package = "rustls-pki-types", version = "1" }
rustls-native-certs = { version = "0.7", optional = true }
rustls-platform-verifier = { version = "0.2", optional = true }
rustls = { version = "0.22", default-features = false }
tokio = "1.0"
tokio-rustls = { version = "0.25", default-features = false }
25 changes: 24 additions & 1 deletion src/config.rs
@@ -1,4 +1,11 @@
#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
#[cfg(feature = "rustls-platform-verifier")]
use std::sync::Arc;

#[cfg(any(
feature = "rustls-platform-verifier",
feature = "rustls-native-certs",
feature = "webpki-roots"
))]
use rustls::client::WantsClientCert;
use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};

Expand All @@ -7,6 +14,14 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
/// This adds methods (gated by crate features) for easily configuring
/// TLS server roots a rustls ClientConfig will trust.
pub trait ConfigBuilderExt {
/// Use the platform's native verifier to verify server certificates.
///
/// See the documentation for [rustls-platform-verifier] for more details.
///
/// [rustls-platform-verifier]: https://docs.rs/rustls-platform-verifier
#[cfg(feature = "rustls-platform-verifier")]
fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;

/// This configures the platform's trusted certs, as implemented by
/// rustls-native-certs
///
Expand All @@ -22,6 +37,14 @@ pub trait ConfigBuilderExt {
}

impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
#[cfg(feature = "rustls-platform-verifier")]
fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
self.dangerous()
.with_custom_certificate_verifier(Arc::new(
rustls_platform_verifier::Verifier::default(),
))
}

#[cfg(feature = "rustls-native-certs")]
#[cfg_attr(not(feature = "logging"), allow(unused_variables))]
fn with_native_roots(self) -> std::io::Result<ConfigBuilder<ClientConfig, WantsClientCert>> {
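Review bot: The body of `with_platform_verifier` in the third hunk, `self.dangerous().with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::default()))`, carries no comment explaining why a `dangerous()` call is acceptable on this path, so anyone auditing the crate for `dangerous` will have to re-derive that it is merely rustls' entry point for installing a non-webpki verifier rather than a weakening of verification. A why-comment above the call such as `// dangerous() is only rustls' hook for a custom verifier; the platform verifier still performs full chain and server-name validation via the OS trust store.` would make that explicit. The method's doc on the trait (second hunk) should likewise state that server roots come from the OS trust store rather than from webpki-roots or rustls-native-certs, and, if the 0.2 crate still requires platform-specific runtime initialisation before `Verifier::default()` is usable (Android in particular), say so there — confirm against the crate's own docs. The `impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier>` block continues past the end of the hunk.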
12 changes: 12 additions & 0 deletions src/connector/builder.rs
Expand Up @@ -51,6 +51,18 @@ impl ConnectorBuilder<WantsTlsConfig> {
ConnectorBuilder(WantsSchemes { tls_config: config })
}

/// Use rustls' default crypto provider and other defaults, and the platform verifier
///
/// See [`ConfigBuilderExt::with_platform_verifier()`].
#[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
pub fn with_platform_verifier(self) -> ConnectorBuilder<WantsSchemes> {
self.with_tls_config(
ClientConfig::builder()
.with_platform_verifier()
.with_no_client_auth(),
)
}

/// Shorthand for using rustls' default crypto provider and safe defaults, with
/// native roots.
///
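Review bot: The doc summary on the new `with_platform_verifier` (`/// Use rustls' default crypto provider and other defaults, and the platform verifier`) does not match the phrasing of the sibling shorthand documented directly below it and lacks a terminating period; `/// Shorthand for using rustls' default crypto provider and safe defaults, with the platform verifier.` keeps the two rustdoc entries parallel. It would also help callers to state that this shorthand hard-codes `with_no_client_auth()`, so anyone who needs a client certificate must build the `ClientConfig` themselves and pass it through `with_tls_config`. The `impl ConnectorBuilder<WantsTlsConfig>` block begins and ends outside the hunk.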
