Add built-in support for rustls-platform-verifier
djc committed Jan 24, 2024
1 parent ad93d22 commit f669de5
Showing 3 changed files with 29 additions and 1 deletion.
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
log = { version = "0.4.4", optional = true }
pki-types = { package = "rustls-pki-types", version = "1" }
rustls-native-certs = { version = "0.7", optional = true }
rustls-platform-verifier = { version = "0.2", optional = true }
rustls = { version = "0.22", default-features = false }
tokio = "1.0"
tokio-rustls = { version = "0.25", default-features = false }
17 changes: 16 additions & 1 deletion src/config.rs
@@ -1,4 +1,7 @@
#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
#[cfg(feature = "rustls-platform-verifier")]
use std::sync::Arc;

#[cfg(any(feature = "rustls-platform-verifier", feature = "rustls-native-certs", feature = "webpki-roots"))]
use rustls::client::WantsClientCert;
use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};

Expand All @@ -7,6 +10,10 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
/// This adds methods (gated by crate features) for easily configuring
/// TLS server roots a rustls ClientConfig will trust.
pub trait ConfigBuilderExt {
/// Use the platform's native verifier to verify server certificates.
#[cfg(feature = "rustls-platform-verifier")]
fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;

/// This configures the platform's trusted certs, as implemented by
/// rustls-native-certs
///
Expand All @@ -22,6 +29,14 @@ pub trait ConfigBuilderExt {
}

impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
#[cfg(feature = "rustls-platform-verifier")]
fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
self.dangerous()
.with_custom_certificate_verifier(Arc::new(
rustls_platform_verifier::Verifier::default(),
))
}

#[cfg(feature = "rustls-native-certs")]
#[cfg_attr(not(feature = "logging"), allow(unused_variables))]
fn with_native_roots(self) -> std::io::Result<ConfigBuilder<ClientConfig, WantsClientCert>> {
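Review bot: The doc comment on the new `with_platform_verifier` trait method (second hunk, "Use the platform's native verifier to verify server certificates.") does not tell the caller that the implementation in the third hunk goes through `self.dangerous()` and swaps out rustls' built-in webpki verification entirely, which is the property someone picking this method over `with_native_roots` needs to know. Suggest expanding it to `/// Use the platform's native verifier (rustls-platform-verifier) to verify server certificates.` followed by `/// This replaces rustls' built-in webpki chain validation: trust roots, chain building and revocation handling come from the OS, and roots from rustls-native-certs or webpki-roots are not consulted.` If rustls-platform-verifier 0.2 still requires a platform-specific initialization step on some targets (its Android support is the case I recall), a one-line pointer to the crate's docs here would save users a runtime failure; please confirm against the 0.2 docs before stating it. The enclosing `impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier>` block continues past the end of the hunk.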
12 changes: 12 additions & 0 deletions src/connector/builder.rs
Expand Up @@ -51,6 +51,18 @@ impl ConnectorBuilder<WantsTlsConfig> {
ConnectorBuilder(WantsSchemes { tls_config: config })
}

/// Use rustls' default crypto provider and other defaults, and the platform verifier
///
/// See [`ConfigBuilderExt::with_platform_verifier()'].
#[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
pub fn with_platform_verifier(self) -> ConnectorBuilder<WantsSchemes> {
self.with_tls_config(
ClientConfig::builder()
.with_platform_verifier()
.with_no_client_auth(),
)
}

/// Shorthand for using rustls' default crypto provider and safe defaults, with
/// native roots.
///
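Review bot: The intra-doc link on the `See` line of the new `with_platform_verifier` docs is malformed: `[`ConfigBuilderExt::with_platform_verifier()']` opens the code span with a backtick but closes it with an apostrophe, so rustdoc will not resolve the link and will likely emit a broken-link warning. Replace the apostrophe with a backtick so the line reads `/// See [`ConfigBuilderExt::with_platform_verifier()`].`. The summary line above it also lacks a terminating period, unlike the neighbouring `with_native_roots` docs; `/// Use rustls' default crypto provider and other defaults, and the platform verifier.` keeps the two consistent. The enclosing `impl ConnectorBuilder<WantsTlsConfig>` block starts and ends outside the hunk.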