Add MTLS Support #657
Closed
Add MTLS Support #657
Commits on Sep 11, 2018
-
* Add an optional configuration for Rocket.toml, ca_certs, to take in a directory and use it for MTLS. * Update Cargo.toml to point to fork of hyper-sync-rustls with updates for MTLS.
-
Make TLS peer certificates available to Request
* Save peer certificates from network stream to Data * Add peer_certs field to Request * Move certificates from Data to Request
-
-
Add client certificate verification.
* Lookup domain name associated with client's IP Address. * Verify that the domain name match the certificate common name.
-
* Clean up code. * Added better comments.
-
Make MTLS certificate store path optional.
* Make cert_store_path optional. * Modify code sample to reflect changes.
-
Consolidate TLS and MTLS and add retrievable certificate information.
* Move mtls.rs contents into tls.rs. * Parse certificat into MutualTlsUser. * Create getter methods for MutualTlsUser. * Generate MutualTlsUser from first accepted certificate from array the client provides.
-
-
Make MutualTlsUser more robust.
* Add more comments explaining sections of code. * Add documentation and examples. * Remove public key and signature from MutualTlsUser. * Improve error handling to not panic when generating a new MutualTlsUser. * Replace unwraps with exceptions to specify what failed.
-
-
* Combine lines of code that can be together and simplify get_not_before and get_not_after method names. * Remove methods referenced in comments that are no longer implemented.
-
-
-
* Use combinators instead of explicit matches where possible * Remove some clone() calls * Return references instead of copies
-
-
Move name validation logic into
tlsThis keeps the internals of the name validation out of the `from_request` logic for `MutualTlsUser`, which is currently still in the core rocket lib to avoid circular dependencies.
-
Remove certificate parsing from MutualTlsUser
Even without exposing the certificate details, MutualTlsUser provides a guard that only allows authenticated clients to connect. Removing the certificate parsing will allow this functionality to be added before all the details of parsing the certificates have been figured out. * Remove all fields and methods from MutualTlsUser * Remove openssl dependency * Update tests
-
Expose subject name for
MutualTlsUserThis is not necessarily the value stored in the subject name of the certificate, but it is the name for which the provided certifcate was validated.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.