refactor: remove webpki
feature, prepare for next refactor
This commit is contained in:
parent
2feb039c11
commit
9806eb6a02
4 changed files with 13 additions and 110 deletions
10
Cargo.lock
generated
10
Cargo.lock
generated
|
@ -890,7 +890,6 @@ dependencies = [
|
|||
"tokio",
|
||||
"tokio-rustls 0.26.0",
|
||||
"url",
|
||||
"webpki-roots",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -1112,15 +1111,6 @@ dependencies = [
|
|||
"wasm-bindgen",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "webpki-roots"
|
||||
version = "0.26.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd"
|
||||
dependencies = [
|
||||
"rustls-pki-types",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "winapi"
|
||||
version = "0.3.9"
|
||||
|
|
|
@ -21,7 +21,6 @@ url = "2.5.2"
|
|||
|
||||
tokio = { version = "1.39.2", features = ["io-util", "net"] }
|
||||
tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
|
||||
webpki-roots = { version = "0.26.3", optional = true }
|
||||
|
||||
dashmap = { version = "6.0.1", optional = true }
|
||||
hickory-client = { version = "0.24.1", optional = true }
|
||||
|
@ -30,7 +29,6 @@ hickory-client = { version = "0.24.1", optional = true }
|
|||
tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
|
||||
|
||||
[features]
|
||||
webpki = ["dep:webpki-roots"]
|
||||
file-sscv = ["dep:dashmap", "tokio/fs"]
|
||||
|
||||
dane = ["hickory"]
|
||||
|
@ -47,4 +45,4 @@ path = "examples/simple.rs"
|
|||
[[example]]
|
||||
name = "main"
|
||||
path = "examples/main.rs"
|
||||
required-features = ["file-sscv"]
|
||||
required-features = ["file-sscv", "hickory"]
|
||||
|
|
|
@ -15,8 +15,6 @@ use tokio_rustls::rustls::{
|
|||
|
||||
pub struct CustomCertVerifier {
|
||||
pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
|
||||
pub(crate) webpki_verifier: Option<Arc<rustls::client::WebPkiServerVerifier>>,
|
||||
pub(crate) ss_allowed: bool,
|
||||
pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
|
||||
}
|
||||
|
||||
|
@ -29,50 +27,18 @@ impl ServerCertVerifier for CustomCertVerifier {
|
|||
_ocsp_response: &[u8],
|
||||
now: UnixTime,
|
||||
) -> Result<ServerCertVerified, rustls::Error> {
|
||||
// if webpki CA certs enabled
|
||||
#[cfg(feature = "webpki")]
|
||||
if let Some(wv) = &self.webpki_verifier {
|
||||
match wv.verify_server_cert(
|
||||
end_entity,
|
||||
_intermediates,
|
||||
server_name,
|
||||
_ocsp_response,
|
||||
now,
|
||||
) {
|
||||
Ok(verified) => {
|
||||
return Ok(verified);
|
||||
}
|
||||
Err(
|
||||
e @ rustls::Error::InvalidCertificate(rustls::CertificateError::UnknownIssuer),
|
||||
) => {
|
||||
if !self.ss_allowed {
|
||||
return Err(e);
|
||||
}
|
||||
// go ahead, verify as self-signed
|
||||
}
|
||||
Err(e) => {
|
||||
// any other error, probably related to invalid cert
|
||||
return Err(e);
|
||||
}
|
||||
}
|
||||
// TODO: certificate validation (domain, expiry, etc.)
|
||||
|
||||
if self
|
||||
.ss_verifier
|
||||
.verify(end_entity, server_name.to_str().as_ref(), now)?
|
||||
{
|
||||
Ok(ServerCertVerified::assertion())
|
||||
} else {
|
||||
Err(rustls::Error::InvalidCertificate(
|
||||
rustls::CertificateError::ApplicationVerificationFailure,
|
||||
))
|
||||
}
|
||||
|
||||
// TODO: certificate validation when webpki_verifier is not used
|
||||
|
||||
// if self-signed certs enabled
|
||||
if self.ss_allowed {
|
||||
// TODO: check if expired or provide handy API to check it
|
||||
// (probably with rustls-webpki's webpki::Cert)
|
||||
if self
|
||||
.ss_verifier
|
||||
.verify(end_entity, server_name.to_str().as_ref(), now)?
|
||||
{
|
||||
return Ok(ServerCertVerified::assertion());
|
||||
}
|
||||
}
|
||||
|
||||
// both disabled (shouldn't happen)
|
||||
Err(rustls::Error::UnsupportedNameType) // not sure if chosen correct enum item
|
||||
}
|
||||
|
||||
fn verify_tls12_signature(
|
||||
|
@ -112,10 +78,6 @@ impl ServerCertVerifier for CustomCertVerifier {
|
|||
|
||||
impl std::fmt::Debug for CustomCertVerifier {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
write!(
|
||||
f,
|
||||
"CustomCertVerifier {{ provider: {:?}, webpki_verifier: {:?} }}",
|
||||
self.provider, self.webpki_verifier
|
||||
)
|
||||
write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -12,9 +12,6 @@ use crate::dns::DnsClient;
|
|||
|
||||
use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};
|
||||
|
||||
#[cfg(feature = "webpki")]
|
||||
use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};
|
||||
|
||||
/// Builder for creating configured [`Client`] instance
|
||||
pub struct ClientBuilder {
|
||||
root_certs: rustls::RootCertStore,
|
||||
|
@ -63,33 +60,10 @@ impl ClientBuilder {
|
|||
let tls_config = if let Some(cv) = self.custom_verifier {
|
||||
tls_config.dangerous().with_custom_certificate_verifier(cv)
|
||||
} else if let Some(ssv) = self.ss_verifier {
|
||||
let webpki_verifier = {
|
||||
#[cfg(feature = "webpki")]
|
||||
if !self.root_certs.is_empty() {
|
||||
Some(
|
||||
WebPkiServerVerifier::builder_with_provider(
|
||||
Arc::new(self.root_certs),
|
||||
provider.clone(),
|
||||
)
|
||||
.build()
|
||||
// panics only if roots are empty (that is checked above)
|
||||
// or CRLs couldn't be parsed (we didn't provide any)
|
||||
.unwrap(),
|
||||
)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "webpki"))]
|
||||
None
|
||||
};
|
||||
|
||||
tls_config
|
||||
.dangerous()
|
||||
.with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
|
||||
provider: provider.clone(),
|
||||
webpki_verifier,
|
||||
ss_allowed: true,
|
||||
ss_verifier: ssv,
|
||||
}))
|
||||
} else {
|
||||
|
@ -117,27 +91,6 @@ impl ClientBuilder {
|
|||
self
|
||||
}
|
||||
|
||||
/// Include webpki trust anchors.
|
||||
/// Not recommended (useless) as most Gemini capsules use self-signed
|
||||
/// TLS certs and properly configured TOFU policy is enough.
|
||||
#[cfg(feature = "webpki")]
|
||||
pub fn with_webpki_roots(mut self) -> Self {
|
||||
self.root_certs
|
||||
.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
|
||||
self
|
||||
}
|
||||
|
||||
/// Include custom trust anchors.
|
||||
/// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
|
||||
#[cfg(feature = "webpki")]
|
||||
pub fn with_custom_roots(
|
||||
mut self,
|
||||
iter: impl IntoIterator<Item = TrustAnchor<'static>>,
|
||||
) -> Self {
|
||||
self.root_certs.extend(iter);
|
||||
self
|
||||
}
|
||||
|
||||
/// Include a self-signed cert verifier.
|
||||
/// If you only need a known_hosts file, consider using
|
||||
/// [`crate::certs::file_sscv::FileBasedCertVerifier`],
|
||||
|
|
Loading…
Reference in a new issue