diff --git a/Cargo.lock b/Cargo.lock
index 10f25df..5b239bc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -890,7 +890,6 @@ dependencies = [
 "tokio",
 "tokio-rustls 0.26.0",
 "url",
- "webpki-roots",
 ]
 [[package]]
@@ -1112,15 +1111,6 @@ dependencies = [
 "wasm-bindgen",
 ]
-[[package]]
-name = "webpki-roots"
-version = "0.26.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "winapi"
 version = "0.3.9"
diff --git a/Cargo.toml b/Cargo.toml
index 1c1c5ff..39ab814 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -21,7 +21,6 @@ url = "2.5.2"
 tokio = { version = "1.39.2", features = ["io-util", "net"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
-webpki-roots = { version = "0.26.3", optional = true }
 dashmap = { version = "6.0.1", optional = true }
 hickory-client = { version = "0.24.1", optional = true }
@@ -30,7 +29,6 @@ hickory-client = { version = "0.24.1", optional = true }
 tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
 [features]
-webpki = ["dep:webpki-roots"]
 file-sscv = ["dep:dashmap", "tokio/fs"]
 dane = ["hickory"]
@@ -47,4 +45,4 @@ path = "examples/simple.rs"
 [[example]]
 name = "main"
 path = "examples/main.rs"
-required-features = ["file-sscv"]
+required-features = ["file-sscv", "hickory"]
diff --git a/src/certs/verifier.rs b/src/certs/verifier.rs
index 87f058f..d8fcd29 100644
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@@ -15,8 +15,6 @@ use tokio_rustls::rustls::{
 pub struct CustomCertVerifier {
 pub(crate) provider: Arc,
- pub(crate) webpki_verifier: Option>,
- pub(crate) ss_allowed: bool,
 pub(crate) ss_verifier: Box,
 }
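Review bot: The `webpki` feature is deleted outright in the `[features]` hunk of Cargo.toml rather than kept as an empty, deprecated feature, so any downstream crate that still enables `features = ["webpki"]` will fail to resolve, and its public builder methods are removed in src/client/builder.rs in the same commit. That is a breaking change for users of this crate and should be called out in the changelog and reflected in the next version number, which this diff does not touch. The `main` example now also lists `hickory` in `required-features`; I cannot see where that feature is declared beyond its use in `dane = ["hickory"]`, so please confirm it is a real feature name and not only an optional dependency.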
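Review bot: With `webpki_verifier` and `ss_allowed` gone, `CustomCertVerifier` in src/certs/verifier.rs has a single decision path, yet the struct still carries no doc comment describing that policy, and the field name `ss_verifier` alone does not convey that it is the only check standing between a presented certificate and `ServerCertVerified`. I would add above the struct: `/// rustls certificate verifier that delegates the accept/reject decision entirely to `ss_verifier` (a self-signed / TOFU policy); it performs no WebPKI chain building itself.` The struct body continues past this hunk's last visible line only by its closing brace, so the comment placement is unaffected by the surrounding context.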
@@ -29,50 +27,18 @@ impl ServerCertVerifier for CustomCertVerifier {
 _ocsp_response: &[u8],
 now: UnixTime,
 ) -> Result {
- // if webpki CA certs enabled
- #[cfg(feature = "webpki")]
- if let Some(wv) = &self.webpki_verifier {
- match wv.verify_server_cert(
- end_entity,
- _intermediates,
- server_name,
- _ocsp_response,
- now,
- ) {
- Ok(verified) => {
- return Ok(verified);
- }
- Err(
- e @ rustls::Error::InvalidCertificate(rustls::CertificateError::UnknownIssuer),
- ) => {
- if !self.ss_allowed {
- return Err(e);
- }
- // go ahead, verify as self-signed
- }
- Err(e) => {
- // any other error, probably related to invalid cert
- return Err(e);
- }
- }
+ // TODO: certificate validation (domain, expiry, etc.)
+
+ if self
+ .ss_verifier
+ .verify(end_entity, server_name.to_str().as_ref(), now)?
+ {
+ Ok(ServerCertVerified::assertion())
+ } else {
+ Err(rustls::Error::InvalidCertificate(
+ rustls::CertificateError::ApplicationVerificationFailure,
+ ))
+ }
-
-
- // TODO: certificate validation when webpki_verifier is not used
-
- // if self-signed certs enabled
- if self.ss_allowed {
- // TODO: check if expired or provide handy API to check it
- // (probably with rustls-webpki's webpki::Cert)
- if self
- .ss_verifier
- .verify(end_entity, server_name.to_str().as_ref(), now)?
- {
- return Ok(ServerCertVerified::assertion());
- }
- }
-
- // both disabled (shouldn't happen)
- Err(rustls::Error::UnsupportedNameType) // not sure if chosen correct enum item
 }
 fn verify_tls12_signature(
@@ -112,10 +78,6 @@ impl ServerCertVerifier for CustomCertVerifier {
 impl std::fmt::Debug for CustomCertVerifier {
 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- write!(
- f,
- "CustomCertVerifier {{ provider: {:?}, webpki_verifier: {:?} }}",
- self.provider, self.webpki_verifier
- )
+ write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
 }
 }
diff --git a/src/client/builder.rs b/src/client/builder.rs
index d49e863..bc4eebb 100644
--- a/src/client/builder.rs
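Review bot: The new `verify_server_cert` body returns `ServerCertVerified::assertion()` on nothing more than `ss_verifier.verify(...)` returning `true`, and the added `// TODO: certificate validation (domain, expiry, etc.)` records that this method itself checks neither the certificate's validity period nor its name against `server_name`; whether the `ss_verifier` implementation enforces those from the `now` and `server_name` it receives is not visible in this hunk. Since this is the only gate before rustls trusts the peer, the contract belongs in documentation rather than a TODO: replace the TODO with `// Trust is delegated entirely to `ss_verifier` (self-signed / TOFU policy); no chain, name or validity-period check happens here, so the implementation must apply its own policy using `server_name` and `now`.` and note in the same comment that `_intermediates` and `_ocsp_response` are intentionally ignored. The signature of `verify_server_cert` starts above this hunk. The `Debug` hunk below only drops the removed field from the output and needs no change.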
+++ b/src/client/builder.rs
@@ -12,9 +12,6 @@ use crate::dns::DnsClient;
 use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};
-#[cfg(feature = "webpki")]
-use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};
-
 /// Builder for creating configured [`Client`] instance
 pub struct ClientBuilder {
 root_certs: rustls::RootCertStore,
@@ -63,33 +60,10 @@ impl ClientBuilder {
 let tls_config = if let Some(cv) = self.custom_verifier {
 tls_config.dangerous().with_custom_certificate_verifier(cv)
 } else if let Some(ssv) = self.ss_verifier {
- let webpki_verifier = {
- #[cfg(feature = "webpki")]
- if !self.root_certs.is_empty() {
- Some(
- WebPkiServerVerifier::builder_with_provider(
- Arc::new(self.root_certs),
- provider.clone(),
- )
- .build()
- // panics only if roots are empty (that is checked above)
- // or CRLs couldn't be parsed (we didn't provide any)
- .unwrap(),
- )
- } else {
- None
- }
-
- #[cfg(not(feature = "webpki"))]
- None
- };
-
 tls_config
 .dangerous()
 .with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
 provider: provider.clone(),
- webpki_verifier,
- ss_allowed: true,
 ss_verifier: ssv,
 }))
 } else {
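Review bot: The `ss_verifier` branch in the second hunk no longer reads `self.root_certs` at all — `CustomCertVerifier` is now built from `provider` and `ssv` only — while the `root_certs: rustls::RootCertStore` field remains on `ClientBuilder` (context line in the first hunk) and the two builder methods that populated it are removed later in this diff. Unless something outside the diff still fills and consumes it, roots a caller placed on the builder are silently ignored whenever a self-signed verifier is set, which is the kind of configuration a user may not notice until they expect a WebPKI-issued certificate to be rejected or accepted. Either remove the field, or document on `ClientBuilder` that root certificates only take effect in the trailing `else` branch, which I cannot see here; the enclosing build method starts above the hunk and ends below it.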
@@ -117,27 +91,6 @@ impl ClientBuilder {
 self
 }
- /// Include webpki trust anchors.
- /// Not recommended (useless) as most Gemini capsules use self-signed
- /// TLS certs and properly configured TOFU policy is enough.
- #[cfg(feature = "webpki")]
- pub fn with_webpki_roots(mut self) -> Self {
- self.root_certs
- .extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
- self
- }
-
- /// Include custom trust anchors.
- /// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
- #[cfg(feature = "webpki")]
- pub fn with_custom_roots(
- mut self,
- iter: impl IntoIterator>,
- ) -> Self {
- self.root_certs.extend(iter);
- self
- }
-
 /// Include a self-signed cert verifier.
 /// If you only need a known_hosts file, consider using
 /// [`crate::certs::file_sscv::FileBasedCertVerifier`],