refactor: remove webpki feature, prepare for next refactor

2024-08-20 10:51:42 +04:00 · 2024-08-20 10:51:42 +04:00 · 9806eb6a02
commit 9806eb6a02
parent 2feb039c11
4 changed files with 13 additions and 110 deletions
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@ -15,8 +15,6 @@ use tokio_rustls::rustls::{

 pub struct CustomCertVerifier {
    pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
-    pub(crate) webpki_verifier: Option<Arc<rustls::client::WebPkiServerVerifier>>,
-    pub(crate) ss_allowed: bool,
    pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
 }

@ -29,50 +27,18 @@ impl ServerCertVerifier for CustomCertVerifier {
        _ocsp_response: &[u8],
        now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
-        // if webpki CA certs enabled
-        #[cfg(feature = "webpki")]
-        if let Some(wv) = &self.webpki_verifier {
-            match wv.verify_server_cert(
-                end_entity,
-                _intermediates,
-                server_name,
-                _ocsp_response,
-                now,
-            ) {
-                Ok(verified) => {
-                    return Ok(verified);
-                }
-                Err(
-                    e @ rustls::Error::InvalidCertificate(rustls::CertificateError::UnknownIssuer),
-                ) => {
-                    if !self.ss_allowed {
-                        return Err(e);
-                    }
-                    // go ahead, verify as self-signed
-                }
-                Err(e) => {
-                    // any other error, probably related to invalid cert
-                    return Err(e);
-                }
-            }
+        // TODO: certificate validation (domain, expiry, etc.)
+
+        if self
+            .ss_verifier
+            .verify(end_entity, server_name.to_str().as_ref(), now)?
+        {
+            Ok(ServerCertVerified::assertion())
+        } else {
+            Err(rustls::Error::InvalidCertificate(
+                rustls::CertificateError::ApplicationVerificationFailure,
+            ))
        }
-
-        // TODO: certificate validation when webpki_verifier is not used
-
-        // if self-signed certs enabled
-        if self.ss_allowed {
-            // TODO: check if expired or provide handy API to check it
-            // (probably with rustls-webpki's webpki::Cert)
-            if self
-                .ss_verifier
-                .verify(end_entity, server_name.to_str().as_ref(), now)?
-            {
-                return Ok(ServerCertVerified::assertion());
-            }
-        }
-
-        // both disabled (shouldn't happen)
-        Err(rustls::Error::UnsupportedNameType) // not sure if chosen correct enum item
    }

    fn verify_tls12_signature(
@ -112,10 +78,6 @@ impl ServerCertVerifier for CustomCertVerifier {

 impl std::fmt::Debug for CustomCertVerifier {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(
-            f,
-            "CustomCertVerifier {{ provider: {:?}, webpki_verifier: {:?} }}",
-            self.provider, self.webpki_verifier
-        )
+        write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
    }
 }
--- a/src/client/builder.rs
+++ b/src/client/builder.rs
@ -12,9 +12,6 @@ use crate::dns::DnsClient;

 use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};

-#[cfg(feature = "webpki")]
-use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};
-
 /// Builder for creating configured [`Client`] instance
 pub struct ClientBuilder {
    root_certs: rustls::RootCertStore,
@ -63,33 +60,10 @@ impl ClientBuilder {
        let tls_config = if let Some(cv) = self.custom_verifier {
            tls_config.dangerous().with_custom_certificate_verifier(cv)
        } else if let Some(ssv) = self.ss_verifier {
-            let webpki_verifier = {
-                #[cfg(feature = "webpki")]
-                if !self.root_certs.is_empty() {
-                    Some(
-                        WebPkiServerVerifier::builder_with_provider(
-                            Arc::new(self.root_certs),
-                            provider.clone(),
-                        )
-                        .build()
-                        // panics only if roots are empty (that is checked above)
-                        // or CRLs couldn't be parsed (we didn't provide any)
-                        .unwrap(),
-                    )
-                } else {
-                    None
-                }
-
-                #[cfg(not(feature = "webpki"))]
-                None
-            };
-
            tls_config
                .dangerous()
                .with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
                    provider: provider.clone(),
-                    webpki_verifier,
-                    ss_allowed: true,
                    ss_verifier: ssv,
                }))
        } else {
@ -117,27 +91,6 @@ impl ClientBuilder {
        self
    }

-    /// Include webpki trust anchors.
-    /// Not recommended (useless) as most Gemini capsules use self-signed
-    /// TLS certs and properly configured TOFU policy is enough.
-    #[cfg(feature = "webpki")]
-    pub fn with_webpki_roots(mut self) -> Self {
-        self.root_certs
-            .extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        self
-    }
-
-    /// Include custom trust anchors.
-    /// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
-    #[cfg(feature = "webpki")]
-    pub fn with_custom_roots(
-        mut self,
-        iter: impl IntoIterator<Item = TrustAnchor<'static>>,
-    ) -> Self {
-        self.root_certs.extend(iter);
-        self
-    }
-
    /// Include a self-signed cert verifier.
    /// If you only need a known_hosts file, consider using
    /// [`crate::certs::file_sscv::FileBasedCertVerifier`],