refactor: move webpki into separate feature, reorder deps
This commit is contained in:
parent
6e4722d060
commit
cc8a62c19e
4 changed files with 48 additions and 43 deletions
16
Cargo.toml
16
Cargo.toml
|
@ -12,15 +12,18 @@ categories = ["network-programming"]
|
|||
[dependencies]
|
||||
base16ct = "0.2.0"
|
||||
base64ct = "1.6.0"
|
||||
bytes = "1.7.1"
|
||||
dashmap = { version = "6.0.1", optional = true }
|
||||
mime = "0.3.17"
|
||||
num_enum = "0.7.3"
|
||||
sha2 = "0.10.8"
|
||||
|
||||
num_enum = "0.7.3"
|
||||
bytes = "1.7.1"
|
||||
mime = "0.3.17"
|
||||
url = "2.5.2"
|
||||
|
||||
tokio = { version = "1.39.2", features = ["io-util", "net"] }
|
||||
tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
|
||||
url = "2.5.2"
|
||||
webpki-roots = "0.26.3"
|
||||
webpki-roots = { version = "0.26.3", optional = true }
|
||||
|
||||
dashmap = { version = "6.0.1", optional = true }
|
||||
|
||||
[[example]]
|
||||
name = "simple"
|
||||
|
@ -35,4 +38,5 @@ required-features = ["file-sscv"]
|
|||
tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
|
||||
|
||||
[features]
|
||||
webpki = ["dep:webpki-roots"]
|
||||
file-sscv = ["dep:dashmap", "tokio/fs"]
|
||||
|
|
|
@ -24,15 +24,21 @@ impl ServerCertVerifier for CustomCertVerifier {
|
|||
fn verify_server_cert(
|
||||
&self,
|
||||
end_entity: &CertificateDer<'_>,
|
||||
intermediates: &[CertificateDer<'_>],
|
||||
_intermediates: &[CertificateDer<'_>],
|
||||
server_name: &ServerName<'_>,
|
||||
ocsp_response: &[u8],
|
||||
_ocsp_response: &[u8],
|
||||
now: UnixTime,
|
||||
) -> Result<ServerCertVerified, rustls::Error> {
|
||||
// if webpki CA certs enabled
|
||||
#[cfg(feature = "webpki")]
|
||||
if let Some(wv) = &self.webpki_verifier {
|
||||
match wv.verify_server_cert(end_entity, intermediates, server_name, ocsp_response, now)
|
||||
{
|
||||
match wv.verify_server_cert(
|
||||
end_entity,
|
||||
_intermediates,
|
||||
server_name,
|
||||
_ocsp_response,
|
||||
now,
|
||||
) {
|
||||
Ok(verified) => {
|
||||
return Ok(verified);
|
||||
}
|
||||
|
|
|
@ -7,12 +7,10 @@ use crate::{
|
|||
Client,
|
||||
};
|
||||
|
||||
use tokio_rustls::rustls::{
|
||||
self,
|
||||
client::{danger::ServerCertVerifier, WebPkiServerVerifier},
|
||||
pki_types::TrustAnchor,
|
||||
SupportedProtocolVersion,
|
||||
};
|
||||
use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};
|
||||
|
||||
#[cfg(feature = "webpki")]
|
||||
use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};
|
||||
|
||||
/// Builder for creating configured [`Client`] instance
|
||||
pub struct ClientBuilder {
|
||||
|
@ -58,24 +56,32 @@ impl ClientBuilder {
|
|||
let tls_config = if let Some(cv) = self.custom_verifier {
|
||||
tls_config.dangerous().with_custom_certificate_verifier(cv)
|
||||
} else if let Some(ssv) = self.ss_verifier {
|
||||
let webpki_verifier = {
|
||||
#[cfg(feature = "webpki")]
|
||||
if !self.root_certs.is_empty() {
|
||||
Some(
|
||||
WebPkiServerVerifier::builder_with_provider(
|
||||
Arc::new(self.root_certs),
|
||||
provider.clone(),
|
||||
)
|
||||
.build()
|
||||
// panics only if roots are empty (that is checked above)
|
||||
// or CRLs couldn't be parsed (we didn't provide any)
|
||||
.unwrap(),
|
||||
)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "webpki"))]
|
||||
None
|
||||
};
|
||||
|
||||
tls_config
|
||||
.dangerous()
|
||||
.with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
|
||||
provider: provider.clone(),
|
||||
webpki_verifier: if !self.root_certs.is_empty() {
|
||||
Some(
|
||||
WebPkiServerVerifier::builder_with_provider(
|
||||
Arc::new(self.root_certs),
|
||||
provider,
|
||||
)
|
||||
.build()
|
||||
// panics only if roots are empty (that is checked above)
|
||||
// or CRLs couldn't be parsed (we didn't provide any)
|
||||
.unwrap(),
|
||||
)
|
||||
} else {
|
||||
None
|
||||
},
|
||||
webpki_verifier,
|
||||
ss_allowed: true,
|
||||
ss_verifier: ssv,
|
||||
}))
|
||||
|
@ -102,6 +108,7 @@ impl ClientBuilder {
|
|||
/// Include webpki trust anchors.
|
||||
/// Not recommended (useless) as most Gemini capsules use self-signed
|
||||
/// TLS certs and properly configured TOFU policy is enough.
|
||||
#[cfg(feature = "webpki")]
|
||||
pub fn with_webpki_roots(mut self) -> Self {
|
||||
self.root_certs
|
||||
.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
|
||||
|
@ -110,6 +117,7 @@ impl ClientBuilder {
|
|||
|
||||
/// Include custom trust anchors.
|
||||
/// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
|
||||
#[cfg(feature = "webpki")]
|
||||
pub fn with_custom_roots(
|
||||
mut self,
|
||||
iter: impl IntoIterator<Item = TrustAnchor<'static>>,
|
||||
|
|
|
@ -25,19 +25,6 @@ pub struct Client {
|
|||
connector: TlsConnector,
|
||||
}
|
||||
|
||||
impl Default for Client {
|
||||
/// Create a Client with webpki_roots trust anchors and no client auth cert.
|
||||
/// Will be possibly removed in next versions.
|
||||
fn default() -> Self {
|
||||
let roots =
|
||||
rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
|
||||
let config = rustls::ClientConfig::builder()
|
||||
.with_root_certificates(roots)
|
||||
.with_no_client_auth();
|
||||
Client::from(config)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<rustls::ClientConfig> for Client {
|
||||
/// Create a Client from a Rustls config.
|
||||
#[inline]
|
||||
|
|
Loading…
Reference in a new issue