From cc8a62c19ee1dd4495484c94f7310eaa0e277ec1 Mon Sep 17 00:00:00 2001 From: DarkCat09 Date: Fri, 9 Aug 2024 17:37:16 +0400 Subject: [PATCH] refactor: move webpki into separate feature, reorder deps --- Cargo.toml | 16 +++++++++------ src/certs/verifier.rs | 14 +++++++++---- src/client/builder.rs | 48 +++++++++++++++++++++++++------------------ src/client/mod.rs | 13 ------------ 4 files changed, 48 insertions(+), 43 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 2f65bc1..4f7c73c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,15 +12,18 @@ categories = ["network-programming"] [dependencies] base16ct = "0.2.0" base64ct = "1.6.0" -bytes = "1.7.1" -dashmap = { version = "6.0.1", optional = true } -mime = "0.3.17" -num_enum = "0.7.3" sha2 = "0.10.8" + +num_enum = "0.7.3" +bytes = "1.7.1" +mime = "0.3.17" +url = "2.5.2" + tokio = { version = "1.39.2", features = ["io-util", "net"] } tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] } -url = "2.5.2" -webpki-roots = "0.26.3" +webpki-roots = { version = "0.26.3", optional = true } + +dashmap = { version = "6.0.1", optional = true } [[example]] name = "simple" @@ -35,4 +38,5 @@ required-features = ["file-sscv"] tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] } [features] +webpki = ["dep:webpki-roots"] file-sscv = ["dep:dashmap", "tokio/fs"] diff --git a/src/certs/verifier.rs b/src/certs/verifier.rs index d09935f..87f058f 100644 --- a/src/certs/verifier.rs +++ b/src/certs/verifier.rs @@ -24,15 +24,21 @@ impl ServerCertVerifier for CustomCertVerifier { fn verify_server_cert( &self, end_entity: &CertificateDer<'_>, - intermediates: &[CertificateDer<'_>], + _intermediates: &[CertificateDer<'_>], server_name: &ServerName<'_>, - ocsp_response: &[u8], + _ocsp_response: &[u8], now: UnixTime, ) -> Result { // if webpki CA certs enabled + #[cfg(feature = "webpki")] if let Some(wv) = &self.webpki_verifier { - match wv.verify_server_cert(end_entity, intermediates, server_name, ocsp_response, now) - { + match wv.verify_server_cert( + end_entity, + _intermediates, + server_name, + _ocsp_response, + now, + ) { Ok(verified) => { return Ok(verified); } diff --git a/src/client/builder.rs b/src/client/builder.rs index fe2ce5e..4725ad9 100644 --- a/src/client/builder.rs +++ b/src/client/builder.rs @@ -7,12 +7,10 @@ use crate::{ Client, }; -use tokio_rustls::rustls::{ - self, - client::{danger::ServerCertVerifier, WebPkiServerVerifier}, - pki_types::TrustAnchor, - SupportedProtocolVersion, -}; +use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion}; + +#[cfg(feature = "webpki")] +use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor}; /// Builder for creating configured [`Client`] instance pub struct ClientBuilder { @@ -58,24 +56,32 @@ impl ClientBuilder { let tls_config = if let Some(cv) = self.custom_verifier { tls_config.dangerous().with_custom_certificate_verifier(cv) } else if let Some(ssv) = self.ss_verifier { + let webpki_verifier = { + #[cfg(feature = "webpki")] + if !self.root_certs.is_empty() { + Some( + WebPkiServerVerifier::builder_with_provider( + Arc::new(self.root_certs), + provider.clone(), + ) + .build() + // panics only if roots are empty (that is checked above) + // or CRLs couldn't be parsed (we didn't provide any) + .unwrap(), + ) + } else { + None + } + + #[cfg(not(feature = "webpki"))] + None + }; + tls_config .dangerous() .with_custom_certificate_verifier(Arc::new(CustomCertVerifier { provider: provider.clone(), - webpki_verifier: if !self.root_certs.is_empty() { - Some( - WebPkiServerVerifier::builder_with_provider( - Arc::new(self.root_certs), - provider, - ) - .build() - // panics only if roots are empty (that is checked above) - // or CRLs couldn't be parsed (we didn't provide any) - .unwrap(), - ) - } else { - None - }, + webpki_verifier, ss_allowed: true, ss_verifier: ssv, })) @@ -102,6 +108,7 @@ impl ClientBuilder { /// Include webpki trust anchors. /// Not recommended (useless) as most Gemini capsules use self-signed /// TLS certs and properly configured TOFU policy is enough. + #[cfg(feature = "webpki")] pub fn with_webpki_roots(mut self) -> Self { self.root_certs .extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); @@ -110,6 +117,7 @@ impl ClientBuilder { /// Include custom trust anchors. /// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`]. + #[cfg(feature = "webpki")] pub fn with_custom_roots( mut self, iter: impl IntoIterator>, diff --git a/src/client/mod.rs b/src/client/mod.rs index 820c3ba..423a074 100644 --- a/src/client/mod.rs +++ b/src/client/mod.rs @@ -25,19 +25,6 @@ pub struct Client { connector: TlsConnector, } -impl Default for Client { - /// Create a Client with webpki_roots trust anchors and no client auth cert. - /// Will be possibly removed in next versions. - fn default() -> Self { - let roots = - rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); - let config = rustls::ClientConfig::builder() - .with_root_certificates(roots) - .with_no_client_auth(); - Client::from(config) - } -} - impl From for Client { /// Create a Client from a Rustls config. #[inline]