Compare commits

..

3 commits

6 changed files with 99 additions and 129 deletions

7
Cargo.lock generated
View file

@ -702,7 +702,7 @@ dependencies = [
"once_cell", "once_cell",
"ring 0.17.8", "ring 0.17.8",
"rustls-pki-types", "rustls-pki-types",
"rustls-webpki 0.102.6", "rustls-webpki 0.102.7",
"subtle", "subtle",
"zeroize", "zeroize",
] ]
@ -734,9 +734,9 @@ dependencies = [
[[package]] [[package]]
name = "rustls-webpki" name = "rustls-webpki"
version = "0.102.6" version = "0.102.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e6b52d4fda176fd835fdc55a835d4a89b8499cad995885a21149d5ad62f852e" checksum = "84678086bd54edf2b415183ed7a94d0efb049f1b646a33e22a36f3794be6ae56"
dependencies = [ dependencies = [
"ring 0.17.8", "ring 0.17.8",
"rustls-pki-types", "rustls-pki-types",
@ -887,6 +887,7 @@ dependencies = [
"hickory-client", "hickory-client",
"mime", "mime",
"num_enum", "num_enum",
"rustls-webpki 0.102.7",
"sha2", "sha2",
"tokio", "tokio",
"tokio-rustls 0.26.0", "tokio-rustls 0.26.0",

View file

@ -25,6 +25,7 @@ tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring
dashmap = { version = "6.0.1", optional = true } dashmap = { version = "6.0.1", optional = true }
hickory-client = { version = "0.24.1", optional = true } hickory-client = { version = "0.24.1", optional = true }
async-trait = "0.1.81" async-trait = "0.1.81"
rustls-webpki = "0.102.7"
[dev-dependencies] [dev-dependencies]
tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] } tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }

View file

@ -1,88 +0,0 @@
//! Custom verifier for Rustls accepting any TLS cert
//! (usually called "insecure mode")
use std::sync::Arc;
use tokio_rustls::rustls::{
self,
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
crypto::CryptoProvider,
};
/// Custom verifier for Rustls accepting any TLS certificate
#[derive(Debug)]
pub struct AllowAllCertVerifier(Arc<CryptoProvider>);
impl Default for AllowAllCertVerifier {
/// Same as [`AllowAllCertVerifier::new()`].
fn default() -> Self {
Self::new()
}
}
impl AllowAllCertVerifier {
/// Constructor for this verifier.
pub fn new() -> Self {
AllowAllCertVerifier(
CryptoProvider::get_default()
.cloned()
.unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
)
}
}
impl From<Arc<CryptoProvider>> for AllowAllCertVerifier {
#[inline]
fn from(value: Arc<CryptoProvider>) -> Self {
AllowAllCertVerifier(value)
}
}
impl ServerCertVerifier for AllowAllCertVerifier {
#[inline]
fn verify_server_cert(
&self,
_end_entity: &rustls::pki_types::CertificateDer<'_>,
_intermediates: &[rustls::pki_types::CertificateDer<'_>],
_server_name: &rustls::pki_types::ServerName<'_>,
_ocsp_response: &[u8],
_now: rustls::pki_types::UnixTime,
) -> Result<ServerCertVerified, rustls::Error> {
Ok(ServerCertVerified::assertion())
}
#[inline]
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &rustls::pki_types::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
rustls::crypto::verify_tls12_signature(
message,
cert,
dss,
&self.0.signature_verification_algorithms,
)
}
#[inline]
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &rustls::pki_types::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> {
rustls::crypto::verify_tls13_signature(
message,
cert,
dss,
&self.0.signature_verification_algorithms,
)
}
#[inline]
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
self.0.signature_verification_algorithms.supported_schemes()
}
}

View file

@ -1,7 +1,7 @@
//! Everything related to TLS certs verification //! Everything related to TLS certs verification
pub mod allow_all;
pub mod fingerprint; pub mod fingerprint;
pub mod verifier;
#[cfg(feature = "file-sscv")] #[cfg(feature = "file-sscv")]
pub mod file_sscv; pub mod file_sscv;

View file

@ -1,83 +1,139 @@
//! Internal custom Rustls verifier //! Custom verifier for Rustls allowing self-signed certs
//! allowing verification both with webpki trust roots (when enabled) //! but performing other required checks;
//! and with implementaions of our own [`SelfsignedCertVerifier`] //! mostly for internal use
use crate::certs::SelfsignedCertVerifier;
use std::sync::Arc; use std::sync::Arc;
pub use tokio_rustls::rustls::pki_types::{CertificateDer, ServerName, UnixTime};
use tokio_rustls::rustls::{ use tokio_rustls::rustls::{
self, self,
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier}, client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
crypto::CryptoProvider,
}; };
pub struct CustomCertVerifier { use webpki::EndEntityCert;
pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>, /// Custom verifier for Rustls accepting any TLS certificate
#[derive(Debug)]
pub struct InternalCertVerifier(Arc<CryptoProvider>);
impl Default for InternalCertVerifier {
/// Same as [`AllowAllCertVerifier::new()`].
fn default() -> Self {
Self::new()
}
} }
impl ServerCertVerifier for CustomCertVerifier { impl InternalCertVerifier {
/// Constructor for this verifier.
pub fn new() -> Self {
InternalCertVerifier(
CryptoProvider::get_default()
.cloned()
.unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
)
}
}
impl From<Arc<CryptoProvider>> for InternalCertVerifier {
#[inline]
fn from(value: Arc<CryptoProvider>) -> Self {
InternalCertVerifier(value)
}
}
impl ServerCertVerifier for InternalCertVerifier {
fn verify_server_cert( fn verify_server_cert(
&self, &self,
end_entity: &CertificateDer<'_>, end_entity: &rustls::pki_types::CertificateDer<'_>,
_intermediates: &[CertificateDer<'_>], _intermediates: &[rustls::pki_types::CertificateDer<'_>],
server_name: &ServerName<'_>, server_name: &rustls::pki_types::ServerName<'_>,
_ocsp_response: &[u8], _ocsp_response: &[u8],
now: UnixTime, now: rustls::pki_types::UnixTime,
) -> Result<ServerCertVerified, rustls::Error> { ) -> Result<ServerCertVerified, rustls::Error> {
// TODO: certificate validation (domain, expiry, etc.) let cert = EndEntityCert::try_from(end_entity).map_err(pki_error)?;
match cert.verify_for_usage(
self.0.signature_verification_algorithms.all,
&[], // no trusted anchors (i.e. CAs)
&[], // i think there's no point in passing intermediates without CAs
now, // `now` as the time for expiration check
webpki::KeyUsage::server_auth(),
None, // no CRLs
None, // no verify_path callback
) {
Ok(_) => Ok(()), // unreachable
Err(webpki::Error::UnknownIssuer) => {
// trust anchors verification is done after
// any other issuer-independent checks (including expiration),
// so this error can be safely ignored as
// we are working with self-signed certificates.
// for reference -- fn webpki::verify_cert::build_chain_inner
// (NOTE: should be re-checked on every rustls update)
Ok(())
}
Err(e) => Err(e),
}
.map_err(pki_error)?;
cert.verify_is_valid_for_subject_name(server_name)
.map_err(pki_error)?;
if self
.ss_verifier
.verify(end_entity, server_name.to_str().as_ref(), now)?
{
Ok(ServerCertVerified::assertion()) Ok(ServerCertVerified::assertion())
} else {
Err(rustls::Error::InvalidCertificate(
rustls::CertificateError::ApplicationVerificationFailure,
))
}
} }
#[inline]
fn verify_tls12_signature( fn verify_tls12_signature(
&self, &self,
message: &[u8], message: &[u8],
cert: &CertificateDer<'_>, cert: &rustls::pki_types::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct, dss: &rustls::DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> { ) -> Result<HandshakeSignatureValid, rustls::Error> {
rustls::crypto::verify_tls12_signature( rustls::crypto::verify_tls12_signature(
message, message,
cert, cert,
dss, dss,
&self.provider.signature_verification_algorithms, &self.0.signature_verification_algorithms,
) )
} }
#[inline]
fn verify_tls13_signature( fn verify_tls13_signature(
&self, &self,
message: &[u8], message: &[u8],
cert: &CertificateDer<'_>, cert: &rustls::pki_types::CertificateDer<'_>,
dss: &rustls::DigitallySignedStruct, dss: &rustls::DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, rustls::Error> { ) -> Result<HandshakeSignatureValid, rustls::Error> {
rustls::crypto::verify_tls13_signature( rustls::crypto::verify_tls13_signature(
message, message,
cert, cert,
dss, dss,
&self.provider.signature_verification_algorithms, &self.0.signature_verification_algorithms,
) )
} }
#[inline]
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> { fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
self.provider self.0.signature_verification_algorithms.supported_schemes()
.signature_verification_algorithms
.supported_schemes()
} }
} }
impl std::fmt::Debug for CustomCertVerifier { pub fn pki_error(e: webpki::Error) -> rustls::CertificateError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { // partially copied from private fn rustls::webpki::pki_error(e)
write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider) use rustls::{CertificateError, OtherError};
use webpki::Error::*;
match e {
BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding,
CertNotValidYet => CertificateError::NotValidYet,
CertExpired | InvalidCertValidity => CertificateError::Expired,
UnknownIssuer => CertificateError::UnknownIssuer,
CertNotValidForName => CertificateError::NotValidForName,
CertRevoked => CertificateError::Revoked,
UnknownRevocationStatus => CertificateError::UnknownRevocationStatus,
InvalidSignatureForPublicKey
| UnsupportedSignatureAlgorithm
| UnsupportedSignatureAlgorithmForPublicKey => CertificateError::BadSignature,
_ => CertificateError::Other(OtherError(Arc::new(e))),
} }
} }

View file

@ -3,7 +3,7 @@
use std::sync::Arc; use std::sync::Arc;
use crate::{ use crate::{
certs::{allow_all::AllowAllCertVerifier, SelfsignedCertVerifier}, certs::{verifier::InternalCertVerifier, SelfsignedCertVerifier},
Client, Client,
}; };
@ -56,7 +56,7 @@ impl ClientBuilder {
}) })
.unwrap() .unwrap()
.dangerous() .dangerous()
.with_custom_certificate_verifier(Arc::new(AllowAllCertVerifier::from(provider))); .with_custom_certificate_verifier(Arc::new(InternalCertVerifier::from(provider)));
// TODO // TODO
let tls_config = tls_config.with_no_client_auth(); let tls_config = tls_config.with_no_client_auth();