feat: actual cert verification ignoring UnknownIssuer

refactor: rename allow_all->verifier, AllowAll->InternalCertVerifier
refactor: delete unused certs::verifier
2024-08-28 19:03:13 +04:00 · 2024-08-28 17:19:18 +04:00 · 2024-08-28 17:17:04 +04:00
6 changed files with 99 additions and 129 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -702,7 +702,7 @@ dependencies = [
 "once_cell",
 "ring 0.17.8",
 "rustls-pki-types",
- "rustls-webpki 0.102.6",
+ "rustls-webpki 0.102.7",
 "subtle",
 "zeroize",
 ]
@ -734,9 +734,9 @@ dependencies = [
 [[package]]
 name = "rustls-webpki"
-version = "0.102.6"
+version = "0.102.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e6b52d4fda176fd835fdc55a835d4a89b8499cad995885a21149d5ad62f852e"
+checksum = "84678086bd54edf2b415183ed7a94d0efb049f1b646a33e22a36f3794be6ae56"
 dependencies = [
 "ring 0.17.8",
 "rustls-pki-types",
@ -887,6 +887,7 @@ dependencies = [
 "hickory-client",
 "mime",
 "num_enum",
 "rustls-webpki 0.102.7",
 "sha2",
 "tokio",
 "tokio-rustls 0.26.0",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -25,6 +25,7 @@ tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring
 dashmap = { version = "6.0.1", optional = true }
 hickory-client = { version = "0.24.1", optional = true }
 async-trait = "0.1.81"
 rustls-webpki = "0.102.7"
 [dev-dependencies]
 tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
--- a/src/certs/allow_all.rs
+++ b/src/certs/allow_all.rs
@ -1,88 +0,0 @@
 //! Custom verifier for Rustls accepting any TLS cert
 //! (usually called "insecure mode")
 use std::sync::Arc;
 use tokio_rustls::rustls::{
    self,
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
    crypto::CryptoProvider,
 };
 /// Custom verifier for Rustls accepting any TLS certificate
 #[derive(Debug)]
 pub struct AllowAllCertVerifier(Arc<CryptoProvider>);
 impl Default for AllowAllCertVerifier {
    /// Same as [`AllowAllCertVerifier::new()`].
    fn default() -> Self {
        Self::new()
    }
 }
 impl AllowAllCertVerifier {
    /// Constructor for this verifier.
    pub fn new() -> Self {
        AllowAllCertVerifier(
            CryptoProvider::get_default()
                .cloned()
                .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
        )
    }
 }
 impl From<Arc<CryptoProvider>> for AllowAllCertVerifier {
    #[inline]
    fn from(value: Arc<CryptoProvider>) -> Self {
        AllowAllCertVerifier(value)
    }
 }
 impl ServerCertVerifier for AllowAllCertVerifier {
    #[inline]
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        Ok(ServerCertVerified::assertion())
    }
    #[inline]
    fn verify_tls12_signature(
        &self,
        message: &[u8],
        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(
            message,
            cert,
            dss,
            &self.0.signature_verification_algorithms,
        )
    }
    #[inline]
    fn verify_tls13_signature(
        &self,
        message: &[u8],
        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(
            message,
            cert,
            dss,
            &self.0.signature_verification_algorithms,
        )
    }
    #[inline]
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        self.0.signature_verification_algorithms.supported_schemes()
    }
 }
--- a/src/certs/mod.rs
+++ b/src/certs/mod.rs
@ -1,7 +1,7 @@
 //! Everything related to TLS certs verification
 pub mod allow_all;
 pub mod fingerprint;
 pub mod verifier;
 #[cfg(feature = "file-sscv")]
 pub mod file_sscv;
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@ -1,83 +1,139 @@
-//! Internal custom Rustls verifier
+//! Custom verifier for Rustls allowing self-signed certs
-//! allowing verification both with webpki trust roots (when enabled)
+//! but performing other required checks;
-//! and with implementaions of our own [`SelfsignedCertVerifier`]
+//! mostly for internal use
 use crate::certs::SelfsignedCertVerifier;
 use std::sync::Arc;
 pub use tokio_rustls::rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use tokio_rustls::rustls::{
    self,
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
    crypto::CryptoProvider,
 };
-pub struct CustomCertVerifier {
+use webpki::EndEntityCert;
-    pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
+
-    pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
+/// Custom verifier for Rustls accepting any TLS certificate
 #[derive(Debug)]
 pub struct InternalCertVerifier(Arc<CryptoProvider>);
 impl Default for InternalCertVerifier {
    /// Same as [`AllowAllCertVerifier::new()`].
    fn default() -> Self {
        Self::new()
    }
 }
-impl ServerCertVerifier for CustomCertVerifier {
+impl InternalCertVerifier {
    /// Constructor for this verifier.
    pub fn new() -> Self {
        InternalCertVerifier(
            CryptoProvider::get_default()
                .cloned()
                .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
        )
    }
 }
 impl From<Arc<CryptoProvider>> for InternalCertVerifier {
    #[inline]
    fn from(value: Arc<CryptoProvider>) -> Self {
        InternalCertVerifier(value)
    }
 }
 impl ServerCertVerifier for InternalCertVerifier {
    fn verify_server_cert(
        &self,
-        end_entity: &CertificateDer<'_>,
+        end_entity: &rustls::pki_types::CertificateDer<'_>,
-        _intermediates: &[CertificateDer<'_>],
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
-        server_name: &ServerName<'_>,
+        server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
-        now: UnixTime,
+        now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
-        // TODO: certificate validation (domain, expiry, etc.)
+        let cert = EndEntityCert::try_from(end_entity).map_err(pki_error)?;
-        if self
+        match cert.verify_for_usage(
-            .ss_verifier
+            self.0.signature_verification_algorithms.all,
-            .verify(end_entity, server_name.to_str().as_ref(), now)?
+            &[], // no trusted anchors (i.e. CAs)
-        {
+            &[], // i think there's no point in passing intermediates without CAs
-            Ok(ServerCertVerified::assertion())
+            now, // `now` as the time for expiration check
-        } else {
+            webpki::KeyUsage::server_auth(),
-            Err(rustls::Error::InvalidCertificate(
+            None, // no CRLs
-                rustls::CertificateError::ApplicationVerificationFailure,
+            None, // no verify_path callback
-            ))
+        ) {
            Ok(_) => Ok(()), // unreachable
            Err(webpki::Error::UnknownIssuer) => {
                // trust anchors verification is done after
                // any other issuer-independent checks (including expiration),
                // so this error can be safely ignored as
                // we are working with self-signed certificates.
                // for reference -- fn webpki::verify_cert::build_chain_inner
                // (NOTE: should be re-checked on every rustls update)
                Ok(())
            }
            Err(e) => Err(e),
        }
        .map_err(pki_error)?;
        cert.verify_is_valid_for_subject_name(server_name)
            .map_err(pki_error)?;
        Ok(ServerCertVerified::assertion())
    }
    #[inline]
    fn verify_tls12_signature(
        &self,
        message: &[u8],
-        cert: &CertificateDer<'_>,
+        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(
            message,
            cert,
            dss,
-            &self.provider.signature_verification_algorithms,
+            &self.0.signature_verification_algorithms,
        )
    }
    #[inline]
    fn verify_tls13_signature(
        &self,
        message: &[u8],
-        cert: &CertificateDer<'_>,
+        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(
            message,
            cert,
            dss,
-            &self.provider.signature_verification_algorithms,
+            &self.0.signature_verification_algorithms,
        )
    }
    #[inline]
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
-        self.provider
+        self.0.signature_verification_algorithms.supported_schemes()
            .signature_verification_algorithms
            .supported_schemes()
    }
 }
-impl std::fmt::Debug for CustomCertVerifier {
+pub fn pki_error(e: webpki::Error) -> rustls::CertificateError {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+    // partially copied from private fn rustls::webpki::pki_error(e)
-        write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
+    use rustls::{CertificateError, OtherError};
    use webpki::Error::*;
    match e {
        BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding,
        CertNotValidYet => CertificateError::NotValidYet,
        CertExpired | InvalidCertValidity => CertificateError::Expired,
        UnknownIssuer => CertificateError::UnknownIssuer,
        CertNotValidForName => CertificateError::NotValidForName,
        CertRevoked => CertificateError::Revoked,
        UnknownRevocationStatus => CertificateError::UnknownRevocationStatus,
        InvalidSignatureForPublicKey
        | UnsupportedSignatureAlgorithm
        | UnsupportedSignatureAlgorithmForPublicKey => CertificateError::BadSignature,
        _ => CertificateError::Other(OtherError(Arc::new(e))),
    }
 }
--- a/src/client/builder.rs
+++ b/src/client/builder.rs
@ -3,7 +3,7 @@
 use std::sync::Arc;
 use crate::{
-    certs::{allow_all::AllowAllCertVerifier, SelfsignedCertVerifier},
+    certs::{verifier::InternalCertVerifier, SelfsignedCertVerifier},
    Client,
 };
@ -56,7 +56,7 @@ impl ClientBuilder {
            })
            .unwrap()
            .dangerous()
-            .with_custom_certificate_verifier(Arc::new(AllowAllCertVerifier::from(provider)));
+            .with_custom_certificate_verifier(Arc::new(InternalCertVerifier::from(provider)));
        // TODO
        let tls_config = tls_config.with_no_client_auth();
Author	SHA1	Message	Date
DarkCat09	8e8fa85206	feat: actual cert verification ignoring UnknownIssuer	2024-08-28 19:03:13 +04:00
DarkCat09	0e8d023880	refactor: rename allow_all->verifier, AllowAll->InternalCertVerifier	2024-08-28 17:19:18 +04:00
DarkCat09	73addc33ca	refactor: delete unused certs::verifier	2024-08-28 17:17:04 +04:00