feat: actual cert verification ignoring UnknownIssuer

refactor: rename allow_all->verifier, AllowAll->InternalCertVerifier
refactor: delete unused certs::verifier
2024-08-28 19:03:13 +04:00 · 2024-08-28 17:19:18 +04:00 · 2024-08-28 17:17:04 +04:00
6 changed files with 99 additions and 129 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -702,7 +702,7 @@ dependencies = [
 "once_cell",
 "ring 0.17.8",
 "rustls-pki-types",
- "rustls-webpki 0.102.6",
+ "rustls-webpki 0.102.7",
 "subtle",
 "zeroize",
 ]
@ -734,9 +734,9 @@ dependencies = [

 [[package]]
 name = "rustls-webpki"
-version = "0.102.6"
+version = "0.102.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e6b52d4fda176fd835fdc55a835d4a89b8499cad995885a21149d5ad62f852e"
+checksum = "84678086bd54edf2b415183ed7a94d0efb049f1b646a33e22a36f3794be6ae56"
 dependencies = [
 "ring 0.17.8",
 "rustls-pki-types",
@ -887,6 +887,7 @@ dependencies = [
 "hickory-client",
 "mime",
 "num_enum",
+ "rustls-webpki 0.102.7",
 "sha2",
 "tokio",
 "tokio-rustls 0.26.0",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -25,6 +25,7 @@ tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring
 dashmap = { version = "6.0.1", optional = true }
 hickory-client = { version = "0.24.1", optional = true }
 async-trait = "0.1.81"
+rustls-webpki = "0.102.7"

 [dev-dependencies]
 tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
--- a/src/certs/allow_all.rs
+++ b/src/certs/allow_all.rs
@ -1,88 +0,0 @@
-//! Custom verifier for Rustls accepting any TLS cert
-//! (usually called "insecure mode")
-
-use std::sync::Arc;
-
-use tokio_rustls::rustls::{
-    self,
-    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    crypto::CryptoProvider,
-};
-
-/// Custom verifier for Rustls accepting any TLS certificate
-#[derive(Debug)]
-pub struct AllowAllCertVerifier(Arc<CryptoProvider>);
-
-impl Default for AllowAllCertVerifier {
-    /// Same as [`AllowAllCertVerifier::new()`].
-    fn default() -> Self {
-        Self::new()
-    }
-}
-
-impl AllowAllCertVerifier {
-    /// Constructor for this verifier.
-    pub fn new() -> Self {
-        AllowAllCertVerifier(
-            CryptoProvider::get_default()
-                .cloned()
-                .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
-        )
-    }
-}
-
-impl From<Arc<CryptoProvider>> for AllowAllCertVerifier {
-    #[inline]
-    fn from(value: Arc<CryptoProvider>) -> Self {
-        AllowAllCertVerifier(value)
-    }
-}
-
-impl ServerCertVerifier for AllowAllCertVerifier {
-    #[inline]
-    fn verify_server_cert(
-        &self,
-        _end_entity: &rustls::pki_types::CertificateDer<'_>,
-        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
-        _server_name: &rustls::pki_types::ServerName<'_>,
-        _ocsp_response: &[u8],
-        _now: rustls::pki_types::UnixTime,
-    ) -> Result<ServerCertVerified, rustls::Error> {
-        Ok(ServerCertVerified::assertion())
-    }
-
-    #[inline]
-    fn verify_tls12_signature(
-        &self,
-        message: &[u8],
-        cert: &rustls::pki_types::CertificateDer<'_>,
-        dss: &rustls::DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, rustls::Error> {
-        rustls::crypto::verify_tls12_signature(
-            message,
-            cert,
-            dss,
-            &self.0.signature_verification_algorithms,
-        )
-    }
-
-    #[inline]
-    fn verify_tls13_signature(
-        &self,
-        message: &[u8],
-        cert: &rustls::pki_types::CertificateDer<'_>,
-        dss: &rustls::DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, rustls::Error> {
-        rustls::crypto::verify_tls13_signature(
-            message,
-            cert,
-            dss,
-            &self.0.signature_verification_algorithms,
-        )
-    }
-
-    #[inline]
-    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
-        self.0.signature_verification_algorithms.supported_schemes()
-    }
-}
--- a/src/certs/mod.rs
+++ b/src/certs/mod.rs
@ -1,7 +1,7 @@
 //! Everything related to TLS certs verification

-pub mod allow_all;
 pub mod fingerprint;
+pub mod verifier;

 #[cfg(feature = "file-sscv")]
 pub mod file_sscv;
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@ -1,83 +1,139 @@
-//! Internal custom Rustls verifier
-//! allowing verification both with webpki trust roots (when enabled)
-//! and with implementaions of our own [`SelfsignedCertVerifier`]
-
-use crate::certs::SelfsignedCertVerifier;
+//! Custom verifier for Rustls allowing self-signed certs
+//! but performing other required checks;
+//! mostly for internal use

 use std::sync::Arc;

-pub use tokio_rustls::rustls::pki_types::{CertificateDer, ServerName, UnixTime};
-
 use tokio_rustls::rustls::{
    self,
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+    crypto::CryptoProvider,
 };

-pub struct CustomCertVerifier {
-    pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
-    pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
+use webpki::EndEntityCert;
+
+/// Custom verifier for Rustls accepting any TLS certificate
+#[derive(Debug)]
+pub struct InternalCertVerifier(Arc<CryptoProvider>);
+
+impl Default for InternalCertVerifier {
+    /// Same as [`AllowAllCertVerifier::new()`].
+    fn default() -> Self {
+        Self::new()
+    }
 }

-impl ServerCertVerifier for CustomCertVerifier {
+impl InternalCertVerifier {
+    /// Constructor for this verifier.
+    pub fn new() -> Self {
+        InternalCertVerifier(
+            CryptoProvider::get_default()
+                .cloned()
+                .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
+        )
+    }
+}
+
+impl From<Arc<CryptoProvider>> for InternalCertVerifier {
+    #[inline]
+    fn from(value: Arc<CryptoProvider>) -> Self {
+        InternalCertVerifier(value)
+    }
+}
+
+impl ServerCertVerifier for InternalCertVerifier {
    fn verify_server_cert(
        &self,
-        end_entity: &CertificateDer<'_>,
-        _intermediates: &[CertificateDer<'_>],
-        server_name: &ServerName<'_>,
+        end_entity: &rustls::pki_types::CertificateDer<'_>,
+        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
+        server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
-        now: UnixTime,
+        now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
-        // TODO: certificate validation (domain, expiry, etc.)
+        let cert = EndEntityCert::try_from(end_entity).map_err(pki_error)?;
+
+        match cert.verify_for_usage(
+            self.0.signature_verification_algorithms.all,
+            &[], // no trusted anchors (i.e. CAs)
+            &[], // i think there's no point in passing intermediates without CAs
+            now, // `now` as the time for expiration check
+            webpki::KeyUsage::server_auth(),
+            None, // no CRLs
+            None, // no verify_path callback
+        ) {
+            Ok(_) => Ok(()), // unreachable
+            Err(webpki::Error::UnknownIssuer) => {
+                // trust anchors verification is done after
+                // any other issuer-independent checks (including expiration),
+                // so this error can be safely ignored as
+                // we are working with self-signed certificates.
+                // for reference -- fn webpki::verify_cert::build_chain_inner
+                // (NOTE: should be re-checked on every rustls update)
+                Ok(())
+            }
+            Err(e) => Err(e),
+        }
+        .map_err(pki_error)?;
+
+        cert.verify_is_valid_for_subject_name(server_name)
+            .map_err(pki_error)?;

-        if self
-            .ss_verifier
-            .verify(end_entity, server_name.to_str().as_ref(), now)?
-        {
        Ok(ServerCertVerified::assertion())
-        } else {
-            Err(rustls::Error::InvalidCertificate(
-                rustls::CertificateError::ApplicationVerificationFailure,
-            ))
-        }
    }

+    #[inline]
    fn verify_tls12_signature(
        &self,
        message: &[u8],
-        cert: &CertificateDer<'_>,
+        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls12_signature(
            message,
            cert,
            dss,
-            &self.provider.signature_verification_algorithms,
+            &self.0.signature_verification_algorithms,
        )
    }

+    #[inline]
    fn verify_tls13_signature(
        &self,
        message: &[u8],
-        cert: &CertificateDer<'_>,
+        cert: &rustls::pki_types::CertificateDer<'_>,
        dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        rustls::crypto::verify_tls13_signature(
            message,
            cert,
            dss,
-            &self.provider.signature_verification_algorithms,
+            &self.0.signature_verification_algorithms,
        )
    }

+    #[inline]
    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
-        self.provider
-            .signature_verification_algorithms
-            .supported_schemes()
+        self.0.signature_verification_algorithms.supported_schemes()
    }
 }

-impl std::fmt::Debug for CustomCertVerifier {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
+pub fn pki_error(e: webpki::Error) -> rustls::CertificateError {
+    // partially copied from private fn rustls::webpki::pki_error(e)
+    use rustls::{CertificateError, OtherError};
+    use webpki::Error::*;
+    match e {
+        BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding,
+        CertNotValidYet => CertificateError::NotValidYet,
+        CertExpired | InvalidCertValidity => CertificateError::Expired,
+        UnknownIssuer => CertificateError::UnknownIssuer,
+        CertNotValidForName => CertificateError::NotValidForName,
+        CertRevoked => CertificateError::Revoked,
+        UnknownRevocationStatus => CertificateError::UnknownRevocationStatus,
+
+        InvalidSignatureForPublicKey
+        | UnsupportedSignatureAlgorithm
+        | UnsupportedSignatureAlgorithmForPublicKey => CertificateError::BadSignature,
+
+        _ => CertificateError::Other(OtherError(Arc::new(e))),
    }
 }
--- a/src/client/builder.rs
+++ b/src/client/builder.rs
@ -3,7 +3,7 @@
 use std::sync::Arc;

 use crate::{
-    certs::{allow_all::AllowAllCertVerifier, SelfsignedCertVerifier},
+    certs::{verifier::InternalCertVerifier, SelfsignedCertVerifier},
    Client,
 };

@ -56,7 +56,7 @@ impl ClientBuilder {
            })
            .unwrap()
            .dangerous()
-            .with_custom_certificate_verifier(Arc::new(AllowAllCertVerifier::from(provider)));
+            .with_custom_certificate_verifier(Arc::new(InternalCertVerifier::from(provider)));

        // TODO
        let tls_config = tls_config.with_no_client_auth();
Author	SHA1	Message	Date
DarkCat09	8e8fa85206	feat: actual cert verification ignoring UnknownIssuer	2024-08-28 19:03:13 +04:00
DarkCat09	0e8d023880	refactor: rename allow_all->verifier, AllowAll->InternalCertVerifier	2024-08-28 17:19:18 +04:00
DarkCat09	73addc33ca	refactor: delete unused certs::verifier	2024-08-28 17:17:04 +04:00