Compare commits
3 commits
32b888b3c1
...
8e8fa85206
Author | SHA1 | Date | |
---|---|---|---|
8e8fa85206 | |||
0e8d023880 | |||
73addc33ca |
6 changed files with 99 additions and 129 deletions
7
Cargo.lock
generated
7
Cargo.lock
generated
|
@ -702,7 +702,7 @@ dependencies = [
|
|||
"once_cell",
|
||||
"ring 0.17.8",
|
||||
"rustls-pki-types",
|
||||
"rustls-webpki 0.102.6",
|
||||
"rustls-webpki 0.102.7",
|
||||
"subtle",
|
||||
"zeroize",
|
||||
]
|
||||
|
@ -734,9 +734,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "rustls-webpki"
|
||||
version = "0.102.6"
|
||||
version = "0.102.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8e6b52d4fda176fd835fdc55a835d4a89b8499cad995885a21149d5ad62f852e"
|
||||
checksum = "84678086bd54edf2b415183ed7a94d0efb049f1b646a33e22a36f3794be6ae56"
|
||||
dependencies = [
|
||||
"ring 0.17.8",
|
||||
"rustls-pki-types",
|
||||
|
@ -887,6 +887,7 @@ dependencies = [
|
|||
"hickory-client",
|
||||
"mime",
|
||||
"num_enum",
|
||||
"rustls-webpki 0.102.7",
|
||||
"sha2",
|
||||
"tokio",
|
||||
"tokio-rustls 0.26.0",
|
||||
|
|
|
@ -25,6 +25,7 @@ tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring
|
|||
dashmap = { version = "6.0.1", optional = true }
|
||||
hickory-client = { version = "0.24.1", optional = true }
|
||||
async-trait = "0.1.81"
|
||||
rustls-webpki = "0.102.7"
|
||||
|
||||
[dev-dependencies]
|
||||
tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }
|
||||
|
|
|
@ -1,88 +0,0 @@
|
|||
//! Custom verifier for Rustls accepting any TLS cert
|
||||
//! (usually called "insecure mode")
|
||||
|
||||
use std::sync::Arc;
|
||||
|
||||
use tokio_rustls::rustls::{
|
||||
self,
|
||||
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
|
||||
crypto::CryptoProvider,
|
||||
};
|
||||
|
||||
/// Custom verifier for Rustls accepting any TLS certificate
|
||||
#[derive(Debug)]
|
||||
pub struct AllowAllCertVerifier(Arc<CryptoProvider>);
|
||||
|
||||
impl Default for AllowAllCertVerifier {
|
||||
/// Same as [`AllowAllCertVerifier::new()`].
|
||||
fn default() -> Self {
|
||||
Self::new()
|
||||
}
|
||||
}
|
||||
|
||||
impl AllowAllCertVerifier {
|
||||
/// Constructor for this verifier.
|
||||
pub fn new() -> Self {
|
||||
AllowAllCertVerifier(
|
||||
CryptoProvider::get_default()
|
||||
.cloned()
|
||||
.unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Arc<CryptoProvider>> for AllowAllCertVerifier {
|
||||
#[inline]
|
||||
fn from(value: Arc<CryptoProvider>) -> Self {
|
||||
AllowAllCertVerifier(value)
|
||||
}
|
||||
}
|
||||
|
||||
impl ServerCertVerifier for AllowAllCertVerifier {
|
||||
#[inline]
|
||||
fn verify_server_cert(
|
||||
&self,
|
||||
_end_entity: &rustls::pki_types::CertificateDer<'_>,
|
||||
_intermediates: &[rustls::pki_types::CertificateDer<'_>],
|
||||
_server_name: &rustls::pki_types::ServerName<'_>,
|
||||
_ocsp_response: &[u8],
|
||||
_now: rustls::pki_types::UnixTime,
|
||||
) -> Result<ServerCertVerified, rustls::Error> {
|
||||
Ok(ServerCertVerified::assertion())
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn verify_tls12_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &rustls::pki_types::CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||
rustls::crypto::verify_tls12_signature(
|
||||
message,
|
||||
cert,
|
||||
dss,
|
||||
&self.0.signature_verification_algorithms,
|
||||
)
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn verify_tls13_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &rustls::pki_types::CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||
rustls::crypto::verify_tls13_signature(
|
||||
message,
|
||||
cert,
|
||||
dss,
|
||||
&self.0.signature_verification_algorithms,
|
||||
)
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
|
||||
self.0.signature_verification_algorithms.supported_schemes()
|
||||
}
|
||||
}
|
|
@ -1,7 +1,7 @@
|
|||
//! Everything related to TLS certs verification
|
||||
|
||||
pub mod allow_all;
|
||||
pub mod fingerprint;
|
||||
pub mod verifier;
|
||||
|
||||
#[cfg(feature = "file-sscv")]
|
||||
pub mod file_sscv;
|
||||
|
|
|
@ -1,83 +1,139 @@
|
|||
//! Internal custom Rustls verifier
|
||||
//! allowing verification both with webpki trust roots (when enabled)
|
||||
//! and with implementaions of our own [`SelfsignedCertVerifier`]
|
||||
|
||||
use crate::certs::SelfsignedCertVerifier;
|
||||
//! Custom verifier for Rustls allowing self-signed certs
|
||||
//! but performing other required checks;
|
||||
//! mostly for internal use
|
||||
|
||||
use std::sync::Arc;
|
||||
|
||||
pub use tokio_rustls::rustls::pki_types::{CertificateDer, ServerName, UnixTime};
|
||||
|
||||
use tokio_rustls::rustls::{
|
||||
self,
|
||||
client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
|
||||
crypto::CryptoProvider,
|
||||
};
|
||||
|
||||
pub struct CustomCertVerifier {
|
||||
pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
|
||||
pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
|
||||
use webpki::EndEntityCert;
|
||||
|
||||
/// Custom verifier for Rustls accepting any TLS certificate
|
||||
#[derive(Debug)]
|
||||
pub struct InternalCertVerifier(Arc<CryptoProvider>);
|
||||
|
||||
impl Default for InternalCertVerifier {
|
||||
/// Same as [`AllowAllCertVerifier::new()`].
|
||||
fn default() -> Self {
|
||||
Self::new()
|
||||
}
|
||||
}
|
||||
|
||||
impl ServerCertVerifier for CustomCertVerifier {
|
||||
impl InternalCertVerifier {
|
||||
/// Constructor for this verifier.
|
||||
pub fn new() -> Self {
|
||||
InternalCertVerifier(
|
||||
CryptoProvider::get_default()
|
||||
.cloned()
|
||||
.unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider())),
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<Arc<CryptoProvider>> for InternalCertVerifier {
|
||||
#[inline]
|
||||
fn from(value: Arc<CryptoProvider>) -> Self {
|
||||
InternalCertVerifier(value)
|
||||
}
|
||||
}
|
||||
|
||||
impl ServerCertVerifier for InternalCertVerifier {
|
||||
fn verify_server_cert(
|
||||
&self,
|
||||
end_entity: &CertificateDer<'_>,
|
||||
_intermediates: &[CertificateDer<'_>],
|
||||
server_name: &ServerName<'_>,
|
||||
end_entity: &rustls::pki_types::CertificateDer<'_>,
|
||||
_intermediates: &[rustls::pki_types::CertificateDer<'_>],
|
||||
server_name: &rustls::pki_types::ServerName<'_>,
|
||||
_ocsp_response: &[u8],
|
||||
now: UnixTime,
|
||||
now: rustls::pki_types::UnixTime,
|
||||
) -> Result<ServerCertVerified, rustls::Error> {
|
||||
// TODO: certificate validation (domain, expiry, etc.)
|
||||
let cert = EndEntityCert::try_from(end_entity).map_err(pki_error)?;
|
||||
|
||||
if self
|
||||
.ss_verifier
|
||||
.verify(end_entity, server_name.to_str().as_ref(), now)?
|
||||
{
|
||||
Ok(ServerCertVerified::assertion())
|
||||
} else {
|
||||
Err(rustls::Error::InvalidCertificate(
|
||||
rustls::CertificateError::ApplicationVerificationFailure,
|
||||
))
|
||||
match cert.verify_for_usage(
|
||||
self.0.signature_verification_algorithms.all,
|
||||
&[], // no trusted anchors (i.e. CAs)
|
||||
&[], // i think there's no point in passing intermediates without CAs
|
||||
now, // `now` as the time for expiration check
|
||||
webpki::KeyUsage::server_auth(),
|
||||
None, // no CRLs
|
||||
None, // no verify_path callback
|
||||
) {
|
||||
Ok(_) => Ok(()), // unreachable
|
||||
Err(webpki::Error::UnknownIssuer) => {
|
||||
// trust anchors verification is done after
|
||||
// any other issuer-independent checks (including expiration),
|
||||
// so this error can be safely ignored as
|
||||
// we are working with self-signed certificates.
|
||||
// for reference -- fn webpki::verify_cert::build_chain_inner
|
||||
// (NOTE: should be re-checked on every rustls update)
|
||||
Ok(())
|
||||
}
|
||||
Err(e) => Err(e),
|
||||
}
|
||||
.map_err(pki_error)?;
|
||||
|
||||
cert.verify_is_valid_for_subject_name(server_name)
|
||||
.map_err(pki_error)?;
|
||||
|
||||
Ok(ServerCertVerified::assertion())
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn verify_tls12_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &CertificateDer<'_>,
|
||||
cert: &rustls::pki_types::CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||
rustls::crypto::verify_tls12_signature(
|
||||
message,
|
||||
cert,
|
||||
dss,
|
||||
&self.provider.signature_verification_algorithms,
|
||||
&self.0.signature_verification_algorithms,
|
||||
)
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn verify_tls13_signature(
|
||||
&self,
|
||||
message: &[u8],
|
||||
cert: &CertificateDer<'_>,
|
||||
cert: &rustls::pki_types::CertificateDer<'_>,
|
||||
dss: &rustls::DigitallySignedStruct,
|
||||
) -> Result<HandshakeSignatureValid, rustls::Error> {
|
||||
rustls::crypto::verify_tls13_signature(
|
||||
message,
|
||||
cert,
|
||||
dss,
|
||||
&self.provider.signature_verification_algorithms,
|
||||
&self.0.signature_verification_algorithms,
|
||||
)
|
||||
}
|
||||
|
||||
#[inline]
|
||||
fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
|
||||
self.provider
|
||||
.signature_verification_algorithms
|
||||
.supported_schemes()
|
||||
self.0.signature_verification_algorithms.supported_schemes()
|
||||
}
|
||||
}
|
||||
|
||||
impl std::fmt::Debug for CustomCertVerifier {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
|
||||
pub fn pki_error(e: webpki::Error) -> rustls::CertificateError {
|
||||
// partially copied from private fn rustls::webpki::pki_error(e)
|
||||
use rustls::{CertificateError, OtherError};
|
||||
use webpki::Error::*;
|
||||
match e {
|
||||
BadDer | BadDerTime | TrailingData(_) => CertificateError::BadEncoding,
|
||||
CertNotValidYet => CertificateError::NotValidYet,
|
||||
CertExpired | InvalidCertValidity => CertificateError::Expired,
|
||||
UnknownIssuer => CertificateError::UnknownIssuer,
|
||||
CertNotValidForName => CertificateError::NotValidForName,
|
||||
CertRevoked => CertificateError::Revoked,
|
||||
UnknownRevocationStatus => CertificateError::UnknownRevocationStatus,
|
||||
|
||||
InvalidSignatureForPublicKey
|
||||
| UnsupportedSignatureAlgorithm
|
||||
| UnsupportedSignatureAlgorithmForPublicKey => CertificateError::BadSignature,
|
||||
|
||||
_ => CertificateError::Other(OtherError(Arc::new(e))),
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
use std::sync::Arc;
|
||||
|
||||
use crate::{
|
||||
certs::{allow_all::AllowAllCertVerifier, SelfsignedCertVerifier},
|
||||
certs::{verifier::InternalCertVerifier, SelfsignedCertVerifier},
|
||||
Client,
|
||||
};
|
||||
|
||||
|
@ -56,7 +56,7 @@ impl ClientBuilder {
|
|||
})
|
||||
.unwrap()
|
||||
.dangerous()
|
||||
.with_custom_certificate_verifier(Arc::new(AllowAllCertVerifier::from(provider)));
|
||||
.with_custom_certificate_verifier(Arc::new(InternalCertVerifier::from(provider)));
|
||||
|
||||
// TODO
|
||||
let tls_config = tls_config.with_no_client_auth();
|
||||
|
|
Loading…
Add table
Reference in a new issue