add DnsClient arg to file_sscv init(), update main.rs example

refactor: remove webpki feature, prepare for next refactor
small cleanup + doc
2024-08-20 10:52:24 +04:00 · 2024-08-20 10:51:42 +04:00 · 2024-08-20 10:45:08 +04:00 · 2024-08-19 11:35:18 +04:00
8 changed files with 110 additions and 166 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -890,7 +890,6 @@ dependencies = [
 "tokio",
 "tokio-rustls 0.26.0",
 "url",
- "webpki-roots",
 ]

 [[package]]
@ -1112,15 +1111,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "webpki-roots"
-version = "0.26.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "winapi"
 version = "0.3.9"
--- a/Cargo.toml
+++ b/Cargo.toml
@ -21,7 +21,6 @@ url = "2.5.2"

 tokio = { version = "1.39.2", features = ["io-util", "net"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
-webpki-roots = { version = "0.26.3", optional = true }

 dashmap = { version = "6.0.1", optional = true }
 hickory-client = { version = "0.24.1", optional = true }
@ -30,9 +29,9 @@ hickory-client = { version = "0.24.1", optional = true }
 tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }

 [features]
-webpki = ["dep:webpki-roots"]
 file-sscv = ["dep:dashmap", "tokio/fs"]

+dane = ["hickory"]
 hickory = ["dep:hickory-client"]
 hickory-dot = ["hickory", "hickory-client/dns-over-rustls"]
 hickory-doh = ["hickory", "hickory-client/dns-over-https-rustls"]
@ -46,9 +45,4 @@ path = "examples/simple.rs"
 [[example]]
 name = "main"
 path = "examples/main.rs"
-required-features = ["file-sscv"]
-
-[[example]]
-name = "dane"
-path = "examples/dane.rs"
-required-features = ["hickory"]
+required-features = ["file-sscv", "hickory"]
--- a/examples/dane.rs
+++ b/examples/dane.rs
@ -1,16 +0,0 @@
-use tokio_gemini::dns::DnsClient;
-
-#[tokio::main]
-async fn main() {
-    let mut client = DnsClient::init(("1.1.1.1", 53)).await.unwrap();
-    println!(
-        "{}",
-        client
-            .query_tlsa("torproject.org", 443)
-            .await
-            .unwrap()
-            .next()
-            .unwrap()
-            .hex()
-    );
-}
--- a/examples/main.rs
+++ b/examples/main.rs
@ -1,38 +1,30 @@
-use tokio_gemini::certs::{file_sscv::FileBasedCertVerifier, insecure::AllowAllCertVerifier};
+use tokio_gemini::{
+    certs::{file_sscv::FileBasedCertVerifier, insecure::AllowAllCertVerifier},
+    dns::DnsClient,
+    Client, LibError,
+};

 //
-// cargo add tokio_gemini -F file-sscv
+// cargo add tokio_gemini -F file-sscv,hickory
 // cargo add tokio -F macros,rt-multi-thread,io-util,fs
 //

+const USAGE: &str = "-k\t\tinsecure mode (trust all certs)
+-d <DNS server addr>\tuse custom DNS for resolving & DANE
+-h\t\tshow help";
+
+struct Config {
+    insecure: bool,
+    dns: Option<String>,
+    url: String,
+}
+
 #[tokio::main]
-async fn main() -> Result<(), tokio_gemini::LibError> {
-    let mut args = std::env::args();
-    let mut insecure = false;
-    let mut url = "gemini://geminiprotocol.net/".to_owned();
-    _ = args.next(); // skip exe path
-    if let Some(arg) = args.next() {
-        if arg == "-k" {
-            insecure = true;
-            if let Some(arg) = args.next() {
-                url = arg;
-            }
-        } else {
-            url = arg;
-        }
-    }
+async fn main() -> Result<(), LibError> {
+    let config = parse_args();
+    let client = build_client(&config).await?;

-    let client = if insecure {
-        tokio_gemini::Client::builder()
-            .with_custom_verifier(AllowAllCertVerifier::yes_i_know_what_i_am_doing())
-            .build()
-    } else {
-        tokio_gemini::Client::builder()
-            .with_selfsigned_cert_verifier(FileBasedCertVerifier::init("known_hosts").await?)
-            .build()
-    };
-
-    let mut resp = client.request(&url).await?;
+    let mut resp = client.request(&config.url).await?;

    {
        let status_code = resp.status().status_code();
@ -57,3 +49,66 @@ async fn main() -> Result<(), tokio_gemini::LibError> {

    Ok(())
 }
+
+fn parse_args() -> Config {
+    let mut config = Config {
+        insecure: false,
+        dns: None,
+        url: "gemini://geminiprotocol.net/".to_owned(),
+    };
+
+    let mut expected_dns = false;
+
+    for arg in std::env::args().skip(1) {
+        match arg.as_str() {
+            dns if expected_dns => {
+                config.dns = Some(dns.to_owned());
+                expected_dns = false;
+            }
+            "-k" => config.insecure = true,
+            "-d" => expected_dns = true,
+            "-h" => {
+                println!("{}", USAGE);
+                std::process::exit(0);
+            }
+            url => {
+                println!("URL: {}", url);
+                config.url = url.to_owned();
+                break;
+            }
+        }
+    }
+
+    if expected_dns {
+        println!("{}", USAGE);
+        std::process::exit(0);
+    }
+
+    config
+}
+
+async fn build_client(config: &Config) -> Result<Client, LibError> {
+    let dns = if let Some(addr) = &config.dns {
+        Some(DnsClient::init(addr).await?)
+    } else {
+        None
+    };
+
+    let client = tokio_gemini::Client::builder();
+
+    let client = if config.insecure {
+        client.with_custom_verifier(AllowAllCertVerifier::yes_i_know_what_i_am_doing())
+    } else {
+        client.with_selfsigned_cert_verifier(
+            FileBasedCertVerifier::init("known_hosts", dns.clone()).await?,
+        )
+    };
+
+    let client = if let Some(dns) = dns {
+        client.with_dns_client(dns)
+    } else {
+        client
+    };
+
+    Ok(client.build())
+}
--- a/src/certs/file_sscv.rs
+++ b/src/certs/file_sscv.rs
@ -15,15 +15,21 @@ use crate::{
    LibError,
 };

+#[cfg(feature = "hickory")]
+use crate::dns::DnsClient;
+
 pub struct FileBasedCertVerifier {
    fd: Mutex<std::os::fd::OwnedFd>,
    map: DashMap<String, SelfsignedCert>,
    #[cfg(feature = "hickory")]
-    dns: Option<crate::dns::DnsClient>,
+    dns: Option<DnsClient>,
 }

 impl FileBasedCertVerifier {
-    pub async fn init(path: impl AsRef<Path>) -> Result<Self, LibError> {
+    pub async fn init(
+        path: impl AsRef<Path>,
+        #[cfg(feature = "hickory")] dns: Option<DnsClient>,
+    ) -> Result<Self, LibError> {
        let map = DashMap::new();

        if tokio::fs::try_exists(&path).await? {
@ -97,7 +103,7 @@ impl FileBasedCertVerifier {
            fd,
            map,
            #[cfg(feature = "hickory")]
-            dns: None,
+            dns,
        })
    }
 }
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@ -15,8 +15,6 @@ use tokio_rustls::rustls::{

 pub struct CustomCertVerifier {
    pub(crate) provider: Arc<rustls::crypto::CryptoProvider>,
-    pub(crate) webpki_verifier: Option<Arc<rustls::client::WebPkiServerVerifier>>,
-    pub(crate) ss_allowed: bool,
    pub(crate) ss_verifier: Box<dyn SelfsignedCertVerifier>,
 }

@ -29,52 +27,20 @@ impl ServerCertVerifier for CustomCertVerifier {
        _ocsp_response: &[u8],
        now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
-        // if webpki CA certs enabled
-        #[cfg(feature = "webpki")]
-        if let Some(wv) = &self.webpki_verifier {
-            match wv.verify_server_cert(
-                end_entity,
-                _intermediates,
-                server_name,
-                _ocsp_response,
-                now,
-            ) {
-                Ok(verified) => {
-                    return Ok(verified);
-                }
-                Err(
-                    e @ rustls::Error::InvalidCertificate(rustls::CertificateError::UnknownIssuer),
-                ) => {
-                    if !self.ss_allowed {
-                        return Err(e);
-                    }
-                    // go ahead, verify as self-signed
-                }
-                Err(e) => {
-                    // any other error, probably related to invalid cert
-                    return Err(e);
-                }
-            }
-        }
+        // TODO: certificate validation (domain, expiry, etc.)

-        // TODO: certificate validation when webpki_verifier is not used
-
-        // if self-signed certs enabled
-        if self.ss_allowed {
-            // TODO: check if expired or provide handy API to check it
-            // (probably with rustls-webpki's webpki::Cert)
        if self
            .ss_verifier
            .verify(end_entity, server_name.to_str().as_ref(), now)?
        {
-                return Ok(ServerCertVerified::assertion());
+            Ok(ServerCertVerified::assertion())
+        } else {
+            Err(rustls::Error::InvalidCertificate(
+                rustls::CertificateError::ApplicationVerificationFailure,
+            ))
        }
    }

-        // both disabled (shouldn't happen)
-        Err(rustls::Error::UnsupportedNameType) // not sure if chosen correct enum item
-    }
-
    fn verify_tls12_signature(
        &self,
        message: &[u8],
@ -112,10 +78,6 @@ impl ServerCertVerifier for CustomCertVerifier {

 impl std::fmt::Debug for CustomCertVerifier {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(
-            f,
-            "CustomCertVerifier {{ provider: {:?}, webpki_verifier: {:?} }}",
-            self.provider, self.webpki_verifier
-        )
+        write!(f, "CustomCertVerifier {{ provider: {:?} }}", self.provider)
    }
 }
--- a/src/client/builder.rs
+++ b/src/client/builder.rs
@ -12,9 +12,6 @@ use crate::dns::DnsClient;

 use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};

-#[cfg(feature = "webpki")]
-use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};
-
 /// Builder for creating configured [`Client`] instance
 pub struct ClientBuilder {
    root_certs: rustls::RootCertStore,
@ -63,33 +60,10 @@ impl ClientBuilder {
        let tls_config = if let Some(cv) = self.custom_verifier {
            tls_config.dangerous().with_custom_certificate_verifier(cv)
        } else if let Some(ssv) = self.ss_verifier {
-            let webpki_verifier = {
-                #[cfg(feature = "webpki")]
-                if !self.root_certs.is_empty() {
-                    Some(
-                        WebPkiServerVerifier::builder_with_provider(
-                            Arc::new(self.root_certs),
-                            provider.clone(),
-                        )
-                        .build()
-                        // panics only if roots are empty (that is checked above)
-                        // or CRLs couldn't be parsed (we didn't provide any)
-                        .unwrap(),
-                    )
-                } else {
-                    None
-                }
-
-                #[cfg(not(feature = "webpki"))]
-                None
-            };
-
            tls_config
                .dangerous()
                .with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
                    provider: provider.clone(),
-                    webpki_verifier,
-                    ss_allowed: true,
                    ss_verifier: ssv,
                }))
        } else {
@ -117,27 +91,6 @@ impl ClientBuilder {
        self
    }

-    /// Include webpki trust anchors.
-    /// Not recommended (useless) as most Gemini capsules use self-signed
-    /// TLS certs and properly configured TOFU policy is enough.
-    #[cfg(feature = "webpki")]
-    pub fn with_webpki_roots(mut self) -> Self {
-        self.root_certs
-            .extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        self
-    }
-
-    /// Include custom trust anchors.
-    /// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
-    #[cfg(feature = "webpki")]
-    pub fn with_custom_roots(
-        mut self,
-        iter: impl IntoIterator<Item = TrustAnchor<'static>>,
-    ) -> Self {
-        self.root_certs.extend(iter);
-        self
-    }
-
    /// Include a self-signed cert verifier.
    /// If you only need a known_hosts file, consider using
    /// [`crate::certs::file_sscv::FileBasedCertVerifier`],
--- a/src/client/mod.rs
+++ b/src/client/mod.rs
@ -7,16 +7,14 @@ pub use response::Response;

 #[cfg(feature = "hickory")]
 use crate::dns::DnsClient;
-
 #[cfg(feature = "hickory")]
 use hickory_client::rr::IntoName;
+#[cfg(feature = "hickory")]
+use std::net::SocketAddr;

 use crate::{error::*, status::*};
 use builder::ClientBuilder;

-#[cfg(feature = "hickory")]
-use std::net::SocketAddr;
-
 use std::sync::Arc;

 use tokio::{
@ -49,6 +47,8 @@ impl From<rustls::ClientConfig> for Client {

 #[cfg(feature = "hickory")]
 impl From<(rustls::ClientConfig, DnsClient)> for Client {
+    /// Create a Client from a Rustls config and
+    /// a DnsClient instance as a custom resolver.
    #[inline]
    fn from(value: (rustls::ClientConfig, DnsClient)) -> Self {
        Client {
Author	SHA1	Message	Date
DarkCat09	4314df372b	add DnsClient arg to file_sscv init(), update main.rs example	2024-08-20 10:52:24 +04:00
DarkCat09	9806eb6a02	refactor: remove `webpki` feature, prepare for next refactor	2024-08-20 10:51:42 +04:00
DarkCat09	2feb039c11	small cleanup + doc	2024-08-20 10:45:08 +04:00
DarkCat09	e77b785fa0	alias `dane` feature to `hickory`, remove dane.rs example	2024-08-19 11:35:18 +04:00