clia_rustls_mod/server/
builder.rs

1use alloc::sync::Arc;
2use alloc::vec::Vec;
3use core::marker::PhantomData;
4
5use pki_types::{CertificateDer, PrivateKeyDer};
6
7use crate::builder::{ConfigBuilder, WantsVerifier};
8use crate::crypto::CryptoProvider;
9use crate::error::Error;
10use crate::msgs::handshake::CertificateChain;
11use crate::server::{handy, ResolvesServerCert, ServerConfig};
12use crate::time_provider::TimeProvider;
13use crate::verify::{ClientCertVerifier, NoClientAuth};
14use crate::{versions, NoKeyLog};
15
16impl ConfigBuilder<ServerConfig, WantsVerifier> {
17    /// Choose how to verify client certificates.
18    pub fn with_client_cert_verifier(
19        self,
20        client_cert_verifier: Arc<dyn ClientCertVerifier>,
21    ) -> ConfigBuilder<ServerConfig, WantsServerCert> {
22        ConfigBuilder {
23            state: WantsServerCert {
24                provider: self.state.provider,
25                versions: self.state.versions,
26                verifier: client_cert_verifier,
27                time_provider: self.state.time_provider,
28            },
29            side: PhantomData,
30        }
31    }
32
33    /// Disable client authentication.
34    pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert> {
35        self.with_client_cert_verifier(Arc::new(NoClientAuth))
36    }
37}
38
39/// A config builder state where the caller must supply how to provide a server certificate to
40/// the connecting peer.
41///
42/// For more information, see the [`ConfigBuilder`] documentation.
43#[derive(Clone, Debug)]
44pub struct WantsServerCert {
45    provider: Arc<CryptoProvider>,
46    versions: versions::EnabledVersions,
47    verifier: Arc<dyn ClientCertVerifier>,
48    time_provider: Arc<dyn TimeProvider>,
49}
50
51impl ConfigBuilder<ServerConfig, WantsServerCert> {
52    /// Sets a single certificate chain and matching private key.  This
53    /// certificate and key is used for all subsequent connections,
54    /// irrespective of things like SNI hostname.
55    ///
56    /// Note that the end-entity certificate must have the
57    /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1)
58    /// extension to describe, e.g., the valid DNS name. The `commonName` field is
59    /// disregarded.
60    ///
61    /// `cert_chain` is a vector of DER-encoded certificates.
62    /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
63    /// `aws-lc-rs` and `ring` [`CryptoProvider`]s support all three encodings,
64    /// but other `CryptoProviders` may not.
65    ///
66    /// This function fails if `key_der` is invalid.
67    pub fn with_single_cert(
68        self,
69        cert_chain: Vec<CertificateDer<'static>>,
70        key_der: PrivateKeyDer<'static>,
71    ) -> Result<ServerConfig, Error> {
72        let private_key = self
73            .state
74            .provider
75            .key_provider
76            .load_private_key(key_der)?;
77        let resolver = handy::AlwaysResolvesChain::new(private_key, CertificateChain(cert_chain));
78        Ok(self.with_cert_resolver(Arc::new(resolver)))
79    }
80
81    /// Sets a single certificate chain, matching private key and optional OCSP
82    /// response.  This certificate and key is used for all
83    /// subsequent connections, irrespective of things like SNI hostname.
84    ///
85    /// `cert_chain` is a vector of DER-encoded certificates.
86    /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
87    /// `aws-lc-rs` and `ring` [`CryptoProvider`]s support all three encodings,
88    /// but other `CryptoProviders` may not.
89    /// `ocsp` is a DER-encoded OCSP response.  Ignored if zero length.
90    ///
91    /// This function fails if `key_der` is invalid.
92    pub fn with_single_cert_with_ocsp(
93        self,
94        cert_chain: Vec<CertificateDer<'static>>,
95        key_der: PrivateKeyDer<'static>,
96        ocsp: Vec<u8>,
97    ) -> Result<ServerConfig, Error> {
98        let private_key = self
99            .state
100            .provider
101            .key_provider
102            .load_private_key(key_der)?;
103        let resolver = handy::AlwaysResolvesChain::new_with_extras(
104            private_key,
105            CertificateChain(cert_chain),
106            ocsp,
107        );
108        Ok(self.with_cert_resolver(Arc::new(resolver)))
109    }
110
111    /// Sets a custom [`ResolvesServerCert`].
112    pub fn with_cert_resolver(self, cert_resolver: Arc<dyn ResolvesServerCert>) -> ServerConfig {
113        ServerConfig {
114            provider: self.state.provider,
115            verifier: self.state.verifier,
116            cert_resolver,
117            ignore_client_order: false,
118            max_fragment_size: None,
119            #[cfg(feature = "std")]
120            session_storage: handy::ServerSessionMemoryCache::new(256),
121            #[cfg(not(feature = "std"))]
122            session_storage: Arc::new(handy::NoServerSessionStorage {}),
123            ticketer: Arc::new(handy::NeverProducesTickets {}),
124            alpn_protocols: Vec::new(),
125            versions: self.state.versions,
126            key_log: Arc::new(NoKeyLog {}),
127            enable_secret_extraction: false,
128            max_early_data_size: 0,
129            send_half_rtt_data: false,
130            send_tls13_tickets: 4,
131            #[cfg(feature = "tls12")]
132            require_ems: cfg!(feature = "fips"),
133            time_provider: self.state.time_provider,
134        }
135    }
136}