aranya_util/
rustls.rs

1//! This module provides TLS configuration components that **deliberately bypass security checks**.
2//! Useful for server configurations that rely on PSKs to secure connections.
3
4// --- Start SkipServerVerification ---
5// INSECURE: Allows connecting to any server certificate.
6// Requires the `dangerous_configuration` feature on the `rustls` crate.
7// Use full paths for traits and types
8// TODO: remove this once we have a way to exclusively use PSKs.
9// Currently, we use this to allow the server to be set up to use PSKs
10// without having to rely on the server certificate.
11
12use std::sync::Arc;
13
14use s2n_quic::provider::tls::rustls::rustls::pki_types::ServerName;
15#[allow(deprecated)]
16use s2n_quic::provider::tls::rustls::rustls::{self, crypto::CryptoProvider};
17
18#[derive(Debug)]
19/// A server certificate verifier that accepts any certificate without validation.
20///
21/// This struct implements [`rustls::client::danger::ServerCertVerifier`] but performs no actual
22/// certificate verification, effectively accepting any server certificate presented during
23/// the TLS handshake.
24pub struct SkipServerVerification(Arc<CryptoProvider>);
25
26impl SkipServerVerification {
27    #![allow(clippy::expect_used)]
28    /// Creates a new instance using the default [`CryptoProvider`]
29    pub fn new() -> Arc<Self> {
30        let provider = CryptoProvider::get_default().expect("Default crypto provider not found");
31        Arc::new(Self(provider.clone()))
32    }
33}
34
35impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
36    fn verify_server_cert(
37        &self,
38        _end_entity: &rustls::pki_types::CertificateDer<'_>,
39        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
40        _server_name: &ServerName<'_>,
41        _ocsp_response: &[u8],
42        _now: rustls::pki_types::UnixTime,
43    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
44        Ok(rustls::client::danger::ServerCertVerified::assertion())
45    }
46
47    fn verify_tls12_signature(
48        &self,
49        message: &[u8],
50        cert: &rustls::pki_types::CertificateDer<'_>,
51        dss: &rustls::DigitallySignedStruct,
52    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
53        // Use the selected provider's verification algorithms
54        rustls::crypto::verify_tls12_signature(
55            message,
56            cert,
57            dss,
58            &self.0.signature_verification_algorithms,
59        )
60    }
61
62    fn verify_tls13_signature(
63        &self,
64        message: &[u8],
65        cert: &rustls::pki_types::CertificateDer<'_>,
66        dss: &rustls::DigitallySignedStruct,
67    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
68        // Use the selected provider's verification algorithms
69        rustls::crypto::verify_tls13_signature(
70            message,
71            cert,
72            dss,
73            &self.0.signature_verification_algorithms,
74        )
75    }
76
77    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
78        self.0.signature_verification_algorithms.supported_schemes()
79    }
80}
81// --- End SkipServerVerification ---
82
83/// A certificate resolver that provides no certificates.
84///
85/// This struct implements [`rustls::server::ResolvesServerCert`] but returns an empty
86/// certificate chain with a non-functional signing key. This is intended for server
87/// configurations that rely exclusively on Pre-Shared Keys (PSKs) for authentication.
88#[derive(Debug, Default)]
89pub struct NoCertResolver(Arc<NoSigningKey>);
90impl rustls::server::ResolvesServerCert for NoCertResolver {
91    fn resolve(
92        &self,
93        _client_hello: rustls::server::ClientHello<'_>,
94    ) -> Option<Arc<rustls::sign::CertifiedKey>> {
95        Some(Arc::new(rustls::sign::CertifiedKey::new(
96            vec![],
97            Arc::clone(&self.0) as _,
98        )))
99    }
100}
101
102/// A non-functional signing key implementation that performs no actual signing.
103///
104/// This struct implements [`rustls::sign::SigningKey`].
105/// It's used internally by [`NoCertResolver`].
106#[derive(Debug, Default)]
107pub struct NoSigningKey;
108impl rustls::sign::SigningKey for NoSigningKey {
109    fn choose_scheme(
110        &self,
111        _offered: &[rustls::SignatureScheme],
112    ) -> Option<Box<dyn rustls::sign::Signer>> {
113        None
114    }
115
116    fn algorithm(&self) -> rustls::SignatureAlgorithm {
117        rustls::SignatureAlgorithm::ECDSA
118    }
119}
aranya_util/rustls.rs

aranya_util/
rustls.rs
