dhttp 0.2.0

The True Internet
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

use std::sync::{Arc, LazyLock};

use h3x::dquic::{
    cert::handy::ToCertificate,
    client::{ClientQuicConfig, ServerCertVerifierChoice},
    server::ServerQuicConfig,
};
use rustls::{
    RootCertStore,
    client::WebPkiServerVerifier,
    server::{WebPkiClientVerifier, danger::ClientCertVerifier},
};

/// PEM-encoded DHTTP ecosystem root CA certificate embedded at build time.
///
/// Build scripts set this from `DHTTP_ROOT_CA` when that environment variable
/// is present. Otherwise, docs-only builds use the generated docs-only
/// certificate from `dhttp/build.rs`.
pub const DHTTP_ROOT_CA: &[u8] = crate::bootstrap::DHTTP_ROOT_CA;

/// Client certificate policy for DHTTP peer authentication.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ClientIdentityPolicy {
    /// Verify client certificates when peers provide them, but allow anonymous peers.
    Optional,
    /// Require peers to provide a certificate trusted by the DHTTP root store.
    Required,
}

/// Return the DHTTP ecosystem root certificate store.
///
/// The current embedded certificate is the transitional genmeta root CA. It is
/// expected to be replaced by the dhttp.net root CA when the ecosystem switches
/// domains.
pub fn dhttp_root_cert_store() -> &'static Arc<RootCertStore> {
    static STORE: LazyLock<Arc<RootCertStore>> = LazyLock::new(|| {
        let mut store = RootCertStore::empty();
        store.add_parsable_certificates(DHTTP_ROOT_CA.to_certificate());
        Arc::new(store)
    });
    &STORE
}

/// Build the default verifier for DHTTP clients validating server certificates.
pub fn dhttp_server_cert_verifier() -> Arc<WebPkiServerVerifier> {
    static VERIFIER: LazyLock<Arc<WebPkiServerVerifier>> = LazyLock::new(|| {
        WebPkiServerVerifier::builder(dhttp_root_cert_store().clone())
            .build()
            .expect("BUG: webpki server verifier built from fixed DHTTP roots")
    });
    VERIFIER.clone()
}

/// Build the default verifier for DHTTP servers validating client certificates.
pub fn dhttp_client_cert_verifier(policy: ClientIdentityPolicy) -> Arc<dyn ClientCertVerifier> {
    let builder = WebPkiClientVerifier::builder(dhttp_root_cert_store().clone());
    match policy {
        ClientIdentityPolicy::Optional => builder
            .allow_unauthenticated()
            .build()
            .expect("BUG: webpki client verifier built from fixed DHTTP roots"),
        ClientIdentityPolicy::Required => builder
            .build()
            .expect("BUG: webpki client verifier built from fixed DHTTP roots"),
    }
}

/// Default DHTTP client-side QUIC configuration.
///
/// Verifies server certificates against the DHTTP ecosystem root and offers the
/// HTTP/3 ALPN.
pub fn default_client_quic_config() -> ClientQuicConfig {
    static CONFIG: LazyLock<ClientQuicConfig> = LazyLock::new(|| ClientQuicConfig {
        verifier: ServerCertVerifierChoice::WebPki(dhttp_server_cert_verifier()),
        alpns: vec![b"h3".to_vec()],
        ..Default::default()
    });
    CONFIG.clone()
}

/// Default DHTTP server-side QUIC configuration.
///
/// Verifies client certificates when provided, allows anonymous clients by
/// default, and advertises the HTTP/3 ALPN.
pub fn default_server_quic_config() -> ServerQuicConfig {
    static CONFIG: LazyLock<ServerQuicConfig> = LazyLock::new(|| ServerQuicConfig {
        alpns: vec![b"h3".to_vec()],
        backlog: 1024,
        client_cert_verifier: dhttp_client_cert_verifier(ClientIdentityPolicy::Optional),
        ..Default::default()
    });
    CONFIG.clone()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn public_root_ca_constant_is_valid_certificate_material() {
        let mut store = RootCertStore::empty();
        let (added, ignored) = store.add_parsable_certificates(DHTTP_ROOT_CA.to_certificate());

        assert_eq!(added, 1);
        assert_eq!(ignored, 0);
    }

    #[test]
    fn dhttp_root_store_contains_embedded_root() {
        assert!(!dhttp_root_cert_store().roots.is_empty());
    }

    #[test]
    fn default_client_config_uses_dhttp_webpki_roots_and_h3_alpn() {
        let config = default_client_quic_config();

        assert!(matches!(
            config.verifier,
            ServerCertVerifierChoice::WebPki(_)
        ));
        assert_eq!(config.alpns, vec![b"h3".to_vec()]);
    }

    #[test]
    fn default_client_config_is_stable_across_calls() {
        let a = default_client_quic_config();
        let b = default_client_quic_config();

        assert_eq!(a, b);
    }

    #[test]
    fn default_server_config_uses_optional_dhttp_client_auth_and_h3_alpn() {
        let config = default_server_quic_config();

        assert_eq!(config.alpns, vec![b"h3".to_vec()]);
        assert_eq!(config.backlog, 1024);
        assert!(Arc::strong_count(&config.client_cert_verifier) >= 1);
    }

    #[test]
    fn default_server_config_is_stable_across_calls() {
        let a = default_server_quic_config();
        let b = default_server_quic_config();

        assert_eq!(a, b);
    }

    #[test]
    fn required_client_identity_policy_builds_verifier() {
        let verifier = dhttp_client_cert_verifier(ClientIdentityPolicy::Required);

        assert!(Arc::strong_count(&verifier) >= 1);
    }
}