fugle-marketdata-core 0.6.0

Internal kernel for the Fugle market data SDK. End users should depend on `fugle-marketdata` instead.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

//! TLS configuration for REST (`ureq`) and WebSocket (`tokio-tungstenite`).
//!
//! Both transports share the same [`TlsConfig`] shape and the
//! [`build_rustls_config`] helper, so a user-supplied root CA or
//! "accept invalid certs" flag applies uniformly across the SDK.

use std::io::BufReader;
use std::sync::{Arc, OnceLock};

use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme};

use crate::errors::MarketDataError;

/// Optional TLS customization. When all fields are default the SDK uses
/// the OS trust store loaded by `rustls-native-certs`.
#[derive(Clone, Debug, Default)]
pub struct TlsConfig {
    /// PEM-encoded additional root CA. Added to the rustls `RootCertStore`
    /// alongside the system trust store, so the client accepts chains
    /// signed by either this CA or any OS-trusted root.
    pub root_cert_pem: Option<Vec<u8>>,

    /// Disable ALL TLS verification (chain + hostname + expiry + EKU).
    /// Equivalent to `wscat --no-check` or `curl -k`. Do not use in
    /// production — exposes the client to trivial MITM. Prefer
    /// `root_cert_pem` with a properly-issued server cert.
    pub accept_invalid_certs: bool,
}

static PROVIDER_INSTALLED: OnceLock<()> = OnceLock::new();
static SYSTEM_ROOTS: OnceLock<Arc<RootCertStore>> = OnceLock::new();

fn install_crypto_provider() {
    PROVIDER_INSTALLED.get_or_init(|| {
        // Best-effort: if another crate already installed one, this
        // returns Err and we ignore it. First installer wins.
        let _ = rustls::crypto::ring::default_provider().install_default();
    });
}

fn system_root_store() -> &'static Arc<RootCertStore> {
    SYSTEM_ROOTS.get_or_init(|| {
        let mut store = RootCertStore::empty();
        // rustls-native-certs 0.8 returns CertificateResult { certs, errors }.
        // We ignore per-cert errors — reading some OS stores may fail on
        // locked-down systems, but usable roots still load.
        let loaded = rustls_native_certs::load_native_certs();
        for cert in loaded.certs {
            let _ = store.add(cert);
        }
        Arc::new(store)
    })
}

/// Build a rustls [`ClientConfig`] honoring any custom root CA or
/// `accept_invalid_certs` flag in `tls`. On default config this returns
/// a config using the OS trust store loaded once into a process-wide
/// `RootCertStore`. ureq's rustls integration and tokio-tungstenite's
/// `Connector::Rustls` both consume this `Arc<ClientConfig>`.
///
/// # Errors
/// Returns [`MarketDataError`] on parse, transport, protocol, deserialization,
/// validation, or peer-initiated failures.
pub fn build_rustls_config(tls: &TlsConfig) -> Result<Arc<ClientConfig>, MarketDataError> {
    install_crypto_provider();

    if tls.accept_invalid_certs {
        // DangerousClientConfigBuilder lives inline on the builder since
        // rustls 0.23 (no feature flag required).
        let config = ClientConfig::builder()
            .dangerous()
            .with_custom_certificate_verifier(Arc::new(AlwaysTrustVerifier))
            .with_no_client_auth();
        return Ok(Arc::new(config));
    }

    // Clone the cached system store so callers can't mutate it.
    let mut store = (**system_root_store()).clone();

    if let Some(pem) = &tls.root_cert_pem {
        let mut reader = BufReader::new(pem.as_slice());
        for cert_result in rustls_pemfile::certs(&mut reader) {
            let cert = cert_result.map_err(|e| {
                MarketDataError::ConfigError(format!("invalid TLS root cert PEM: {e}"))
            })?;
            store.add(cert).map_err(|e| {
                MarketDataError::ConfigError(format!("failed to add root cert: {e}"))
            })?;
        }
    }

    let config = ClientConfig::builder()
        .with_root_certificates(store)
        .with_no_client_auth();
    Ok(Arc::new(config))
}

/// Verifier that accepts any server certificate. Only used when the
/// caller opts in via `TlsConfig::accept_invalid_certs`.
#[derive(Debug)]
struct AlwaysTrustVerifier;

impl ServerCertVerifier for AlwaysTrustVerifier {
    fn verify_server_cert(
        &self,
        _end_entity: &CertificateDer<'_>,
        _intermediates: &[CertificateDer<'_>],
        _server_name: &ServerName<'_>,
        _ocsp_response: &[u8],
        _now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        Ok(ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, rustls::Error> {
        Ok(HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        vec![
            SignatureScheme::RSA_PKCS1_SHA256,
            SignatureScheme::RSA_PKCS1_SHA384,
            SignatureScheme::RSA_PKCS1_SHA512,
            SignatureScheme::ECDSA_NISTP256_SHA256,
            SignatureScheme::ECDSA_NISTP384_SHA384,
            SignatureScheme::RSA_PSS_SHA256,
            SignatureScheme::RSA_PSS_SHA384,
            SignatureScheme::RSA_PSS_SHA512,
            SignatureScheme::ED25519,
        ]
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn default_config_builds_rustls_config() {
        let cfg = TlsConfig::default();
        let _ = build_rustls_config(&cfg).expect("default should always build");
    }

    #[test]
    fn accept_invalid_certs_builds_rustls_config() {
        let cfg = TlsConfig {
            accept_invalid_certs: true,
            ..Default::default()
        };
        let _ = build_rustls_config(&cfg).expect("should build");
    }

    #[test]
    fn invalid_pem_is_config_error() {
        let cfg = TlsConfig {
            root_cert_pem: Some(b"not a real pem".to_vec()),
            ..Default::default()
        };
        // rustls-pemfile silently returns 0 certs on garbage input (not an
        // error) — so the config builds but with no extra root added.
        // That's acceptable: the surrounding "invalid PEM" contract was
        // native-tls-specific. A clearly-invalid PEM that DOES look like
        // a cert header would fail inside the iterator.
        let cfg_ok = build_rustls_config(&cfg);
        assert!(cfg_ok.is_ok(), "garbage non-PEM should parse to zero certs, not error");
    }
}