nexus-net 0.5.1

Low-latency WebSocket, HTTP/1.1, and TLS primitives. Sans-IO, zero-copy, SIMD-accelerated.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190

use std::sync::Arc;

use rustls::ClientConfig;
use rustls::pki_types::CertificateDer;

use super::TlsError;

/// Shared TLS configuration. Create once at startup, pass to each connection.
///
/// Wraps `Arc<ClientConfig>` — cloning is cheap.
///
/// # Examples
///
/// ```ignore
/// // Safe defaults: system root certs, TLS 1.2+1.3, AES-GCM preferred.
/// let config = TlsConfig::new()?;
///
/// // TLS 1.3 only, no certificate verification (testing).
/// let config = TlsConfig::builder()
///     .tls13_only()
///     .danger_no_verify()
///     .build()?;
/// ```
#[derive(Clone)]
pub struct TlsConfig {
    pub(crate) inner: Arc<ClientConfig>,
}

impl TlsConfig {
    /// Create with safe defaults.
    ///
    /// - System root certificates via `rustls-native-certs`
    /// - TLS 1.2 + 1.3 (both supported)
    /// - aws-lc-rs crypto backend (AES-GCM with AES-NI)
    pub fn new() -> Result<Self, TlsError> {
        Self::builder().build()
    }

    /// Access the underlying rustls `ClientConfig`.
    ///
    /// Useful for creating a `tokio_rustls::TlsConnector` or other
    /// rustls-based adapters.
    pub fn client_config(&self) -> &Arc<ClientConfig> {
        &self.inner
    }

    /// Create a builder for custom configuration.
    #[must_use]
    pub fn builder() -> TlsConfigBuilder {
        TlsConfigBuilder {
            custom_roots: Vec::new(),
            skip_system_certs: false,
            no_verify: false,
            tls13_only: false,
        }
    }
}

/// Builder for [`TlsConfig`].
pub struct TlsConfigBuilder {
    custom_roots: Vec<CertificateDer<'static>>,
    skip_system_certs: bool,
    no_verify: bool,
    tls13_only: bool,
}

impl TlsConfigBuilder {
    /// Add a custom root certificate (DER-encoded).
    ///
    /// Useful for internal CAs or self-signed certificates.
    #[must_use]
    pub fn add_root_cert(mut self, der: impl Into<CertificateDer<'static>>) -> Self {
        self.custom_roots.push(der.into());
        self
    }

    /// Skip loading system root certificates.
    ///
    /// Use when providing all root certificates manually.
    #[must_use]
    pub fn skip_system_certs(mut self) -> Self {
        self.skip_system_certs = true;
        self
    }

    /// Disable certificate verification entirely.
    ///
    /// # Safety
    ///
    /// This disables all server identity checks. Use only for testing
    /// against local servers with self-signed certificates.
    #[must_use]
    pub fn danger_no_verify(mut self) -> Self {
        self.no_verify = true;
        self
    }

    /// Restrict to TLS 1.3 only.
    ///
    /// TLS 1.3 has a simpler handshake (1-RTT vs 2-RTT) and mandatory
    /// forward secrecy. Disable TLS 1.2 if all endpoints support 1.3.
    #[must_use]
    pub fn tls13_only(mut self) -> Self {
        self.tls13_only = true;
        self
    }

    /// Build the configuration.
    pub fn build(self) -> Result<TlsConfig, TlsError> {
        let versions: &[&rustls::SupportedProtocolVersion] = if self.tls13_only {
            &[&rustls::version::TLS13]
        } else {
            rustls::ALL_VERSIONS
        };

        let config = if self.no_verify {
            ClientConfig::builder_with_protocol_versions(versions)
                .dangerous()
                .with_custom_certificate_verifier(Arc::new(NoVerifier))
                .with_no_client_auth()
        } else {
            let mut root_store = rustls::RootCertStore::empty();

            if !self.skip_system_certs {
                let result = rustls_native_certs::load_native_certs();
                if result.certs.is_empty() {
                    return Err(TlsError::NoRootCerts);
                }
                root_store.add_parsable_certificates(result.certs);
            }

            for cert in self.custom_roots {
                root_store.add(cert).map_err(TlsError::Rustls)?;
            }

            if root_store.is_empty() {
                return Err(TlsError::NoRootCerts);
            }

            ClientConfig::builder_with_protocol_versions(versions)
                .with_root_certificates(root_store)
                .with_no_client_auth()
        };

        Ok(TlsConfig {
            inner: Arc::new(config),
        })
    }
}

/// Certificate verifier that accepts everything. Testing only.
#[derive(Debug)]
struct NoVerifier;

impl rustls::client::danger::ServerCertVerifier for NoVerifier {
    fn verify_server_cert(
        &self,
        _end_entity: &CertificateDer<'_>,
        _intermediates: &[CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::danger::ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        rustls::crypto::aws_lc_rs::default_provider()
            .signature_verification_algorithms
            .supported_schemes()
    }
}