protonmail-client 0.1.0

IMAP client library for Proton Mail via Proton Bridge
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

//! Shared IMAP connection and TLS helpers
//!
//! Provides the low-level `connect()` and `select()` functions used by
//! both read and write operations on `ProtonClient`.

use crate::config::ImapConfig;
use crate::error::{Error, Result};
use async_imap::Session;
use rustls::pki_types::ServerName;
use std::sync::Arc;
use tokio::net::TcpStream;
use tokio_rustls::TlsConnector;
use tokio_util::compat::{Compat, TokioAsyncReadCompatExt};
use tracing::{debug, info};

/// A TLS-wrapped IMAP session.
pub type ImapSession = Session<Compat<tokio_rustls::client::TlsStream<TcpStream>>>;

/// Build a TLS connector that accepts all certificates.
///
/// Proton Bridge uses self-signed certificates, so we skip
/// verification entirely.
fn tls_connector() -> TlsConnector {
    let config = rustls::ClientConfig::builder()
        .dangerous()
        .with_custom_certificate_verifier(Arc::new(DangerousVerifier))
        .with_no_client_auth();
    TlsConnector::from(Arc::new(config))
}

/// Open a fresh TLS-wrapped IMAP session.
///
/// Connects to `config.host:config.port` via TCP, issues STARTTLS,
/// performs the TLS handshake, and logs in.
pub async fn connect(config: &ImapConfig) -> Result<ImapSession> {
    let addr = format!("{}:{}", config.host, config.port);
    debug!("Connecting to IMAP server at {}", addr);

    let tcp_stream = TcpStream::connect(&addr).await?;
    let mut client = async_imap::Client::new(tcp_stream.compat());

    client
        .run_command_and_check_ok("STARTTLS", None)
        .await
        .map_err(|e| Error::Tls(format!("STARTTLS failed: {e}")))?;

    let connector = tls_connector();
    let server_name = ServerName::try_from(config.host.clone())
        .map_err(|e| Error::Tls(format!("Invalid server name: {e}")))?;

    let inner = client.into_inner().into_inner();
    let tls_stream = connector
        .connect(server_name, inner)
        .await
        .map_err(|e| Error::Tls(e.to_string()))?;

    let tls_client = async_imap::Client::new(tls_stream.compat());

    let session = tls_client
        .login(&config.username, &config.password)
        .await
        .map_err(|(e, _)| Error::Imap(format!("Login failed: {e}")))?;

    info!("Connected to IMAP server");
    Ok(session)
}

/// SELECT a folder on an existing session.
pub async fn select(session: &mut ImapSession, folder: &str) -> Result<()> {
    session
        .select(folder)
        .await
        .map_err(|e| Error::Imap(format!("Failed to select {folder}: {e}")))?;
    Ok(())
}

/// Certificate verifier that accepts all certificates
/// (for Proton Bridge self-signed certs).
#[derive(Debug)]
struct DangerousVerifier;

impl rustls::client::danger::ServerCertVerifier for DangerousVerifier {
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> std::result::Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
        Ok(rustls::client::danger::ServerCertVerified::assertion())
    }

    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> std::result::Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> std::result::Result<rustls::client::danger::HandshakeSignatureValid, rustls::Error> {
        Ok(rustls::client::danger::HandshakeSignatureValid::assertion())
    }

    fn supported_verify_schemes(&self) -> Vec<rustls::SignatureScheme> {
        vec![
            rustls::SignatureScheme::RSA_PKCS1_SHA256,
            rustls::SignatureScheme::RSA_PKCS1_SHA384,
            rustls::SignatureScheme::RSA_PKCS1_SHA512,
            rustls::SignatureScheme::ECDSA_NISTP256_SHA256,
            rustls::SignatureScheme::ECDSA_NISTP384_SHA384,
            rustls::SignatureScheme::ECDSA_NISTP521_SHA512,
            rustls::SignatureScheme::RSA_PSS_SHA256,
            rustls::SignatureScheme::RSA_PSS_SHA384,
            rustls::SignatureScheme::RSA_PSS_SHA512,
            rustls::SignatureScheme::ED25519,
        ]
    }
}