hyper_custom_cert

Struct HttpClientBuilder

Source 
pub struct HttpClientBuilder { /* private fields */ }
Expand description

Builder for configuring and creating an HttpClient.

Implementations§

Source§

impl HttpClientBuilder

Source

pub fn new() -> Self

Start a new builder with default settings.

Source

pub fn with_timeout(self, timeout: Duration) -> Self

Set a request timeout to apply to client operations.

Examples found in repository?
examples/self-signed-certs/main.rs (line 11)
5fn main() {
6    // Default secure client (uses OS trust store when built with default features)
7    let mut headers = HashMap::new();
8    headers.insert("x-app".into(), "example".into());
9
10    let client = HttpClient::builder()
11        .with_timeout(Duration::from_secs(10))
12        .with_default_headers(headers)
13        .build();
14
15    // Demonstrate a request (no network I/O in this example crate yet)
16    client
17        .request("https://example.com")
18        .expect("request should succeed on native targets");
19
20    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
21    // Note: Requires building with: --no-default-features --features rustls
22    #[cfg(feature = "rustls")]
23    {
24        // Option 1: Load CA certificate from raw PEM bytes
25        let ca_pem: &[u8] =
26            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
27        let _rustls_client = HttpClient::builder()
28            .with_timeout(Duration::from_secs(10))
29            .with_root_ca_pem(ca_pem)
30            .build();
31        let _ = _rustls_client.request("https://private.local");
32
33        // Option 2: Load CA certificate from a file path
34        // Note: This will panic if the file doesn't exist - ensure your cert file is available
35        // let _rustls_client_from_file = HttpClient::builder()
36        //     .with_timeout(Duration::from_secs(10))
37        //     .with_root_ca_file("path/to/your/root-ca.pem")
38        //     .build();
39        // let _ = _rustls_client_from_file.request("https://private.local");
40    }
41
42    // Local development only: accept invalid/self-signed certs (dangerous)
43    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
44    #[cfg(feature = "insecure-dangerous")]
45    {
46        // Shortcut:
47        let _dev_client = HttpClient::with_self_signed_certs();
48        let _ = _dev_client.request("https://localhost:8443");
49
50        // Or explicit builder method:
51        let _dev_client2 = HttpClient::builder()
52            .insecure_accept_invalid_certs(true)
53            .build();
54        let _ = _dev_client2.request("https://localhost:8443");
55    }
56
57    println!("Example finished. See README for feature flags and commands.");
58}
Source

pub fn with_default_headers(self, headers: HashMap<String, String>) -> Self

Set default headers that will be added to every request initiated by this client.

Examples found in repository?
examples/self-signed-certs/main.rs (line 12)
5fn main() {
6    // Default secure client (uses OS trust store when built with default features)
7    let mut headers = HashMap::new();
8    headers.insert("x-app".into(), "example".into());
9
10    let client = HttpClient::builder()
11        .with_timeout(Duration::from_secs(10))
12        .with_default_headers(headers)
13        .build();
14
15    // Demonstrate a request (no network I/O in this example crate yet)
16    client
17        .request("https://example.com")
18        .expect("request should succeed on native targets");
19
20    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
21    // Note: Requires building with: --no-default-features --features rustls
22    #[cfg(feature = "rustls")]
23    {
24        // Option 1: Load CA certificate from raw PEM bytes
25        let ca_pem: &[u8] =
26            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
27        let _rustls_client = HttpClient::builder()
28            .with_timeout(Duration::from_secs(10))
29            .with_root_ca_pem(ca_pem)
30            .build();
31        let _ = _rustls_client.request("https://private.local");
32
33        // Option 2: Load CA certificate from a file path
34        // Note: This will panic if the file doesn't exist - ensure your cert file is available
35        // let _rustls_client_from_file = HttpClient::builder()
36        //     .with_timeout(Duration::from_secs(10))
37        //     .with_root_ca_file("path/to/your/root-ca.pem")
38        //     .build();
39        // let _ = _rustls_client_from_file.request("https://private.local");
40    }
41
42    // Local development only: accept invalid/self-signed certs (dangerous)
43    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
44    #[cfg(feature = "insecure-dangerous")]
45    {
46        // Shortcut:
47        let _dev_client = HttpClient::with_self_signed_certs();
48        let _ = _dev_client.request("https://localhost:8443");
49
50        // Or explicit builder method:
51        let _dev_client2 = HttpClient::builder()
52            .insecure_accept_invalid_certs(true)
53            .build();
54        let _ = _dev_client2.request("https://localhost:8443");
55    }
56
57    println!("Example finished. See README for feature flags and commands.");
58}
Source

pub fn insecure_accept_invalid_certs(self, accept: bool) -> Self

Dev-only: accept self-signed/invalid TLS certificates. Requires the insecure-dangerous feature to be enabled. NEVER enable this in production.

§Examples

Enable insecure mode during local development (dangerous):

use hyper_custom_cert::HttpClient;

// Requires: --features insecure-dangerous
let client = HttpClient::builder()
    .insecure_accept_invalid_certs(true)
    .build();
Examples found in repository?
examples/self-signed-certs/main.rs (line 52)
5fn main() {
6    // Default secure client (uses OS trust store when built with default features)
7    let mut headers = HashMap::new();
8    headers.insert("x-app".into(), "example".into());
9
10    let client = HttpClient::builder()
11        .with_timeout(Duration::from_secs(10))
12        .with_default_headers(headers)
13        .build();
14
15    // Demonstrate a request (no network I/O in this example crate yet)
16    client
17        .request("https://example.com")
18        .expect("request should succeed on native targets");
19
20    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
21    // Note: Requires building with: --no-default-features --features rustls
22    #[cfg(feature = "rustls")]
23    {
24        // Option 1: Load CA certificate from raw PEM bytes
25        let ca_pem: &[u8] =
26            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
27        let _rustls_client = HttpClient::builder()
28            .with_timeout(Duration::from_secs(10))
29            .with_root_ca_pem(ca_pem)
30            .build();
31        let _ = _rustls_client.request("https://private.local");
32
33        // Option 2: Load CA certificate from a file path
34        // Note: This will panic if the file doesn't exist - ensure your cert file is available
35        // let _rustls_client_from_file = HttpClient::builder()
36        //     .with_timeout(Duration::from_secs(10))
37        //     .with_root_ca_file("path/to/your/root-ca.pem")
38        //     .build();
39        // let _ = _rustls_client_from_file.request("https://private.local");
40    }
41
42    // Local development only: accept invalid/self-signed certs (dangerous)
43    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
44    #[cfg(feature = "insecure-dangerous")]
45    {
46        // Shortcut:
47        let _dev_client = HttpClient::with_self_signed_certs();
48        let _ = _dev_client.request("https://localhost:8443");
49
50        // Or explicit builder method:
51        let _dev_client2 = HttpClient::builder()
52            .insecure_accept_invalid_certs(true)
53            .build();
54        let _ = _dev_client2.request("https://localhost:8443");
55    }
56
57    println!("Example finished. See README for feature flags and commands.");
58}
Source

pub fn with_root_ca_pem(self, pem_bytes: &[u8]) -> Self

Provide a PEM-encoded Root CA certificate to be trusted by the client. This is the production-ready way to trust a custom CA.

§Examples
use hyper_custom_cert::HttpClient;

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_root_ca_pem(include_bytes!("../examples-data/root-ca.pem"))
    .build();
Examples found in repository?
examples/self-signed-certs/main.rs (line 29)
5fn main() {
6    // Default secure client (uses OS trust store when built with default features)
7    let mut headers = HashMap::new();
8    headers.insert("x-app".into(), "example".into());
9
10    let client = HttpClient::builder()
11        .with_timeout(Duration::from_secs(10))
12        .with_default_headers(headers)
13        .build();
14
15    // Demonstrate a request (no network I/O in this example crate yet)
16    client
17        .request("https://example.com")
18        .expect("request should succeed on native targets");
19
20    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
21    // Note: Requires building with: --no-default-features --features rustls
22    #[cfg(feature = "rustls")]
23    {
24        // Option 1: Load CA certificate from raw PEM bytes
25        let ca_pem: &[u8] =
26            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
27        let _rustls_client = HttpClient::builder()
28            .with_timeout(Duration::from_secs(10))
29            .with_root_ca_pem(ca_pem)
30            .build();
31        let _ = _rustls_client.request("https://private.local");
32
33        // Option 2: Load CA certificate from a file path
34        // Note: This will panic if the file doesn't exist - ensure your cert file is available
35        // let _rustls_client_from_file = HttpClient::builder()
36        //     .with_timeout(Duration::from_secs(10))
37        //     .with_root_ca_file("path/to/your/root-ca.pem")
38        //     .build();
39        // let _ = _rustls_client_from_file.request("https://private.local");
40    }
41
42    // Local development only: accept invalid/self-signed certs (dangerous)
43    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
44    #[cfg(feature = "insecure-dangerous")]
45    {
46        // Shortcut:
47        let _dev_client = HttpClient::with_self_signed_certs();
48        let _ = _dev_client.request("https://localhost:8443");
49
50        // Or explicit builder method:
51        let _dev_client2 = HttpClient::builder()
52            .insecure_accept_invalid_certs(true)
53            .build();
54        let _ = _dev_client2.request("https://localhost:8443");
55    }
56
57    println!("Example finished. See README for feature flags and commands.");
58}
Source

pub fn with_root_ca_file<P: AsRef<Path>>(self, path: P) -> Self

Provide a PEM-encoded Root CA certificate file to be trusted by the client. This is the production-ready way to trust a custom CA from a file path.

The file will be read during builder configuration and its contents stored in the client. This method will panic if the file cannot be read, similar to how include_bytes! macro behaves.

§Security Considerations

Only use certificate files from trusted sources. Ensure proper file permissions are set to prevent unauthorized modification of the certificate file.

§Panics

This method will panic if:

  • The file does not exist
  • The file cannot be read due to permissions or I/O errors
  • The path is invalid
§Examples
use hyper_custom_cert::HttpClient;

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_root_ca_file("path/to/root-ca.pem")
    .build();

Using a std::path::Path:

use hyper_custom_cert::HttpClient;
use std::path::Path;

// Requires: --no-default-features --features rustls
let ca_path = Path::new("certs/custom-ca.pem");
let client = HttpClient::builder()
    .with_root_ca_file(ca_path)
    .build();
Source

pub fn with_pinned_cert_sha256(self, pins: Vec<[u8; 32]>) -> Self

Configure certificate pinning using SHA256 fingerprints for additional security.

Certificate pinning provides an additional layer of security beyond CA validation by verifying that the server’s certificate matches one of the provided fingerprints. This helps protect against compromised CAs and man-in-the-middle attacks.

§Security Considerations
  • Certificate pinning should be used in conjunction with, not as a replacement for, proper CA validation.
  • Pinned certificates must be updated when the server’s certificate changes.
  • Consider having backup pins for certificate rotation scenarios.
  • This method provides additional security but requires careful maintenance.
§Parameters
  • pins - A vector of 32-byte SHA256 fingerprints of certificates to pin. Each fingerprint should be the SHA256 hash of the certificate’s DER encoding.
§Examples
use hyper_custom_cert::HttpClient;

// Example SHA256 fingerprints (these are just examples)
let pin1: [u8; 32] = [
    0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
    0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18
];

let pin2: [u8; 32] = [
    0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
    0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
];

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_pinned_cert_sha256(vec![pin1, pin2])
    .build();
Source

pub fn build(self) -> HttpClient

Finalize the configuration and build an HttpClient.

Examples found in repository?
examples/self-signed-certs/main.rs (line 13)
5fn main() {
6    // Default secure client (uses OS trust store when built with default features)
7    let mut headers = HashMap::new();
8    headers.insert("x-app".into(), "example".into());
9
10    let client = HttpClient::builder()
11        .with_timeout(Duration::from_secs(10))
12        .with_default_headers(headers)
13        .build();
14
15    // Demonstrate a request (no network I/O in this example crate yet)
16    client
17        .request("https://example.com")
18        .expect("request should succeed on native targets");
19
20    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
21    // Note: Requires building with: --no-default-features --features rustls
22    #[cfg(feature = "rustls")]
23    {
24        // Option 1: Load CA certificate from raw PEM bytes
25        let ca_pem: &[u8] =
26            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
27        let _rustls_client = HttpClient::builder()
28            .with_timeout(Duration::from_secs(10))
29            .with_root_ca_pem(ca_pem)
30            .build();
31        let _ = _rustls_client.request("https://private.local");
32
33        // Option 2: Load CA certificate from a file path
34        // Note: This will panic if the file doesn't exist - ensure your cert file is available
35        // let _rustls_client_from_file = HttpClient::builder()
36        //     .with_timeout(Duration::from_secs(10))
37        //     .with_root_ca_file("path/to/your/root-ca.pem")
38        //     .build();
39        // let _ = _rustls_client_from_file.request("https://private.local");
40    }
41
42    // Local development only: accept invalid/self-signed certs (dangerous)
43    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
44    #[cfg(feature = "insecure-dangerous")]
45    {
46        // Shortcut:
47        let _dev_client = HttpClient::with_self_signed_certs();
48        let _ = _dev_client.request("https://localhost:8443");
49
50        // Or explicit builder method:
51        let _dev_client2 = HttpClient::builder()
52            .insecure_accept_invalid_certs(true)
53            .build();
54        let _ = _dev_client2.request("https://localhost:8443");
55    }
56
57    println!("Example finished. See README for feature flags and commands.");
58}

Trait Implementations§

Source§

impl Default for HttpClientBuilder

Default builder state is secure and ergonomic.

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.