
microsandbox_network/tls/
config.rs

1//! TLS interception configuration types.
2//!
3//! These types configure inline TLS MITM for the smoltcp networking stack.
4//! All TCP connections terminate at smoltcp, so TLS interception is handled
5//! directly by proxy tasks — no kernel redirect rules needed.
6
7use std::path::PathBuf;
8
9use serde::{Deserialize, Serialize};
10
11//--------------------------------------------------------------------------------------------------
12// Types
13//--------------------------------------------------------------------------------------------------
14
/// TLS interception configuration.
///
/// Every field has a serde default, so an empty or partial document
/// deserializes successfully. The serde defaults match the values produced by
/// `impl Default for TlsConfig`: interception off, port 443, upstream
/// verification on, QUIC blocking on, and no extra trust anchors or overrides.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsConfig {
    /// Whether TLS interception is enabled. Defaults to `false`, so
    /// interception is opt-in.
    #[serde(default)]
    pub enabled: bool,

    /// TCP ports subject to TLS interception (default: `[443]`).
    #[serde(default = "default_intercepted_ports")]
    pub intercepted_ports: Vec<u16>,

    /// Domains to bypass (no MITM). Supports exact match and `*.suffix` wildcards.
    // NOTE(review): the matching code is not in this file. Confirm which value
    // the patterns are compared against and how case and trailing dots are
    // normalized, since a bypassed connection is not inspected by the proxy.
    #[serde(default)]
    pub bypass: Vec<String>,

    /// Whether to verify the upstream server's TLS certificate. Defaults to `true`.
    ///
    /// During interception the guest is presented with a certificate signed by
    /// `intercept_ca`, not the upstream server's own certificate, so upstream
    /// authentication presumably rests on this setting (and on
    /// `scoped_verify_upstream`). Setting it to `false` should be limited to
    /// test environments.
    #[serde(default = "default_true")]
    pub verify_upstream: bool,

    /// Drop UDP to intercepted ports when TLS interception is active,
    /// forcing QUIC traffic to fall back to TCP/TLS. Defaults to `true`.
    #[serde(default = "default_true")]
    pub block_quic_on_intercept: bool,

    /// CA certificate PEM files to trust for upstream server verification.
    // NOTE(review): whether these are added to a built-in root store or replace
    // it is decided by the consumer of this config. Confirm before relying on it.
    #[serde(default)]
    pub upstream_ca_cert: Vec<PathBuf>,

    /// Host-scoped CA certificate PEM files to trust for upstream server verification.
    /// The key `scoped_upstream_ca_certs` is accepted as an alias on input.
    #[serde(default, alias = "scoped_upstream_ca_certs")]
    pub scoped_upstream_ca_cert: Vec<ScopedUpstreamCaCert>,

    /// Host-scoped upstream verification overrides.
    // NOTE(review): precedence between overlapping patterns, and between an
    // override and `verify_upstream`, is not defined in this file.
    #[serde(default)]
    pub scoped_verify_upstream: Vec<ScopedVerifyUpstream>,

    /// Interception CA configuration. The TLS proxy uses this CA to sign
    /// per-domain certs that it presents to the guest during interception.
    /// The key `ca` is accepted as an alias on input.
    #[serde(default, alias = "ca")]
    pub intercept_ca: InterceptCaConfig,

    /// Per-domain certificate cache configuration.
    #[serde(default)]
    pub cache: CertCacheConfig,
}
60
/// A CA certificate PEM file trusted only for matching upstream hosts.
///
/// Both fields are required when an entry is deserialized, because neither
/// carries a serde default.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScopedUpstreamCaCert {
    /// Host pattern this CA applies to. Supports exact hosts and `*.suffix` wildcards.
    // NOTE(review): pattern syntax is not validated by this type. Confirm the
    // consumer rejects malformed patterns instead of silently widening the
    // set of hosts this CA is trusted for.
    pub pattern: String,

    /// Path to the CA certificate PEM file.
    pub path: PathBuf,
}
70
/// An upstream certificate verification override for matching hosts.
///
/// Both fields are required when an entry is deserialized, because neither
/// carries a serde default.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScopedVerifyUpstream {
    /// Host pattern this override applies to. Supports exact hosts and `*.suffix` wildcards.
    /// When `verify` is `false`, keep the pattern as narrow as possible.
    pub pattern: String,

    /// Whether to verify matching upstream server certificates.
    // NOTE(review): how this interacts with `TlsConfig::verify_upstream` and
    // with other overlapping entries is decided by the consumer, not here.
    pub verify: bool,
}
80
/// Certificate authority configuration for TLS interception.
///
/// Only file paths are stored here, so the derived `Debug` and `Serialize`
/// output contains file locations rather than key material.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct InterceptCaConfig {
    /// Path to an existing CA certificate PEM file.
    /// If `None`, a CA is auto-generated and persisted.
    // NOTE(review): `cert_path` and `key_path` are independent `Option`s, so
    // this type permits one without the other. Confirm the loader rejects
    // that combination or defines its behavior.
    #[serde(default)]
    pub cert_path: Option<PathBuf>,

    /// Path to an existing CA private key PEM file.
    /// If `None`, a key is auto-generated and persisted.
    ///
    /// Whoever can read this key can issue certificates that chain to the
    /// interception CA, so the file should be readable only by the proxy's
    /// own account.
    // NOTE(review): where an auto-generated key is persisted, and with which
    // file permissions, is not defined in this file. Confirm in the CA loader.
    #[serde(default)]
    pub key_path: Option<PathBuf>,
}
94
/// Per-domain certificate cache configuration.
///
/// No range validation happens at this layer; any `usize` / `u64` value that
/// deserializes is accepted.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertCacheConfig {
    /// Maximum number of cached certificates. Default: 1000.
    // NOTE(review): `0` is representable. Confirm the cache handles it.
    #[serde(default = "default_cache_capacity")]
    pub capacity: usize,

    /// Certificate validity duration in hours. Default: 24.
    // NOTE(review): `0` and very large values are representable. Confirm the
    // certificate generator bounds this before computing the expiry time.
    #[serde(default = "default_cert_validity_hours")]
    pub validity_hours: u64,
}
106
107//--------------------------------------------------------------------------------------------------
108// Trait Implementations
109//--------------------------------------------------------------------------------------------------
110
impl Default for TlsConfig {
    /// Returns the configuration used when no TLS settings are supplied.
    ///
    /// Interception is disabled, port 443 is the only intercepted port,
    /// upstream certificates are verified, QUIC blocking is on, and no bypass
    /// rules, extra trust anchors or per-host overrides are present.
    fn default() -> Self {
        Self {
            // Interception is opt-in.
            enabled: false,
            intercepted_ports: default_intercepted_ports(),
            bypass: vec![],
            // Upstream verification stays on unless explicitly turned off.
            verify_upstream: true,
            block_quic_on_intercept: true,
            upstream_ca_cert: vec![],
            scoped_upstream_ca_cert: vec![],
            scoped_verify_upstream: vec![],
            intercept_ca: Default::default(),
            cache: Default::default(),
        }
    }
}
127
impl Default for CertCacheConfig {
    /// Returns the cache settings produced by the same helper functions that
    /// serde uses for missing fields, so both paths yield identical values.
    fn default() -> Self {
        let capacity = default_cache_capacity();
        let validity_hours = default_cert_validity_hours();
        Self {
            capacity,
            validity_hours,
        }
    }
}
136
137//--------------------------------------------------------------------------------------------------
138// Functions
139//--------------------------------------------------------------------------------------------------
140
/// Serde default for boolean fields that must be on when omitted
/// (`verify_upstream`, `block_quic_on_intercept`).
///
/// A plain `#[serde(default)]` would yield `false`, so these fields use this
/// helper instead.
fn default_true() -> bool {
    true
}
144
/// Serde default for `TlsConfig::intercepted_ports`: a single entry, TCP port 443.
fn default_intercepted_ports() -> Vec<u16> {
    Vec::from([443])
}
148
/// Serde default for `CertCacheConfig::capacity`: 1000 cached certificates.
fn default_cache_capacity() -> usize {
    1_000
}
152
/// Serde default for `CertCacheConfig::validity_hours`: 24 hours.
fn default_cert_validity_hours() -> u64 {
    let one_day_in_hours = 24;
    one_day_in_hours
}