microsandbox_network/tls/config.rs
1//! TLS interception configuration types.
2//!
3//! These types configure inline TLS MITM for the smoltcp networking stack.
4//! All TCP connections terminate at smoltcp, so TLS interception is handled
5//! directly by proxy tasks — no kernel redirect rules needed.
6
7use std::path::PathBuf;
8
9use serde::{Deserialize, Serialize};
10
11//--------------------------------------------------------------------------------------------------
12// Types
13//--------------------------------------------------------------------------------------------------
14
/// TLS interception configuration.
///
/// Every field has a serde default, so a partial or empty document
/// deserializes successfully. The security-relevant defaults are conservative:
/// interception is off, upstream verification is on, and QUIC blocking is on.
// NOTE(review): the struct does not set `#[serde(deny_unknown_fields)]`, so by
// serde's default a misspelled key is ignored and the field keeps its default.
// For keys such as `bypass` or `scoped_verify_upstream`, that can hide a
// misconfiguration — confirm whether the loader rejects unknown keys elsewhere.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TlsConfig {
    /// Whether TLS interception is enabled. Defaults to `false` when omitted.
    #[serde(default)]
    pub enabled: bool,

    /// TCP ports subject to TLS interception (default: `[443]`).
    // NOTE(review): the type admits an empty list, which presumably means
    // nothing is intercepted even when `enabled` is true — no validation is
    // visible in this file.
    #[serde(default = "default_intercepted_ports")]
    pub intercepted_ports: Vec<u16>,

    /// Domains to bypass (no MITM). Supports exact match and `*.suffix` wildcards.
    ///
    /// Traffic to a bypassed domain is not intercepted, so the proxy cannot
    /// inspect it; keep this list as narrow as the deployment allows.
    // NOTE(review): how the host name used for matching is obtained, and
    // whether `*.suffix` also matches the bare suffix, is not visible here.
    // If the name comes from a guest-supplied value, treat `bypass` as a
    // compatibility exemption rather than an enforcement boundary — confirm.
    #[serde(default)]
    pub bypass: Vec<String>,

    /// Whether to verify the upstream server's TLS certificate.
    /// Defaults to `true` when omitted.
    ///
    /// During interception the guest is presented a certificate signed by the
    /// interception CA (see `intercept_ca`), not the upstream's own
    /// certificate. The guest therefore presumably cannot detect an invalid
    /// upstream certificate itself, so turning this off removes upstream
    /// authentication for every intercepted connection.
    #[serde(default = "default_true")]
    pub verify_upstream: bool,

    /// Drop UDP to intercepted ports when TLS interception is active,
    /// forcing QUIC traffic to fall back to TCP/TLS.
    /// Defaults to `true` when omitted.
    // NOTE(review): with this off, QUIC on an intercepted port presumably
    // reaches the upstream without passing through the TLS proxy — confirm
    // against the UDP path.
    #[serde(default = "default_true")]
    pub block_quic_on_intercept: bool,

    /// CA certificate PEM files to trust for upstream server verification.
    ///
    /// These entries are not host-scoped; for a private CA that should vouch
    /// only for specific hosts, use `scoped_upstream_ca_cert` instead.
    // NOTE(review): whether these extend or replace the platform trust store
    // is not visible in this file.
    #[serde(default)]
    pub upstream_ca_cert: Vec<PathBuf>,

    /// Host-scoped CA certificate PEM files to trust for upstream server verification.
    /// The key `scoped_upstream_ca_certs` is accepted as an alias on input.
    #[serde(default, alias = "scoped_upstream_ca_certs")]
    pub scoped_upstream_ca_cert: Vec<ScopedUpstreamCaCert>,

    /// Host-scoped upstream verification overrides.
    // NOTE(review): precedence relative to `verify_upstream`, and between
    // overlapping patterns, is decided by the consumer and not defined here.
    #[serde(default)]
    pub scoped_verify_upstream: Vec<ScopedVerifyUpstream>,

    /// Interception CA configuration. The TLS proxy uses this CA to sign
    /// per-domain certs that it presents to the guest during interception.
    /// The key `ca` is accepted as an alias on input.
    #[serde(default, alias = "ca")]
    pub intercept_ca: InterceptCaConfig,

    /// Per-domain certificate cache configuration.
    #[serde(default)]
    pub cache: CertCacheConfig,
}
60
/// A CA certificate PEM file trusted only for matching upstream hosts.
///
/// Neither field has a serde default, so both must be present in each entry.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScopedUpstreamCaCert {
    /// Host pattern this CA applies to. Supports exact hosts and `*.suffix` wildcards.
    // NOTE(review): the pattern is stored as a plain string; matching and any
    // normalisation (case, trailing dot) happen in the consumer — not shown here.
    pub pattern: String,

    /// Path to the CA certificate PEM file.
    pub path: PathBuf,
}
70
/// An upstream certificate verification override for matching hosts.
///
/// Neither field has a serde default, so both must be present in each entry.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScopedVerifyUpstream {
    /// Host pattern this override applies to. Supports exact hosts and `*.suffix` wildcards.
    ///
    /// When `verify` is `false`, a wildcard pattern turns verification off for
    /// every host it matches, so prefer exact hosts for such entries.
    pub pattern: String,

    /// Whether to verify matching upstream server certificates.
    // NOTE(review): how this combines with the global `verify_upstream` flag
    // (which one wins, first or last match) is not visible in this file.
    pub verify: bool,
}
80
/// Certificate authority configuration for TLS interception.
///
/// The struct holds only file paths, never key material, so its `Debug` and
/// `Serialize` output reveals where the CA lives but not the private key.
// NOTE(review): `cert_path` and `key_path` are independently optional, so a
// configuration naming only one of them is representable. Confirm the loader
// rejects that, or defines what happens, rather than pairing a supplied
// certificate with a freshly generated key.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct InterceptCaConfig {
    /// Path to an existing CA certificate PEM file.
    /// If `None`, a CA is auto-generated and persisted.
    #[serde(default)]
    pub cert_path: Option<PathBuf>,

    /// Path to an existing CA private key PEM file.
    /// If `None`, a key is auto-generated and persisted.
    ///
    /// This key signs the certificates presented to the guest, so the file
    /// should be readable only by the process that runs the TLS proxy.
    // NOTE(review): where the auto-generated key is persisted, and with which
    // file permissions, is decided outside this file — verify.
    #[serde(default)]
    pub key_path: Option<PathBuf>,
}
94
/// Per-domain certificate cache configuration.
// NOTE(review): neither field is range-checked in this file; `0` is
// representable for both. Confirm the consumer handles a zero capacity and a
// zero validity period.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CertCacheConfig {
    /// Maximum number of cached certificates. Default: 1000.
    #[serde(default = "default_cache_capacity")]
    pub capacity: usize,

    /// Certificate validity duration in hours. Default: 24.
    #[serde(default = "default_cert_validity_hours")]
    pub validity_hours: u64,
}
106
107//--------------------------------------------------------------------------------------------------
108// Trait Implementations
109//--------------------------------------------------------------------------------------------------
110
impl Default for TlsConfig {
    /// Returns the configuration used when no TLS settings are supplied.
    ///
    /// Interception is disabled, while upstream certificate verification and
    /// QUIC blocking are enabled. The two protective flags are taken from the
    /// same helper serde uses for omitted fields, so the programmatic default
    /// and the deserialization default cannot drift apart.
    fn default() -> Self {
        let verify_upstream = default_true();
        let block_quic_on_intercept = default_true();

        Self {
            enabled: false,
            intercepted_ports: default_intercepted_ports(),
            bypass: Vec::default(),
            verify_upstream,
            block_quic_on_intercept,
            upstream_ca_cert: Vec::default(),
            scoped_upstream_ca_cert: Vec::default(),
            scoped_verify_upstream: Vec::default(),
            intercept_ca: Default::default(),
            cache: Default::default(),
        }
    }
}
127
impl Default for CertCacheConfig {
    /// Returns the cache settings used when the `cache` section is omitted.
    ///
    /// Both values come from the helpers serde uses for omitted fields, so an
    /// absent section and an empty section yield the same configuration.
    fn default() -> Self {
        let capacity = default_cache_capacity();
        let validity_hours = default_cert_validity_hours();

        Self {
            capacity,
            validity_hours,
        }
    }
}
136
137//--------------------------------------------------------------------------------------------------
138// Functions
139//--------------------------------------------------------------------------------------------------
140
/// Serde default for boolean fields that stay enabled unless the
/// configuration explicitly turns them off (`verify_upstream` and
/// `block_quic_on_intercept`).
fn default_true() -> bool {
    true
}
144
/// Serde default for `intercepted_ports`: only TCP port 443 is intercepted.
fn default_intercepted_ports() -> Vec<u16> {
    Vec::from([443])
}
148
/// Serde default for `CertCacheConfig::capacity`: at most 1000 cached
/// per-domain certificates.
fn default_cache_capacity() -> usize {
    1_000
}
152
/// Serde default for `CertCacheConfig::validity_hours`: generated
/// certificates are valid for one day.
fn default_cert_validity_hours() -> u64 {
    const HOURS_PER_DAY: u64 = 24;
    HOURS_PER_DAY
}