pub struct rustls_web_pki_client_cert_verifier_builder { /* private fields */ }
A client certificate verifier being constructed.
A builder can be modified by, e.g., rustls_web_pki_client_cert_verifier_builder_add_crl.
Once you’re done configuring settings, call rustls_web_pki_client_cert_verifier_builder_build to turn it into a rustls_client_cert_verifier.
This object is not safe for concurrent mutation.
See https://docs.rs/rustls/latest/rustls/server/struct.ClientCertVerifierBuilder.html for more information.
Implementations
impl rustls_web_pki_client_cert_verifier_builder
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_new(
    store: *const rustls_root_cert_store,
) -> *mut rustls_web_pki_client_cert_verifier_builder
Create a rustls_web_pki_client_cert_verifier_builder using the process-wide default cryptography provider.
Caller owns the memory and may eventually call rustls_web_pki_client_cert_verifier_builder_free to free it, whether or not rustls_web_pki_client_cert_verifier_builder_build was called.
Without further modification the builder will produce a client certificate verifier that will require a client present a client certificate that chains to one of the trust anchors in the provided rustls_root_cert_store. The root cert store must not be empty.
Revocation checking will not be performed unless rustls_web_pki_client_cert_verifier_builder_add_crl is used to add certificate revocation lists (CRLs) to the builder. If CRLs are added, revocation checking will be performed for the entire certificate chain unless rustls_web_pki_client_cert_verifier_only_check_end_entity_revocation is used. Unknown revocation status for certificates considered for revocation status will be treated as an error unless rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status is used.
Unauthenticated clients will not be permitted unless rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated is used.
This copies the contents of the rustls_root_cert_store. It does not take ownership of the pointed-to data.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_new_with_provider(
    provider: *const rustls_crypto_provider,
    store: *const rustls_root_cert_store,
) -> *mut rustls_web_pki_client_cert_verifier_builder
Create a rustls_web_pki_client_cert_verifier_builder using the specified cryptography provider.
Caller owns the memory and may eventually call rustls_web_pki_client_cert_verifier_builder_free to free it, whether or not rustls_web_pki_client_cert_verifier_builder_build was called.
Without further modification the builder will produce a client certificate verifier that will require a client present a client certificate that chains to one of the trust anchors in the provided rustls_root_cert_store. The root cert store must not be empty.
Revocation checking will not be performed unless rustls_web_pki_client_cert_verifier_builder_add_crl is used to add certificate revocation lists (CRLs) to the builder. If CRLs are added, revocation checking will be performed for the entire certificate chain unless rustls_web_pki_client_cert_verifier_only_check_end_entity_revocation is used. Unknown revocation status for certificates considered for revocation status will be treated as an error unless rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status is used.
Unauthenticated clients will not be permitted unless rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated is used.
This copies the contents of the rustls_root_cert_store. It does not take ownership of the pointed-to data.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_add_crl(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
    crl_pem: *const u8,
    crl_pem_len: size_t,
) -> rustls_result
Add one or more certificate revocation lists (CRLs) to the client certificate verifier builder by reading the CRL content from the provided buffer of PEM encoded content.
By default revocation checking will be performed on the entire certificate chain. To only check the revocation status of the end entity certificate, use rustls_web_pki_client_cert_verifier_only_check_end_entity_revocation.
This function returns an error if the provided buffer is not valid PEM encoded content.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_only_check_end_entity_revocation(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
) -> rustls_result
When CRLs are provided with rustls_web_pki_client_cert_verifier_builder_add_crl, only check the revocation status of end entity certificates, ignoring any intermediate certificates in the chain.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_allow_unknown_revocation_status(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
) -> rustls_result
When CRLs are provided with rustls_web_pki_client_cert_verifier_builder_add_crl, and it isn’t possible to determine the revocation status of a considered certificate, do not treat it as an error condition.
Overrides the default behavior where unknown revocation status is considered an error.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_allow_unauthenticated(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
) -> rustls_result
Allow unauthenticated anonymous clients in addition to those that present a client certificate that chains to one of the verifier’s configured trust anchors.
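The defaults and the four policy-changing calls documented above interact in ways that are easy to misread, so the following added example (a stand-alone model, not rustls-ffi code and not part of the original documentation) encodes them as one decision function. The type and function names are hypothetical, and the chain is assumed to list the end entity first without the trust anchor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model only: hypothetical names, not rustls-ffi types. Each flag mirrors
 * one builder call from this page. */
typedef struct {
    bool crls_added;            /* ..._builder_add_crl */
    bool end_entity_only;       /* ..._only_check_end_entity_revocation */
    bool allow_unknown;         /* ..._allow_unknown_revocation_status */
    bool allow_unauthenticated; /* ..._builder_allow_unauthenticated */
} verifier_policy;

typedef enum { REV_GOOD, REV_REVOKED, REV_UNKNOWN } rev_status;
typedef enum { ADMIT_AUTHENTICATED, ADMIT_ANONYMOUS, REJECT } decision;

/* chain[0] is the end entity, later entries are intermediates (assumption:
 * the trust anchor itself is not listed). chain_len == 0 models a client
 * that sent no certificate; chains_to_anchor is the path-building result. */
decision evaluate(const verifier_policy *p, const rev_status *chain,
                  size_t chain_len, bool chains_to_anchor)
{
    if (chain_len == 0)
        return p->allow_unauthenticated ? ADMIT_ANONYMOUS : REJECT;
    if (!chains_to_anchor)
        return REJECT;
    if (!p->crls_added)
        return ADMIT_AUTHENTICATED; /* default: revocation is never consulted */
    size_t considered = p->end_entity_only ? 1 : chain_len;
    for (size_t i = 0; i < considered; i++) {
        if (chain[i] == REV_REVOKED)
            return REJECT;
        if (chain[i] == REV_UNKNOWN && !p->allow_unknown)
            return REJECT;
    }
    return ADMIT_AUTHENTICATED;
}

int main(void)
{
    /* Constructed input: good end entity issued by a revoked intermediate. */
    rev_status chain[] = { REV_GOOD, REV_REVOKED };
    verifier_policy no_crl = { false, false, false, false };
    verifier_policy full   = { true,  false, false, false };
    verifier_policy ee     = { true,  true,  false, false };
    const char *name[] = { "admit (authenticated)", "admit (anonymous)", "reject" };
    printf("no CRLs:         %s\n", name[evaluate(&no_crl, chain, 2, true)]);
    printf("CRLs, full:      %s\n", name[evaluate(&full, chain, 2, true)]);
    printf("CRLs, EE only:   %s\n", name[evaluate(&ee, chain, 2, true)]);
    return 0;
}
```

Only the middle configuration rejects the constructed chain: without CRLs the revoked intermediate is never looked up, and end-entity-only checking skips it.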
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_clear_root_hint_subjects(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
) -> rustls_result
Clear the list of trust anchor hint subjects.
By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will remove these hint subjects, indicating the client should make a free choice of which certificate to send.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_add_root_hint_subjects(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
    store: *const rustls_root_cert_store,
) -> rustls_result
Add additional distinguished names to the list of trust anchor hint subjects.
By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will add to these existing hint subjects. Calling this function with an empty store will have no effect; use rustls_web_pki_client_cert_verifier_clear_root_hint_subjects to clear the subject hints.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_build(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
    verifier_out: *mut *mut rustls_client_cert_verifier,
) -> rustls_result
Create a new client certificate verifier from the builder.
The builder is consumed and cannot be used again, but must still be freed.
The verifier can be used in several rustls_server_config instances and must be freed by the application when no longer needed. See the documentation of rustls_web_pki_client_cert_verifier_builder_free for details about lifetime.
#[no_mangle]
pub extern "C" fn rustls_web_pki_client_cert_verifier_builder_free(
    builder: *mut rustls_web_pki_client_cert_verifier_builder,
)
Free a rustls_web_pki_client_cert_verifier_builder previously returned from rustls_web_pki_client_cert_verifier_builder_new.
Calling with NULL is fine. Must not be called twice with the same value.