rustls_fork_shadow_tls/client/
builder.rs

1use crate::anchors;
2use crate::builder::{ConfigBuilder, WantsVerifier};
3use crate::client::handy;
4use crate::client::{ClientConfig, ResolvesClientCert};
5use crate::error::Error;
6use crate::key;
7use crate::kx::SupportedKxGroup;
8use crate::suites::SupportedCipherSuite;
9use crate::verify::{self, CertificateTransparencyPolicy};
10use crate::versions;
11use crate::NoKeyLog;
12
13use std::marker::PhantomData;
14use std::sync::Arc;
15use std::time::SystemTime;
16
17impl ConfigBuilder<ClientConfig, WantsVerifier> {
18    /// Choose how to verify client certificates.
19    pub fn with_root_certificates(
20        self,
21        root_store: anchors::RootCertStore,
22    ) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
23        ConfigBuilder {
24            state: WantsTransparencyPolicyOrClientCert {
25                cipher_suites: self.state.cipher_suites,
26                kx_groups: self.state.kx_groups,
27                versions: self.state.versions,
28                root_store,
29            },
30            side: PhantomData::default(),
31        }
32    }
33
34    #[cfg(feature = "dangerous_configuration")]
35    /// Set a custom certificate verifier.
36    pub fn with_custom_certificate_verifier(
37        self,
38        verifier: Arc<dyn verify::ServerCertVerifier>,
39    ) -> ConfigBuilder<ClientConfig, WantsClientCert> {
40        ConfigBuilder {
41            state: WantsClientCert {
42                cipher_suites: self.state.cipher_suites,
43                kx_groups: self.state.kx_groups,
44                versions: self.state.versions,
45                verifier,
46            },
47            side: PhantomData::default(),
48        }
49    }
50}
51
52/// A config builder state where the caller needs to supply a certificate transparency policy or
53/// client certificate resolver.
54///
55/// In this state, the caller can optionally enable certificate transparency, or ignore CT and
56/// invoke one of the methods related to client certificates (as in the [`WantsClientCert`] state).
57///
58/// For more information, see the [`ConfigBuilder`] documentation.
59#[derive(Clone, Debug)]
60pub struct WantsTransparencyPolicyOrClientCert {
61    cipher_suites: Vec<SupportedCipherSuite>,
62    kx_groups: Vec<&'static SupportedKxGroup>,
63    versions: versions::EnabledVersions,
64    root_store: anchors::RootCertStore,
65}
66
67impl ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
68    /// Set Certificate Transparency logs to use for server certificate validation.
69    ///
70    /// Because Certificate Transparency logs are sharded on a per-year basis and can be trusted or
71    /// distrusted relatively quickly, rustls stores a validation deadline. Server certificates will
72    /// be validated against the configured CT logs until the deadline expires. After the deadline,
73    /// certificates will no longer be validated, and a warning message will be logged. The deadline
74    /// may vary depending on how often you deploy builds with updated dependencies.
75    pub fn with_certificate_transparency_logs(
76        self,
77        logs: &'static [&'static sct::Log],
78        validation_deadline: SystemTime,
79    ) -> ConfigBuilder<ClientConfig, WantsClientCert> {
80        self.with_logs(Some(CertificateTransparencyPolicy::new(
81            logs,
82            validation_deadline,
83        )))
84    }
85
86    /// Sets a single certificate chain and matching private key for use
87    /// in client authentication.
88    ///
89    /// `cert_chain` is a vector of DER-encoded certificates.
90    /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key.
91    ///
92    /// This function fails if `key_der` is invalid.
93    pub fn with_single_cert(
94        self,
95        cert_chain: Vec<key::Certificate>,
96        key_der: key::PrivateKey,
97    ) -> Result<ClientConfig, Error> {
98        self.with_logs(None)
99            .with_single_cert(cert_chain, key_der)
100    }
101
102    /// Do not support client auth.
103    pub fn with_no_client_auth(self) -> ClientConfig {
104        self.with_logs(None)
105            .with_client_cert_resolver(Arc::new(handy::FailResolveClientCert {}))
106    }
107
108    /// Sets a custom [`ResolvesClientCert`].
109    pub fn with_client_cert_resolver(
110        self,
111        client_auth_cert_resolver: Arc<dyn ResolvesClientCert>,
112    ) -> ClientConfig {
113        self.with_logs(None)
114            .with_client_cert_resolver(client_auth_cert_resolver)
115    }
116
117    fn with_logs(
118        self,
119        ct_policy: Option<CertificateTransparencyPolicy>,
120    ) -> ConfigBuilder<ClientConfig, WantsClientCert> {
121        ConfigBuilder {
122            state: WantsClientCert {
123                cipher_suites: self.state.cipher_suites,
124                kx_groups: self.state.kx_groups,
125                versions: self.state.versions,
126                verifier: Arc::new(verify::WebPkiVerifier::new(
127                    self.state.root_store,
128                    ct_policy,
129                )),
130            },
131            side: PhantomData,
132        }
133    }
134}
135
136/// A config builder state where the caller needs to supply whether and how to provide a client
137/// certificate.
138///
139/// For more information, see the [`ConfigBuilder`] documentation.
140#[derive(Clone, Debug)]
141pub struct WantsClientCert {
142    cipher_suites: Vec<SupportedCipherSuite>,
143    kx_groups: Vec<&'static SupportedKxGroup>,
144    versions: versions::EnabledVersions,
145    verifier: Arc<dyn verify::ServerCertVerifier>,
146}
147
148impl ConfigBuilder<ClientConfig, WantsClientCert> {
149    /// Sets a single certificate chain and matching private key for use
150    /// in client authentication.
151    ///
152    /// `cert_chain` is a vector of DER-encoded certificates.
153    /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key.
154    ///
155    /// This function fails if `key_der` is invalid.
156    pub fn with_single_cert(
157        self,
158        cert_chain: Vec<key::Certificate>,
159        key_der: key::PrivateKey,
160    ) -> Result<ClientConfig, Error> {
161        let resolver = handy::AlwaysResolvesClientCert::new(cert_chain, &key_der)?;
162        Ok(self.with_client_cert_resolver(Arc::new(resolver)))
163    }
164
165    /// Do not support client auth.
166    pub fn with_no_client_auth(self) -> ClientConfig {
167        self.with_client_cert_resolver(Arc::new(handy::FailResolveClientCert {}))
168    }
169
170    /// Sets a custom [`ResolvesClientCert`].
171    pub fn with_client_cert_resolver(
172        self,
173        client_auth_cert_resolver: Arc<dyn ResolvesClientCert>,
174    ) -> ClientConfig {
175        ClientConfig {
176            cipher_suites: self.state.cipher_suites,
177            kx_groups: self.state.kx_groups,
178            alpn_protocols: Vec::new(),
179            session_storage: handy::ClientSessionMemoryCache::new(256),
180            max_fragment_size: None,
181            client_auth_cert_resolver,
182            enable_tickets: true,
183            versions: self.state.versions,
184            enable_sni: true,
185            verifier: self.state.verifier,
186            key_log: Arc::new(NoKeyLog {}),
187            #[cfg(feature = "secret_extraction")]
188            enable_secret_extraction: false,
189            enable_early_data: false,
190        }
191    }
192}