1use std::sync::Arc;
2
3use rustls::{
4    ClientConfig, Error as TlsError, SignatureScheme,
5    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
6};
7
/// Builds a rustls [`ClientConfig`] whose trust store is the platform's native
/// root certificates, as discovered by the `rustls_native_certs` crate.
///
/// Loading is best-effort: the error list that `load_native_certs` reports
/// alongside the certificates is not consulted, and any certificate that fails
/// to parse is skipped silently. If nothing usable is found the store is empty
/// and every server certificate will be rejected at handshake time (fail
/// closed) rather than accepted.
///
/// The returned config performs full certificate validation against that
/// store and sends no client certificate.
#[cfg(feature = "native-roots")]
pub fn config_native_roots() -> ClientConfig {
    let native = rustls_native_certs::load_native_certs();

    // Certificates are added one at a time; those that do not parse are
    // dropped, which is the same best-effort policy as the loader above.
    let mut root_store = rustls::RootCertStore::empty();
    let (_added, _ignored) = root_store.add_parsable_certificates(native.certs);

    ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth()
}
22
/// Builds a rustls [`ClientConfig`] whose trust store is the root bundle
/// compiled into the `webpki_roots` crate.
///
/// These anchors are fixed at build time and only change when the crate is
/// updated; they are independent of the operating system's store. The
/// returned config performs full certificate validation against them and
/// sends no client certificate.
#[cfg(feature = "webpki-roots")]
pub fn config_webpki_roots() -> ClientConfig {
    // TLS_SERVER_ROOTS is a static slice; the store wants owned anchors, so
    // clone each one into a fresh Vec.
    let root_store = rustls::RootCertStore {
        roots: webpki_roots::TLS_SERVER_ROOTS.iter().cloned().collect(),
    };

    ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth()
}
35
/// Builds a rustls [`ClientConfig`] that accepts any server certificate.
///
/// The connection is still encrypted, but the peer is not authenticated:
/// [`NoopTlsVerifier`] ignores the certificate chain, the server name, the
/// validity period and any stapled OCSP response, and reports the handshake
/// signatures as valid without checking them. An on-path attacker can
/// therefore impersonate the server, so this config only protects against
/// passive observation. It is appropriate for local development and tests;
/// for anything reachable over an untrusted network prefer one of the
/// root-store-backed configs in this module.
///
/// No client certificate is sent.
pub fn config_no_verify() -> ClientConfig {
    let verifier: Arc<dyn ServerCertVerifier> = Arc::new(NoopTlsVerifier);

    // `dangerous()` is rustls' explicit opt-in for swapping out the verifier;
    // it is the only way to install a non-validating one.
    ClientConfig::builder()
        .dangerous()
        .with_custom_certificate_verifier(verifier)
        .with_no_client_auth()
}
44
/// Certificate verifier that accepts everything it is shown. Used by
/// [`config_no_verify`]; see that function's docs for the consequences.
#[derive(Debug)]
struct NoopTlsVerifier;
47
impl ServerCertVerifier for NoopTlsVerifier {
    /// Accepts the presented chain unconditionally. Nothing is inspected: no
    /// path is built to a trust anchor, `_server_name` is not matched against
    /// the certificate, `_now` is not compared with the validity period, and
    /// `_ocsp_response` is discarded.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, TlsError> {
        Ok(ServerCertVerified::assertion())
    }

    /// Reports the TLS 1.2 handshake signature as valid without checking it
    /// against `_message` or `_cert`.
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }

    /// Reports the TLS 1.3 handshake signature as valid without checking it
    /// against `_message` or `_cert`.
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }

    /// Signature schemes this verifier claims to support.
    ///
    /// Since no signature is ever checked, the list only governs which schemes
    /// the client advertises to the server; a server whose key cannot produce
    /// any of them fails the handshake rather than being accepted.
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        const ADVERTISED: [SignatureScheme; 7] = [
            SignatureScheme::ECDSA_NISTP256_SHA256,
            SignatureScheme::ECDSA_NISTP384_SHA384,
            SignatureScheme::ECDSA_NISTP521_SHA512,
            SignatureScheme::ED25519,
            SignatureScheme::RSA_PSS_SHA256,
            SignatureScheme::RSA_PSS_SHA384,
            SignatureScheme::RSA_PSS_SHA512,
        ];
        ADVERTISED.to_vec()
    }
}