
1use std::sync::Arc;
2
3use rustls::{
4    ClientConfig, Error as TlsError, SignatureScheme,
5    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
6};
7
/// Returns a rustls [`ClientConfig`] whose trust store is populated from the
/// platform's native certificate store via the `rustls_native_certs` crate.
///
/// Loading is best effort: a certificate the store refuses to add is skipped
/// rather than failing the whole build, and any errors reported by the loader
/// are not surfaced to the caller. If nothing could be loaded the store is
/// empty; expect every server certificate to be rejected at handshake time in
/// that case (fail closed), so check the platform trust store if connections
/// start failing with unknown-issuer errors.
///
/// No client certificate is presented.
#[cfg(feature = "native-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "native-roots")))]
pub fn config_native_roots() -> ClientConfig {
    let loaded = rustls_native_certs::load_native_certs();

    let mut trust_store = rustls::RootCertStore::empty();
    // A certificate the store rejects is dropped; this mirrors the
    // best-effort behaviour of the platform loader itself.
    loaded.certs.into_iter().for_each(|der| {
        let _ = trust_store.add(der);
    });

    let builder = ClientConfig::builder().with_root_certificates(trust_store);
    builder.with_no_client_auth()
}
23
/// Returns a rustls [`ClientConfig`] that trusts the anchors bundled by the
/// `webpki_roots` crate.
///
/// The trust anchors are compiled into the binary, so they only change when
/// the crate dependency is updated. No client certificate is presented.
#[cfg(feature = "webpki-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
pub fn config_webpki_roots() -> ClientConfig {
    let trust_store: rustls::RootCertStore = webpki_roots::TLS_SERVER_ROOTS
        .iter()
        .cloned()
        .collect();

    let builder = ClientConfig::builder().with_root_certificates(trust_store);
    builder.with_no_client_auth()
}
37
/// Returns a rustls [`ClientConfig`] that performs **no** server certificate
/// verification.
///
/// The verifier installed here accepts any certificate chain for any server
/// name, and also reports the handshake signature as valid without checking
/// it, so the peer is not even required to hold the private key of the
/// certificate it presents. The resulting connection is encrypted but
/// unauthenticated: anyone able to intercept the traffic can impersonate the
/// server. Intended for local development or test setups where the endpoint
/// is trusted by other means.
///
/// No client certificate is presented.
pub fn config_no_verify() -> ClientConfig {
    let accept_all: Arc<NoopTlsVerifier> = Arc::new(NoopTlsVerifier);
    ClientConfig::builder()
        .dangerous()
        .with_custom_certificate_verifier(accept_all)
        .with_no_client_auth()
}
45
/// Certificate verifier that approves everything; see [`config_no_verify`].
///
/// Every `ServerCertVerifier` method below unconditionally returns the
/// success assertion, so neither the certificate chain, the server name, nor
/// the handshake signature is checked.
#[derive(Debug)]
struct NoopTlsVerifier;
48
impl ServerCertVerifier for NoopTlsVerifier {
    /// Accepts any chain for any server name.
    ///
    /// The end-entity certificate, intermediates, OCSP response and current
    /// time are all ignored, so expired, self-signed or mis-named
    /// certificates pass.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, TlsError> {
        let verdict = ServerCertVerified::assertion();
        Ok(verdict)
    }

    /// Reports the TLS 1.2 handshake signature as valid without checking it.
    ///
    /// NOTE(review): because the signature is never verified, the peer need
    /// not possess the private key matching the certificate it sent.
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        let verdict = HandshakeSignatureValid::assertion();
        Ok(verdict)
    }

    /// Reports the TLS 1.3 handshake signature as valid without checking it.
    ///
    /// NOTE(review): same caveat as for TLS 1.2 — proof of private-key
    /// possession is skipped.
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        let verdict = HandshakeSignatureValid::assertion();
        Ok(verdict)
    }

    /// Signature schemes this verifier advertises to the server.
    ///
    /// Only ECDSA (P-256/P-384/P-521), Ed25519 and RSA-PSS are offered; the
    /// list is advisory only, since the signature methods above never
    /// inspect the scheme actually used.
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        let schemes = [
            SignatureScheme::ECDSA_NISTP256_SHA256,
            SignatureScheme::ECDSA_NISTP384_SHA384,
            SignatureScheme::ECDSA_NISTP521_SHA512,
            SignatureScheme::ED25519,
            SignatureScheme::RSA_PSS_SHA256,
            SignatureScheme::RSA_PSS_SHA384,
            SignatureScheme::RSA_PSS_SHA512,
        ];
        schemes.to_vec()
    }
}