
1use std::sync::Arc;
2
3use rustls::{
4    ClientConfig, Error as TlsError, SignatureScheme,
5    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
6};
7
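/// Returns a rustls [`ClientConfig`] that trusts the root certificates found
/// in the platform's native certificate store (loaded through the
/// `rustls-native-certs` crate) and presents no client certificate.
///
/// Loading is best-effort: `rustls_native_certs::load_native_certs()` reports
/// per-location load errors alongside whatever certificates it did read, and
/// this function drops those errors. Certificates that do not parse as trust
/// anchors are skipped as well. If nothing loads, the returned config has an
/// empty root store and there is no anchor for any server chain to reach, so
/// every handshake fails certificate validation (fails closed, not open).
/// Callers that need to tell "no roots loaded" apart from "bad server" should
/// inspect the store themselves.
///
/// Requires the `native-roots` feature to be enabled.
#[cfg(feature = "native-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "native-roots")))]
pub fn config_native_roots() -> ClientConfig {
    let mut root_store = rustls::RootCertStore::empty();

    // `loaded.errors` (partial-load failures) is intentionally ignored;
    // unparsable certificates are counted in `_skipped` and dropped.
    let loaded = rustls_native_certs::load_native_certs();
    let (_added, _skipped) = root_store.add_parsable_certs(loaded.certs);

    ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth()
}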
25
/// Builds a rustls [`ClientConfig`] whose trust anchors are the root set
/// bundled by the `webpki-roots` crate, with no client certificate.
///
/// The roots are compiled into the binary, so behaviour is identical on every
/// platform, but new or withdrawn roots only take effect when the crate is
/// updated and the program rebuilt.
///
/// Requires the `webpki-roots` feature to be enabled.
#[cfg(feature = "webpki-roots")]
#[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
pub fn config_webpki_roots() -> ClientConfig {
    let mut anchors = rustls::RootCertStore::empty();
    anchors
        .roots
        .extend_from_slice(webpki_roots::TLS_SERVER_ROOTS);

    let builder = ClientConfig::builder().with_root_certificates(anchors);
    builder.with_no_client_auth()
}
41
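/// Returns a rustls [`ClientConfig`] that performs **no** server certificate
/// verification and presents no client certificate.
///
/// # Security
///
/// The installed verifier (`NoopTlsVerifier`) accepts any certificate chain
/// and any handshake signature, so the client never authenticates the server.
/// The connection is still encrypted, which only defends against a passive
/// eavesdropper: an active attacker on the path can terminate TLS with an
/// arbitrary certificate and read or modify all traffic, including database
/// credentials. This is comparable to libpq's `sslmode=require` with no CA
/// file, which likewise skips verification. Restrict it to local development
/// and tests; for anything that crosses a network you do not control, use
/// `config_native_roots`, `config_webpki_roots`, or a config built from an
/// explicit CA bundle.
pub fn config_no_verify() -> ClientConfig {
    let verifier: Arc<dyn ServerCertVerifier> = Arc::new(NoopTlsVerifier);

    ClientConfig::builder()
        // `dangerous()` is rustls's explicit opt-in for replacing the
        // certificate verifier.
        .dangerous()
        .with_custom_certificate_verifier(verifier)
        .with_no_client_auth()
}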
49
/// A [`ServerCertVerifier`] that accepts every certificate chain and every
/// handshake signature without checking anything. Installed by
/// `config_no_verify`; never use it on a connection that must authenticate
/// the peer.
#[derive(Debug)]
struct NoopTlsVerifier;
52
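impl ServerCertVerifier for NoopTlsVerifier {
    /// Accepts the presented chain unconditionally. The end-entity
    /// certificate, intermediates, expected server name, stapled OCSP response
    /// and current time are all ignored, so no chain building, hostname
    /// matching, expiry or revocation checks take place.
    fn verify_server_cert(
        &self,
        _end_entity: &rustls::pki_types::CertificateDer<'_>,
        _intermediates: &[rustls::pki_types::CertificateDer<'_>],
        _server_name: &rustls::pki_types::ServerName<'_>,
        _ocsp_response: &[u8],
        _now: rustls::pki_types::UnixTime,
    ) -> Result<ServerCertVerified, TlsError> {
        Ok(ServerCertVerified::assertion())
    }

    /// Reports the TLS 1.2 handshake signature as valid without checking it
    /// against the certificate's public key.
    fn verify_tls12_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }

    /// Reports the TLS 1.3 handshake signature as valid without checking it
    /// against the certificate's public key.
    fn verify_tls13_signature(
        &self,
        _message: &[u8],
        _cert: &rustls::pki_types::CertificateDer<'_>,
        _dss: &rustls::DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, TlsError> {
        Ok(HandshakeSignatureValid::assertion())
    }

    /// Signature schemes this verifier claims to handle. rustls uses this list
    /// when advertising signature algorithms to the server, so it also
    /// constrains which schemes the server may sign the handshake with.
    ///
    /// NOTE(review): the RSA PKCS#1 v1.5 schemes are not listed, so a TLS 1.2
    /// server that only signs with PKCS#1 v1.5 may fail the handshake even
    /// though nothing is verified here — confirm whether that is intended.
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        vec![
            SignatureScheme::ECDSA_NISTP256_SHA256,
            SignatureScheme::ECDSA_NISTP384_SHA384,
            SignatureScheme::ECDSA_NISTP521_SHA512,
            SignatureScheme::ED25519,
            SignatureScheme::RSA_PSS_SHA256,
            SignatureScheme::RSA_PSS_SHA384,
            SignatureScheme::RSA_PSS_SHA512,
        ]
    }
}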