pub struct WebPkiClientVerifier { /* private fields */ }

A client certificate verifier that uses the webpki crate to perform client certificate validation. It must be created via the WebPkiClientVerifier::builder() function.

Once built, the resulting Arc<dyn ClientCertVerifier> can be passed to a rustls crate::server::ServerConfig through with_client_cert_verifier to configure client certificate validation.

Example:

To require that all clients present a client certificate issued by a trusted CA (in every snippet below, `roots` is a RootCertStore holding the trusted CA certificates and `crls` is the list of certificate revocation lists to apply):

```rust
// `roots` is a RootCertStore populated with the trusted CA certificates.
let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .build()
  .unwrap();
```

Or, to allow clients presenting a client certificate authenticated by a trusted CA, or anonymous clients that present no client certificate:

```rust
// Client authentication is still offered; a presented certificate must still verify.
let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .allow_unauthenticated()
  .build()
  .unwrap();
```

If you wish to disable advertising client authentication:

```rust
// The server will not send a CertificateRequest at all.
let client_verifier = WebPkiClientVerifier::no_client_auth();
```

You can also configure the client verifier to check for certificate revocation with client certificate revocation lists (CRLs):

```rust
// `crls` holds the DER-encoded CRLs consulted during verification.
let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .with_crls(crls)
  .build()
  .unwrap();
```
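To make the difference between the three policies above concrete, here is an added example (not rustls code) that models what a server does with `offer_client_auth`, `client_auth_mandatory` and `verify_client_cert` for each kind of client. The trait, the `Outcome` enum, `accept_client` and the byte-string "certificates" are constructed stand-ins for this example, and chain validation is reduced to a lookup in the trusted set.

```rust
/// Result of the server's client-authentication decision (model only).
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum Outcome { Authenticated, Anonymous, Rejected }

/// Stand-in for rustls' ClientCertVerifier: only the policy hooks from the page
/// plus a boolean chain check are modelled (an assumption made for this example).
pub trait ClientCertVerifier {
    fn offer_client_auth(&self) -> bool;
    fn client_auth_mandatory(&self) -> bool;
    fn verify_client_cert(&self, end_entity: &[u8]) -> bool;
}

/// Model of WebPkiClientVerifier; `roots` holds constructed "trusted" certificates.
pub struct WebPkiClientVerifier { roots: Vec<Vec<u8>>, offer: bool, mandatory: bool }

impl WebPkiClientVerifier {
    /// Like builder(roots).build(): offer client auth and require it.
    pub fn required(roots: Vec<Vec<u8>>) -> Self { Self { roots, offer: true, mandatory: true } }
    /// Like builder(roots).allow_unauthenticated().build(): offer it, do not require it.
    pub fn allow_unauthenticated(roots: Vec<Vec<u8>>) -> Self { Self { roots, offer: true, mandatory: false } }
    /// Like no_client_auth(): the server never requests a certificate at all.
    pub fn no_client_auth() -> Self { Self { roots: Vec::new(), offer: false, mandatory: false } }
}

impl ClientCertVerifier for WebPkiClientVerifier {
    fn offer_client_auth(&self) -> bool { self.offer }
    fn client_auth_mandatory(&self) -> bool { self.mandatory }
    // Chain validation is reduced to "is this exact certificate in the trusted set".
    fn verify_client_cert(&self, end_entity: &[u8]) -> bool {
        self.roots.iter().any(|r| r.as_slice() == end_entity)
    }
}

/// The decision a server makes from those hooks; `presented` is the
/// certificate the client sent in response to CertificateRequest, if any.
pub fn accept_client(v: &dyn ClientCertVerifier, presented: Option<&[u8]>) -> Outcome {
    if !v.offer_client_auth() {
        return Outcome::Anonymous; // no CertificateRequest is sent, so nothing to verify
    }
    match presented {
        Some(cert) if v.verify_client_cert(cert) => Outcome::Authenticated,
        Some(_) => Outcome::Rejected, // a presented certificate must always verify
        None if v.client_auth_mandatory() => Outcome::Rejected,
        None => Outcome::Anonymous, // only reachable with allow_unauthenticated
    }
}
```

The point worth checking in your own configuration is the middle row: allow_unauthenticated lets a client omit its certificate, but a certificate that is presented and fails verification still aborts the handshake.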

Implementations

impl WebPkiClientVerifier

pub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder

Create a builder for the webpki client certificate verifier configuration. Client certificate authentication will be offered by the server, and client certificates will be verified against the trust anchors in the provided roots. If you wish to disable client authentication, use WebPkiClientVerifier::no_client_auth() instead.

For more information, see the ClientCertVerifierBuilder documentation.

pub fn no_client_auth() -> Arc<dyn ClientCertVerifier>

Create a new WebPkiClientVerifier that disables client authentication. The server will not offer client authentication and anonymous clients will be accepted.

This is in contrast to using WebPkiClientVerifier::builder().allow_unauthenticated().build(), which will produce a verifier that will offer client authentication, but not require it.

Trait Implementations

impl ClientCertVerifier for WebPkiClientVerifier

fn offer_client_auth(&self) -> bool

Returns true to enable the server to request a client certificate and false to skip requesting a client certificate. Defaults to true.

fn client_auth_mandatory(&self) -> bool

Return true to require a client certificate and false to make client authentication optional. Defaults to Some(self.offer_client_auth()).

fn client_auth_root_subjects(&self) -> &[DistinguishedName]

Returns the Subjects of the client authentication trust anchors to share with the client when requesting client authentication.

fn verify_client_cert(&self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], now: SystemTime) -> Result<ClientCertVerified, Error>

Verify that the end-entity certificate end_entity is valid, acceptable, and chains to at least one of the trust anchors trusted by this verifier.

fn verify_tls12_signature(&self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn verify_tls13_signature(&self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle in verify_tls12_signature and verify_tls13_signature calls.
