Struct rustls::server::ClientCertVerifierBuilder

source ·

pub struct ClientCertVerifierBuilder { /* private fields */ }

Expand description

A builder for configuring a webpki client certificate verifier.

For more information, see the WebPkiClientVerifier documentation.

Implementations§

source §

impl ClientCertVerifierBuilder

source

pub fn clear_root_hint_subjects(self) -> Self

Clear the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will remove these hint subjects, indicating the client should make a free choice of which certificate to send.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to clear the default hint subjects.

source

pub fn add_root_hint_subjects( self, subjects: impl IntoIterator<Item = DistinguishedName>, ) -> Self

Add additional DistinguishedNames to the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will add to these existing hint subjects. Calling this function with empty subjects will have no effect.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to override the default hint subjects.

source

pub fn with_crls( self, crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>, ) -> Self

Verify the revocation state of presented client certificates against the provided certificate revocation lists (CRLs). Calling with_crls multiple times appends the given CRLs to the existing collection.

By default all certificates in the verified chain built from the presented client certificate to a trust anchor will have their revocation status checked. Calling only_check_end_entity_revocation will change this behavior to only check the end entity client certificate.

By default if a certificate’s revocation status can not be determined using the configured CRLs, it will be treated as an error. Calling allow_unknown_revocation_status will change this behavior to allow unknown revocation status.

source

pub fn only_check_end_entity_revocation(self) -> Self

Only check the end entity certificate revocation status when using CRLs.

If CRLs are provided using with_crls only check the end entity certificate’s revocation status. Overrides the default behavior of checking revocation status for each certificate in the verified chain built to a trust anchor (excluding the trust anchor itself).

If no CRLs are provided then this setting has no effect. Neither the end entity certificate or any intermediates will have revocation status checked.

source

pub fn allow_unauthenticated(self) -> Self

Allow unauthenticated clients to connect.

Clients that offer a client certificate issued by a trusted root, and clients that offer no client certificate will be allowed to connect.

source

pub fn allow_unknown_revocation_status(self) -> Self

Allow unknown certificate revocation status when using CRLs.

If CRLs are provided with with_crls and it isn’t possible to determine the revocation status of a certificate, do not treat it as an error condition. Overrides the default behavior where unknown revocation status is considered an error.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn enforce_revocation_expiration(self) -> Self

Enforce the CRL nextUpdate field (i.e. expiration)

If CRLs are provided with with_crls and the verification time is beyond the time in the CRL nextUpdate field, it is expired and treated as an error condition. Overrides the default behavior where expired CRLs are not treated as an error condition.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>

Build a client certificate verifier. The built verifier will be used for the server to offer client certificate authentication, to control how offered client certificates are validated, and to determine what to do with anonymous clients that do not respond to the client certificate authentication offer with a client certificate.

If with_signature_verification_algorithms was not called on the builder, a default set of signature verification algorithms is used, controlled by the selected CryptoProvider.

Once built, the provided Arc<dyn ClientCertVerifier> can be used with a Rustls ServerConfig to configure client certificate validation using with_client_cert_verifier.