
1use {
2    crate::crypto_provider,
3    rustls::{
4        client::danger::HandshakeSignatureValid,
5        crypto::CryptoProvider,
6        pki_types::{CertificateDer, UnixTime},
7        server::danger::{ClientCertVerified, ClientCertVerifier},
8        DigitallySignedStruct, DistinguishedName, Error, SignatureScheme,
9    },
10    std::{fmt::Debug, sync::Arc},
11};
12
/// Implementation of [`ClientCertVerifier`] that accepts any client
/// certificate without validating it (no chain building, expiry or
/// revocation checks), yet still verifies the TLS handshake signatures
/// against the presented certificate, so the peer must hold the matching
/// private key. Any identity or authorization decision based on the
/// certificate has to be made by the caller.
#[derive(Debug)]
// Supplies the signature verification algorithms used by the handshake checks.
pub struct SkipClientVerification(Arc<CryptoProvider>);
17
impl SkipClientVerification {
    /// Builds a verifier backed by this crate's [`crypto_provider`] and
    /// returns it behind an [`Arc`].
    pub fn new() -> Arc<Self> {
        let provider = Arc::new(crypto_provider());
        Arc::new(Self(provider))
    }
}
impl ClientCertVerifier for SkipClientVerification {
    /// Accepts whatever certificate the client presents: nothing about the
    /// end entity, the intermediates or the current time is inspected, so a
    /// self-signed or expired certificate passes. Possession of the private
    /// key is still enforced by [`Self::verify_tls12_signature`] and
    /// [`Self::verify_tls13_signature`]; deriving an identity from the
    /// certificate and authorizing it is left to the caller.
    fn verify_client_cert(
        &self,
        _end_entity: &CertificateDer,
        _intermediates: &[CertificateDer],
        _now: UnixTime,
    ) -> Result<ClientCertVerified, Error> {
        // Unconditional acceptance is the whole point of this verifier.
        Ok(ClientCertVerified::assertion())
    }

    /// Advertises no trust anchors, since no chain is ever validated.
    fn root_hint_subjects(&self) -> &[DistinguishedName] {
        &[]
    }

    /// Checks the client's TLS 1.2 handshake signature over `message` with
    /// the signature algorithms of the configured crypto provider.
    fn verify_tls12_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        let Self(provider) = self;
        let algorithms = &provider.signature_verification_algorithms;
        rustls::crypto::verify_tls12_signature(message, cert, dss, algorithms)
    }

    /// Checks the client's TLS 1.3 handshake signature over `message` with
    /// the signature algorithms of the configured crypto provider.
    fn verify_tls13_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error> {
        let Self(provider) = self;
        let algorithms = &provider.signature_verification_algorithms;
        rustls::crypto::verify_tls13_signature(message, cert, dss, algorithms)
    }

    /// The signature schemes the configured crypto provider can verify.
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
        let Self(provider) = self;
        provider
            .signature_verification_algorithms
            .supported_schemes()
    }

    /// A client certificate is always requested during the handshake.
    fn offer_client_auth(&self) -> bool {
        true
    }

    /// A client certificate is required whenever it is requested, i.e.
    /// always: a handshake without one is rejected.
    fn client_auth_mandatory(&self) -> bool {
        self.offer_client_auth()
    }
}
74        self.offer_client_auth()
75    }
76}