Trait rustls::client::ServerCertVerifier
source · pub trait ServerCertVerifier: Send + Sync {
// Required method
fn verify_server_cert(
&self,
end_entity: &Certificate,
intermediates: &[Certificate],
server_name: &ServerName,
scts: &mut dyn Iterator<Item = &[u8]>,
ocsp_response: &[u8],
now: SystemTime,
) -> Result<ServerCertVerified, Error>;
// Provided methods
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error> { ... }
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error> { ... }
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { ... }
fn request_scts(&self) -> bool { ... }
}
Expand description
Something that can verify a server certificate chain, and verify signatures made by certificates.
Required Methods§
sourcefn verify_server_cert(
&self,
end_entity: &Certificate,
intermediates: &[Certificate],
server_name: &ServerName,
scts: &mut dyn Iterator<Item = &[u8]>,
ocsp_response: &[u8],
now: SystemTime,
) -> Result<ServerCertVerified, Error>
fn verify_server_cert( &self, end_entity: &Certificate, intermediates: &[Certificate], server_name: &ServerName, scts: &mut dyn Iterator<Item = &[u8]>, ocsp_response: &[u8], now: SystemTime, ) -> Result<ServerCertVerified, Error>
Verify the end-entity certificate end_entity
is valid for the
hostname dns_name
and chains to at least one trust anchor.
intermediates
contains all certificates other than end_entity
that
were sent as part of the server’s Certificate message. It is in the
same order that the server sent them and may be empty.
Note that none of the certificates have been parsed yet, so it is the responsibility of
the implementor to handle invalid data. It is recommended that the implementor returns
[Error::InvalidCertificate(CertificateError::BadEncoding)
] when these cases are encountered.
scts
contains the Signed Certificate Timestamps (SCTs) the server
sent with the end-entity certificate, if any.
Provided Methods§
sourcefn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls12_signature( &self, message: &[u8], cert: &Certificate, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
Verify a signature allegedly by the given server certificate.
message
is not hashed, and needs hashing during the verification.
The signature and algorithm are within dss
. cert
contains the
public key to use.
cert
has already been validated by ServerCertVerifier::verify_server_cert
.
If and only if the signature is valid, return Ok(HandshakeSignatureValid)
.
Otherwise, return an error – rustls will send an alert and abort the
connection.
This method is only called for TLS1.2 handshakes. Note that, in TLS1.2,
SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256
are not
in fact bound to the specific curve implied in their name.
This trait method has a default implementation that uses webpki to verify the signature.
sourcefn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls13_signature( &self, message: &[u8], cert: &Certificate, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
Verify a signature allegedly by the given server certificate.
This method is only called for TLS1.3 handshakes.
This method is very similar to verify_tls12_signature
: but note the
tighter ECDSA SignatureScheme semantics – e.g. SignatureScheme::ECDSA_NISTP256_SHA256
must only validate signatures using public keys on the right curve –
rustls does not enforce this requirement for you.
cert
has already been validated by ServerCertVerifier::verify_server_cert
.
If and only if the signature is valid, return Ok(HandshakeSignatureValid)
.
Otherwise, return an error – rustls will send an alert and abort the
connection.
This trait method has a default implementation that uses webpki to verify the signature.
sourcefn supported_verify_schemes(&self) -> Vec<SignatureScheme>
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
Return the list of SignatureSchemes that this verifier will handle,
in verify_tls12_signature
and verify_tls13_signature
calls.
This should be in priority order, with the most preferred first.
This trait method has a default implementation that reflects the schemes supported by webpki.
sourcefn request_scts(&self) -> bool
fn request_scts(&self) -> bool
Returns true
if Rustls should ask the server to send SCTs.
Signed Certificate Timestamps (SCTs) are used for Certificate Transparency validation.
The default implementation of this function returns true.