pub struct WebPkiClientVerifier {
roots: Arc<RootCertStore>,
root_hint_subjects: Vec<DistinguishedName>,
crls: Vec<CertRevocationList<'static>>,
revocation_check_depth: RevocationCheckDepth,
unknown_revocation_policy: UnknownStatusPolicy,
revocation_expiration_policy: ExpirationPolicy,
anonymous_policy: AnonymousClientPolicy,
supported_algs: WebPkiSupportedAlgorithms,
}
Expand description
A client certificate verifier that uses the webpki
crate1 to perform client certificate
validation.
It must be created via the WebPkiClientVerifier::builder()
or
WebPkiClientVerifier::builder_with_provider()
functions.
Once built, the provided Arc<dyn ClientCertVerifier>
can be used with a Rustls ServerConfig
to configure client certificate validation using with_client_cert_verifier
.
Example:
To require all clients present a client certificate issued by a trusted CA:
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.build()
.unwrap();
Or, to allow clients presenting a client certificate authenticated by a trusted CA, or anonymous clients that present no client certificate:
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.allow_unauthenticated()
.build()
.unwrap();
If you wish to disable advertising client authentication:
let client_verifier = WebPkiClientVerifier::no_client_auth();
You can also configure the client verifier to check for certificate revocation with client certificate revocation lists (CRLs):
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.with_crls(crls)
.build()
.unwrap();
Fields§
§roots: Arc<RootCertStore>
§root_hint_subjects: Vec<DistinguishedName>
§crls: Vec<CertRevocationList<'static>>
§revocation_check_depth: RevocationCheckDepth
§unknown_revocation_policy: UnknownStatusPolicy
§revocation_expiration_policy: ExpirationPolicy
§anonymous_policy: AnonymousClientPolicy
§supported_algs: WebPkiSupportedAlgorithms
Implementations§
source§impl WebPkiClientVerifier
impl WebPkiClientVerifier
sourcepub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder
pub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder
Create a builder for the webpki
client certificate verifier configuration using
the process-default CryptoProvider
.
Client certificate authentication will be offered by the server, and client certificates
will be verified using the trust anchors found in the provided roots
. If you
wish to disable client authentication use WebPkiClientVerifier::no_client_auth()
instead.
Use Self::builder_with_provider
if you wish to specify an explicit provider.
For more information, see the ClientCertVerifierBuilder
documentation.
sourcepub fn builder_with_provider(
roots: Arc<RootCertStore>,
provider: Arc<CryptoProvider>,
) -> ClientCertVerifierBuilder
pub fn builder_with_provider( roots: Arc<RootCertStore>, provider: Arc<CryptoProvider>, ) -> ClientCertVerifierBuilder
Create a builder for the webpki
client certificate verifier configuration using
a specified CryptoProvider
.
Client certificate authentication will be offered by the server, and client certificates
will be verified using the trust anchors found in the provided roots
. If you
wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.
The cryptography used comes from the specified CryptoProvider
.
For more information, see the ClientCertVerifierBuilder
documentation.
sourcepub fn no_client_auth() -> Arc<dyn ClientCertVerifier>
pub fn no_client_auth() -> Arc<dyn ClientCertVerifier>
Create a new WebPkiClientVerifier
that disables client authentication. The server will
not offer client authentication and anonymous clients will be accepted.
This is in contrast to using WebPkiClientVerifier::builder().allow_unauthenticated().build()
,
which will produce a verifier that will offer client authentication, but not require it.
sourcepub(crate) fn new(
roots: Arc<RootCertStore>,
root_hint_subjects: Vec<DistinguishedName>,
crls: Vec<CertRevocationList<'static>>,
revocation_check_depth: RevocationCheckDepth,
unknown_revocation_policy: UnknownStatusPolicy,
revocation_expiration_policy: ExpirationPolicy,
anonymous_policy: AnonymousClientPolicy,
supported_algs: WebPkiSupportedAlgorithms,
) -> Self
pub(crate) fn new( roots: Arc<RootCertStore>, root_hint_subjects: Vec<DistinguishedName>, crls: Vec<CertRevocationList<'static>>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, revocation_expiration_policy: ExpirationPolicy, anonymous_policy: AnonymousClientPolicy, supported_algs: WebPkiSupportedAlgorithms, ) -> Self
Construct a new WebpkiClientVerifier
.
roots
is a list of trust anchors to use for certificate validation.root_hint_subjects
is a list of distinguished names to use for hinting acceptable certificate authority subjects to a client.crls
is aVec
of owned certificate revocation lists (CRLs) to use for client certificate validation.revocation_check_depth
controls which certificates have their revocation status checked whencrls
are provided.unknown_revocation_policy
controls how certificates with an unknown revocation status are handled whencrls
are provided.anonymous_policy
controls whether client authentication is required, or if anonymous clients can connect.supported_algs
specifies which signature verification algorithms should be used.
Trait Implementations§
source§impl ClientCertVerifier for WebPkiClientVerifier
impl ClientCertVerifier for WebPkiClientVerifier
source§fn offer_client_auth(&self) -> bool
fn offer_client_auth(&self) -> bool
true
to enable the server to request a client certificate and
false
to skip requesting a client certificate. Defaults to true
.source§fn client_auth_mandatory(&self) -> bool
fn client_auth_mandatory(&self) -> bool
true
to require a client certificate and false
to make
client authentication optional.
Defaults to self.offer_client_auth()
.source§fn root_hint_subjects(&self) -> &[DistinguishedName]
fn root_hint_subjects(&self) -> &[DistinguishedName]
DistinguishedName
subjects that the server will hint to clients to
identify acceptable authentication trust anchors. Read moresource§fn verify_client_cert(
&self,
end_entity: &CertificateDer<'_>,
intermediates: &[CertificateDer<'_>],
now: UnixTime,
) -> Result<ClientCertVerified, Error>
fn verify_client_cert( &self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], now: UnixTime, ) -> Result<ClientCertVerified, Error>
end_entity
is valid, acceptable,
and chains to at least one of the trust anchors trusted by
this verifier. Read moresource§fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls12_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
source§fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls13_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
source§fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
verify_tls12_signature
and verify_tls13_signature
calls. Read more