rustls::webpki::server_verifier

Struct ServerCertVerifierBuilder

source
pub struct ServerCertVerifierBuilder {
    roots: Arc<RootCertStore>,
    crls: Vec<CertificateRevocationListDer<'static>>,
    revocation_check_depth: RevocationCheckDepth,
    unknown_revocation_policy: UnknownStatusPolicy,
    revocation_expiration_policy: ExpirationPolicy,
    supported_algs: WebPkiSupportedAlgorithms,
}
Expand description

A builder for configuring a webpki server certificate verifier.

For more information, see the WebPkiServerVerifier documentation.

Fields§

§roots: Arc<RootCertStore>§crls: Vec<CertificateRevocationListDer<'static>>§revocation_check_depth: RevocationCheckDepth§unknown_revocation_policy: UnknownStatusPolicy§revocation_expiration_policy: ExpirationPolicy§supported_algs: WebPkiSupportedAlgorithms

Implementations§

source§

impl ServerCertVerifierBuilder

source

pub(crate) fn new( roots: Arc<RootCertStore>, supported_algs: WebPkiSupportedAlgorithms, ) -> Self

source

pub fn with_crls( self, crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>, ) -> Self

Verify the revocation state of presented client certificates against the provided certificate revocation lists (CRLs). Calling with_crls multiple times appends the given CRLs to the existing collection.

source

pub fn only_check_end_entity_revocation(self) -> Self

Only check the end entity certificate revocation status when using CRLs.

If CRLs are provided using with_crls only check the end entity certificate’s revocation status. Overrides the default behavior of checking revocation status for each certificate in the verified chain built to a trust anchor (excluding the trust anchor itself).

If no CRLs are provided then this setting has no effect. Neither the end entity certificate or any intermediates will have revocation status checked.

source

pub fn allow_unknown_revocation_status(self) -> Self

Allow unknown certificate revocation status when using CRLs.

If CRLs are provided with with_crls and it isn’t possible to determine the revocation status of a certificate, do not treat it as an error condition. Overrides the default behavior where unknown revocation status is considered an error.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn enforce_revocation_expiration(self) -> Self

Enforce the CRL nextUpdate field (i.e. expiration)

If CRLs are provided with with_crls and the verification time is beyond the time in the CRL nextUpdate field, it is expired and treated as an error condition. Overrides the default behavior where expired CRLs are not treated as an error condition.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn build(self) -> Result<Arc<WebPkiServerVerifier>, VerifierBuilderError>

Build a server certificate verifier, allowing control over the root certificates to use as trust anchors, and to control how server certificate revocation checking is performed.

If with_signature_verification_algorithms was not called on the builder, a default set of signature verification algorithms is used, controlled by the selected crypto::CryptoProvider.

Once built, the provided Arc<dyn ServerCertVerifier> can be used with a Rustls ServerConfig to configure client certificate validation using with_client_cert_verifier.

§Errors

This function will return a VerifierBuilderError if:

  1. No trust anchors have been provided.
  2. DER encoded CRLs have been provided that can not be parsed successfully.

Trait Implementations§

source§

impl Clone for ServerCertVerifierBuilder

source§

fn clone(&self) -> ServerCertVerifierBuilder

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for ServerCertVerifierBuilder

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

source§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

source§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.