WebPkiServerVerifier

rustls::webpki::server_verifier

Struct WebPkiServerVerifier 

Source 
pub struct WebPkiServerVerifier {
    roots: Arc<RootCertStore>,
    crls: Vec<CertRevocationList<'static>>,
    revocation_check_depth: RevocationCheckDepth,
    unknown_revocation_policy: UnknownStatusPolicy,
    revocation_expiration_policy: ExpirationPolicy,
    supported: WebPkiSupportedAlgorithms,
}
Expand description

Default ServerCertVerifier, see the trait impl for more information.

Fields§

§roots: Arc<RootCertStore>§crls: Vec<CertRevocationList<'static>>§revocation_check_depth: RevocationCheckDepth§unknown_revocation_policy: UnknownStatusPolicy§revocation_expiration_policy: ExpirationPolicy§supported: WebPkiSupportedAlgorithms

Implementations§

Source§

impl WebPkiServerVerifier

Source

pub fn builder(roots: Arc<RootCertStore>) -> ServerCertVerifierBuilder

Create a builder for the webpki server certificate verifier configuration using the process-default CryptoProvider.

Server certificates will be verified using the trust anchors found in the provided roots.

Use Self::builder_with_provider if you wish to specify an explicit provider.

For more information, see the ServerCertVerifierBuilder documentation.

Source

pub fn builder_with_provider( roots: Arc<RootCertStore>, provider: Arc<CryptoProvider>, ) -> ServerCertVerifierBuilder

Create a builder for the webpki server certificate verifier configuration using a specified CryptoProvider.

Server certificates will be verified using the trust anchors found in the provided roots.

The cryptography used comes from the specified CryptoProvider.

For more information, see the ServerCertVerifierBuilder documentation.

Source

pub(crate) fn new_without_revocation( roots: impl Into<Arc<RootCertStore>>, supported_algs: WebPkiSupportedAlgorithms, ) -> Self

Short-cut for creating a WebPkiServerVerifier that does not perform certificate revocation checking, avoiding the need to use a builder.

Source

pub(crate) fn new( roots: impl Into<Arc<RootCertStore>>, crls: Vec<CertRevocationList<'static>>, revocation_check_depth: RevocationCheckDepth, unknown_revocation_policy: UnknownStatusPolicy, revocation_expiration_policy: ExpirationPolicy, supported: WebPkiSupportedAlgorithms, ) -> Self

Constructs a new WebPkiServerVerifier.

  • roots is the set of trust anchors to trust for issuing server certs.
  • crls are a vec of owned certificate revocation lists (CRLs) to use for client certificate validation.
  • revocation_check_depth controls which certificates have their revocation status checked when crls are provided.
  • unknown_revocation_policy controls how certificates with an unknown revocation status are handled when crls are provided.
  • supported is the set of supported algorithms that will be used for certificate verification and TLS handshake signature verification.

Trait Implementations§

Source§

impl Debug for WebPkiServerVerifier

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl ServerCertVerifier for WebPkiServerVerifier

Source§

fn verify_server_cert( &self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], server_name: &ServerName<'_>, ocsp_response: &[u8], now: UnixTime, ) -> Result<ServerCertVerified, Error>

Will verify the certificate is valid in the following ways:

  • Signed by a trusted RootCertStore CA
  • Not Expired
  • Valid for DNS entry
  • Valid revocation status (if applicable).

Depending on the verifier’s configuration revocation status checking may be performed for each certificate in the chain to a root CA (excluding the root itself), or only the end entity certificate. Similarly, unknown revocation status may be treated as an error or allowed based on configuration.

Source§

fn verify_tls12_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate. Read more
Source§

fn verify_tls13_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate. Read more
Source§

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls. Read more
Source§

fn requires_raw_public_keys(&self) -> bool

Returns whether this verifier requires raw public keys as defined in RFC 7250.
Source§

fn root_hint_subjects(&self) -> Option<&[DistinguishedName]>

Return the DistinguishedNames of certificate authorities that this verifier trusts. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.