Struct ClientCertVerifierBuilder 

pub struct ClientCertVerifierBuilder { /* private fields */ }
Available on (crate features rustls or boring or acme) and crate feature rustls only.

A builder for configuring a webpki client certificate verifier.

For more information, see the WebPkiClientVerifier documentation.

Implementations

impl ClientCertVerifierBuilder

pub fn clear_root_hint_subjects(self) -> ClientCertVerifierBuilder

Clear the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will remove these hint subjects, indicating the client should make a free choice of which certificate to send.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to clear the default hint subjects.

pub fn add_root_hint_subjects(
    self,
    subjects: impl IntoIterator<Item = DistinguishedName>,
) -> ClientCertVerifierBuilder

Add additional DistinguishedNames to the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will add to these existing hint subjects. Calling this function with empty subjects will have no effect.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to override the default hint subjects.

pub fn with_crls(
    self,
    crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>,
) -> ClientCertVerifierBuilder

Verify the revocation state of presented client certificates against the provided certificate revocation lists (CRLs). Calling with_crls multiple times appends the given CRLs to the existing collection.

By default all certificates in the verified chain built from the presented client certificate to a trust anchor will have their revocation status checked. Calling only_check_end_entity_revocation will change this behavior to only check the end entity client certificate.

By default if a certificate’s revocation status can not be determined using the configured CRLs, it will be treated as an error. Calling allow_unknown_revocation_status will change this behavior to allow unknown revocation status.

pub fn only_check_end_entity_revocation(self) -> ClientCertVerifierBuilder

Only check the end entity certificate revocation status when using CRLs.

If CRLs are provided using with_crls only check the end entity certificate’s revocation status. Overrides the default behavior of checking revocation status for each certificate in the verified chain built to a trust anchor (excluding the trust anchor itself).

If no CRLs are provided then this setting has no effect: neither the end entity certificate nor any intermediates will have their revocation status checked.

pub fn allow_unauthenticated(self) -> ClientCertVerifierBuilder

Allow unauthenticated clients to connect.

Clients that offer a client certificate issued by a trusted root, and clients that offer no client certificate at all, will be allowed to connect. A client that does offer a certificate is still fully verified (chain building, and revocation if CRLs were configured) and is rejected if that verification fails. Because anonymous clients complete the handshake in this mode, the application must check whether the peer actually presented a certificate before treating the connection as authenticated.

pub fn allow_unknown_revocation_status(self) -> ClientCertVerifierBuilder

Allow unknown certificate revocation status when using CRLs.

If CRLs are provided with with_crls and it isn’t possible to determine the revocation status of a certificate, do not treat it as an error condition. Overrides the default behavior where unknown revocation status is considered an error.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

pub fn enforce_revocation_expiration(self) -> ClientCertVerifierBuilder

Enforce the CRL nextUpdate field (i.e. expiration)

If CRLs are provided with with_crls and the verification time is beyond the time in the CRL nextUpdate field, it is expired and treated as an error condition. Overrides the default behavior where expired CRLs are not treated as an error condition.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

pub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>

Build a client certificate verifier. The built verifier is used by the server to offer client certificate authentication, to control how offered client certificates are validated, and to decide what happens to anonymous clients that respond to the client certificate request without a certificate.

The set of signature verification algorithms used by the verifier is taken from the CryptoProvider the builder was created with.

Once built, the provided Arc<dyn ClientCertVerifier> can be used with a Rustls ServerConfig to configure client certificate validation via ConfigBuilder<ServerConfig, WantsVerifier>::with_client_cert_verifier.

Errors

This function will return a VerifierBuilderError if:

  1. No trust anchors have been provided.
  2. DER encoded CRLs have been provided that can not be parsed successfully.
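
The interaction of with_crls, only_check_end_entity_revocation, allow_unknown_revocation_status, enforce_revocation_expiration and allow_unauthenticated described above is easiest to see as a decision procedure. The following is an added example written for this page, not rustls or rama code: a pure-std Rust model of those policy decisions, with assumed names (VerifierModel, Cert, Crl, Verdict) and constructed sample data (an "Example Root CA" trust anchor, an intermediate that publishes a CRL revoking serial 7, and a root that publishes no CRL). DER parsing, CRL signature verification and webpki path building are deliberately left out, so the model shows which option flips which outcome, not how rustls implements them.

```rust
// Added example (not rustls or rama code): a pure-std model of how this builder's options combine.
// Names such as VerifierModel, Cert and Crl are assumptions for illustration only. DER parsing,
// CRL signature verification and webpki path building are omitted; only the policy logic is modelled.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict { Anonymous, Authenticated(String) }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Error {
    CertificateRequired, UntrustedIssuer(String), Revoked { subject: String, serial: u64 },
    UnknownRevocationStatus(String), CrlExpired(String),
}

/// One certificate as sent by the client; chains are leaf-first and exclude the trust anchor.
#[derive(Debug, Clone)]
pub struct Cert { pub subject: &'static str, pub issuer: &'static str, pub serial: u64 }

/// A CRL: issuer, revoked serials, and its nextUpdate time (unix seconds).
#[derive(Debug, Clone)]
pub struct Crl { pub issuer: &'static str, pub revoked: Vec<u64>, pub next_update: u64 }

#[derive(Debug, Clone, Default)]
pub struct VerifierModel {
    roots: Vec<&'static str>, // subject names of the configured trust anchors
    crls: Vec<Crl>,
    only_end_entity: bool,
    allow_unknown_status: bool,
    enforce_expiration: bool,
    allow_unauthenticated: bool,
}

impl VerifierModel {
    pub fn new(roots: Vec<&'static str>) -> Self { Self { roots, ..Default::default() } }
    // These mirror the builder methods on this page; each one flips a single policy bit.
    pub fn with_crls(mut self, crls: impl IntoIterator<Item = Crl>) -> Self { self.crls.extend(crls); self }
    pub fn only_check_end_entity_revocation(mut self) -> Self { self.only_end_entity = true; self }
    pub fn allow_unknown_revocation_status(mut self) -> Self { self.allow_unknown_status = true; self }
    pub fn enforce_revocation_expiration(mut self) -> Self { self.enforce_expiration = true; self }
    pub fn allow_unauthenticated(mut self) -> Self { self.allow_unauthenticated = true; self }

    /// Decide what to do with a client that sent `chain` (None or empty = no certificate offered).
    pub fn verify(&self, chain: Option<&[Cert]>, now: u64) -> Result<Verdict, Error> {
        let chain = match chain.filter(|c| !c.is_empty()) {
            None if self.allow_unauthenticated => return Ok(Verdict::Anonymous),
            None => return Err(Error::CertificateRequired),
            Some(c) => c,
        };
        // Path building: each cert must be issued by the next one, and the last by a trust anchor.
        // A chain that is offered but fails here is rejected even when allow_unauthenticated is set.
        for pair in chain.windows(2) {
            if pair[0].issuer != pair[1].subject { return Err(Error::UntrustedIssuer(pair[0].issuer.into())); }
        }
        let last = chain.last().expect("chain is non-empty");
        if !self.roots.contains(&last.issuer) { return Err(Error::UntrustedIssuer(last.issuer.into())); }
        // Revocation runs only when CRLs were configured, and never against the trust anchor itself.
        if !self.crls.is_empty() {
            let to_check = if self.only_end_entity { &chain[..1] } else { chain };
            for cert in to_check { self.check_revocation(cert, now)?; }
        }
        Ok(Verdict::Authenticated(chain[0].subject.into()))
    }

    fn check_revocation(&self, cert: &Cert, now: u64) -> Result<(), Error> {
        // No CRL from this cert's issuer: status is unknown, which is an error unless allowed.
        let Some(crl) = self.crls.iter().find(|c| c.issuer == cert.issuer) else {
            if self.allow_unknown_status { return Ok(()); }
            return Err(Error::UnknownRevocationStatus(cert.subject.into()));
        };
        // Expired CRLs are accepted by default; enforce_revocation_expiration makes them an error.
        if self.enforce_expiration && now > crl.next_update { return Err(Error::CrlExpired(crl.issuer.into())); }
        if crl.revoked.contains(&cert.serial) {
            return Err(Error::Revoked { subject: cert.subject.into(), serial: cert.serial });
        }
        Ok(())
    }
}

/// Constructed sample chain: a leaf issued by an intermediate that is issued by the root.
pub fn sample_chain(leaf_serial: u64) -> Vec<Cert> {
    vec![
        Cert { subject: "client-42", issuer: "Example Intermediate CA", serial: leaf_serial },
        Cert { subject: "Example Intermediate CA", issuer: "Example Root CA", serial: 2 },
    ]
}

/// Constructed sample CRLs: only the intermediate publishes one, and it revokes serial 7.
pub fn sample_crls() -> Vec<Crl> {
    vec![Crl { issuer: "Example Intermediate CA", revoked: vec![7], next_update: 1_700_000_000 }]
}

fn main() {
    let now = 1_699_999_000;
    let strict = VerifierModel::new(vec!["Example Root CA"]).with_crls(sample_crls());
    // No CRL from "Example Root CA" covers the intermediate, so the default policy reports unknown status.
    println!("strict:  {:?}", strict.verify(Some(&sample_chain(42)), now));
    let relaxed = strict.clone().only_check_end_entity_revocation().allow_unauthenticated();
    println!("relaxed: {:?}", relaxed.verify(Some(&sample_chain(42)), now));
    println!("anon:    {:?}", relaxed.verify(None, now));
}
```

The strict configuration fails on the sample chain because no CRL from the root covers the intermediate, which is exactly the default "unknown status is an error" behaviour; only_check_end_entity_revocation and allow_unknown_revocation_status both accept it, for different reasons, while a revoked leaf serial is rejected under either. The practical consequence when calling the real with_crls is that a CRL must be supplied for every issuer in the checked part of the chain, or the handshake will fail with an unknown revocation status.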

Trait Implementations

impl Clone for ClientCertVerifierBuilder

fn clone(&self) -> ClientCertVerifierBuilder

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ClientCertVerifierBuilder

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

fn implicit(
    self,
    class: Class,
    constructed: bool,
    tag: u32,
) -> TaggedParser<'a, Implicit, Self, E>

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> FromRef<T> for T
where T: Clone,

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.

impl<T> FutureExt for T

fn with_context(self, otel_cx: Context) -> WithContext<Self>

Attaches the provided Context to this type, returning a WithContext wrapper.

fn with_current_context(self) -> WithContext<Self>

Attaches the current Context to this type, returning a WithContext wrapper.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T, U> RamaFrom<T> for U
where U: From<T>,

fn rama_from(value: T) -> U

impl<T, U, CrateMarker> RamaInto<U, CrateMarker> for T
where U: RamaFrom<T, CrateMarker>,

fn rama_into(self) -> U

impl<T, U> RamaTryFrom<T> for U
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

fn rama_try_from(value: T) -> Result<U, <U as RamaTryFrom<T>>::Error>

impl<T, U, CrateMarker> RamaTryInto<U, CrateMarker> for T
where U: RamaTryFrom<T, CrateMarker>,

type Error = <U as RamaTryFrom<T, CrateMarker>>::Error

fn rama_try_into(self) -> Result<U, <U as RamaTryFrom<T, CrateMarker>>::Error>

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.