Struct WebPkiClientVerifier

pub struct WebPkiClientVerifier { /* private fields */ }

Available on (crate features rustls or boring or acme) and crate feature rustls only.

A client certificate verifier that uses the webpki crate to perform client certificate validation.

It must be created via the WebPkiClientVerifier::builder() or WebPkiClientVerifier::builder_with_provider() functions.

Once built, the provided Arc<dyn ClientCertVerifier> can be used with a Rustls ServerConfig to configure client certificate validation using ConfigBuilder::with_client_cert_verifier.

Example:

To require all clients present a client certificate issued by a trusted CA (`roots` is a RootCertStore holding the CA certificates you trust):

let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .build()
  .unwrap();

Or, to allow clients presenting a client certificate authenticated by a trusted CA, or anonymous clients that present no client certificate:

let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .allow_unauthenticated()
  .build()
  .unwrap();

If you wish to disable advertising client authentication:

let client_verifier = WebPkiClientVerifier::no_client_auth();

You can also configure the client verifier to check for certificate revocation with client certificate revocation lists (CRLs):

let client_verifier = WebPkiClientVerifier::builder(roots.into())
  .with_crls(crls)
  .build()
  .unwrap();
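To make the three configurations above concrete, here is an added model (not rustls or rama code) of how each one answers the verifier's offer_client_auth and client_auth_mandatory questions, and what the server then does with an anonymous, trusted, untrusted or revoked client; the Mode, ClientCert and Outcome names are invented for this illustration.

```rust
// Added model, not rustls code: the three WebPkiClientVerifier
// configurations on this page as offer/mandatory flags, and the decision
// a server reaches for each kind of client. All names here are invented.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Mode {
    Required,     // builder(roots).build()
    Optional,     // builder(roots).allow_unauthenticated().build()
    NoClientAuth, // no_client_auth()
}

impl Mode {
    /// Mirrors ClientCertVerifier::offer_client_auth: only no_client_auth
    /// stops the server from requesting a certificate at all.
    pub fn offer_client_auth(self) -> bool {
        !matches!(self, Mode::NoClientAuth)
    }

    /// Mirrors ClientCertVerifier::client_auth_mandatory, whose default is
    /// offer_client_auth(); allow_unauthenticated overrides it to false.
    pub fn client_auth_mandatory(self) -> bool {
        match self {
            Mode::Required => true,
            Mode::Optional | Mode::NoClientAuth => false,
        }
    }
}

/// What the client sent back (constructed sample states, not real certs).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ClientCert { None, Trusted, Untrusted, Revoked }

#[derive(Debug, PartialEq)]
pub enum Outcome { Anonymous, Authenticated, Rejected }

/// Decision the server reaches after the client's Certificate message.
pub fn handshake_outcome(mode: Mode, cert: ClientCert) -> Outcome {
    if !mode.offer_client_auth() {
        // The server never asked for a certificate, so none is examined.
        return Outcome::Anonymous;
    }
    match cert {
        ClientCert::None if mode.client_auth_mandatory() => Outcome::Rejected,
        ClientCert::None => Outcome::Anonymous,
        ClientCert::Trusted => Outcome::Authenticated,
        // A presented certificate is always verified (chain to roots, CRL
        // check when with_crls was used); failure aborts the handshake even
        // when client authentication is optional.
        ClientCert::Untrusted | ClientCert::Revoked => Outcome::Rejected,
    }
}
```

The point worth remembering from the Optional row: allow_unauthenticated() accepts clients that send no certificate, not clients that send a bad one.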

Implementations

impl WebPkiClientVerifier

pub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder

Create a builder for the webpki client certificate verifier configuration using the process-default CryptoProvider.

Client certificate authentication will be offered by the server, and client certificates will be verified using the trust anchors found in the provided roots. If you wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.

Use Self::builder_with_provider if you wish to specify an explicit provider.

For more information, see the ClientCertVerifierBuilder documentation.

pub fn builder_with_provider(roots: Arc<RootCertStore>, provider: Arc<CryptoProvider>) -> ClientCertVerifierBuilder

Create a builder for the webpki client certificate verifier configuration using a specified CryptoProvider.

Client certificate authentication will be offered by the server, and client certificates will be verified using the trust anchors found in the provided roots. If you wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.

The cryptography used comes from the specified CryptoProvider.

For more information, see the ClientCertVerifierBuilder documentation.

pub fn no_client_auth() -> Arc<dyn ClientCertVerifier>

Create a new WebPkiClientVerifier that disables client authentication. The server will not offer client authentication and anonymous clients will be accepted.

This is in contrast to using WebPkiClientVerifier::builder().allow_unauthenticated().build(), which will produce a verifier that will offer client authentication, but not require it.

Trait Implementations

impl ClientCertVerifier for WebPkiClientVerifier

fn offer_client_auth(&self) -> bool

Returns true to enable the server to request a client certificate and false to skip requesting a client certificate. Defaults to true.

fn client_auth_mandatory(&self) -> bool

Return true to require a client certificate and false to make client authentication optional. Defaults to self.offer_client_auth().

fn root_hint_subjects(&self) -> &[DistinguishedName]

Returns the DistinguishedName subjects that the server will hint to clients to identify acceptable authentication trust anchors.

fn verify_client_cert(&self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], now: UnixTime) -> Result<ClientCertVerified, Error>

Verify the end-entity certificate end_entity is valid, acceptable, and chains to at least one of the trust anchors trusted by this verifier.

fn verify_tls12_signature(&self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn verify_tls13_signature(&self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.

fn requires_raw_public_keys(&self) -> bool

Returns whether this verifier requires raw public keys as defined in RFC 7250.

impl Debug for WebPkiClientVerifier

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.
