/rust/registry/src/index.crates.io-1949cf8c6b5b557f/rustls-0.23.27/src/server/builder.rs
Line | Count | Source |
1 | | use alloc::vec::Vec; |
2 | | use core::marker::PhantomData; |
3 | | |
4 | | use pki_types::{CertificateDer, PrivateKeyDer}; |
5 | | |
6 | | use super::{ResolvesServerCert, ServerConfig, handy}; |
7 | | use crate::builder::{ConfigBuilder, WantsVerifier}; |
8 | | use crate::error::Error; |
9 | | use crate::sign::{CertifiedKey, SingleCertAndKey}; |
10 | | use crate::sync::Arc; |
11 | | use crate::verify::{ClientCertVerifier, NoClientAuth}; |
12 | | use crate::{NoKeyLog, compress, versions}; |
13 | | |
14 | | impl ConfigBuilder<ServerConfig, WantsVerifier> { |
15 | | /// Choose how to verify client certificates. |
16 | 0 | pub fn with_client_cert_verifier( |
17 | 0 | self, |
18 | 0 | client_cert_verifier: Arc<dyn ClientCertVerifier>, |
19 | 0 | ) -> ConfigBuilder<ServerConfig, WantsServerCert> { |
20 | 0 | ConfigBuilder { |
21 | 0 | state: WantsServerCert { |
22 | 0 | versions: self.state.versions, |
23 | 0 | verifier: client_cert_verifier, |
24 | 0 | }, |
25 | 0 | provider: self.provider, |
26 | 0 | time_provider: self.time_provider, |
27 | 0 | side: PhantomData, |
28 | 0 | } |
29 | 0 | } |
30 | | |
31 | | /// Disable client authentication. |
32 | 0 | pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert> { |
33 | 0 | self.with_client_cert_verifier(Arc::new(NoClientAuth)) |
34 | 0 | } |
35 | | } |
36 | | |
37 | | /// A config builder state where the caller must supply how to provide a server certificate to |
38 | | /// the connecting peer. |
39 | | /// |
40 | | /// For more information, see the [`ConfigBuilder`] documentation. |
41 | | #[derive(Clone, Debug)] |
42 | | pub struct WantsServerCert { |
43 | | versions: versions::EnabledVersions, |
44 | | verifier: Arc<dyn ClientCertVerifier>, |
45 | | } |
46 | | |
47 | | impl ConfigBuilder<ServerConfig, WantsServerCert> { |
48 | | /// Sets a single certificate chain and matching private key. This |
49 | | /// certificate and key is used for all subsequent connections, |
50 | | /// irrespective of things like SNI hostname. |
51 | | /// |
52 | | /// Note that the end-entity certificate must have the |
53 | | /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1) |
54 | | /// extension to describe, e.g., the valid DNS name. The `commonName` field is |
55 | | /// disregarded. |
56 | | /// |
57 | | /// `cert_chain` is a vector of DER-encoded certificates. |
58 | | /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The |
59 | | /// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support |
60 | | /// all three encodings, but other `CryptoProviders` may not. |
61 | | /// |
62 | | /// This function fails if `key_der` is invalid, or if the |
63 | | /// `SubjectPublicKeyInfo` from the private key does not match the public |
64 | | /// key for the end-entity certificate from the `cert_chain`. |
65 | 0 | pub fn with_single_cert( |
66 | 0 | self, |
67 | 0 | cert_chain: Vec<CertificateDer<'static>>, |
68 | 0 | key_der: PrivateKeyDer<'static>, |
69 | 0 | ) -> Result<ServerConfig, Error> { |
70 | 0 | let certified_key = CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?; |
71 | 0 | Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key)))) |
72 | 0 | } |
73 | | |
74 | | /// Sets a single certificate chain, matching private key and optional OCSP |
75 | | /// response. This certificate and key is used for all |
76 | | /// subsequent connections, irrespective of things like SNI hostname. |
77 | | /// |
78 | | /// `cert_chain` is a vector of DER-encoded certificates. |
79 | | /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The |
80 | | /// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support |
81 | | /// all three encodings, but other `CryptoProviders` may not. |
82 | | /// `ocsp` is a DER-encoded OCSP response. Ignored if zero length. |
83 | | /// |
84 | | /// This function fails if `key_der` is invalid, or if the |
85 | | /// `SubjectPublicKeyInfo` from the private key does not match the public |
86 | | /// key for the end-entity certificate from the `cert_chain`. |
87 | 0 | pub fn with_single_cert_with_ocsp( |
88 | 0 | self, |
89 | 0 | cert_chain: Vec<CertificateDer<'static>>, |
90 | 0 | key_der: PrivateKeyDer<'static>, |
91 | 0 | ocsp: Vec<u8>, |
92 | 0 | ) -> Result<ServerConfig, Error> { |
93 | 0 | let mut certified_key = |
94 | 0 | CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?; |
95 | 0 | certified_key.ocsp = Some(ocsp); |
96 | 0 | Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key)))) |
97 | 0 | } |
98 | | |
99 | | /// Sets a custom [`ResolvesServerCert`]. |
100 | 0 | pub fn with_cert_resolver(self, cert_resolver: Arc<dyn ResolvesServerCert>) -> ServerConfig { |
101 | 0 | ServerConfig { |
102 | 0 | provider: self.provider, |
103 | 0 | verifier: self.state.verifier, |
104 | 0 | cert_resolver, |
105 | 0 | ignore_client_order: false, |
106 | 0 | max_fragment_size: None, |
107 | 0 | #[cfg(feature = "std")] |
108 | 0 | session_storage: handy::ServerSessionMemoryCache::new(256), |
109 | 0 | #[cfg(not(feature = "std"))] |
110 | 0 | session_storage: Arc::new(handy::NoServerSessionStorage {}), |
111 | 0 | ticketer: Arc::new(handy::NeverProducesTickets {}), |
112 | 0 | alpn_protocols: Vec::new(), |
113 | 0 | versions: self.state.versions, |
114 | 0 | key_log: Arc::new(NoKeyLog {}), |
115 | 0 | enable_secret_extraction: false, |
116 | 0 | max_early_data_size: 0, |
117 | 0 | send_half_rtt_data: false, |
118 | 0 | send_tls13_tickets: 2, |
119 | 0 | #[cfg(feature = "tls12")] |
120 | 0 | require_ems: cfg!(feature = "fips"), |
121 | 0 | time_provider: self.time_provider, |
122 | 0 | cert_compressors: compress::default_cert_compressors().to_vec(), |
123 | 0 | cert_compression_cache: Arc::new(compress::CompressionCache::default()), |
124 | 0 | cert_decompressors: compress::default_cert_decompressors().to_vec(), |
125 | 0 | } |
126 | 0 | } |
127 | | } |