Trait rustls::ClientCertVerifier
pub trait ClientCertVerifier: Send + Sync {
fn client_auth_root_subjects(
&self,
sni: Option<&DNSName>
) -> Option<DistinguishedNames>;
fn verify_client_cert(
&self,
presented_certs: &[Certificate],
sni: Option<&DNSName>
) -> Result<ClientCertVerified, TLSError>;
fn offer_client_auth(&self) -> bool { ... }
fn client_auth_mandatory(&self, _sni: Option<&DNSName>) -> Option<bool> { ... }
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError> { ... }
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError> { ... }
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { ... }
}
Something that can verify a client certificate chain
Required Methods
fn client_auth_root_subjects(
&self,
sni: Option<&DNSName>
) -> Option<DistinguishedNames>
Returns the subject names of the client authentication trust anchors to share with the client when requesting client authentication.
Return None to abort the connection.
sni is the server name quoted by the client in its ClientHello; it has been validated as a proper DNS name but is otherwise untrusted.
fn verify_client_cert(
&self,
presented_certs: &[Certificate],
sni: Option<&DNSName>
) -> Result<ClientCertVerified, TLSError>
Verify a certificate chain. presented_certs is the certificate chain from the client.
sni is the server name quoted by the client in its ClientHello; it has been validated as a proper DNS name but is otherwise untrusted.
Provided Methods
fn offer_client_auth(&self) -> bool
Returns true to enable the server to request a client certificate and false to skip requesting a client certificate. Defaults to true.
fn client_auth_mandatory(&self, _sni: Option<&DNSName>) -> Option<bool>
Return Some(true) to require a client certificate and Some(false) to make client authentication optional. Return None to abort the connection.
Defaults to Some(self.offer_client_auth()).
sni is the server name quoted by the client in its ClientHello; it has been validated as a proper DNS name but is otherwise untrusted.
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
Verify a signature allegedly by the given server certificate.
message is not hashed, and needs hashing during the verification. The signature and algorithm are within dss. cert contains the public key to use.
cert is the same certificate that was previously validated by a call to verify_server_cert.
If and only if the signature is valid, return HandshakeSignatureValid. Otherwise, return an error – rustls will send an alert and abort the connection.
This method is only called for TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound to the specific curve implied in their name.
This trait method has a default implementation that uses webpki to verify the signature.
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
Verify a signature allegedly by the given server certificate.
This method is only called for TLS1.3 handshakes.
This method is very similar to verify_tls12_signature: but note the tighter ECDSA SignatureScheme semantics – eg SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement for you.
This trait method has a default implementation that uses webpki to verify the signature.
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.
This should be in priority order, with the most preferred first.
This trait method has a default implementation that reflects the schemes supported by webpki.