Add built-in support for rustls-platform-verifier

rustls · Jan 24, 2024 · 8500db1 · 8500db1
1 parent ad93d22
commit 8500db1
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
 rustls-native-certs = { version = "0.7", optional = true }
+rustls-platform-verifier = { version = "0.2", optional = true }
 rustls = { version = "0.22", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "0.25", default-features = false }
@@ -37,6 +38,7 @@ http1 = ["hyper-util/http1"]
 http2 = ["hyper-util/http2"]
 webpki-tokio = ["webpki-roots"]
 native-tokio = ["rustls-native-certs"]
+platform-verifier = ["rustls-platform-verifier"]
 ring = ["rustls/ring"]
 tls12 = ["tokio-rustls/tls12", "rustls/tls12"]
 logging = ["log", "tokio-rustls/logging", "rustls/logging"]

diff --git a/src/config.rs b/src/config.rs
@@ -1,3 +1,5 @@
+use std::sync::Arc;
+
 #[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
 use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
@@ -7,6 +9,10 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 /// This adds methods (gated by crate features) for easily configuring
 /// TLS server roots a rustls ClientConfig will trust.
 pub trait ConfigBuilderExt {
+    /// Use the platform's native verifier to verify server certificates.
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;
+
     /// This configures the platform's trusted certs, as implemented by
     /// rustls-native-certs
     ///
@@ -22,6 +28,14 @@ pub trait ConfigBuilderExt {
 }
 
 impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
+        self.dangerous()
+            .with_custom_certificate_verifier(Arc::new(
+                rustls_platform_verifier::Verifier::default(),
+            ))
+    }
+
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
     fn with_native_roots(self) -> std::io::Result<ConfigBuilder<ClientConfig, WantsClientCert>> {

diff --git a/src/connector/builder.rs b/src/connector/builder.rs
@@ -51,6 +51,18 @@ impl ConnectorBuilder<WantsTlsConfig> {
         ConnectorBuilder(WantsSchemes { tls_config: config })
     }
 
+    /// Use rustls' default crypto provider and other defaults, and the platform verifier
+    ///
+    /// See [`ConfigBuilderExt::with_platform_verifier()'].
+    #[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
+    pub fn with_platform_verifier(self) -> ConnectorBuilder<WantsSchemes> {
+        self.with_tls_config(
+            ClientConfig::builder()
+                .with_platform_verifier()
+                .with_no_client_auth(),
+        )
+    }
+
     /// Shorthand for using rustls' default crypto provider and safe defaults, with
     /// native roots.
     ///