pub struct WebPkiClientVerifier { /* private fields */ }
Expand description
A client certificate verifier that uses the webpki
crate1 to perform client certificate
validation. It must be created via the WebPkiClientVerifier::builder() function.
Once built, the provided Arc<dyn ClientCertVerifier>
can be used with a Rustls ServerConfig
to configure client certificate validation using with_client_cert_verifier
.
Example:
To require all clients present a client certificate issued by a trusted CA:
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.build()
.unwrap();
Or, to allow clients presenting a client certificate authenticated by a trusted CA, or anonymous clients that present no client certificate:
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.allow_unauthenticated()
.build()
.unwrap();
If you wish to disable advertising client authentication:
let client_verifier = WebPkiClientVerifier::no_client_auth();
You can also configure the client verifier to check for certificate revocation with client certificate revocation lists (CRLs):
let client_verifier = WebPkiClientVerifier::builder(roots.into())
.with_crls(crls)
.build()
.unwrap();
Implementations§
source§impl WebPkiClientVerifier
impl WebPkiClientVerifier
sourcepub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder
pub fn builder(roots: Arc<RootCertStore>) -> ClientCertVerifierBuilder
Create a builder for the webpki
client certificate verifier configuration using
the default CryptoProvider
.
Client certificate authentication will be offered by the server, and client certificates
will be verified using the trust anchors found in the provided roots
. If you
wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.
The cryptography used comes from the default CryptoProvider
: crypto::ring::default_provider
.
Use Self::builder_with_provider
if you wish to customize this.
For more information, see the ClientCertVerifierBuilder
documentation.
sourcepub fn builder_with_provider(
roots: Arc<RootCertStore>,
provider: Arc<CryptoProvider>,
) -> ClientCertVerifierBuilder
pub fn builder_with_provider( roots: Arc<RootCertStore>, provider: Arc<CryptoProvider>, ) -> ClientCertVerifierBuilder
Create a builder for the webpki
client certificate verifier configuration using
a specified CryptoProvider
.
Client certificate authentication will be offered by the server, and client certificates
will be verified using the trust anchors found in the provided roots
. If you
wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.
The cryptography used comes from the specified CryptoProvider
.
For more information, see the ClientCertVerifierBuilder
documentation.
sourcepub fn no_client_auth() -> Arc<dyn ClientCertVerifier>
pub fn no_client_auth() -> Arc<dyn ClientCertVerifier>
Create a new WebPkiClientVerifier
that disables client authentication. The server will
not offer client authentication and anonymous clients will be accepted.
This is in contrast to using WebPkiClientVerifier::builder().allow_unauthenticated().build()
,
which will produce a verifier that will offer client authentication, but not require it.
Trait Implementations§
source§impl ClientCertVerifier for WebPkiClientVerifier
impl ClientCertVerifier for WebPkiClientVerifier
source§fn offer_client_auth(&self) -> bool
fn offer_client_auth(&self) -> bool
true
to enable the server to request a client certificate and
false
to skip requesting a client certificate. Defaults to true
.source§fn client_auth_mandatory(&self) -> bool
fn client_auth_mandatory(&self) -> bool
true
to require a client certificate and false
to make
client authentication optional.
Defaults to self.offer_client_auth()
.source§fn root_hint_subjects(&self) -> &[DistinguishedName]
fn root_hint_subjects(&self) -> &[DistinguishedName]
DistinguishedName
subjects that the server will hint to clients to
identify acceptable authentication trust anchors. Read moresource§fn verify_client_cert(
&self,
end_entity: &CertificateDer<'_>,
intermediates: &[CertificateDer<'_>],
now: UnixTime,
) -> Result<ClientCertVerified, Error>
fn verify_client_cert( &self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], now: UnixTime, ) -> Result<ClientCertVerified, Error>
end_entity
is valid, acceptable,
and chains to at least one of the trust anchors trusted by
this verifier. Read moresource§fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls12_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
source§fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> Result<HandshakeSignatureValid, Error>
fn verify_tls13_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>
source§fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
verify_tls12_signature
and verify_tls13_signature
calls. Read more