builder.rs source code [crates/rustls/src/server/builder.rs]

1	use alloc::vec::Vec;
2	use core::marker::PhantomData;
3
4	use pki_types::{CertificateDer, PrivateKeyDer};
5
6	use super::{ResolvesServerCert, ServerConfig, handy};
7	use crate::builder::{ConfigBuilder, WantsVerifier};
8	use crate::error::Error;
9	use crate::sign::{CertifiedKey, SingleCertAndKey};
10	use crate::sync::Arc;
11	use crate::verify::{ClientCertVerifier, NoClientAuth};
12	use crate::{NoKeyLog, compress, versions};
13
14	impl ConfigBuilder<ServerConfig, WantsVerifier> {
15	/// Choose how to verify client certificates.
16	pub fn with_client_cert_verifier(
17	self,
18	client_cert_verifier: Arc<dyn ClientCertVerifier>,
19	) -> ConfigBuilder<ServerConfig, WantsServerCert> {
20	ConfigBuilder {
21	state: WantsServerCert {
22	versions: self.state.versions,
23	verifier: client_cert_verifier,
24	},
25	provider: self.provider,
26	time_provider: self.time_provider,
27	side: PhantomData,
28	}
29	}
30
31	/// Disable client authentication.
32	pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert> {
33	self.with_client_cert_verifier(Arc::new(data:NoClientAuth))
34	}
35	}
36
37	/// A config builder state where the caller must supply how to provide a server certificate to
38	/// the connecting peer.
39	///
40	/// For more information, see the [`ConfigBuilder`] documentation.
41	#[derive(Clone, Debug)]
42	pub struct WantsServerCert {
43	versions: versions::EnabledVersions,
44	verifier: Arc<dyn ClientCertVerifier>,
45	}
46
47	impl ConfigBuilder<ServerConfig, WantsServerCert> {
48	/// Sets a single certificate chain and matching private key. This
49	/// certificate and key is used for all subsequent connections,
50	/// irrespective of things like SNI hostname.
51	///
52	/// Note that the end-entity certificate must have the
53	/// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1)
54	/// extension to describe, e.g., the valid DNS name. The `commonName` field is
55	/// disregarded.
56	///
57	/// `cert_chain` is a vector of DER-encoded certificates.
58	/// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
59	/// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support
60	/// all three encodings, but other `CryptoProviders` may not.
61	///
62	/// This function fails if `key_der` is invalid, or if the
63	/// `SubjectPublicKeyInfo` from the private key does not match the public
64	/// key for the end-entity certificate from the `cert_chain`.
65	pub fn with_single_cert(
66	self,
67	cert_chain: Vec<CertificateDer<'static>>,
68	key_der: PrivateKeyDer<'static>,
69	) -> Result<ServerConfig, Error> {
70	let certified_key = CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?;
71	Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key))))
72	}
73
74	/// Sets a single certificate chain, matching private key and optional OCSP
75	/// response. This certificate and key is used for all
76	/// subsequent connections, irrespective of things like SNI hostname.
77	///
78	/// `cert_chain` is a vector of DER-encoded certificates.
79	/// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
80	/// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support
81	/// all three encodings, but other `CryptoProviders` may not.
82	/// `ocsp` is a DER-encoded OCSP response. Ignored if zero length.
83	///
84	/// This function fails if `key_der` is invalid, or if the
85	/// `SubjectPublicKeyInfo` from the private key does not match the public
86	/// key for the end-entity certificate from the `cert_chain`.
87	pub fn with_single_cert_with_ocsp(
88	self,
89	cert_chain: Vec<CertificateDer<'static>>,
90	key_der: PrivateKeyDer<'static>,
91	ocsp: Vec<u8>,
92	) -> Result<ServerConfig, Error> {
93	let mut certified_key =
94	CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?;
95	certified_key.ocsp = Some(ocsp);
96	Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key))))
97	}
98
99	/// Sets a custom [`ResolvesServerCert`].
100	pub fn with_cert_resolver(self, cert_resolver: Arc<dyn ResolvesServerCert>) -> ServerConfig {
101	ServerConfig {
102	provider: self.provider,
103	verifier: self.state.verifier,
104	cert_resolver,
105	ignore_client_order: `false`,
106	max_fragment_size: None,
107	#[cfg(feature = "std")]
108	session_storage: handy::ServerSessionMemoryCache::new(`256`),
109	#[cfg(not(feature = "std"))]
110	session_storage: Arc::new(handy::NoServerSessionStorage {}),
111	ticketer: Arc::new(handy::NeverProducesTickets {}),
112	alpn_protocols: Vec::new(),
113	versions: self.state.versions,
114	key_log: Arc::new(NoKeyLog {}),
115	enable_secret_extraction: `false`,
116	max_early_data_size: `0`,
117	send_half_rtt_data: `false`,
118	send_tls13_tickets: `2`,
119	#[cfg(feature = "tls12")]
120	require_ems: cfg!(feature = "fips"),
121	time_provider: self.time_provider,
122	cert_compressors: compress::default_cert_compressors().to_vec(),
123	cert_compression_cache: Arc::new(compress::CompressionCache::default()),
124	cert_decompressors: compress::default_cert_decompressors().to_vec(),
125	}
126	}
127	}
128