rustls/server/
builder.rs

1use alloc::vec::Vec;
2use core::marker::PhantomData;
3
4use pki_types::{CertificateDer, PrivateKeyDer};
5
6use super::{ResolvesServerCert, ServerConfig, handy};
7use crate::builder::{ConfigBuilder, WantsVerifier};
8use crate::error::Error;
9use crate::sign::{CertifiedKey, SingleCertAndKey};
10use crate::sync::Arc;
11use crate::verify::{ClientCertVerifier, NoClientAuth};
12use crate::{NoKeyLog, compress, versions};
13
14impl ConfigBuilder<ServerConfig, WantsVerifier> {
15    /// Choose how to verify client certificates.
16    pub fn with_client_cert_verifier(
17        self,
18        client_cert_verifier: Arc<dyn ClientCertVerifier>,
19    ) -> ConfigBuilder<ServerConfig, WantsServerCert> {
20        ConfigBuilder {
21            state: WantsServerCert {
22                versions: self.state.versions,
23                verifier: client_cert_verifier,
24            },
25            provider: self.provider,
26            time_provider: self.time_provider,
27            side: PhantomData,
28        }
29    }
30
31    /// Disable client authentication.
32    pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert> {
33        self.with_client_cert_verifier(Arc::new(NoClientAuth))
34    }
35}
36
37/// A config builder state where the caller must supply how to provide a server certificate to
38/// the connecting peer.
39///
40/// For more information, see the [`ConfigBuilder`] documentation.
41#[derive(Clone, Debug)]
42pub struct WantsServerCert {
43    versions: versions::EnabledVersions,
44    verifier: Arc<dyn ClientCertVerifier>,
45}
46
47impl ConfigBuilder<ServerConfig, WantsServerCert> {
48    /// Sets a single certificate chain and matching private key.  This
49    /// certificate and key is used for all subsequent connections,
50    /// irrespective of things like SNI hostname.
51    ///
52    /// Note that the end-entity certificate must have the
53    /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1)
54    /// extension to describe, e.g., the valid DNS name. The `commonName` field is
55    /// disregarded.
56    ///
57    /// `cert_chain` is a vector of DER-encoded certificates.
58    /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
59    /// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support
60    /// all three encodings, but other `CryptoProviders` may not.
61    ///
62    /// This function fails if `key_der` is invalid, or if the
63    /// `SubjectPublicKeyInfo` from the private key does not match the public
64    /// key for the end-entity certificate from the `cert_chain`.
65    pub fn with_single_cert(
66        self,
67        cert_chain: Vec<CertificateDer<'static>>,
68        key_der: PrivateKeyDer<'static>,
69    ) -> Result<ServerConfig, Error> {
70        let certified_key = CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?;
71        Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key))))
72    }
73
74    /// Sets a single certificate chain, matching private key and optional OCSP
75    /// response.  This certificate and key is used for all
76    /// subsequent connections, irrespective of things like SNI hostname.
77    ///
78    /// `cert_chain` is a vector of DER-encoded certificates.
79    /// `key_der` is a DER-encoded private key as PKCS#1, PKCS#8, or SEC1. The
80    /// `aws-lc-rs` and `ring` [`CryptoProvider`][crate::CryptoProvider]s support
81    /// all three encodings, but other `CryptoProviders` may not.
82    /// `ocsp` is a DER-encoded OCSP response.  Ignored if zero length.
83    ///
84    /// This function fails if `key_der` is invalid, or if the
85    /// `SubjectPublicKeyInfo` from the private key does not match the public
86    /// key for the end-entity certificate from the `cert_chain`.
87    pub fn with_single_cert_with_ocsp(
88        self,
89        cert_chain: Vec<CertificateDer<'static>>,
90        key_der: PrivateKeyDer<'static>,
91        ocsp: Vec<u8>,
92    ) -> Result<ServerConfig, Error> {
93        let mut certified_key =
94            CertifiedKey::from_der(cert_chain, key_der, self.crypto_provider())?;
95        certified_key.ocsp = Some(ocsp);
96        Ok(self.with_cert_resolver(Arc::new(SingleCertAndKey::from(certified_key))))
97    }
98
99    /// Sets a custom [`ResolvesServerCert`].
100    pub fn with_cert_resolver(self, cert_resolver: Arc<dyn ResolvesServerCert>) -> ServerConfig {
101        ServerConfig {
102            provider: self.provider,
103            verifier: self.state.verifier,
104            cert_resolver,
105            ignore_client_order: false,
106            max_fragment_size: None,
107            #[cfg(feature = "std")]
108            session_storage: handy::ServerSessionMemoryCache::new(256),
109            #[cfg(not(feature = "std"))]
110            session_storage: Arc::new(handy::NoServerSessionStorage {}),
111            ticketer: Arc::new(handy::NeverProducesTickets {}),
112            alpn_protocols: Vec::new(),
113            versions: self.state.versions,
114            key_log: Arc::new(NoKeyLog {}),
115            enable_secret_extraction: false,
116            max_early_data_size: 0,
117            send_half_rtt_data: false,
118            send_tls13_tickets: 2,
119            #[cfg(feature = "tls12")]
120            require_ems: cfg!(feature = "fips"),
121            time_provider: self.time_provider,
122            cert_compressors: compress::default_cert_compressors().to_vec(),
123            cert_compression_cache: Arc::new(compress::CompressionCache::default()),
124            cert_decompressors: compress::default_cert_decompressors().to_vec(),
125        }
126    }
127}