Struct rustls::server::ClientCertVerifierBuilder

source ·
pub struct ClientCertVerifierBuilder { /* private fields */ }
Expand description

A builder for configuring a webpki client certificate verifier.

For more information, see the WebPkiClientVerifier documentation.

Implementations§

source§

impl ClientCertVerifierBuilder

source

pub fn clear_root_hint_subjects(self) -> Self

Clear the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will remove these hint subjects, indicating the client should make a free choice of which certificate to send.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to clear the default hint subjects.

source

pub fn add_root_hint_subjects( self, subjects: impl IntoIterator<Item = DistinguishedName>, ) -> Self

Add additional DistinguishedNames to the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will add to these existing hint subjects. Calling this function with empty subjects will have no effect.

See ClientCertVerifier::root_hint_subjects for more information on circumstances where you may want to override the default hint subjects.

source

pub fn with_crls( self, crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>, ) -> Self

Verify the revocation state of presented client certificates against the provided certificate revocation lists (CRLs). Calling with_crls multiple times appends the given CRLs to the existing collection.

By default all certificates in the verified chain built from the presented client certificate to a trust anchor will have their revocation status checked. Calling only_check_end_entity_revocation will change this behavior to only check the end entity client certificate.

By default if a certificate’s revocation status can not be determined using the configured CRLs, it will be treated as an error. Calling allow_unknown_revocation_status will change this behavior to allow unknown revocation status.

source

pub fn only_check_end_entity_revocation(self) -> Self

Only check the end entity certificate revocation status when using CRLs.

If CRLs are provided using with_crls only check the end entity certificate’s revocation status. Overrides the default behavior of checking revocation status for each certificate in the verified chain built to a trust anchor (excluding the trust anchor itself).

If no CRLs are provided then this setting has no effect. Neither the end entity certificate or any intermediates will have revocation status checked.

source

pub fn allow_unauthenticated(self) -> Self

Allow unauthenticated clients to connect.

Clients that offer a client certificate issued by a trusted root, and clients that offer no client certificate will be allowed to connect.

source

pub fn allow_unknown_revocation_status(self) -> Self

Allow unknown certificate revocation status when using CRLs.

If CRLs are provided with with_crls and it isn’t possible to determine the revocation status of a certificate, do not treat it as an error condition. Overrides the default behavior where unknown revocation status is considered an error.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn enforce_revocation_expiration(self) -> Self

Enforce the CRL nextUpdate field (i.e. expiration)

If CRLs are provided with with_crls and the verification time is beyond the time in the CRL nextUpdate field, it is expired and treated as an error condition. Overrides the default behavior where expired CRLs are not treated as an error condition.

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

source

pub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>

Build a client certificate verifier. The built verifier will be used for the server to offer client certificate authentication, to control how offered client certificates are validated, and to determine what to do with anonymous clients that do not respond to the client certificate authentication offer with a client certificate.

If with_signature_verification_algorithms was not called on the builder, a default set of signature verification algorithms is used, controlled by the selected CryptoProvider.

Once built, the provided Arc<dyn ClientCertVerifier> can be used with a Rustls ServerConfig to configure client certificate validation using with_client_cert_verifier.

§Errors

This function will return a VerifierBuilderError if:

  1. No trust anchors have been provided.
  2. DER encoded CRLs have been provided that can not be parsed successfully.

Trait Implementations§

source§

impl Clone for ClientCertVerifierBuilder

source§

fn clone(&self) -> ClientCertVerifierBuilder

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for ClientCertVerifierBuilder

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> CloneToUninit for T
where T: Clone,

source§

default unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.