rustls/server/
builder.rs

1use crate::builder::{ConfigBuilder, WantsVerifier};
2use crate::error::Error;
3use crate::key;
4use crate::kx::SupportedKxGroup;
5use crate::server::handy;
6use crate::server::{ResolvesServerCert, ServerConfig};
7use crate::suites::SupportedCipherSuite;
8use crate::verify;
9use crate::versions;
10use crate::NoKeyLog;
11
12use std::marker::PhantomData;
13use std::sync::Arc;
14
15impl ConfigBuilder<ServerConfig, WantsVerifier> {
16    /// Choose how to verify client certificates.
17    pub fn with_client_cert_verifier(
18        self,
19        client_cert_verifier: Arc<dyn verify::ClientCertVerifier>,
20    ) -> ConfigBuilder<ServerConfig, WantsServerCert> {
21        ConfigBuilder {
22            state: WantsServerCert {
23                cipher_suites: self.state.cipher_suites,
24                kx_groups: self.state.kx_groups,
25                versions: self.state.versions,
26                verifier: client_cert_verifier,
27            },
28            side: PhantomData,
29        }
30    }
31
32    /// Disable client authentication.
33    pub fn with_no_client_auth(self) -> ConfigBuilder<ServerConfig, WantsServerCert> {
34        self.with_client_cert_verifier(verify::NoClientAuth::boxed())
35    }
36}
37
38/// A config builder state where the caller must supply how to provide a server certificate to
39/// the connecting peer.
40///
41/// For more information, see the [`ConfigBuilder`] documentation.
42#[derive(Clone, Debug)]
43pub struct WantsServerCert {
44    cipher_suites: Vec<SupportedCipherSuite>,
45    kx_groups: Vec<&'static SupportedKxGroup>,
46    versions: versions::EnabledVersions,
47    verifier: Arc<dyn verify::ClientCertVerifier>,
48}
49
50impl ConfigBuilder<ServerConfig, WantsServerCert> {
51    /// Sets a single certificate chain and matching private key.  This
52    /// certificate and key is used for all subsequent connections,
53    /// irrespective of things like SNI hostname.
54    ///
55    /// Note that the end-entity certificate must have the
56    /// [Subject Alternative Name](https://tools.ietf.org/html/rfc6125#section-4.1)
57    /// extension to describe, e.g., the valid DNS name. The `commonName` field is
58    /// disregarded.
59    ///
60    /// `cert_chain` is a vector of DER-encoded certificates.
61    /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key.
62    ///
63    /// This function fails if `key_der` is invalid.
64    pub fn with_single_cert(
65        self,
66        cert_chain: Vec<key::Certificate>,
67        key_der: key::PrivateKey,
68    ) -> Result<ServerConfig, Error> {
69        let resolver = handy::AlwaysResolvesChain::new(cert_chain, &key_der)?;
70        Ok(self.with_cert_resolver(Arc::new(resolver)))
71    }
72
73    /// Sets a single certificate chain, matching private key, OCSP
74    /// response and SCTs.  This certificate and key is used for all
75    /// subsequent connections, irrespective of things like SNI hostname.
76    ///
77    /// `cert_chain` is a vector of DER-encoded certificates.
78    /// `key_der` is a DER-encoded RSA, ECDSA, or Ed25519 private key.
79    /// `ocsp` is a DER-encoded OCSP response.  Ignored if zero length.
80    /// `scts` is an `SignedCertificateTimestampList` encoding (see RFC6962)
81    /// and is ignored if empty.
82    ///
83    /// This function fails if `key_der` is invalid.
84    pub fn with_single_cert_with_ocsp_and_sct(
85        self,
86        cert_chain: Vec<key::Certificate>,
87        key_der: key::PrivateKey,
88        ocsp: Vec<u8>,
89        scts: Vec<u8>,
90    ) -> Result<ServerConfig, Error> {
91        let resolver =
92            handy::AlwaysResolvesChain::new_with_extras(cert_chain, &key_der, ocsp, scts)?;
93        Ok(self.with_cert_resolver(Arc::new(resolver)))
94    }
95
96    /// Sets a custom [`ResolvesServerCert`].
97    pub fn with_cert_resolver(self, cert_resolver: Arc<dyn ResolvesServerCert>) -> ServerConfig {
98        ServerConfig {
99            cipher_suites: self.state.cipher_suites,
100            kx_groups: self.state.kx_groups,
101            verifier: self.state.verifier,
102            cert_resolver,
103            ignore_client_order: false,
104            max_fragment_size: None,
105            session_storage: handy::ServerSessionMemoryCache::new(256),
106            ticketer: Arc::new(handy::NeverProducesTickets {}),
107            alpn_protocols: Vec::new(),
108            versions: self.state.versions,
109            key_log: Arc::new(NoKeyLog {}),
110            #[cfg(feature = "secret_extraction")]
111            enable_secret_extraction: false,
112            max_early_data_size: 0,
113            send_half_rtt_data: false,
114            send_tls13_tickets: 4,
115        }
116    }
117}