use std::sync::Arc;
use rustls::{Certificate, TLSError};
use webpki::DNSName;

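/// Client-certificate verifier that accepts any certificate a client presents,
/// or none at all, and only preserves it for the application to inspect.
///
/// The certificate is not chained to any trust anchor and neither its validity
/// dates nor revocation are checked, so its subject is not authenticated by
/// this type; whatever the application reads back from the session is an
/// unverified claim until it applies its own policy.
/// Probably unsafe, TODO implement trust-on-first-use for these
#[derive(Debug, Default, Clone, Copy)]
pub struct TrustAnyClientCertOrAnonymous;

impl TrustAnyClientCertOrAnonymous {
    /// Build the verifier already wrapped in the `Arc` that the rustls
    /// server-config API takes, so callers do not have to wrap it themselves.
    pub fn new() -> Arc<Self> {
        Arc::new(Self)
    }
}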

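impl rustls::ClientCertVerifier for TrustAnyClientCertOrAnonymous {
    /// Request a certificate from every client (rustls sends a
    /// `CertificateRequest` during the handshake).
    fn offer_client_auth(&self) -> bool {
        true
    }

    /// A client that sends no certificate may still connect; the session then
    /// simply carries no peer certificate.
    fn client_auth_mandatory(&self, _sni: Option<&DNSName>) -> Option<bool> {
        Some(false)
    }

    /// Advertise no acceptable CA names in the `CertificateRequest`. In TLS an
    /// empty list places no constraint on the issuer of the certificate the
    /// client chooses, so self-signed client certificates are not filtered out
    /// at this stage.
    fn client_auth_root_subjects(&self, _sni: Option<&DNSName>) -> Option<rustls::DistinguishedNames> {
        log::debug!("uhhh what the hell is client_auth_root_subjects");
        Some(rustls::DistinguishedNames::new())
    }

    /// Accept whatever the client presented: no path is built to a trust
    /// anchor and validity dates and revocation are not checked, so the
    /// certificate's subject is not authenticated here. The caller is expected
    /// to apply its own policy (the planned trust-on-first-use) to the
    /// certificate it reads back from the session.
    fn verify_client_cert(&self, _presented_certs: &[Certificate], _sni: Option<&DNSName>) -> Result<rustls::ClientCertVerified, TLSError> {
        log::debug!("verification? never heard of it");
        Ok(rustls::ClientCertVerified::assertion())
    }

    // `verify_tls12_signature` and `verify_tls13_signature` are deliberately
    // left to rustls's default implementations, which check the handshake
    // signature against the public key of the presented certificate. That
    // check is the only evidence that the client holds the matching private
    // key; an override that returns `HandshakeSignatureValid::assertion()`
    // unconditionally would let any copy of a public certificate be presented
    // as that identity, which would defeat trust-on-first-use.
}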