rustls/client/
common.rs

1use alloc::boxed::Box;
2use alloc::vec::Vec;
3
4use super::ResolvesClientCert;
5use crate::log::{debug, trace};
6use crate::msgs::enums::ExtensionType;
7use crate::msgs::handshake::{CertificateChain, DistinguishedName, ProtocolName, ServerExtensions};
8use crate::sync::Arc;
9use crate::{SignatureScheme, compress, sign};
10
11#[derive(Debug)]
12pub(super) struct ServerCertDetails<'a> {
13    pub(super) cert_chain: CertificateChain<'a>,
14    pub(super) ocsp_response: Vec<u8>,
15}
16
17impl<'a> ServerCertDetails<'a> {
18    pub(super) fn new(cert_chain: CertificateChain<'a>, ocsp_response: Vec<u8>) -> Self {
19        Self {
20            cert_chain,
21            ocsp_response,
22        }
23    }
24
25    pub(super) fn into_owned(self) -> ServerCertDetails<'static> {
26        let Self {
27            cert_chain,
28            ocsp_response,
29        } = self;
30        ServerCertDetails {
31            cert_chain: cert_chain.into_owned(),
32            ocsp_response,
33        }
34    }
35}
36
37pub(super) struct ClientHelloDetails {
38    pub(super) alpn_protocols: Vec<ProtocolName>,
39    pub(super) sent_extensions: Vec<ExtensionType>,
40    pub(super) extension_order_seed: u16,
41    pub(super) offered_cert_compression: bool,
42}
43
44impl ClientHelloDetails {
45    pub(super) fn new(alpn_protocols: Vec<ProtocolName>, extension_order_seed: u16) -> Self {
46        Self {
47            alpn_protocols,
48            sent_extensions: Vec::new(),
49            extension_order_seed,
50            offered_cert_compression: false,
51        }
52    }
53
54    pub(super) fn server_sent_unsolicited_extensions(
55        &self,
56        received_exts: &ServerExtensions<'_>,
57        allowed_unsolicited: &[ExtensionType],
58    ) -> bool {
59        let mut extensions = received_exts.collect_used();
60        extensions.extend(
61            received_exts
62                .unknown_extensions
63                .iter()
64                .map(|ext| ExtensionType::from(*ext)),
65        );
66        for ext_type in extensions {
67            if !self.sent_extensions.contains(&ext_type) && !allowed_unsolicited.contains(&ext_type)
68            {
69                trace!("Unsolicited extension {ext_type:?}");
70                return true;
71            }
72        }
73
74        false
75    }
76}
77
78pub(super) enum ClientAuthDetails {
79    /// Send an empty `Certificate` and no `CertificateVerify`.
80    Empty { auth_context_tls13: Option<Vec<u8>> },
81    /// Send a non-empty `Certificate` and a `CertificateVerify`.
82    Verify {
83        certkey: Arc<sign::CertifiedKey>,
84        signer: Box<dyn sign::Signer>,
85        auth_context_tls13: Option<Vec<u8>>,
86        compressor: Option<&'static dyn compress::CertCompressor>,
87    },
88}
89
90impl ClientAuthDetails {
91    pub(super) fn resolve(
92        resolver: &dyn ResolvesClientCert,
93        canames: Option<&[DistinguishedName]>,
94        sigschemes: &[SignatureScheme],
95        auth_context_tls13: Option<Vec<u8>>,
96        compressor: Option<&'static dyn compress::CertCompressor>,
97    ) -> Self {
98        let acceptable_issuers = canames
99            .unwrap_or_default()
100            .iter()
101            .map(|p| p.as_ref())
102            .collect::<Vec<&[u8]>>();
103
104        if let Some(certkey) = resolver.resolve(&acceptable_issuers, sigschemes) {
105            if let Some(signer) = certkey.key.choose_scheme(sigschemes) {
106                debug!("Attempting client auth");
107                return Self::Verify {
108                    certkey,
109                    signer,
110                    auth_context_tls13,
111                    compressor,
112                };
113            }
114        }
115
116        debug!("Client auth requested but no cert/sigscheme available");
117        Self::Empty { auth_context_tls13 }
118    }
119}
rustls/client/common.rs

rustls/client/
common.rs
