ServerVerifier

rustls::client::danger

Trait ServerVerifier 

Source 
pub trait ServerVerifier:
    Debug
    + Send
    + Sync {
    // Required methods
    fn verify_identity(
        &self,
        identity: &ServerIdentity<'_>,
    ) -> Result<PeerVerified, Error>;
    fn verify_tls12_signature(
        &self,
        input: &SignatureVerificationInput<'_>,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn verify_tls13_signature(
        &self,
        input: &SignatureVerificationInput<'_>,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme>;
    fn request_ocsp_response(&self) -> bool;

    // Provided methods
    fn supported_certificate_types(&self) -> &'static [CertificateType] { ... }
    fn root_hint_subjects(&self) -> Option<Arc<[DistinguishedName]>> { ... }
}
Expand description

Something that can verify a server certificate chain, and verify signatures made by certificates.

Required Methods§

Source

fn verify_identity( &self, identity: &ServerIdentity<'_>, ) -> Result<PeerVerified, Error>

Verify the server’s identity.

Note that none of the certificates have been parsed yet, so it is the responsibility of the implementer to handle invalid data. It is recommended that the implementer returns Error::InvalidCertificate containing CertificateError::BadEncoding when these cases are encountered.

Source

fn verify_tls12_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate.

If and only if the signature is valid, return Ok(HandshakeSignatureValid). Otherwise, return an error – rustls will send an alert and abort the connection.

This method is only called for TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound to the specific curve implied in their name.

Source

fn verify_tls13_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate.

This method is only called for TLS1.3 handshakes.

This method is very similar to verify_tls12_signature: but note the tighter ECDSA SignatureScheme semantics – e.g. SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement for you.

If and only if the signature is valid, return Ok(HandshakeSignatureValid). Otherwise, return an error – rustls will send an alert and abort the connection.

Source

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.

This should be in priority order, with the most preferred first.

Source

fn request_ocsp_response(&self) -> bool

Return true if this verifier will process stapled OCSP responses.

This controls whether a client will ask the server for a stapled OCSP response. There is no guarantee the server will provide one.

Provided Methods§

Source

fn supported_certificate_types(&self) -> &'static [CertificateType]

Returns which CertificateTypes this verifier supports.

Returning an empty slice will result in an error. The default implementation signals support for X.509 certificates. Implementations should return the same value every time.

See RFC 7250 for more information.

Source

fn root_hint_subjects(&self) -> Option<Arc<[DistinguishedName]>>

Return the DistinguishedNames of certificate authorities that this verifier trusts.

If specified, will be sent as the certificate_authorities extension in ClientHello. Note that this is only applicable to TLS 1.3.

Implementors§