Trait ServerVerifier 

pub trait ServerVerifier:
    Debug
    + Send
    + Sync {
    // Required methods
    fn verify_identity(
        &self,
        identity: &ServerIdentity<'_>,
    ) -> Result<PeerVerified, Error>;
    fn verify_tls12_signature(
        &self,
        input: &SignatureVerificationInput<'_>,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn verify_tls13_signature(
        &self,
        input: &SignatureVerificationInput<'_>,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme>;
    fn request_ocsp_response(&self) -> bool;
    fn hash_config(&self, h: &mut dyn Hasher);

    // Provided methods
    fn supported_certificate_types(&self) -> &'static [CertificateType] { ... }
    fn root_hint_subjects(&self) -> Option<Arc<[DistinguishedName]>> { ... }
}

Something that can verify a server certificate chain, and verify signatures made by certificates.

Required Methods

fn verify_identity( &self, identity: &ServerIdentity<'_>, ) -> Result<PeerVerified, Error>

Verify the server’s identity.

Note that none of the certificates have been parsed yet, so it is the responsibility of the implementer to handle invalid data. It is recommended that the implementer returns Error::InvalidCertificate containing CertificateError::BadEncoding when these cases are encountered.

fn verify_tls12_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate.

If and only if the signature is valid, return Ok(HandshakeSignatureValid). Otherwise, return an error – rustls will send an alert and abort the connection.

This method is only called for TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound to the specific curve implied in their name.

fn verify_tls13_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given server certificate.

This method is only called for TLS1.3 handshakes.

This method is very similar to verify_tls12_signature: but note the tighter ECDSA SignatureScheme semantics – e.g. SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement for you.

If and only if the signature is valid, return Ok(HandshakeSignatureValid). Otherwise, return an error – rustls will send an alert and abort the connection.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.

This should be in priority order, with the most preferred first.

fn request_ocsp_response(&self) -> bool

Return true if this verifier will process stapled OCSP responses.

This controls whether a client will ask the server for a stapled OCSP response. There is no guarantee the server will provide one.

fn hash_config(&self, h: &mut dyn Hasher)

Instance configuration should be input to h.

Provided Methods

fn supported_certificate_types(&self) -> &'static [CertificateType]

Returns which CertificateTypes this verifier supports.

Returning an empty slice will result in an error. The default implementation signals support for X.509 certificates. Implementations should return the same value every time.

See RFC 7250 for more information.

fn root_hint_subjects(&self) -> Option<Arc<[DistinguishedName]>>

Return the DistinguishedNames of certificate authorities that this verifier trusts.

If specified, will be sent as the certificate_authorities extension in ClientHello. Note that this is only applicable to TLS 1.3.

Implementors

impl ServerVerifier for WebPkiServerVerifier