Struct WebPkiClientVerifier 

pub struct WebPkiClientVerifier { /* private fields */ }

A client certificate verifier that uses the webpki crate¹ to perform client certificate validation.

It must be created via WebPkiClientVerifier::builder().

Once built, the provided Arc<dyn ClientVerifier> can be used with a Rustls ServerConfig to configure client certificate validation using with_client_cert_verifier.

Example:

To require all clients present a client certificate issued by a trusted CA:

let client_verifier = WebPkiClientVerifier::builder(roots.into(), &DEFAULT_PROVIDER)
  .build()
  .unwrap();

Or, to allow clients presenting a client certificate authenticated by a trusted CA, or anonymous clients that present no client certificate:

let client_verifier = WebPkiClientVerifier::builder(roots.into(), &DEFAULT_PROVIDER)
  .allow_unauthenticated()
  .build()
  .unwrap();

If you wish to disable advertising client authentication:

let client_verifier = WebPkiClientVerifier::no_client_auth();

You can also configure the client verifier to check for certificate revocation with client certificate revocation lists (CRLs):

let client_verifier = WebPkiClientVerifier::builder(roots.into(), &DEFAULT_PROVIDER)
  .with_crls(crls)
  .build()
  .unwrap();

---

1. https://github.com/rustls/webpki ↩

Implementations

impl WebPkiClientVerifier

pub fn builder( roots: Arc<RootCertStore>, provider: &CryptoProvider, ) -> ClientVerifierBuilder

Create a builder for the webpki client certificate verifier configuration using a specified CryptoProvider.

Client certificate authentication will be offered by the server, and client certificates will be verified using the trust anchors found in the provided roots. If you wish to disable client authentication use WebPkiClientVerifier::no_client_auth() instead.

The cryptography used comes from the specified CryptoProvider.

For more information, see the ClientVerifierBuilder documentation.

pub fn no_client_auth() -> Arc<dyn ClientVerifier>

Create a new WebPkiClientVerifier that disables client authentication. The server will not offer client authentication and anonymous clients will be accepted.

This is in contrast to using WebPkiClientVerifier::builder().allow_unauthenticated().build(), which will produce a verifier that will offer client authentication, but not require it.

Trait Implementations

impl ClientVerifier for WebPkiClientVerifier

fn verify_identity( &self, identity: &ClientIdentity<'_>, ) -> Result<PeerVerified, Error>

Verify the client’s identity.

fn verify_tls12_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn verify_tls13_signature( &self, input: &SignatureVerificationInput<'_>, ) -> Result<HandshakeSignatureValid, Error>

Verify a signature allegedly by the given client certificate.

fn root_hint_subjects(&self) -> Arc<[DistinguishedName]>

Returns the DistinguishedName subjects that the server will hint to clients to identify acceptable authentication trust anchors.

fn client_auth_mandatory(&self) -> bool

Return true to require a client certificate and false to make client authentication optional. Defaults to self.offer_client_auth().

fn offer_client_auth(&self) -> bool

Returns true to enable the server to request a client certificate and false to skip requesting a client certificate. Defaults to true.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.

fn supported_certificate_types(&self) -> &'static [CertificateType]

Returns which CertificateTypes this verifier supports.

impl Debug for WebPkiClientVerifier

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.