特性 ServerCertVerifier 

pub trait ServerCertVerifier:
    Debug
    + Send
    + Sync {
    // Required methods
    fn verify_server_cert(
        &self,
        end_entity: &CertificateDer<'_>,
        intermediates: &[CertificateDer<'_>],
        server_name: &ServerName<'_>,
        ocsp_response: &[u8],
        now: UnixTime,
    ) -> Result<ServerCertVerified, Error>;
    fn verify_tls12_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn verify_tls13_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme>;

    // Provided methods
    fn requires_raw_public_keys(&self) -> bool { ... }
    fn root_hint_subjects(&self) -> Option<&[DistinguishedName]> { ... }
}

Something that can 验证 一个 server certificate chain, 并 验证 signatures made by 证书

必需方法

fn verify_server_cert( &self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], server_name: &ServerName<'_>, ocsp_response: &[u8], now: UnixTime, ) -> Result<ServerCertVerified, Error>

验证 end-entity certificate end_entity is valid 用于 the hostname dns_name 并 chains 到 at least one trust anchor.

intermediates contains 所有证书 other than end_entity that were sent as part of the server’s Certificate message. It is in the same order that the server sent them 并 may be empty.

Note that none of the certificates have been parsed yet, so it 是 responsibility of the implementer 到 handle invalid data. It is recommended that the implementer returns Error::InvalidCertificate containing CertificateError::BadEncoding when these cases are encountered.

fn verify_tls12_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

验证 一个 signature allegedly by the given server certificate.

message is not hashed, 并 needs hashing during the verification. 此 签名并 算法 are within dss。 cert contains the 公钥 到 use.

cert has already been validated by ServerCertVerifier::verify_server_cert。

If 并 only if the signature is valid, return Ok(HandshakeSignatureValid)。 Otherwise, return an error – rustls will send an alert 并 abort the connection.

This method is only called 用于 TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound 到 the specific curve implied in their name.

fn verify_tls13_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

验证 一个 signature allegedly by the given server certificate.

This method is only called 用于 TLS 1.3 handshakes.

This method is very similar 到 verify_tls12_signature: but note the tighter ECDSA SignatureScheme semantics – e.g. SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement 用于 you.

cert has already been validated by ServerCertVerifier::verify_server_cert。

If 并 only if the signature is valid, return Ok(HandshakeSignatureValid)。 Otherwise, return an error – rustls will send an alert 并 abort the connection.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

返回此验证器将处理的 SignatureScheme 列表， in verify_tls12_signature 并 verify_tls13_signature calls.

This should be in priority order, with the most preferred first.

提供方法

fn requires_raw_public_keys(&self) -> bool

返回此验证器是否要求 in RFC 7250。

fn root_hint_subjects(&self) -> Option<&[DistinguishedName]>

Return the DistinguishedNames of certificate authorities that this verifier trusts.

If specified, ， sent as the certificate_authorities extension in ClientHello. Note that this is only applicable 到 TLS 1.3.

实现者

impl ServerCertVerifier for WebPkiServerVerifier