特性 ClientCertVerifier 

pub trait ClientCertVerifier:
    Debug
    + Send
    + Sync {
    // Required methods
    fn root_hint_subjects(&self) -> &[DistinguishedName];
    fn verify_client_cert(
        &self,
        end_entity: &CertificateDer<'_>,
        intermediates: &[CertificateDer<'_>],
        now: UnixTime,
    ) -> Result<ClientCertVerified, Error>;
    fn verify_tls12_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn verify_tls13_signature(
        &self,
        message: &[u8],
        cert: &CertificateDer<'_>,
        dss: &DigitallySignedStruct,
    ) -> Result<HandshakeSignatureValid, Error>;
    fn supported_verify_schemes(&self) -> Vec<SignatureScheme>;

    // Provided methods
    fn offer_client_auth(&self) -> bool { ... }
    fn client_auth_mandatory(&self) -> bool { ... }
    fn requires_raw_public_keys(&self) -> bool { ... }
}

Something that can 验证 一个 client certificate chain

必需方法

fn root_hint_subjects(&self) -> &[DistinguishedName]

Returns the DistinguishedName subjects that the server will hint 到 clients 到 identify acceptable authentication trust anchors.

These hint values help the client pick 一个 client certificate it believes the server will accept. 此 hints must be DER-encoded X.500 distinguished names, per RFC 5280 A.1。 They are sent in the certificate_authorities extension of 一个 CertificateRequest message when ClientCertVerifier::offer_client_auth is true. When an empty list is sent the client should always provide 一个 client certificate if it has one.

Generally this list should contain the DistinguishedName of each root trust anchor in the root cert store that the server is configured 到 use 用于 authenticating presented client 证书

In some circumstances this list may be customized 到 include DistinguishedName entries that do not correspond 到 一个 trust anchor in the server’s root cert store. For example, the server may be configured 到 trust 一个 root CA that cross-signed an issuer certificate that the client considers 一个 trust anchor. From the server’s perspective the cross-signed certificate 是 intermediate, 并 not present in the server’s root cert store. 此 client may have the cross-signed certificate configured as 一个 trust anchor, 并 be unaware of the root CA that cross-signed it. If the server’s hints list only contained the subjects of the server’s root store the client would consider 一个 client certificate issued by the cross-signed issuer unacceptable, since its subject was not hinted. To avoid this circumstance the server should customize the hints list 到 include the subject of the cross-signed issuer in addition 到 the subjects 从 the root cert store.

fn verify_client_cert( &self, end_entity: &CertificateDer<'_>, intermediates: &[CertificateDer<'_>], now: UnixTime, ) -> Result<ClientCertVerified, Error>

验证 end-entity certificate end_entity is valid, acceptable, 并 chains 到 at least one of the trust anchors trusted by this verifier.

intermediates contains the intermediate certificates the client sent along with the end-entity certificate; it is in the same order that the peer sent them 并 may be empty.

Note that none of the certificates have been parsed yet, so it 是 responsibility of the implementer 到 handle invalid data. It is recommended that the implementer returns an InvalidCertificate error with the BadEncoding variant when these cases are encountered.

fn verify_tls12_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

验证 一个 signature allegedly by the given client certificate.

message is not hashed, 并 needs hashing during the verification. 此 签名并 算法 are within dss。 cert contains the 公钥 到 use.

cert has already been validated by ClientCertVerifier::verify_client_cert。

If 并 only if the signature is valid, return Ok(HandshakeSignatureValid)。 Otherwise, return an error – rustls will send an alert 并 abort the connection.

This method is only called 用于 TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound 到 the specific curve implied in their name.

fn verify_tls13_signature( &self, message: &[u8], cert: &CertificateDer<'_>, dss: &DigitallySignedStruct, ) -> Result<HandshakeSignatureValid, Error>

验证 一个 signature allegedly by the given client certificate.

This method is only called 用于 TLS 1.3 handshakes.

This method is very similar 到 verify_tls12_signature, but note the tighter ECDSA SignatureScheme semantics in TLS 1.3. For example, SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement 用于 you.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>

返回此验证器将处理的 SignatureScheme 列表， in verify_tls12_signature 并 verify_tls13_signature calls.

This should be in priority order, with the most preferred first.

提供方法

fn offer_client_auth(&self) -> bool

Returns true 到 enable the server 到 request 一个 client certificate 并 false 到 skip requesting 一个 client certificate. Defaults 到 true。

fn client_auth_mandatory(&self) -> bool

Return true 到 require 一个 client certificate 并 false 到 make client authentication optional. Defaults 到 self.offer_client_auth()。

fn requires_raw_public_keys(&self) -> bool

返回此验证器是否要求 in RFC 7250。

实现者

impl ClientCertVerifier for NoClientAuth

impl ClientCertVerifier for WebPkiClientVerifier