结构体 ClientCertVerifierBuilder

Source

pub struct ClientCertVerifierBuilder { /* private fields */ }

展开描述

一个构建器用于 configuring 一个 webpki client certificate verifier.

更多信息请参阅 WebPkiClientVerifier 文档。

实现§

Source §

impl ClientCertVerifierBuilder

Source

pub fn clear_root_hint_subjects(self) -> Self

Clear the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured 用于 client authentication. 调用此函数 will remove these hint subjects, indicating the client should make 一个 free choice of which certificate 到 send.

，请参见ClientCertVerifier::root_hint_subjects 用于 more information on circumstances where you may want 到 clear 默认 hint subjects.

Source

pub fn add_root_hint_subjects( self, subjects: impl IntoIterator<Item = DistinguishedName>, ) -> Self

Add additional DistinguishedNames 到 the list of trust anchor hint subjects.

By default, the client cert verifier will use the subjects provided by the root cert store configured 用于 client authentication. 调用此函数 will add 到 these existing hint subjects. 调用此函数 with empty subjects will have no effect.

，请参见ClientCertVerifier::root_hint_subjects 用于 more information on circumstances where you may want 到 override 默认 hint subjects.

Source

pub fn with_crls( self, crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>, ) -> Self

验证提交的 client 证书的吊销状态，对比提供的 certificate revocation lists (CRLs)。调用 with_crls multiple times appends the given CRLs 到现有集合中

By default 所有证书 in the verified chain built 从 the presented client certificate 到一个 trust anchor will have their revocation status 检查. 调用 only_check_end_entity_revocation will change this behavior 到 only 检查 the end entity client certificate.

By default if 一个 certificate’s revocation status can not be determined using the configured CRLs, it ， treated as an error. 调用 allow_unknown_revocation_status will change this behavior 到 allow unknown revocation status.

Source

pub fn only_check_end_entity_revocation(self) -> Self

使用 CRLs.

If CRLs are provided using with_crls only 检查 the end entity certificate’s revocation status. Overrides 默认行为 checking revocation status 用于 each certificate in the verified chain built 到一个 trust anchor (excluding the trust anchor itself)。

If no CRLs are provided then this setting has no effect. Neither the end entity certificate 或 any intermediates will have revocation status 检查.

Source

pub fn allow_unauthenticated(self) -> Self

Allow unauthenticated clients 到 connect.

Clients that offer 一个 client certificate issued by 一个 trusted root, 并 clients that offer no client certificate ， allowed 到 connect.

Source

pub fn allow_unknown_revocation_status(self) -> Self

允许未知的 certificate 吊销状态，在使用 CRLs.

If CRLs are provided with with_crls 并不’t possible 到 determine the revocation status of 一个 certificate, 则不将其视为错误覆盖将未知吊销状态视为错误的默认行为

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

Source

pub fn enforce_revocation_expiration(self) -> Self

强制 CRL 的 nextUpdate 字段（即过期）

If CRLs are provided with with_crls 并 the verification time is beyond ，CRL 的 nextUpdate 字段，则该 CRL 已过期并被视为错误覆盖过期 CRLs 不被视为错误的默认行为

If no CRLs are provided then this setting has no effect as revocation status checks are not performed.

Source

pub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>

构建 client certificate verifier. 此 built verifier ，用用于 the server 到 offer client certificate authentication, 到 control how offered 客户端证书 are validated, 并到 determine what 到 do with anonymous clients that do not respond 到 the client certificate authentication offer with 一个 client certificate.

If with_signature_verification_algorithms 未在 builder 上调用，一个 default set of signature verification algorithms is 用, controlled by the selected CryptoProvider。

Once built, the provided Arc<dyn ClientCertVerifier> can be 用 with 一个 Rustls ServerConfig 到 configure client certificate validation using with_client_cert_verifier。