1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
use super::ResolvesClientCert;
#[cfg(feature = "logging")]
use crate::log::{debug, trace};
use crate::msgs::enums::ExtensionType;
use crate::msgs::handshake::CertificatePayload;
use crate::msgs::handshake::SCTList;
use crate::msgs::handshake::ServerExtension;
use crate::{sign, DistinguishedNames, SignatureScheme};
use std::sync::Arc;
#[derive(Debug)]
pub(super) struct ServerCertDetails {
pub(super) cert_chain: CertificatePayload,
pub(super) ocsp_response: Vec<u8>,
pub(super) scts: Option<SCTList>,
}
impl ServerCertDetails {
pub(super) fn new(
cert_chain: CertificatePayload,
ocsp_response: Vec<u8>,
scts: Option<SCTList>,
) -> Self {
Self {
cert_chain,
ocsp_response,
scts,
}
}
pub(super) fn scts(&self) -> impl Iterator<Item = &[u8]> {
self.scts
.as_deref()
.unwrap_or(&[])
.iter()
.map(|payload| payload.0.as_slice())
}
}
pub(super) struct ClientHelloDetails {
pub(super) sent_extensions: Vec<ExtensionType>,
}
impl ClientHelloDetails {
pub(super) fn new() -> Self {
Self {
sent_extensions: Vec::new(),
}
}
pub(super) fn server_may_send_sct_list(&self) -> bool {
self.sent_extensions
.contains(&ExtensionType::SCT)
}
pub(super) fn server_sent_unsolicited_extensions(
&self,
received_exts: &[ServerExtension],
allowed_unsolicited: &[ExtensionType],
) -> bool {
for ext in received_exts {
let ext_type = ext.get_type();
if !self.sent_extensions.contains(&ext_type) && !allowed_unsolicited.contains(&ext_type)
{
trace!("Unsolicited extension {:?}", ext_type);
return true;
}
}
false
}
}
pub(super) enum ClientAuthDetails {
Empty { auth_context_tls13: Option<Vec<u8>> },
Verify {
certkey: Arc<sign::CertifiedKey>,
signer: Box<dyn sign::Signer>,
auth_context_tls13: Option<Vec<u8>>,
},
}
impl ClientAuthDetails {
pub(super) fn resolve(
resolver: &dyn ResolvesClientCert,
canames: Option<&DistinguishedNames>,
sigschemes: &[SignatureScheme],
auth_context_tls13: Option<Vec<u8>>,
) -> Self {
let acceptable_issuers = canames
.map(Vec::as_slice)
.unwrap_or_default()
.iter()
.map(|p| p.0.as_slice())
.collect::<Vec<&[u8]>>();
if let Some(certkey) = resolver.resolve(&acceptable_issuers, sigschemes) {
if let Some(signer) = certkey.key.choose_scheme(sigschemes) {
debug!("Attempting client auth");
return Self::Verify {
certkey,
signer,
auth_context_tls13,
};
}
}
debug!("Client auth requested but no cert/sigscheme available");
Self::Empty { auth_context_tls13 }
}
}