Trait rustls::ServerCertVerifier [−][src]
pub trait ServerCertVerifier: Send + Sync {
fn verify_server_cert(
&self,
roots: &RootCertStore,
presented_certs: &[Certificate],
dns_name: DNSNameRef<'_>,
ocsp_response: &[u8]
) -> Result<ServerCertVerified, TLSError>;
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError> { ... }
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError> { ... }
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { ... }
}
Expand description
Something that can verify a server certificate chain, and verify signatures made by certificates.
Required methods
fn verify_server_cert(
&self,
roots: &RootCertStore,
presented_certs: &[Certificate],
dns_name: DNSNameRef<'_>,
ocsp_response: &[u8]
) -> Result<ServerCertVerified, TLSError>
fn verify_server_cert(
&self,
roots: &RootCertStore,
presented_certs: &[Certificate],
dns_name: DNSNameRef<'_>,
ocsp_response: &[u8]
) -> Result<ServerCertVerified, TLSError>
Verify a the certificate chain presented_certs
against the roots
configured in roots
. Make sure that dns_name
is quoted by
the top certificate in the chain.
Provided methods
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
Verify a signature allegedly by the given server certificate.
message
is not hashed, and needs hashing during the verification.
The signature and algorithm are within dss
. cert
contains the
public key to use.
cert
is the same certificate that was previously validated by a
call to verify_server_cert
.
If and only if the signature is valid, return HandshakeSignatureValid. Otherwise, return an error – rustls will send an alert and abort the connection.
This method is only called for TLS1.2 handshakes. Note that, in TLS1.2,
SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256
are not
in fact bound to the specific curve implied in their name.
This trait method has a default implementation that uses webpki to verify the signature.
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &Certificate,
dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>
Verify a signature allegedly by the given server certificate.
This method is only called for TLS1.3 handshakes.
This method is very similar to verify_tls12_signature
: but note the
tighter ECDSA SignatureScheme semantics – eg SignatureScheme::ECDSA_NISTP256_SHA256
must only validate signatures using public keys on the right curve –
rustls does not enforce this requirement for you.
This trait method has a default implementation that uses webpki to verify the signature.
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
fn supported_verify_schemes(&self) -> Vec<SignatureScheme>
Return the list of SignatureSchemes that this verifier will handle,
in verify_tls12_signature
and verify_tls13_signature
calls.
This should be in priority order, with the most preferred first.
This trait mehod has a default implementation that reflects the schemes supported by webpki.