Trait rustls::ServerCertVerifier[][src]

pub trait ServerCertVerifier: Send + Sync {
    fn verify_server_cert(
        &self, 
        roots: &RootCertStore, 
        presented_certs: &[Certificate], 
        dns_name: DNSNameRef<'_>, 
        ocsp_response: &[u8]
    ) -> Result<ServerCertVerified, TLSError>;

    fn verify_tls12_signature(
        &self, 
        message: &[u8], 
        cert: &Certificate, 
        dss: &DigitallySignedStruct
    ) -> Result<HandshakeSignatureValid, TLSError> { ... }

    fn verify_tls13_signature(
        &self, 
        message: &[u8], 
        cert: &Certificate, 
        dss: &DigitallySignedStruct
    ) -> Result<HandshakeSignatureValid, TLSError> { ... }

    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> { ... }
}

Something that can verify a server certificate chain, and verify signatures made by certificates.

Required methods

fn verify_server_cert(
    &self,
    roots: &RootCertStore,
    presented_certs: &[Certificate],
    dns_name: DNSNameRef<'_>,
    ocsp_response: &[u8]
) -> Result<ServerCertVerified, TLSError>[src]

Verify a the certificate chain presented_certs against the roots configured in roots. Make sure that dns_name is quoted by the top certificate in the chain.

Loading content...

Provided methods

fn verify_tls12_signature(
    &self,
    message: &[u8],
    cert: &Certificate,
    dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>[src]

Verify a signature allegedly by the given server certificate.

message is not hashed, and needs hashing during the verification. The signature and algorithm are within dss. cert contains the public key to use.

cert is the same certificate that was previously validated by a call to verify_server_cert.

If and only if the signature is valid, return HandshakeSignatureValid. Otherwise, return an error – rustls will send an alert and abort the connection.

This method is only called for TLS1.2 handshakes. Note that, in TLS1.2, SignatureSchemes such as SignatureScheme::ECDSA_NISTP256_SHA256 are not in fact bound to the specific curve implied in their name.

This trait method has a default implementation that uses webpki to verify the signature.

fn verify_tls13_signature(
    &self,
    message: &[u8],
    cert: &Certificate,
    dss: &DigitallySignedStruct
) -> Result<HandshakeSignatureValid, TLSError>[src]

Verify a signature allegedly by the given server certificate.

This method is only called for TLS1.3 handshakes.

This method is very similar to verify_tls12_signature: but note the tighter ECDSA SignatureScheme semantics – eg SignatureScheme::ECDSA_NISTP256_SHA256 must only validate signatures using public keys on the right curve – rustls does not enforce this requirement for you.

This trait method has a default implementation that uses webpki to verify the signature.

fn supported_verify_schemes(&self) -> Vec<SignatureScheme>[src]

Return the list of SignatureSchemes that this verifier will handle, in verify_tls12_signature and verify_tls13_signature calls.

This should be in priority order, with the most preferred first.

This trait mehod has a default implementation that reflects the schemes supported by webpki.

Loading content...

Implementors

impl ServerCertVerifier for WebPKIVerifier[src]

fn verify_server_cert(
    &self,
    roots: &RootCertStore,
    presented_certs: &[Certificate],
    dns_name: DNSNameRef<'_>,
    ocsp_response: &[u8]
) -> Result<ServerCertVerified, TLSError>[src]

Will verify the certificate is valid in the following ways:

  • Signed by a trusted RootCertStore CA
  • Not Expired
  • Valid for DNS entry
  • OCSP data is present
Loading content...