rustls / rustls-platform-verifier

A certificate verification library for rustls that uses the operating system's verifier
Apache License 2.0

Enable non default crypto config for initialization of Verifier #79

Closed nnmkhang closed 3 months ago

nnmkhang commented 3 months ago

In `src/verification/windows.rs` there is a check to ensure that the default CryptoProvider must be used.

Enabling custom crypto providers will give users who want to opt out of using the rustls the ability to configure platform verifier with their own crypto provider.

From `windows.rs` on line 427

```rust
impl Verifier {
    /// Creates a new instance of a TLS certificate verifier that utilizes the
    /// Windows certificate facilities. The rustls default [`CryptoProvider`]
    /// must be set before the verifier can be used.
    pub fn new() -> Self {
        Self {
            #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
            test_only_root_ca_override: None,
            default_provider: OnceCell::new(),
        }
    }
    // ... (the rest of the impl is not quoted in the issue)
}
```

and also line 448

```rust
    fn get_provider(&self) -> &CryptoProvider {
        self.default_provider
            .get_or_init(|| {
                rustls::crypto::CryptoProvider::get_default()
                    .expect("rustls default CryptoProvider not set")
                    .clone()
            })
            .as_ref()
    }
```

My suggestion: allow passing in a CryptoProvider to the Verifier, and default to the rustls default if no CryptoProvider is supplied.
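The suggestion above (accept a caller-supplied provider, fall back to the rustls default), as an added example that is not code from the issue or from rustls-platform-verifier. `CryptoProvider` and the default slot are stand-ins for the rustls types, `with_provider` and `NoProvider` are hypothetical names, and the lookup returns an error where the quoted `get_provider` panics.

```rust
use std::sync::{Arc, OnceLock};

/// Stand-in for rustls::crypto::CryptoProvider; only a name is modelled (assumption).
#[derive(Debug, PartialEq)]
pub struct CryptoProvider { pub name: &'static str }

/// Stand-in for the process-wide default provider slot (set at most once).
static PROCESS_DEFAULT: OnceLock<Arc<CryptoProvider>> = OnceLock::new();

impl CryptoProvider {
    pub fn install_default(self) -> Result<(), Arc<CryptoProvider>> {
        PROCESS_DEFAULT.set(Arc::new(self))
    }
    pub fn get_default() -> Option<&'static Arc<CryptoProvider>> {
        PROCESS_DEFAULT.get()
    }
}

/// Returned instead of panicking when no provider can be resolved.
#[derive(Debug, PartialEq)]
pub struct NoProvider;

pub struct Verifier {
    provider: OnceLock<Arc<CryptoProvider>>,
}

impl Verifier {
    /// No explicit provider: resolved lazily from the process default.
    pub fn new() -> Self {
        Self { provider: OnceLock::new() }
    }
    /// Hypothetical constructor: the caller supplies the provider up front.
    pub fn with_provider(provider: Arc<CryptoProvider>) -> Self {
        Self { provider: OnceLock::from(provider) }
    }
    /// Explicit provider wins; otherwise fall back to the default and pin it.
    pub fn get_provider(&self) -> Result<&CryptoProvider, NoProvider> {
        if let Some(p) = self.provider.get() {
            return Ok(p.as_ref());
        }
        let default = CryptoProvider::get_default().ok_or(NoProvider)?;
        Ok(self.provider.get_or_init(|| Arc::clone(default)).as_ref())
    }
}

fn main() {
    let custom = Verifier::with_provider(Arc::new(CryptoProvider { name: "custom" }));
    println!("{:?} {:?}", custom.get_provider(), Verifier::new().get_provider());
}
```

A failed lookup is not cached, so a verifier created before the default is installed resolves it on a later call.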

cpu commented 3 months ago

> My suggestion: allow passing in a CryptoProvider to the Verifier, and default to the rustls default if no CryptoProvider is supplied.

This sounds like a good suggestion. WDYT about https://github.com/rustls/rustls-platform-verifier/pull/81 ?

cpu commented 3 months ago

This was resolved by #81. Thanks again for filing the issue! I'm working on a release with this feature in https://github.com/rustls/rustls-platform-verifier/pull/88.