feat: add Verifier::set_provider and Verifier::with_provider

rustls · Apr 9, 2024 · 4063a23 · 4063a23
1 parent b6f6334
commit 4063a23
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 19 deletions.
diff --git a/rustls-platform-verifier/src/verification/android.rs b/rustls-platform-verifier/src/verification/android.rs
@@ -47,7 +47,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Default for Verifier {
@@ -71,13 +71,16 @@ impl Drop for Verifier {
 
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// Android certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Android certificate facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -86,12 +89,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")

diff --git a/rustls-platform-verifier/src/verification/apple.rs b/rustls-platform-verifier/src/verification/apple.rs
@@ -46,18 +46,21 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Verifier {
-    /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// macOS certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Creates a new instance of a TLS certificate verifier that utilizes the macOS certificate
+    /// facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -66,12 +69,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")

diff --git a/rustls-platform-verifier/src/verification/mod.rs b/rustls-platform-verifier/src/verification/mod.rs
@@ -77,3 +77,29 @@ fn invalid_certificate(reason: impl Into<String>) -> rustls::Error {
 /// - id-kp-serverAuth
 // TODO: Chromium also allows for `OID_ANY_EKU` on Android.
 pub const ALLOWED_EKUS: &[&str] = &["1.3.6.1.5.5.7.3.1"];
+
+#[cfg(any(target_os = "macos", target_os = "ios", target_os = "android", windows))]
+impl Verifier {
+    /// Chainable setter to configure the [`CryptoProvider`][rustls::crypto::CryptoProvider] for this `Verifier`.
+    ///
+    /// This will be used instead of the rustls processs-default `CryptoProvider`, even if one has
+    /// been installed.
+    pub fn with_provider(
+        mut self,
+        crypto_provider: std::sync::Arc<rustls::crypto::CryptoProvider>,
+    ) -> Self {
+        self.set_provider(crypto_provider);
+        self
+    }
+
+    /// Configures the [`CryptoProvider`][rustls::crypto::CryptoProvider] for this `Verifier`.
+    ///
+    /// This will be used instead of the rustls processs-default `CryptoProvider`, even if one has
+    /// been installed.
+    pub fn set_provider(
+        &mut self,
+        crypto_provider: std::sync::Arc<rustls::crypto::CryptoProvider>,
+    ) {
+        self.crypto_provider = crypto_provider.into();
+    }
+}
diff --git a/rustls-platform-verifier/src/verification/windows.rs b/rustls-platform-verifier/src/verification/windows.rs
@@ -421,18 +421,21 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// Windows certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Windows certificate facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -441,12 +444,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")