tlsn_core/config/
tls.rs

1//! TLS client configuration.
2
3use serde::{Deserialize, Serialize};
4
5use crate::{
6    connection::ServerName,
7    webpki::{CertificateDer, PrivateKeyDer, RootCertStore},
8};
9
10/// TLS client configuration.
11#[derive(Debug, Clone, Serialize, Deserialize)]
12pub struct TlsClientConfig {
13    server_name: ServerName,
14    /// Root certificates.
15    root_store: RootCertStore,
16    /// Certificate chain and a matching private key for client
17    /// authentication.
18    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
19}
20
21impl TlsClientConfig {
22    /// Creates a new builder.
23    pub fn builder() -> TlsConfigBuilder {
24        TlsConfigBuilder::default()
25    }
26
27    /// Returns the server name.
28    pub fn server_name(&self) -> &ServerName {
29        &self.server_name
30    }
31
32    /// Returns the root certificates.
33    pub fn root_store(&self) -> &RootCertStore {
34        &self.root_store
35    }
36
37    /// Returns a certificate chain and a matching private key for client
38    /// authentication.
39    pub fn client_auth(&self) -> Option<&(Vec<CertificateDer>, PrivateKeyDer)> {
40        self.client_auth.as_ref()
41    }
42}
43
44/// Builder for [`TlsClientConfig`].
45#[derive(Debug, Default)]
46pub struct TlsConfigBuilder {
47    server_name: Option<ServerName>,
48    root_store: Option<RootCertStore>,
49    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
50}
51
52impl TlsConfigBuilder {
53    /// Sets the server name.
54    pub fn server_name(mut self, server_name: ServerName) -> Self {
55        self.server_name = Some(server_name);
56        self
57    }
58
59    /// Sets the root certificates to use for verifying the server's
60    /// certificate.
61    pub fn root_store(mut self, store: RootCertStore) -> Self {
62        self.root_store = Some(store);
63        self
64    }
65
66    /// Sets a DER-encoded certificate chain and a matching private key for
67    /// client authentication.
68    ///
69    /// Often the chain will consist of a single end-entity certificate.
70    ///
71    /// # Arguments
72    ///
73    /// * `cert_key` - A tuple containing the certificate chain and the private
74    ///   key.
75    ///
76    ///   - Each certificate in the chain must be in the X.509 format.
77    ///   - The key must be in the ASN.1 format (either PKCS#8 or PKCS#1).
78    pub fn client_auth(mut self, cert_key: (Vec<CertificateDer>, PrivateKeyDer)) -> Self {
79        self.client_auth = Some(cert_key);
80        self
81    }
82
83    /// Builds the TLS configuration.
84    pub fn build(self) -> Result<TlsClientConfig, TlsConfigError> {
85        let server_name = self.server_name.ok_or(ErrorRepr::MissingField {
86            field: "server_name",
87        })?;
88
89        let root_store = self.root_store.ok_or(ErrorRepr::MissingField {
90            field: "root_store",
91        })?;
92
93        Ok(TlsClientConfig {
94            server_name,
95            root_store,
96            client_auth: self.client_auth,
97        })
98    }
99}
100
101/// TLS configuration error.
102#[derive(Debug, thiserror::Error)]
103#[error(transparent)]
104pub struct TlsConfigError(#[from] ErrorRepr);
105
106#[derive(Debug, thiserror::Error)]
107#[error("tls config error")]
108enum ErrorRepr {
109    #[error("missing required field: {field}")]
110    MissingField { field: &'static str },
111}