tlsn_core/provider.rs
1use tls_core::{
2 anchors::{OwnedTrustAnchor, RootCertStore},
3 verify::WebPkiVerifier,
4};
5
6use crate::{
7 hash::HashProvider,
8 signing::{SignatureVerifierProvider, SignerProvider},
9};
10
11/// Cryptography provider.
12///
13/// ## Custom Algorithms
14///
15/// This is the primary interface for extending cryptographic functionality. The
16/// various providers can be configured with custom algorithms and
17/// implementations.
18///
19/// Algorithms are uniquely identified using an 8-bit ID, eg.
20/// [`HashAlgId`](crate::hash::HashAlgId), half of which is reserved for the
21/// officially supported algorithms. If you think that a new algorithm should be
22/// added to the official set, please open an issue. Beware that other parties
23/// may assign different algorithms to the same ID as you, and we make no effort
24/// to mitigate this.
25pub struct CryptoProvider {
26 /// Hash provider.
27 pub hash: HashProvider,
28 /// Certificate verifier.
29 ///
30 /// This is used to verify the server's certificate chain.
31 ///
32 /// The default verifier uses the Mozilla root certificates.
33 pub cert: WebPkiVerifier,
34 /// Signer provider.
35 ///
36 /// This is used for signing attestations.
37 pub signer: SignerProvider,
38 /// Signature verifier provider.
39 ///
40 /// This is used for verifying signatures of attestations.
41 pub signature: SignatureVerifierProvider,
42}
43
44opaque_debug::implement!(CryptoProvider);
45
46impl Default for CryptoProvider {
47 fn default() -> Self {
48 Self {
49 hash: Default::default(),
50 cert: default_cert_verifier(),
51 signer: Default::default(),
52 signature: Default::default(),
53 }
54 }
55}
56
57pub(crate) fn default_cert_verifier() -> WebPkiVerifier {
58 let mut root_store = RootCertStore::empty();
59 root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
60 OwnedTrustAnchor::from_subject_spki_name_constraints(
61 ta.subject.as_ref(),
62 ta.subject_public_key_info.as_ref(),
63 ta.name_constraints.as_ref().map(|nc| nc.as_ref()),
64 )
65 }));
66 WebPkiVerifier::new(root_store, None)
67}