tlsn_core/
provider.rs

1use tls_core::{
2    anchors::{OwnedTrustAnchor, RootCertStore},
3    verify::WebPkiVerifier,
4};
5
6use crate::{
7    hash::HashProvider,
8    signing::{SignatureVerifierProvider, SignerProvider},
9};
10
11/// Cryptography provider.
12///
13/// ## Custom Algorithms
14///
15/// This is the primary interface for extending cryptographic functionality. The
16/// various providers can be configured with custom algorithms and
17/// implementations.
18///
19/// Algorithms are uniquely identified using an 8-bit ID, eg.
20/// [`HashAlgId`](crate::hash::HashAlgId), half of which is reserved for the
21/// officially supported algorithms. If you think that a new algorithm should be
22/// added to the official set, please open an issue. Beware that other parties
23/// may assign different algorithms to the same ID as you, and we make no effort
24/// to mitigate this.
25pub struct CryptoProvider {
26    /// Hash provider.
27    pub hash: HashProvider,
28    /// Certificate verifier.
29    ///
30    /// This is used to verify the server's certificate chain.
31    ///
32    /// The default verifier uses the Mozilla root certificates.
33    pub cert: WebPkiVerifier,
34    /// Signer provider.
35    ///
36    /// This is used for signing attestations.
37    pub signer: SignerProvider,
38    /// Signature verifier provider.
39    ///
40    /// This is used for verifying signatures of attestations.
41    pub signature: SignatureVerifierProvider,
42}
43
44opaque_debug::implement!(CryptoProvider);
45
46impl Default for CryptoProvider {
47    fn default() -> Self {
48        Self {
49            hash: Default::default(),
50            cert: default_cert_verifier(),
51            signer: Default::default(),
52            signature: Default::default(),
53        }
54    }
55}
56
57pub(crate) fn default_cert_verifier() -> WebPkiVerifier {
58    let mut root_store = RootCertStore::empty();
59    root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
60        OwnedTrustAnchor::from_subject_spki_name_constraints(
61            ta.subject.as_ref(),
62            ta.subject_public_key_info.as_ref(),
63            ta.name_constraints.as_ref().map(|nc| nc.as_ref()),
64        )
65    }));
66    WebPkiVerifier::new(root_store, None)
67}