| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Something that can verify a client certificate chain"><meta name="keywords" content="rust, rustlang, rust-lang, ClientCertVerifier"><title>ClientCertVerifier in rustls - Rust</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../normalize.css"><link rel="stylesheet" href="../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../ayu.css" disabled><link rel="stylesheet" href="../dark.css" disabled><link rel="stylesheet" href="../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../storage.js"></script><script defer src="sidebar-items.js"></script><script defer src="../main.js"></script><noscript><link rel="stylesheet" href="../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../favicon.svg"></head><body class="rustdoc trait"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="mobile-topbar"><button class="sidebar-menu-toggle">☰</button><a class="sidebar-logo" href="../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../rust-logo.svg" alt="logo"></div></a><h2></h2></nav><nav class="sidebar"><a class="sidebar-logo" href="../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../rust-logo.svg" alt="logo"></div></a><h2 class="location"><a href="#">ClientCertVerifier</a></h2><div class="sidebar-elems"><section><h3><a href="#required-methods">Required Methods</a></h3><ul class="block"><li><a href="#tymethod.client_auth_root_subjects">client_auth_root_subjects</a></li><li><a href="#tymethod.verify_client_cert">verify_client_cert</a></li></ul><h3><a href="#provided-methods">Provided Methods</a></h3><ul class="block"><li><a href="#method.client_auth_mandatory">client_auth_mandatory</a></li><li><a href="#method.offer_client_auth">offer_client_auth</a></li><li><a href="#method.supported_verify_schemes">supported_verify_schemes</a></li><li><a href="#method.verify_tls12_signature">verify_tls12_signature</a></li><li><a href="#method.verify_tls13_signature">verify_tls13_signature</a></li></ul><h3><a href="#implementors">Implementors</a></h3></section><h2><a href="index.html">In rustls</a></h2></div></nav><main><div class="width-limiter"><nav class="sub"><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="main-heading"><h1 class="fqn">Trait <a href="index.html">rustls</a>::<wbr><a class="trait" href="#">ClientCertVerifier</a><button id="copy-path" onclick="copy_path(this)" title="Copy item path to clipboard"><img src="../clipboard.svg" width="19" height="18" alt="Copy item path"></button></h1><span class="out-of-band"><a class="srclink" href="../src/rustls/verify.rs.html#155-253">source</a> · <a id="toggle-all-docs" href="javascript:void(0)" title="collapse all docs">[<span class="inner">−</span>]</a></span></div><div class="item-decl"><pre class="rust trait"><code>pub trait ClientCertVerifier: Send + Sync { |
| fn <a href="#tymethod.client_auth_root_subjects" class="fnname">client_auth_root_subjects</a>(<br> &self,<br> sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>><br> ) -> Option<<a class="type" href="internal/msgs/handshake/type.DistinguishedNames.html" title="type rustls::internal::msgs::handshake::DistinguishedNames">DistinguishedNames</a>>; |
| <span class="item-spacer"></span> fn <a href="#tymethod.verify_client_cert" class="fnname">verify_client_cert</a>(<br> &self,<br> presented_certs: &[<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>],<br> sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>><br> ) -> Result<<a class="struct" href="struct.ClientCertVerified.html" title="struct rustls::ClientCertVerified">ClientCertVerified</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>>; |
| |
| fn <a href="#method.offer_client_auth" class="fnname">offer_client_auth</a>(&self) -> bool { ... } |
| <span class="item-spacer"></span> fn <a href="#method.client_auth_mandatory" class="fnname">client_auth_mandatory</a>(&self, _sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>>) -> Option<bool> { ... } |
| <span class="item-spacer"></span> fn <a href="#method.verify_tls12_signature" class="fnname">verify_tls12_signature</a>(<br> &self,<br> message: &[u8],<br> cert: &<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>,<br> dss: &<a class="struct" href="internal/msgs/handshake/struct.DigitallySignedStruct.html" title="struct rustls::internal::msgs::handshake::DigitallySignedStruct">DigitallySignedStruct</a><br> ) -> Result<<a class="struct" href="struct.HandshakeSignatureValid.html" title="struct rustls::HandshakeSignatureValid">HandshakeSignatureValid</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>> { ... } |
| <span class="item-spacer"></span> fn <a href="#method.verify_tls13_signature" class="fnname">verify_tls13_signature</a>(<br> &self,<br> message: &[u8],<br> cert: &<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>,<br> dss: &<a class="struct" href="internal/msgs/handshake/struct.DigitallySignedStruct.html" title="struct rustls::internal::msgs::handshake::DigitallySignedStruct">DigitallySignedStruct</a><br> ) -> Result<<a class="struct" href="struct.HandshakeSignatureValid.html" title="struct rustls::HandshakeSignatureValid">HandshakeSignatureValid</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>> { ... } |
| <span class="item-spacer"></span> fn <a href="#method.supported_verify_schemes" class="fnname">supported_verify_schemes</a>(&self) -> Vec<<a class="enum" href="internal/msgs/enums/enum.SignatureScheme.html" title="enum rustls::internal::msgs::enums::SignatureScheme">SignatureScheme</a>> { ... } |
| }</code></pre></div><details class="rustdoc-toggle top-doc" open><summary class="hideme"><span>Expand description</span></summary><div class="docblock"><p>Something that can verify a client certificate chain</p> |
| </div></details><h2 id="required-methods" class="small-section-header">Required Methods<a href="#required-methods" class="anchor"></a></h2><div class="methods"><details class="rustdoc-toggle method-toggle" open><summary><section id="tymethod.client_auth_root_subjects" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#179-182">source</a><h4 class="code-header">fn <a href="#tymethod.client_auth_root_subjects" class="fnname">client_auth_root_subjects</a>(<br> &self,<br> sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>><br>) -> Option<<a class="type" href="internal/msgs/handshake/type.DistinguishedNames.html" title="type rustls::internal::msgs::handshake::DistinguishedNames">DistinguishedNames</a>></h4></section></summary><div class="docblock"><p>Returns the subject names of the client authentication trust anchors to |
| share with the client when requesting client authentication.</p> |
| <p>Return <code>None</code> to abort the connection.</p> |
| <p><code>sni</code> is the server name quoted by the client in its ClientHello; it has |
| been validated as a proper DNS name but is otherwise untrusted.</p> |
| </div></details><details class="rustdoc-toggle method-toggle" open><summary><section id="tymethod.verify_client_cert" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#188-192">source</a><h4 class="code-header">fn <a href="#tymethod.verify_client_cert" class="fnname">verify_client_cert</a>(<br> &self,<br> presented_certs: &[<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>],<br> sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>><br>) -> Result<<a class="struct" href="struct.ClientCertVerified.html" title="struct rustls::ClientCertVerified">ClientCertVerified</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>></h4></section></summary><div class="docblock"><p>Verify a certificate chain. <code>presented_certs</code> is the certificate chain from the client.</p> |
| <p><code>sni</code> is the server name quoted by the client in its ClientHello; it has |
| been validated as a proper DNS name but is otherwise untrusted.</p> |
| </div></details></div><h2 id="provided-methods" class="small-section-header">Provided Methods<a href="#provided-methods" class="anchor"></a></h2><div class="methods"><details class="rustdoc-toggle method-toggle" open><summary><section id="method.offer_client_auth" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#158-160">source</a><h4 class="code-header">fn <a href="#method.offer_client_auth" class="fnname">offer_client_auth</a>(&self) -> bool</h4></section></summary><div class="docblock"><p>Returns <code>true</code> to enable the server to request a client certificate and |
| <code>false</code> to skip requesting a client certificate. Defaults to <code>true</code>.</p> |
| </div></details><details class="rustdoc-toggle method-toggle" open><summary><section id="method.client_auth_mandatory" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#168-170">source</a><h4 class="code-header">fn <a href="#method.client_auth_mandatory" class="fnname">client_auth_mandatory</a>(&self, _sni: Option<&<a class="struct" href="../webpki/name/struct.DNSName.html" title="struct webpki::name::DNSName">DNSName</a>>) -> Option<bool></h4></section></summary><div class="docblock"><p>Return <code>Some(true)</code> to require a client certificate and <code>Some(false)</code> to make |
| client authentication optional. Return <code>None</code> to abort the connection. |
| Defaults to <code>Some(self.offer_client_auth())</code>.</p> |
| <p><code>sni</code> is the server name quoted by the client in its ClientHello; it has |
| been validated as a proper DNS name but is otherwise untrusted.</p> |
| </div></details><details class="rustdoc-toggle method-toggle" open><summary><section id="method.verify_tls12_signature" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#213-220">source</a><h4 class="code-header">fn <a href="#method.verify_tls12_signature" class="fnname">verify_tls12_signature</a>(<br> &self,<br> message: &[u8],<br> cert: &<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>,<br> dss: &<a class="struct" href="internal/msgs/handshake/struct.DigitallySignedStruct.html" title="struct rustls::internal::msgs::handshake::DigitallySignedStruct">DigitallySignedStruct</a><br>) -> Result<<a class="struct" href="struct.HandshakeSignatureValid.html" title="struct rustls::HandshakeSignatureValid">HandshakeSignatureValid</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>></h4></section></summary><div class="docblock"><p>Verify a signature allegedly by the given server certificate.</p> |
| <p><code>message</code> is not hashed, and needs hashing during the verification. |
| The signature and algorithm are within <code>dss</code>. <code>cert</code> contains the |
| public key to use.</p> |
| <p><code>cert</code> is the same certificate that was previously validated by a |
| call to <code>verify_server_cert</code>.</p> |
| <p>If and only if the signature is valid, return HandshakeSignatureValid. |
| Otherwise, return an error – rustls will send an alert and abort the |
| connection.</p> |
| <p>This method is only called for TLS1.2 handshakes. Note that, in TLS1.2, |
| SignatureSchemes such as <code>SignatureScheme::ECDSA_NISTP256_SHA256</code> are not |
| in fact bound to the specific curve implied in their name.</p> |
| <p>This trait method has a default implementation that uses webpki to verify |
| the signature.</p> |
| </div></details><details class="rustdoc-toggle method-toggle" open><summary><section id="method.verify_tls13_signature" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#234-241">source</a><h4 class="code-header">fn <a href="#method.verify_tls13_signature" class="fnname">verify_tls13_signature</a>(<br> &self,<br> message: &[u8],<br> cert: &<a class="struct" href="struct.Certificate.html" title="struct rustls::Certificate">Certificate</a>,<br> dss: &<a class="struct" href="internal/msgs/handshake/struct.DigitallySignedStruct.html" title="struct rustls::internal::msgs::handshake::DigitallySignedStruct">DigitallySignedStruct</a><br>) -> Result<<a class="struct" href="struct.HandshakeSignatureValid.html" title="struct rustls::HandshakeSignatureValid">HandshakeSignatureValid</a>, <a class="enum" href="enum.TLSError.html" title="enum rustls::TLSError">TLSError</a>></h4></section></summary><div class="docblock"><p>Verify a signature allegedly by the given server certificate.</p> |
| <p>This method is only called for TLS1.3 handshakes.</p> |
| <p>This method is very similar to <code>verify_tls12_signature</code>: but note the |
| tighter ECDSA SignatureScheme semantics – eg <code>SignatureScheme::ECDSA_NISTP256_SHA256</code> |
| must only validate signatures using public keys on the right curve – |
| rustls does not enforce this requirement for you.</p> |
| <p>This trait method has a default implementation that uses webpki to verify |
| the signature.</p> |
| </div></details><details class="rustdoc-toggle method-toggle" open><summary><section id="method.supported_verify_schemes" class="method has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#250-252">source</a><h4 class="code-header">fn <a href="#method.supported_verify_schemes" class="fnname">supported_verify_schemes</a>(&self) -> Vec<<a class="enum" href="internal/msgs/enums/enum.SignatureScheme.html" title="enum rustls::internal::msgs::enums::SignatureScheme">SignatureScheme</a>></h4></section></summary><div class="docblock"><p>Return the list of SignatureSchemes that this verifier will handle, |
| in <code>verify_tls12_signature</code> and <code>verify_tls13_signature</code> calls.</p> |
| <p>This should be in priority order, with the most preferred first.</p> |
| <p>This trait mehod has a default implementation that reflects the schemes |
| supported by webpki.</p> |
| </div></details></div><h2 id="implementors" class="small-section-header">Implementors<a href="#implementors" class="anchor"></a></h2><div id="implementors-list"><section id="impl-ClientCertVerifier-for-AllowAnyAnonymousOrAuthenticatedClient" class="impl has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#426-451">source</a><a href="#impl-ClientCertVerifier-for-AllowAnyAnonymousOrAuthenticatedClient" class="anchor"></a><h3 class="code-header">impl <a class="trait" href="trait.ClientCertVerifier.html" title="trait rustls::ClientCertVerifier">ClientCertVerifier</a> for <a class="struct" href="struct.AllowAnyAnonymousOrAuthenticatedClient.html" title="struct rustls::AllowAnyAnonymousOrAuthenticatedClient">AllowAnyAnonymousOrAuthenticatedClient</a></h3></section><section id="impl-ClientCertVerifier-for-AllowAnyAuthenticatedClient" class="impl has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#371-403">source</a><a href="#impl-ClientCertVerifier-for-AllowAnyAuthenticatedClient" class="anchor"></a><h3 class="code-header">impl <a class="trait" href="trait.ClientCertVerifier.html" title="trait rustls::ClientCertVerifier">ClientCertVerifier</a> for <a class="struct" href="struct.AllowAnyAuthenticatedClient.html" title="struct rustls::AllowAnyAuthenticatedClient">AllowAnyAuthenticatedClient</a></h3></section><section id="impl-ClientCertVerifier-for-NoClientAuth" class="impl has-srclink"><a class="srclink rightside" href="../src/rustls/verify.rs.html#463-482">source</a><a href="#impl-ClientCertVerifier-for-NoClientAuth" class="anchor"></a><h3 class="code-header">impl <a class="trait" href="trait.ClientCertVerifier.html" title="trait rustls::ClientCertVerifier">ClientCertVerifier</a> for <a class="struct" href="struct.NoClientAuth.html" title="struct rustls::NoClientAuth">NoClientAuth</a></h3></section></div><script src="../implementors/rustls/verify/trait.ClientCertVerifier.js" async></script></section></div></main><div id="rustdoc-vars" data-root-path="../" data-current-crate="rustls" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |
