rustls transport module certificate verifier improvement #6

csyJoy · 2024-10-12T09:53:11Z

rats-rs uses tokio-rustls as a dependency to support async tls and tokio-rustls uses rustls as its underlying implementation for certificate verification functionality. In rats-rs, we use custom certificate verifying functionality to verify TEE evidence, this is done by adding RatsClientVerifier/RatsServerVerifier struct instance which has implemented ClientCertVerifier/ClientCertVerifier trait to client/server configuration while building tls.

rats-rs/rats-rs/src/transport/rustls/client.rs

Lines 49 to 63 in 25a123d

    
           .set_certificate_verifier(Arc::new(RatsServerVerifier { 
        
               default_server_verifier: WebPkiServerVerifier::builder(Arc::new({ 
        
                   //XXX: only to bypass empty test of WebPkiServerVerifier 
        
                   let mut root = rustls::RootCertStore::empty(); 
        
                   let privkey = 
        
                       DefaultCrypto::gen_private_key(crate::crypto::AsymmetricAlgo::Rsa2048)?; 
        
                   let cert = CertBuilder::new(AutoAttester::new(), HashAlgo::Sha256) 
        
                       .build_with_private_key(&privkey) 
        
                       .await? 
        
                       .cert_to_der()?; 
        
                   root.add(cert.into())?; 
        
                   root 
        
               })) 
        
               .build()?, 
        
           }));

rats-rs/rats-rs/src/transport/rustls/server.rs

Lines 45 to 59 in 25a123d

    
           .with_client_cert_verifier(Arc::new(RatsClientVerifier { 
        
               default_client_verifier: WebPkiClientVerifier::builder(Arc::new({ 
        
                   //XXX: only to bypass empty test of WebPkiClientVerifier 
        
                   let mut root = rustls::RootCertStore::empty(); 
        
                   let privkey = 
        
                       DefaultCrypto::gen_private_key(crate::crypto::AsymmetricAlgo::Rsa2048)?; 
        
                   let cert = CertBuilder::new(AutoAttester::new(), HashAlgo::Sha256) 
        
                       .build_with_private_key(&privkey) 
        
                       .await? 
        
                       .cert_to_der()?; 
        
                   root.add(cert.into())?; 
        
                   root 
        
               })) 
        
               .build()?, 
        
           }))

The current RatsClientVerifier/RatsServerVerifier wrapper a WebPkiClientVerifier/WebPkiServerVerifier as the default certificate verify logic, but actually there is no need to add such default certificate verify logic since rats-rs cert module has already implemented this. Things get complicated because ClientCertVerifier/ClientCertVerifier trait not only needs a certificate verifying method, but also other methods like message signature which aren't implemented in rats-rs.

The next step to improve RatsClientVerifier/RatsServerVerifier is trying to implement ClientCertVerifier/ClientCertVerifier trait without WebPkiClientVerifier/WebPkiServerVerifier.

The text was updated successfully, but these errors were encountered:

imlk0 added the enhancement New feature or request label Oct 17, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rustls transport module certificate verifier improvement #6

rustls transport module certificate verifier improvement #6

csyJoy commented Oct 12, 2024

rustls transport module certificate verifier improvement #6

rustls transport module certificate verifier improvement #6

Comments

csyJoy commented Oct 12, 2024