feat(tls): Add ability to add multiple ca certificates (#1724)
* feat(tls): Add ability to add multiple ca certificates

* feat(tls): Add method to add multiple ca certificates at once
tottoto authored Jun 15, 2024
1 parent 53cbd0e commit 3457f92
Showing 3 changed files with 17 additions and 11 deletions.
22 changes: 14 additions & 8 deletions tonic/src/transport/channel/tls.rs
Expand Up @@ -10,7 +10,7 @@ use std::fmt;
#[derive(Clone, Default)]
pub struct ClientTlsConfig {
domain: Option<String>,
cert: Option<Certificate>,
certs: Vec<Certificate>,
identity: Option<Identity>,
assume_http2: bool,
}
Expand All @@ -19,7 +19,7 @@ impl fmt::Debug for ClientTlsConfig {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("ClientTlsConfig")
.field("domain", &self.domain)
.field("cert", &self.cert)
.field("certs", &self.certs)
.field("identity", &self.identity)
.finish()
}
Expand All @@ -30,7 +30,7 @@ impl ClientTlsConfig {
pub fn new() -> Self {
ClientTlsConfig {
domain: None,
cert: None,
certs: Vec::new(),
identity: None,
assume_http2: false,
}
Expand All @@ -46,10 +46,16 @@ impl ClientTlsConfig {

/// Sets the CA Certificate against which to verify the server's TLS certificate.
pub fn ca_certificate(self, ca_certificate: Certificate) -> Self {
ClientTlsConfig {
cert: Some(ca_certificate),
..self
}
let mut certs = self.certs;
certs.push(ca_certificate);
ClientTlsConfig { certs, ..self }
}

/// Sets the multiple CA Certificates against which to verify the server's TLS certificate.
pub fn ca_certificates(self, ca_certificates: impl IntoIterator<Item = Certificate>) -> Self {
let mut certs = self.certs;
certs.extend(ca_certificates);
ClientTlsConfig { certs, ..self }
}

/// Sets the client identity to present to the server.
Expand All @@ -75,7 +81,7 @@ impl ClientTlsConfig {
None => uri.host().ok_or_else(Error::new_invalid_uri)?,
};
TlsConnector::new(
self.cert.clone(),
self.certs.clone(),
self.identity.clone(),
domain,
self.assume_http2,
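Review bot: `ca_certificate` now appends to `certs` instead of replacing it, but the doc comment directly above it still says "Sets the CA Certificate", so a caller that invokes it a second time expecting to swap the trust anchor will silently end up trusting both; the "Sets the multiple CA Certificates" wording on `ca_certificates` has the same problem. Suggest `/// Adds a CA certificate against which to verify the server's TLS certificate.` followed by a sentence such as `/// Repeated calls accumulate certificates; there is no way to remove one once added.`, and likewise `/// Adds multiple CA certificates against which to verify the server's TLS certificate.` on the new method. The rest of the `impl ClientTlsConfig` block, including the method that clones `certs` into `TlsConnector::new`, continues outside this hunk.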
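--- a/tonic/src/transport/service/connector.rs
+++ b/tonic/src/transport/service/connector.rs
@@ -65,7 +65,7 @@ impl<C> Connector<C> {
 _ => return None,
 };
 
-TlsConnector::new(None, None, host, self.assume_http2).ok()
+TlsConnector::new(Vec::new(), None, host, self.assume_http2).ok()
 }
 }
 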
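--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -39,7 +39,7 @@ pub(crate) struct TlsConnector {
 
 impl TlsConnector {
 pub(crate) fn new(
-ca_cert: Option<Certificate>,
+ca_certs: Vec<Certificate>,
 identity: Option<Identity>,
 domain: &str,
 assume_http2: bool,
@@ -53,7 +53,7 @@ impl TlsConnector {
 #[cfg(feature = "tls-webpki-roots")]
 roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 
-if let Some(cert) = ca_cert {
+for cert in ca_certs {
 add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
 }
 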
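Review bot: `new` takes `ca_certs: Vec<Certificate>` by value, which is what forces the caller in channel/tls.rs to `self.certs.clone()` every time a connector is built and connector.rs to pass `Vec::new()` for "no extra roots". `Cursor::new(cert)` only needs `AsRef<[u8]>`, and the blanket impl for references should make it compile for `&Certificate` as well, so the parameter could be `ca_certs: &[Certificate],` with the loop left as `for cert in ca_certs {`, letting the callers pass `&self.certs` and `&[]` instead of cloning every PEM per connection. If `Certificate` happens to need the owned value elsewhere in this function that would change the picture; `new` continues past the end of the hunk, so that part is not visible here.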
