From 3457f9203226f88524b31bf5d64ce6e5ec7c993c Mon Sep 17 00:00:00 2001
From: tottoto
Date: Sat, 15 Jun 2024 21:10:35 +0900
Subject: [PATCH] feat(tls): Add ability to add multiple ca certificates (#1724)
* feat(tls): Add ability to add multiple ca certificates
* feat(tls): Add method to add multiple ca certificates at once
---
 tonic/src/transport/channel/tls.rs | 22 ++++++++++++++--------
 tonic/src/transport/service/connector.rs | 2 +-
 tonic/src/transport/service/tls.rs | 4 ++--
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
index 346071fad..a3c64a65c 100644
--- a/tonic/src/transport/channel/tls.rs
+++ b/tonic/src/transport/channel/tls.rs
@@ -10,7 +10,7 @@ use std::fmt;
 #[derive(Clone, Default)]
 pub struct ClientTlsConfig {
 domain: Option,
- cert: Option,
+ certs: Vec,
 identity: Option,
 assume_http2: bool,
 }
@@ -19,7 +19,7 @@ impl fmt::Debug for ClientTlsConfig {
 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 f.debug_struct("ClientTlsConfig")
 .field("domain", &self.domain)
- .field("cert", &self.cert)
+ .field("certs", &self.certs)
 .field("identity", &self.identity)
 .finish()
 }
@@ -30,7 +30,7 @@ impl ClientTlsConfig {
 pub fn new() -> Self {
 ClientTlsConfig {
 domain: None,
- cert: None,
+ certs: Vec::new(),
 identity: None,
 assume_http2: false,
 }
@@ -46,10 +46,16 @@ impl ClientTlsConfig {
 /// Sets the CA Certificate against which to verify the server's TLS certificate.
 pub fn ca_certificate(self, ca_certificate: Certificate) -> Self {
- ClientTlsConfig {
- cert: Some(ca_certificate),
- ..self
- }
+ let mut certs = self.certs;
+ certs.push(ca_certificate);
+ ClientTlsConfig { certs, ..self }
+ }
+
+ /// Sets the multiple CA Certificates against which to verify the server's TLS certificate.
+ pub fn ca_certificates(self, ca_certificates: impl IntoIterator) -> Self {
+ let mut certs = self.certs;
+ certs.extend(ca_certificates);
+ ClientTlsConfig { certs, ..self }
 }
 /// Sets the client identity to present to the server.
@@ -75,7 +81,7 @@ impl ClientTlsConfig {
 None => uri.host().ok_or_else(Error::new_invalid_uri)?,
 };
 TlsConnector::new(
- self.cert.clone(),
+ self.certs.clone(),
 self.identity.clone(),
 domain,
 self.assume_http2,
diff --git a/tonic/src/transport/service/connector.rs b/tonic/src/transport/service/connector.rs
index 978441d75..4c73d13f2 100644
--- a/tonic/src/transport/service/connector.rs
+++ b/tonic/src/transport/service/connector.rs
@@ -65,7 +65,7 @@ impl Connector {
 _ => return None,
 };
- TlsConnector::new(None, None, host, self.assume_http2).ok()
+ TlsConnector::new(Vec::new(), None, host, self.assume_http2).ok()
 }
 }
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
index 2ce9dc5da..0e38d87ee 100644
--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -39,7 +39,7 @@ pub(crate) struct TlsConnector {
 impl TlsConnector {
 pub(crate) fn new(
- ca_cert: Option,
+ ca_certs: Vec,
 identity: Option,
 domain: &str,
 assume_http2: bool,
@@ -53,7 +53,7 @@ impl TlsConnector {
 #[cfg(feature = "tls-webpki-roots")]
 roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
- if let Some(cert) = ca_cert {
+ for cert in ca_certs {
 add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
 }
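Review bot: The doc comments on `ca_certificate` and the new `ca_certificates` in the first hunk still say "Sets", but both new bodies push or extend onto `self.certs`, so a second call now accumulates trust anchors where the removed `cert: Some(ca_certificate)` replaced the previous one; since every certificate collected here ends up in the root store that verifies the server (see the `for cert in ca_certs` loop in the last hunk), the docs should say that explicitly. Suggest `/// Adds a CA certificate to the set against which the server's TLS certificate is verified; repeated calls accumulate rather than replace.` for `ca_certificate` and the matching wording for `ca_certificates`. The two methods also duplicate the move-push-rebuild sequence; `ca_certificate` could delegate with `self.ca_certificates(std::iter::once(ca_certificate))`. The enclosing `impl ClientTlsConfig` block starts and ends outside the hunk.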