From cf79e201a498e387cbea7af1e7532efe6346d3bd Mon Sep 17 00:00:00 2001
From: tottoto
Date: Thu, 13 Jun 2024 07:31:03 +0900
Subject: [PATCH 1/2] feat(tls): Add ability to add multiple ca certificates

---
 tonic/src/transport/channel/tls.rs | 15 +++++++--------
 tonic/src/transport/service/connector.rs | 2 +-
 tonic/src/transport/service/tls.rs | 4 ++--
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
index 346071fad..ee35d7801 100644
--- a/tonic/src/transport/channel/tls.rs
+++ b/tonic/src/transport/channel/tls.rs
@@ -10,7 +10,7 @@ use std::fmt;
 #[derive(Clone, Default)]
 pub struct ClientTlsConfig {
 domain: Option,
- cert: Option,
+ certs: Vec,
 identity: Option,
 assume_http2: bool,
 }
@@ -19,7 +19,7 @@ impl fmt::Debug for ClientTlsConfig {
 fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
 f.debug_struct("ClientTlsConfig")
 .field("domain", &self.domain)
- .field("cert", &self.cert)
+ .field("certs", &self.certs)
 .field("identity", &self.identity)
 .finish()
 }
@@ -30,7 +30,7 @@ impl ClientTlsConfig {
 pub fn new() -> Self {
 ClientTlsConfig {
 domain: None,
- cert: None,
+ certs: Vec::new(),
 identity: None,
 assume_http2: false,
 }
@@ -46,10 +46,9 @@ impl ClientTlsConfig {
 
 /// Sets the CA Certificate against which to verify the server's TLS certificate.
 pub fn ca_certificate(self, ca_certificate: Certificate) -> Self {
- ClientTlsConfig {
- cert: Some(ca_certificate),
- ..self
- }
+ let mut certs = self.certs;
+ certs.push(ca_certificate);
+ ClientTlsConfig { certs, ..self }
 }
 
 /// Sets the client identity to present to the server.
@@ -75,7 +74,7 @@ impl ClientTlsConfig {
 None => uri.host().ok_or_else(Error::new_invalid_uri)?,
 };
 TlsConnector::new(
- self.cert.clone(),
+ self.certs.clone(),
 self.identity.clone(),
 domain,
 self.assume_http2,
diff --git a/tonic/src/transport/service/connector.rs b/tonic/src/transport/service/connector.rs
index 978441d75..4c73d13f2 100644
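Review bot: In the `@@ -46,10 +46,9 @@` hunk the doc comment on `ca_certificate` still says it *sets* the CA certificate, but the new body pushes onto `self.certs`, so a second call now adds a trust anchor instead of replacing the first; a caller that relied on the old replace semantics to override a CA will silently end up trusting both. Reword it to state the accumulation, e.g. `/// Adds a CA certificate to the set of trust anchors used to verify the server's TLS certificate; certificates added earlier are kept.` The new `certs` field in the `@@ -10,7 +10,7 @@` hunk is undocumented and would benefit from a one-line comment saying the connector trusts the union of every entry. Separately, in the `@@ -19,7 +19,7 @@` hunk `.field("certs", &self.certs)` now emits the `Debug` form of every certificate, which could be very long if `Certificate`'s `Debug` prints the PEM bytes — that impl isn't visible here, so confirm before switching to something like `self.certs.len()`.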
--- a/tonic/src/transport/service/connector.rs
+++ b/tonic/src/transport/service/connector.rs
@@ -65,7 +65,7 @@ impl Connector {
 _ => return None,
 };
 
- TlsConnector::new(None, None, host, self.assume_http2).ok()
+ TlsConnector::new(Vec::new(), None, host, self.assume_http2).ok()
 }
 }
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
index 2ce9dc5da..0e38d87ee 100644
--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -39,7 +39,7 @@ pub(crate) struct TlsConnector {
 
 impl TlsConnector {
 pub(crate) fn new(
- ca_cert: Option,
+ ca_certs: Vec,
 identity: Option,
 domain: &str,
 assume_http2: bool,
@@ -53,7 +53,7 @@ impl TlsConnector {
 #[cfg(feature = "tls-webpki-roots")]
 roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 
- if let Some(cert) = ca_cert {
+ for cert in ca_certs {
 add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
 }
 

From 2c3ebee04a548460ca20be69860b3577548a6d57 Mon Sep 17 00:00:00 2001
From: tottoto
Date: Sat, 15 Jun 2024 09:11:23 +0900
Subject: [PATCH 2/2] feat(tls): Add method to add multiple ca certificates at once

---
 tonic/src/transport/channel/tls.rs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
index ee35d7801..a3c64a65c 100644
--- a/tonic/src/transport/channel/tls.rs
+++ b/tonic/src/transport/channel/tls.rs
@@ -51,6 +51,13 @@ impl ClientTlsConfig {
 ClientTlsConfig { certs, ..self }
 }
 
+ /// Sets the multiple CA Certificates against which to verify the server's TLS certificate.
+ pub fn ca_certificates(self, ca_certificates: impl IntoIterator) -> Self {
+ let mut certs = self.certs;
+ certs.extend(ca_certificates);
+ ClientTlsConfig { certs, ..self }
+ }
+
 /// Sets the client identity to present to the server.
 pub fn identity(self, identity: Identity) -> Self {
 ClientTlsConfig {
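Review bot: In the `@@ -53,7 +53,7 @@` hunk of service/tls.rs the new `for cert in ca_certs` loop has a property worth documenting on `TlsConnector::new` (whose signature is in the `@@ -39,7 +39,7 @@` hunk and whose body continues outside both): each entry is passed through `add_certs_from_pem` into the same `roots` store that `webpki_roots::TLS_SERVER_ROOTS` populates first when that feature is on, and a parse failure in any one entry aborts the whole constructor via `?` rather than skipping that entry, so a single malformed bundle disables the connector. A doc comment along the lines of `/// ca_certs: PEM trust anchors appended to the root store after the webpki roots (if enabled); every entry must parse, or construction fails.` on the parameter would capture that. The caller in channel/tls.rs clones the whole `Vec` (`self.certs.clone()`) for every connector it builds; if `Certificate` implements `AsRef<[u8]>`, the loop could iterate `&self.certs` and hand `Cursor::new` a reference instead, but that impl isn't visible in this diff.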
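Review bot: The doc comment added for `ca_certificates` ("Sets the multiple CA Certificates …") does not say that the method extends the existing list rather than replacing it, which is exactly what someone auditing the trust anchors of a channel needs to know; suggest `/// Adds CA certificates to the set of trust anchors used to verify the server's TLS certificate. Certificates added earlier are kept; an empty iterator leaves the set unchanged.` As a style point, `ca_certificate` (its tail is visible as context at the top of this hunk) now duplicates this body and could delegate with `self.ca_certificates(std::iter::once(ca_certificate))` so the two stay consistent. The `impl IntoIterator` bound shows no `Item` type in this rendering, which is most likely an extraction artefact given that `certs.extend(ca_certificates)` requires one; worth a glance at the real source anyway.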