feat:tofu certificate validation #193
Conversation
- Added using to persist server certificates - Integrated TOFU verification in for both OpenSSL and Rustls backends when domain validation is disabled - Implemented for Rustls to handle custom certificate validation logic - Added and variants to the enum. - Added dependency in
- verifies initial certificate storage on first use - ensures stored certificates are retrieved correctly - tests certificate updates and replacement - confirms data persistence across store instances - tests handling of large certificates and empty certificates
Remove concrete SQLite implementation and replace with TofuStore trait to allow flexible certificate storage backends. This provides better flexibility for users to implement custom certificate storage. This change: - Removes rusqlite dependency - Create a trait with get_certificate/set_certificate methods - Updates `raw_client.rs` to accept TofuStore implementations - Adds new_ssl_with_tofu constructors for SSL clients implementations - Refactors TofuVerifier to use trait instead of concrete implementation - Updates TOFU tests to use in-memory implementation
This allows users to use the TOFU flow directly through the high-level API by providing a store implementation in the - Update to automatically establish TOFU-validated SSL connections when a store is provided in the configuration - Add the field to the struct to support Trust On First Use (TOFU) validation. Also change to allow injecting custom store implementations through the builder pattern
Add examples/tofu.rs, demonstrating Trust On First Use (TOFU) certificate validation for SSL connections. The example shows how to implement a custom TofuStore and how to configure a client to use TOFU for secure certificate verification. It uses a simple in-memory TofuStore implementation for demonstration purposes only.
lucasdbr05
changed the title
tnull
left a comment
tnull
left a comment
There was a problem hiding this comment.
Took an initial quick look and added some comments (though have yet to do a full review). Though before I proceed, please rewrite the commit history to avoid changing the approach mid-history. Basically, you should try to avoid to touch the same code paths in following commits as far as possible.
Given the code structure and verbosity I'm also suspecting that some form of AI agent was involved here. If this is indeed the case, please note that it is best practice to disclose such use in the PR and commit descriptions.
|
|
||
| /// A trait for storing and retrieving TOFU (Trust On First Use) certificate data. | ||
| /// Implementors of this trait are responsible for persisting certificate data and retrieving it based on the host. | ||
| pub trait TofuStore: Send + Sync + Debug { |
There was a problem hiding this comment.
Why does this need to be Send + Sync?
There was a problem hiding this comment.
I did it this way to ensure that the Client remains thread-safe for concurrent applications, so I designed it to allow the store to be shared and safely accessed across multiple threads via an Arc.
There was a problem hiding this comment.
I guess? Though the Rust compiler should usually infer the bounds when needed.
| /// when ssl, validate the domain, default true | ||
| validate_domain: bool, | ||
| /// TOFU store for certificate validation | ||
| tofu_store: Option<Arc<dyn TofuStore>>, |
There was a problem hiding this comment.
As mentioned over at the issue, it would likely be preferable to add this via a separate constructor. Having an Arc<dyn ..> in a config is rather odd, as it mixes code and data, basically.
| .connect(&domain, stream) | ||
| .map_err(Error::SslHandshakeError)?; | ||
|
|
||
| if !validate_domain { |
There was a problem hiding this comment.
Not quite sure why we here error out? Care to explain?
| builder.set_verify(SslVerifyMode::NONE); | ||
| let connector = builder.build(); | ||
|
|
||
| let domain = socket_addrs.domain().unwrap_or("NONE").to_string(); |
There was a problem hiding this comment.
No, if we don't have a domain we should just abort rather than try to connect to NONE?
There was a problem hiding this comment.
That makes sense, I’ll update it.
First of all, thanks for the feedback. When rewriting the history, the best approach would be to avoid keeping commits that record my refactor from persistence-based usage to the trait-based approach, right? |
Yes, this would be preferable. Basically, you could just do a |
oleonardolima
left a comment
oleonardolima
left a comment
There was a problem hiding this comment.
I agree with tnull's comments above, you should narrow it down to few commits, for example: feat(tofu): add tofu store mod; feat(client): add new tofu method/feature, docs(example): add new tofu example.
Also, it's best if it's added under a new feature, and by a separate constructor. I don't think many changes to already-existing methods are needed, maybe it's something remaining from previous changes you did.
It's failing in CI, please make sure that everything is building successfully and passing CI too.
|
|
||
| let builder = ClientConfig::builder(); | ||
|
|
||
| let domain = socket_addr.domain().unwrap_or("NONE").to_string(); |
There was a problem hiding this comment.
Same as tnull's previous comment, it should error-out and it's been handled below.
| let error_msg = format!("{}", e); | ||
| if error_msg.contains("TLS certificate changed") { | ||
| Error::TlsCertificateChanged(domain.clone()) | ||
| } else if error_msg.contains("TOFU") { | ||
| Error::TofuPersistError(error_msg) | ||
| } else { | ||
| Error::CouldNotCreateConnection(e) | ||
| } |
There was a problem hiding this comment.
IMHO it's not ideal to handle the error variants by checking if it contains certain strings on it, you should properly return an map a new error variant where needed.
3 participants
What does this merge request do?
This feature (see the reference issue #176) adds SSL certificate validation based on Trust On First Use (TOFU), storing the certificate on the first connection and verifying its consistency on subsequent connections.
It is implemented via the
TofuStoretrait, which allows customizable certificate persistence.Clientconfiguration SSL client initialization flow to accept a TofuStore via ConfigBuilder.examplesdirectory and scripts to demonstrate how TOFU can be integrated and used in practice.