Add client certificate validation.

Related to sfackler#161

Author: gxtaillon

src/imp/openssl.rs

@@ -16,7 +16,7 @@ use std::fmt;
 use std::io;
 use std::sync::Once;
 
-use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder};
+use {Protocol, TlsAcceptorBuilder, TlsConnectorBuilder, TlsClientCertificateVerification};
 use self::openssl::pkey::Private;
 
 #[cfg(have_min_max_version)]
@@ -307,6 +307,17 @@ impl TlsAcceptor {
         let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
         acceptor.set_private_key(&builder.identity.0.pkey)?;
         acceptor.set_certificate(&builder.identity.0.cert)?;
+
+        if let Some(client_ca_cert) = &builder.client_cert_verification_ca_cert {
+            acceptor.add_client_ca((client_ca_cert.0).0.as_ref())?;
+        }
+        let verify_mode = match &builder.client_cert_verification {
+            TlsClientCertificateVerification::DoNotRequestCertificate => SslVerifyMode::NONE,
+            TlsClientCertificateVerification::RequestCertificate => SslVerifyMode::PEER,
+            TlsClientCertificateVerification::RequireCertificate => SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT,
+        };
+        acceptor.set_verify(verify_mode);
+        
         for cert in builder.identity.0.chain.iter().rev() {
             acceptor.add_extra_chain_cert(cert.to_owned())?;
         }

src/lib.rs

@@ -482,11 +482,30 @@ impl TlsConnector {
     }
 }
 
+/// Client certificate verification modes
+pub enum TlsClientCertificateVerification {
+    /// The server will not request certificates from the client.
+    /// 
+    /// # Warning
+    /// The client will not be able to send any certificates with this setting.
+    DoNotRequestCertificate,
+    /// The server will request a certificate from the client, then will validate 
+    /// any certificate it receives. The client may choose not to send any.
+    RequestCertificate,
+    /// The server will request a certificate from the client, then will validate 
+    /// any certificate it receives or reject the connection none are provided.
+    RequireCertificate,
+}
+
 /// A builder for `TlsAcceptor`s.
 pub struct TlsAcceptorBuilder {
     identity: Identity,
     min_protocol: Option<Protocol>,
     max_protocol: Option<Protocol>,
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    client_cert_verification: TlsClientCertificateVerification,
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    client_cert_verification_ca_cert: Option<Certificate>
 }
 
 impl TlsAcceptorBuilder {
@@ -510,6 +529,26 @@ impl TlsAcceptorBuilder {
         self
     }
 
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    /// Sets the verification mode for client certificates.
+    /// 
+    /// Defaults to `TlsClientCertificateVerification::DoNotRequestCertificate`.
+    pub fn client_cert_verification(&mut self, client_cert_verification: TlsClientCertificateVerification) -> &mut TlsAcceptorBuilder {
+        self.client_cert_verification = client_cert_verification;
+        self
+    }
+
+    #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+    /// Sets which ca to tell the client is acceptable to send to the server.
+    /// 
+    /// A value of `None` will not tell the client it is acceptable to send certificates signed by any ca.
+    /// 
+    /// Defaults `None`.
+    pub fn client_cert_verification_ca_cert(&mut self, client_cert_verification_ca_cert: Option<Certificate>) -> &mut TlsAcceptorBuilder {
+        self.client_cert_verification_ca_cert = client_cert_verification_ca_cert;
+        self
+    }
+
     /// Creates a new `TlsAcceptor`.
     pub fn build(&self) -> Result<TlsAcceptor> {
         let acceptor = imp::TlsAcceptor::new(self)?;
@@ -574,6 +613,10 @@ impl TlsAcceptor {
             identity,
             min_protocol: Some(Protocol::Tlsv10),
             max_protocol: None,
+            #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+            client_cert_verification: TlsClientCertificateVerification::DoNotRequestCertificate,
+            #[cfg(not(any(target_os = "macos", target_os = "windows", target_os = "ios")))]
+            client_cert_verification_ca_cert: None
         }
     }