Merge pull request #160 from cyang1/no-roots

sfackler · web-flow · commit 97b77f423a74 · 2020-04-29T20:05:45.000-04:00
Implement bindings to only use supplied root certificates for validating the server
diff --git a/Cargo.toml b/Cargo.toml
@@ -22,8 +22,8 @@ schannel = "0.1.16"
 
 [target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "ios")))'.dependencies]
 log = "0.4.5"
-openssl = "0.10.25"
-openssl-sys = "0.9.30"
+openssl = "0.10.29"
+openssl-sys = "0.9.55"
 openssl-probe = "0.1"
 
 [dev-dependencies]
diff --git a/src/imp/openssl.rs b/src/imp/openssl.rs
@@ -10,7 +10,7 @@ use self::openssl::ssl::{
     self, MidHandshakeSslStream, SslAcceptor, SslConnector, SslContextBuilder, SslMethod,
     SslVerifyMode,
 };
-use self::openssl::x509::{X509, X509VerifyResult};
+use self::openssl::x509::{X509, store::X509StoreBuilder, X509VerifyResult};
 use std::error;
 use std::fmt;
 use std::io;
@@ -264,6 +264,10 @@ impl TlsConnector {
         }
         supported_protocols(builder.min_protocol, builder.max_protocol, &mut connector)?;
 
+        if builder.disable_built_in_roots {
+            connector.set_cert_store(X509StoreBuilder::new()?.build());
+        }
+
         for cert in &builder.root_certificates {
             if let Err(err) = connector.cert_store_mut().add_cert((cert.0).0.clone()) {
                 debug!("add_cert error: {:?}", err);
diff --git a/src/imp/schannel.rs b/src/imp/schannel.rs
@@ -185,6 +185,7 @@ pub struct TlsConnector {
     use_sni: bool,
     accept_invalid_hostnames: bool,
     accept_invalid_certs: bool,
+    disable_built_in_roots: bool,
 }
 
 impl TlsConnector {
@@ -203,6 +204,7 @@ impl TlsConnector {
             use_sni: builder.use_sni,
             accept_invalid_hostnames: builder.accept_invalid_hostnames,
             accept_invalid_certs: builder.accept_invalid_certs,
+            disable_built_in_roots: builder.disable_built_in_roots,
         })
     }
 
@@ -224,6 +226,28 @@ impl TlsConnector {
             .accept_invalid_hostnames(self.accept_invalid_hostnames);
         if self.accept_invalid_certs {
             builder.verify_callback(|_| Ok(()));
+        } else if self.disable_built_in_roots {
+            let roots_copy = self.roots.clone();
+            builder.verify_callback(move |res| {
+                if let Err(err) = res.result() {
+                    // Propagate previous error encountered during normal cert validation.
+                    return Err(err);
+                }
+
+                if let Some(chain) = res.chain() {
+                    if chain
+                        .certificates()
+                        .any(|cert| roots_copy.certs().any(|root_cert| root_cert == cert))
+                    {
+                        return Ok(());
+                    }
+                }
+
+                Err(io::Error::new(
+                    io::ErrorKind::Other,
+                    "unable to find any user-specified roots in the final cert chain",
+                ))
+            });
         }
         match builder.connect(cred, stream) {
             Ok(s) => Ok(TlsStream(s)),
diff --git a/src/imp/security_framework.rs b/src/imp/security_framework.rs
@@ -262,6 +262,7 @@ pub struct TlsConnector {
     use_sni: bool,
     danger_accept_invalid_hostnames: bool,
     danger_accept_invalid_certs: bool,
+    disable_built_in_roots: bool,
 }
 
 impl TlsConnector {
@@ -278,6 +279,7 @@ impl TlsConnector {
             use_sni: builder.use_sni,
             danger_accept_invalid_hostnames: builder.accept_invalid_hostnames,
             danger_accept_invalid_certs: builder.accept_invalid_certs,
+            disable_built_in_roots: builder.disable_built_in_roots,
         })
     }
 
@@ -299,6 +301,7 @@ impl TlsConnector {
         builder.use_sni(self.use_sni);
         builder.danger_accept_invalid_hostnames(self.danger_accept_invalid_hostnames);
         builder.danger_accept_invalid_certs(self.danger_accept_invalid_certs);
+        builder.trust_anchor_certificates_only(self.disable_built_in_roots);
 
         match builder.handshake(domain, stream) {
             Ok(stream) => Ok(TlsStream { stream, cert: None }),
diff --git a/src/lib.rs b/src/lib.rs
@@ -327,6 +327,7 @@ pub struct TlsConnectorBuilder {
     accept_invalid_certs: bool,
     accept_invalid_hostnames: bool,
     use_sni: bool,
+    disable_built_in_roots: bool,
 }
 
 impl TlsConnectorBuilder {
@@ -367,6 +368,14 @@ impl TlsConnectorBuilder {
         self
     }
 
+    /// Controls the use of built-in system certificates during certificate validation.
+    ///
+    /// Defaults to `false` -- built-in system certs will be used.
+    pub fn disable_built_in_roots(&mut self, disable: bool) -> &mut TlsConnectorBuilder {
+        self.disable_built_in_roots = disable;
+        self
+    }
+
     /// Controls the use of certificate validation.
     ///
     /// Defaults to `false`.
@@ -454,6 +463,7 @@ impl TlsConnector {
             use_sni: true,
             accept_invalid_certs: false,
             accept_invalid_hostnames: false,
+            disable_built_in_roots: false,
         }
     }
 
diff --git a/src/test.rs b/src/test.rs
@@ -50,6 +50,51 @@ mod tests {
         builder.connect("goggle.com", s).unwrap();
     }
 
+    #[test]
+    fn connect_no_root_certs() {
+        let builder = p!(TlsConnector::builder().disable_built_in_roots(true).build());
+        let s = p!(TcpStream::connect("google.com:443"));
+        assert!(builder.connect("google.com", s).is_err());
+    }
+
+    #[test]
+    fn server_no_root_certs() {
+        let buf = include_bytes!("../test/identity.p12");
+        let identity = p!(Identity::from_pkcs12(buf, "mypass"));
+        let builder = p!(TlsAcceptor::new(identity));
+
+        let listener = p!(TcpListener::bind("0.0.0.0:0"));
+        let port = p!(listener.local_addr()).port();
+
+        let j = thread::spawn(move || {
+            let socket = p!(listener.accept()).0;
+            let mut socket = p!(builder.accept(socket));
+
+            let mut buf = [0; 5];
+            p!(socket.read_exact(&mut buf));
+            assert_eq!(&buf, b"hello");
+
+            p!(socket.write_all(b"world"));
+        });
+
+        let root_ca = include_bytes!("../test/root-ca.der");
+        let root_ca = Certificate::from_der(root_ca).unwrap();
+
+        let socket = p!(TcpStream::connect(("localhost", port)));
+        let builder = p!(TlsConnector::builder()
+            .disable_built_in_roots(true)
+            .add_root_certificate(root_ca)
+            .build());
+        let mut socket = p!(builder.connect("foobar.com", socket));
+
+        p!(socket.write_all(b"hello"));
+        let mut buf = vec![];
+        p!(socket.read_to_end(&mut buf));
+        assert_eq!(buf, b"world");
+
+        p!(j.join());
+    }
+
     #[test]
     fn server() {
         let buf = include_bytes!("../test/identity.p12");
