Struct PkiRpkContextBuilder

pub struct PkiRpkContextBuilder<'a, KTY: KeyType, V: CertVerificationMode> { /* private fields */ }

Builder for a PKI or RPK configuration context.

Implementations

impl<'a> PkiRpkContextBuilder<'a, Pki, NonCertVerifying>

pub fn verify_peer_cert(self) -> PkiRpkContextBuilder<'a, Pki, CertVerifying>

Enables PKI certificate verification of the peer’s certificate when using the built encryption context.

Note: While this will enable peer certificate validation, the other settings relating to certificate validation will not automatically be enabled. In particular, you might want to consider enabling certificate chain validation using PkiRpkContextBuilder::cert_chain_validation.

Depending on your circumstances, you might want to add additional root certificates using CoapContext::set_pki_root_cas.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting verify_peer_cert to 1 in the underlying [coap_dtls_pki_t] structure.

impl<'a> PkiRpkContextBuilder<'a, Pki, CertVerifying>

pub fn new<K: KeyDef<KeyType = Pki> + 'a>(key: K) -> Self

impl<'a, V: CertVerificationMode> PkiRpkContextBuilder<'a, Pki, V>

pub fn cn_validator(self, validator: impl PkiCnValidator + 'a) -> Self

Sets the common name validator for this encryption context.

The common name validator’s validate_cn function will be called after the TLS-level validation checks have been completed, in order to check whether the common name provided by the peer is allowed/as expected.

§Implementation details (informative, not covered by semver guarantees)

Setting a cn_validator will set the validate_cn_call_back of the underlying [coap_dtls_pki_t] to a wrapper function, which will then call the CN validator.

impl<'a> PkiRpkContextBuilder<'a, Rpk, NonCertVerifying>

pub fn rpk_validator(self, validator: impl RpkValidator + 'a) -> Self

Sets the raw public key validator for this encryption context.

The raw public key validator’s validate_rpk function will be called after the TLS-level validation checks have been completed in order to check whether the RPK provided by the peer is allowed/as expected.

§Implementation details (informative, not covered by semver guarantees)

Setting an RPK validator will set the validate_cn_call_back of the underlying [coap_dtls_pki_t] to a wrapper function, which will then call the RPK validator.
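Added example (not code from libcoap-rs or its documentation) of what a cn_validator and an rpk_validator implementation should decide once the TLS-level checks have run. The `CnValidator` and `RpkValidator` traits below, the `tls_validated` flag and the `rpk_der` byte slice are simplified assumptions standing in for the crate's PkiCnValidator and RpkValidator, whose exact signatures are not reproduced here. The CN validator shows the wildcard edge cases a name check has to get right; the RPK validator pins complete key bytes.

```rust
use std::collections::HashSet;

/// Simplified stand-ins for the crate's PkiCnValidator / RpkValidator traits
/// (assumed shapes, not the real signatures). `tls_validated` is assumed to
/// carry the outcome of the TLS-level checks that run before the callback.
pub trait CnValidator {
    fn validate_cn(&self, cn: &str, tls_validated: bool) -> bool;
}
pub trait RpkValidator {
    fn validate_rpk(&self, rpk_der: &[u8]) -> bool;
}

/// Matches a peer CN against one allowlist entry. An entry may start with
/// "*." and then matches exactly one left-most DNS label (RFC 6125 style):
/// it never spans a dot, never matches the bare parent domain and never
/// matches a partial label. Comparison is ASCII case-insensitive.
pub fn cn_matches(pattern: &str, cn: &str) -> bool {
    let cn = cn.to_ascii_lowercase();
    let pattern = pattern.to_ascii_lowercase();
    // A peer-supplied name must never contain a wildcard itself.
    if cn.is_empty() || cn.contains('*') {
        return false;
    }
    match pattern.strip_prefix("*.") {
        None => pattern == cn,
        Some(suffix) => {
            if suffix.is_empty() || suffix.contains('*') {
                return false;
            }
            match cn.split_once('.') {
                Some((first, rest)) => !first.is_empty() && rest == suffix,
                None => false,
            }
        }
    }
}

/// Accepts a CN only if TLS-level verification succeeded and the name is on
/// the allowlist; a name match never rescues a failed certificate check.
pub struct AllowlistCnValidator {
    patterns: Vec<String>,
}

impl AllowlistCnValidator {
    pub fn new(patterns: &[&str]) -> Self {
        Self { patterns: patterns.iter().map(|p| p.to_string()).collect() }
    }
}

impl CnValidator for AllowlistCnValidator {
    fn validate_cn(&self, cn: &str, tls_validated: bool) -> bool {
        tls_validated && self.patterns.iter().any(|p| cn_matches(p, cn))
    }
}

/// Pins complete DER-encoded public keys; the peer's key must match one of
/// them byte for byte, so a key of the right shape but a different value fails.
pub struct PinnedRpkValidator {
    pins: HashSet<Vec<u8>>,
}

impl PinnedRpkValidator {
    pub fn new(pins: &[&[u8]]) -> Self {
        Self { pins: pins.iter().map(|p| p.to_vec()).collect() }
    }
}

impl RpkValidator for PinnedRpkValidator {
    fn validate_rpk(&self, rpk_der: &[u8]) -> bool {
        self.pins.contains(rpk_der)
    }
}

fn main() {
    let cn = AllowlistCnValidator::new(&["api.example.com", "*.sensors.example.com"]);
    for name in ["API.example.com", "node7.sensors.example.com", "x.node7.sensors.example.com", "sensors.example.com"] {
        println!("{name}: {}", cn.validate_cn(name, true));
    }
    // Constructed placeholder bytes standing in for a real DER SubjectPublicKeyInfo.
    let pinned_key: &[u8] = &[0x30, 0x59, 0x30, 0x13, 0x06, 0x07];
    let rpk = PinnedRpkValidator::new(&[pinned_key]);
    println!("pinned key accepted: {}", rpk.validate_rpk(pinned_key));
    println!("altered key accepted: {}", rpk.validate_rpk(&[0x30, 0x59, 0x30, 0x13, 0x06, 0x08]));
}
```

The important design choice is that both validators are pure allow decisions layered on top of the TLS result: the CN check cannot turn a failed chain verification into a success, and the RPK check accepts nothing that is not pinned in advance.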

impl<'a, KTY: KeyType> PkiRpkContextBuilder<'a, KTY, NonCertVerifying>

pub fn new<K: KeyDef<KeyType = KTY> + 'a>(key: K) -> Self

Creates a new context builder with the given key as the default key to use.

§Implementation details (informative, not covered by semver guarantees)

Providing a raw public key will set is_rpk_not_cert to 1 in the underlying [coap_dtls_pki_t] structure. pki_key will be set to the provided key regardless of key type.

impl<KTY: KeyType, V: CertVerificationMode> PkiRpkContextBuilder<'_, KTY, V>

pub fn use_cid(self, use_cid: bool) -> Self

Enables/disables use of DTLS connection identifiers (RFC 9146) for the built context if used in a client-side session.

For server-side sessions, this setting is ignored, and connection identifiers will always be used if supported by the underlying DTLS library.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting use_cid in the underlying [coap_dtls_pki_t] structure.

pub fn client_sni( self, client_sni: impl Into<Vec<u8>>, ) -> Result<Self, NulError>

Sets the server name indication that should be sent to servers if the built PkiRpkContext is used in a client-side session.

client_sni should be convertible into a byte string that does not contain null bytes. Typically, you would provide a &str or String.

§Errors

Will return NulError if the provided byte string contains null bytes.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting client_sni in the underlying [coap_dtls_pki_t] structure.

The provided client_sni will be converted into a Box<[u8]>, which will be owned and stored by the built context.

impl<KTY: KeyType> PkiRpkContextBuilder<'_, KTY, CertVerifying>

pub fn check_common_ca(self, check_common_ca: bool) -> Self

Enables or disables checking whether both peers’ certificates are signed by the same CA.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting check_common_ca in the underlying [coap_dtls_pki_t] structure.

pub fn allow_self_signed(self, allow_self_signed: bool) -> Self

Allows or disallows use of self-signed certificates by the peer.

If check_common_ca has been enabled, this setting will be ignored.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_self_signed in the underlying [coap_dtls_pki_t] structure.

pub fn allow_expired_certs(self, allow_expired_certs: bool) -> Self

Allows or disallows usage of expired certificates by the peer.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_expired_certs in the underlying [coap_dtls_pki_t] structure.

pub fn cert_chain_validation(self, cert_chain_verify_depth: u8) -> Self

Enables or disables verification of the entire certificate chain (up to cert_chain_verify_depth).

If cert_chain_verify_depth is 0, certificate chain validation is disabled.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting cert_chain_verify_depth and cert_chain_validation in the underlying [coap_dtls_pki_t] structure.

pub fn check_cert_revocation(self, check_cert_revocation: bool) -> Self

Enables or disables certificate revocation checking.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting check_cert_revocation in the underlying [coap_dtls_pki_t] structure.

pub fn allow_no_crl(self, allow_no_crl: bool) -> Self

Allows or disallows skipping certificate revocation checking for a certificate that has no CRL.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_no_crl in the underlying [coap_dtls_pki_t] structure.

pub fn allow_expired_crl(self, allow_expired_crl: bool) -> Self

Allows or disallows skipping certificate revocation checking for a certificate whose CRL has expired.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_expired_crl in the underlying [coap_dtls_pki_t] structure.

pub fn allow_bad_md_hash(self, allow_bad_md_hash: bool) -> Self

Allows or disallows use of unsupported message digest (MD) hashes.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_bad_md_hash in the underlying [coap_dtls_pki_t] structure.

pub fn allow_short_rsa_length(self, allow_short_rsa_length: bool) -> Self

Allows or disallows small RSA key sizes.

§Implementation details (informative, not covered by semver guarantees)

Equivalent to setting allow_short_rsa_length in the underlying [coap_dtls_pki_t] structure.

impl<'a, KTY: KeyType, V: CertVerificationMode> PkiRpkContextBuilder<'a, KTY, V>

pub fn sni_key_provider( self, sni_key_provider: impl PkiRpkSniKeyProvider<KTY> + 'a, ) -> Self

Sets the key provider that provides keys for an SNI provided by a client (only used in server-side operation).

§Implementation details (informative, not covered by semver guarantees)

Setting a sni_key_provider will set the validate_sni_call_back of the underlying [coap_dtls_pki_t] to a wrapper function, which will then call the key provider.

Keys returned by the key provider will be stored in the context for at least as long as they are used by the respective session.

pub fn build(self) -> PkiRpkContext<'a, KTY>

Builds the configured PkiRpkContext by consuming this builder.
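Added example, not code from libcoap-rs: a self-contained model of the builder's typestate design, written to show two points from the method docs above. First, verify_peer_cert moves the builder into the CertVerifying state (the only state that exposes cert_chain_validation and check_cert_revocation) but, as its note warns, enables nothing else, so chain validation stays off until cert_chain_validation is called with a non-zero depth. Second, client_sni rejects embedded NUL bytes with NulError. `MockPkiBuilder`, `DtlsPkiConfig` and `hardened_client` are assumed names for this demonstration; the field names mirror the coap_dtls_pki_t fields the page mentions, and the real builder additionally takes a key in `new`.

```rust
use std::ffi::{CString, NulError};
use std::marker::PhantomData;

/// Marker types standing in for the crate's CertVerificationMode states
/// (names mirror the page; these are this example's own types).
pub struct NonCertVerifying;
pub struct CertVerifying;

/// Plain-data stand-in for the coap_dtls_pki_t fields named on the page.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DtlsPkiConfig {
    pub verify_peer_cert: bool,
    pub cert_chain_validation: bool,
    pub cert_chain_verify_depth: u8,
    pub check_cert_revocation: bool,
    pub client_sni: Option<Box<[u8]>>,
}

/// Hypothetical model of PkiRpkContextBuilder: the type parameter V is the
/// verification mode, and only the CertVerifying state exposes chain options.
pub struct MockPkiBuilder<V> {
    cfg: DtlsPkiConfig,
    _mode: PhantomData<V>,
}

impl MockPkiBuilder<NonCertVerifying> {
    /// Like `new`: every verification option starts disabled.
    pub fn new() -> Self {
        MockPkiBuilder {
            cfg: DtlsPkiConfig {
                verify_peer_cert: false,
                cert_chain_validation: false,
                cert_chain_verify_depth: 0,
                check_cert_revocation: false,
                client_sni: None,
            },
            _mode: PhantomData,
        }
    }

    /// Like `verify_peer_cert`: sets only verify_peer_cert and moves to the
    /// CertVerifying state; chain and revocation checks stay off until asked for.
    pub fn verify_peer_cert(self) -> MockPkiBuilder<CertVerifying> {
        let mut cfg = self.cfg;
        cfg.verify_peer_cert = true;
        MockPkiBuilder { cfg, _mode: PhantomData }
    }
}

impl MockPkiBuilder<CertVerifying> {
    /// Like `cert_chain_validation`: depth 0 disables chain validation.
    pub fn cert_chain_validation(mut self, depth: u8) -> Self {
        self.cfg.cert_chain_verify_depth = depth;
        self.cfg.cert_chain_validation = depth != 0;
        self
    }

    pub fn check_cert_revocation(mut self, on: bool) -> Self {
        self.cfg.check_cert_revocation = on;
        self
    }
}

impl<V> MockPkiBuilder<V> {
    /// Like `client_sni`: CString::new rejects interior NUL bytes with NulError,
    /// so a name that a C string would silently cut short never reaches the library.
    pub fn client_sni(mut self, sni: impl Into<Vec<u8>>) -> Result<Self, NulError> {
        let name = CString::new(sni)?;
        self.cfg.client_sni = Some(name.into_bytes().into_boxed_slice());
        Ok(self)
    }

    /// Like `build`: consumes the builder and hands back the settings.
    pub fn build(self) -> DtlsPkiConfig {
        self.cfg
    }
}

/// A client configuration with peer verification, chain validation up to the
/// given depth and revocation checking all enabled.
pub fn hardened_client(sni: &str, depth: u8) -> Result<DtlsPkiConfig, NulError> {
    let cfg = MockPkiBuilder::new()
        .verify_peer_cert()
        .cert_chain_validation(depth)
        .check_cert_revocation(true)
        .client_sni(sni)?
        .build();
    Ok(cfg)
}

fn main() {
    // Peer verification alone leaves chain validation off, as the note on verify_peer_cert warns.
    let peer_only = MockPkiBuilder::new().verify_peer_cert().build();
    println!("chain validation after verify_peer_cert() only: {}", peer_only.cert_chain_validation);
    println!("hardened: {:?}", hardened_client("coap.example", 4).unwrap());
    // An SNI with an embedded NUL is rejected instead of being silently truncated.
    println!("NUL in SNI rejected: {}", hardened_client("bad\0host", 4).is_err());
}
```

Because cert_chain_validation and check_cert_revocation only exist on the CertVerifying state, calling them on a builder that has not gone through verify_peer_cert is a compile error rather than a silently ignored setting; the model reproduces that property of the real builder's type parameters.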

Auto Trait Implementations

impl<'a, KTY, V> Freeze for PkiRpkContextBuilder<'a, KTY, V>

impl<'a, KTY, V> !RefUnwindSafe for PkiRpkContextBuilder<'a, KTY, V>

impl<'a, KTY, V> !Send for PkiRpkContextBuilder<'a, KTY, V>

impl<'a, KTY, V> !Sync for PkiRpkContextBuilder<'a, KTY, V>

impl<'a, KTY, V> Unpin for PkiRpkContextBuilder<'a, KTY, V>
where V: Unpin,

impl<'a, KTY, V> !UnwindSafe for PkiRpkContextBuilder<'a, KTY, V>

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> ErasedDestructor for T
where T: 'static,

impl<T> MaybeSendSync for T