feature(*): Add missing implementation to support Client Certificate Authorization

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+- Add missing implementation to support Client Certificate Authorization (#135)
+
 ## 0.17.0 - 2024-01-06
 
 - Update to stable rust

Cargo.toml

@@ -13,13 +13,19 @@ exclude = [".github"]
 
 [dependencies]
 atomic-polyfill = "1"
-p256 = { version = "0.13.2", default-features = false, features = [ "ecdh", "arithmetic" ] }
+p256 = { version = "0.13.2", default-features = false, features = [
+    "ecdh",
+    "ecdsa",
+    "sha256",
+] }
 rand_core = { version = "0.6.3", default-features = false }
 hkdf = "0.12.3"
 hmac = "0.12.1"
 sha2 = { version = "0.10.2", default-features = false }
 aes-gcm = { version = "0.10.1", default-features = false, features = ["aes"] }
-digest = { version = "0.10.3", default-features = false, features = ["core-api"] }
+digest = { version = "0.10.3", default-features = false, features = [
+    "core-api",
+] }
 typenum = { version = "1.15.0", default-features = false }
 heapless = { version = "0.8", default-features = false }
 heapless_typenum = { package = "heapless", version = "0.6", default-features = false }
@@ -28,13 +34,15 @@ embedded-io-async = "0.6"
 embedded-io-adapters = { version = "0.6", optional = true }
 generic-array = { version = "0.14", default-features = false }
 webpki = { package = "rustls-webpki", version = "0.101.7", default-features = false, optional = true }
+signature = { version = "2.2", default-features = false }
+ecdsa = { version = "0.16.9", default-features = false }
 
 # Logging alternatives
 log = { version = "0.4", optional = true }
 defmt = { version = "0.3", optional = true }
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
 tokio = { version = "1", features = ["full"] }
 mio = { version = "0.8.3", features = ["os-poll", "net"] }
 rustls = "0.21.6"

examples/blocking/src/main.rs

@@ -6,6 +6,27 @@ use rand::rngs::OsRng;
 use std::net::TcpStream;
 use std::time::SystemTime;
 
+struct Provider {
+    rng: OsRng,
+    verifier: CertVerifier<Aes128GcmSha256, SystemTime, 4096>,
+}
+
+impl CryptoProvider for Provider {
+    type CipherSuite = Aes128GcmSha256;
+
+    type Signature = &'static [u8];
+
+    fn rng(&mut self) -> impl embedded_tls::CryptoRngCore {
+        &mut self.rng
+    }
+
+    fn verifier(
+        &mut self,
+    ) -> Result<&mut impl TlsVerifier<Self::CipherSuite>, embedded_tls::TlsError> {
+        Ok(&mut self.verifier)
+    }
+}
+
 fn main() {
     env_logger::init();
     let stream = TcpStream::connect("127.0.0.1:12345").expect("error connecting to server");
@@ -14,15 +35,18 @@ fn main() {
     let mut read_record_buffer = [0; 16384];
     let mut write_record_buffer = [0; 16384];
     let config = TlsConfig::new().with_server_name("localhost");
-    let mut tls: TlsConnection<FromStd<TcpStream>, Aes128GcmSha256> = TlsConnection::new(
+    let mut tls = TlsConnection::new(
         FromStd::new(stream),
         &mut read_record_buffer,
         &mut write_record_buffer,
     );
-    let mut rng = OsRng;
 
-    tls.open::<OsRng, CertVerifier<Aes128GcmSha256, SystemTime, 4096>>(TlsContext::new(
-        &config, &mut rng,
+    tls.open(TlsContext::new(
+        &config,
+        Provider {
+            rng: OsRng,
+            verifier: CertVerifier::new(),
+        },
     ))
     .expect("error establishing TLS connection");
 

examples/embassy/src/main.rs

@@ -5,7 +5,7 @@ use embassy_net::{Config, Ipv4Address, Ipv4Cidr, Stack, StackResources};
 use embassy_net_tuntap::TunTapDevice;
 use embassy_time::Duration;
 use embedded_io_async::Write;
-use embedded_tls::{Aes128GcmSha256, NoVerify, TlsConfig, TlsConnection, TlsContext};
+use embedded_tls::{Aes128GcmSha256, TlsConfig, TlsConnection, TlsContext, UnsecureProvider};
 use heapless::Vec;
 use log::*;
 use rand::{rngs::OsRng, RngCore};
@@ -57,7 +57,7 @@ async fn main_task(spawner: Spawner) {
         device,
         config,
         RESOURCES.init(StackResources::<3>::new()),
-        seed
+        seed,
     ));
 
     // Launch network task
@@ -81,14 +81,15 @@ async fn main_task(spawner: Spawner) {
 
     let mut read_record_buffer = [0; 16384];
     let mut write_record_buffer = [0; 16384];
-    let mut rng = OsRng;
     let config = TlsConfig::new().with_server_name("example.com");
-    let mut tls: TlsConnection<TcpSocket, Aes128GcmSha256> =
-        TlsConnection::new(socket, &mut read_record_buffer, &mut write_record_buffer);
-
-    tls.open::<OsRng, NoVerify>(TlsContext::new(&config, &mut rng))
-        .await
-        .expect("error establishing TLS connection");
+    let mut tls = TlsConnection::new(socket, &mut read_record_buffer, &mut write_record_buffer);
+
+    tls.open(TlsContext::new(
+        &config,
+        UnsecureProvider::new::<Aes128GcmSha256>(OsRng),
+    ))
+    .await
+    .expect("error establishing TLS connection");
 
     tls.write_all(b"ping").await.expect("error writing data");
     tls.flush().await.expect("error flushing data");

examples/nrf52/src/main.rs

@@ -17,16 +17,18 @@ use hal::rng::Rng;
 #[entry]
 fn main() -> ! {
     let p = hal::pac::Peripherals::take().unwrap();
-    let mut rng = Rng::new(p.RNG);
+    let rng = Rng::new(p.RNG);
     defmt::info!("Connected");
     let mut read_record_buffer = [0; 16384];
     let mut write_record_buffer = [0; 16384];
     let config = TlsConfig::new().with_server_name("example.com");
-    let mut tls: TlsConnection<Dummy, Aes128GcmSha256> =
-        TlsConnection::new(Dummy {}, &mut read_record_buffer, &mut write_record_buffer);
+    let mut tls = TlsConnection::new(Dummy {}, &mut read_record_buffer, &mut write_record_buffer);
 
-    tls.open::<Rng, NoVerify>(TlsContext::new(&config, &mut rng))
-        .expect("error establishing TLS connection");
+    tls.open(TlsContext::new(
+        &config,
+        UnsecureProvider::new::<Aes128GcmSha256>(rng),
+    ))
+    .expect("error establishing TLS connection");
 
     tls.write_all(b"ping").expect("error writing data");
     tls.flush().expect("error flushing data");

examples/tokio-psk/src/main.rs

@@ -19,16 +19,18 @@ async fn main() -> Result<(), Box<dyn Error>> {
     let config = TlsConfig::new()
         .with_server_name("localhost")
         .with_psk(&[0xaa, 0xbb, 0xcc, 0xdd], &[b"vader"]);
-    let mut rng = OsRng;
-    let mut tls: TlsConnection<FromTokio<TcpStream>, Aes128GcmSha256> = TlsConnection::new(
+    let mut tls = TlsConnection::new(
         FromTokio::new(stream),
         &mut read_record_buffer,
         &mut write_record_buffer,
     );
 
-    tls.open::<OsRng, NoVerify>(TlsContext::new(&config, &mut rng))
-        .await
-        .expect("error establishing TLS connection");
+    tls.open(TlsContext::new(
+        &config,
+        UnsecureProvider::new::<Aes128GcmSha256>(OsRng),
+    ))
+    .await
+    .expect("error establishing TLS connection");
 
     tls.write_all(b"ping").await.expect("error writing data");
     tls.flush().await.expect("error flushing data");

examples/tokio/src/main.rs

@@ -17,16 +17,18 @@ async fn main() -> Result<(), Box<dyn Error>> {
     let mut read_record_buffer = [0; 16384];
     let mut write_record_buffer = [0; 16384];
     let config = TlsConfig::new().with_server_name("localhost");
-    let mut rng = OsRng;
-    let mut tls: TlsConnection<FromTokio<TcpStream>, Aes128GcmSha256> = TlsConnection::new(
+    let mut tls = TlsConnection::new(
         FromTokio::new(stream),
         &mut read_record_buffer,
         &mut write_record_buffer,
     );
 
-    tls.open::<OsRng, NoVerify>(TlsContext::new(&config, &mut rng))
-        .await
-        .expect("error establishing TLS connection");
+    tls.open(TlsContext::new(
+        &config,
+        UnsecureProvider::new::<Aes128GcmSha256>(OsRng),
+    ))
+    .await
+    .expect("error establishing TLS connection");
 
     tls.write_all(b"ping").await.expect("error writing data");
     tls.flush().await.expect("error flushing data");

src/asynch.rs

@@ -12,7 +12,6 @@ use crate::TlsError;
 use embedded_io::Error as _;
 use embedded_io::ErrorType;
 use embedded_io_async::{BufRead, Read as AsyncRead, Write as AsyncWrite};
-use rand_core::{CryptoRng, RngCore};
 
 pub use crate::config::*;
 #[cfg(feature = "std")]
@@ -71,16 +70,20 @@ where
     ///
     /// Returns an error if the handshake does not proceed. If an error occurs, the connection
     /// instance must be recreated.
-    pub async fn open<'v, RNG, Verifier>(
+    pub async fn open<'v, Provider>(
         &mut self,
-        context: TlsContext<'v, CipherSuite, RNG>,
+        mut context: TlsContext<'v, Provider>,
     ) -> Result<(), TlsError>
     where
-        RNG: CryptoRng + RngCore,
-        Verifier: TlsVerifier<'v, CipherSuite>,
+        Provider: CryptoProvider<CipherSuite = CipherSuite>,
     {
-        let mut handshake: Handshake<CipherSuite, Verifier> =
-            Handshake::new(Verifier::new(context.config.server_name));
+        let mut handshake: Handshake<CipherSuite> = Handshake::new();
+        if let (Ok(verifier), Some(server_name)) = (
+            context.crypto_provider.verifier(),
+            context.config.server_name,
+        ) {
+            verifier.set_hostname_verification(server_name)?;
+        }
         let mut state = State::ClientHello;
 
         while state != State::ApplicationData {
@@ -92,7 +95,7 @@ where
                     &mut self.record_write_buf,
                     &mut self.key_schedule,
                     context.config,
-                    context.rng,
+                    &mut context.crypto_provider,
                 )
                 .await?;
             trace!("State {:?} -> {:?}", state, next_state);

src/blocking.rs

@@ -10,7 +10,6 @@ use crate::split::{SplitState, SplitStateContainer};
 use crate::write_buffer::WriteBuffer;
 use embedded_io::Error as _;
 use embedded_io::{BufRead, ErrorType, Read, Write};
-use rand_core::{CryptoRng, RngCore};
 
 pub use crate::config::*;
 #[cfg(feature = "std")]
@@ -70,16 +69,20 @@ where
     ///
     /// Returns an error if the handshake does not proceed. If an error occurs, the connection
     /// instance must be recreated.
-    pub fn open<'v, RNG, Verifier>(
+    pub fn open<'v, Provider>(
         &mut self,
-        context: TlsContext<'v, CipherSuite, RNG>,
+        mut context: TlsContext<'v, Provider>,
     ) -> Result<(), TlsError>
     where
-        RNG: CryptoRng + RngCore,
-        Verifier: TlsVerifier<'v, CipherSuite>,
+        Provider: CryptoProvider<CipherSuite = CipherSuite>,
     {
-        let mut handshake: Handshake<CipherSuite, Verifier> =
-            Handshake::new(Verifier::new(context.config.server_name));
+        let mut handshake: Handshake<CipherSuite> = Handshake::new();
+        if let (Ok(verifier), Some(server_name)) = (
+            context.crypto_provider.verifier(),
+            context.config.server_name,
+        ) {
+            verifier.set_hostname_verification(server_name)?;
+        }
         let mut state = State::ClientHello;
 
         while state != State::ApplicationData {
@@ -90,7 +93,7 @@ where
                 &mut self.record_write_buf,
                 &mut self.key_schedule,
                 context.config,
-                context.rng,
+                &mut context.crypto_provider,
             )?;
             trace!("State {:?} -> {:?}", state, next_state);
             state = next_state;