Apply verifier wrappers (CRLCheckVerifier and StrictCertVerifier) This helper function consolidates the duplicated verifier wrapping logic.
(
verifier: Arc<dyn rustls::client::danger::ServerCertVerifier>,
verify_flags: i32,
has_crls: bool,
ca_certs_der: Vec<Vec<u8>>,
)
| 804 | /// |
| 805 | /// This helper function consolidates the duplicated verifier wrapping logic. |
| 806 | fn apply_verifier_wrappers( |
| 807 | verifier: Arc<dyn rustls::client::danger::ServerCertVerifier>, |
| 808 | verify_flags: i32, |
| 809 | has_crls: bool, |
| 810 | ca_certs_der: Vec<Vec<u8>>, |
| 811 | ) -> Arc<dyn rustls::client::danger::ServerCertVerifier> { |
| 812 | let crl_check_requested = verify_flags & X509_V_FLAG_CRL_CHECK != 0; |
| 813 | |
| 814 | // Wrap with CRLCheckVerifier to enforce CRL checking when flags are set |
| 815 | let verifier = if crl_check_requested { |
| 816 | use crate::ssl::cert::CRLCheckVerifier; |
| 817 | Arc::new(CRLCheckVerifier::new( |
| 818 | verifier, |
| 819 | has_crls, |
| 820 | crl_check_requested, |
| 821 | )) |
| 822 | } else { |
| 823 | verifier |
| 824 | }; |
| 825 | |
| 826 | // Always use PartialChainVerifier when trust store is not empty |
| 827 | // This allows self-signed certificates in trust store to be trusted |
| 828 | // (OpenSSL behavior: self-signed certs are always trusted, non-self-signed require flag) |
| 829 | let verifier = if !ca_certs_der.is_empty() { |
| 830 | use crate::ssl::cert::PartialChainVerifier; |
| 831 | Arc::new(PartialChainVerifier::new( |
| 832 | verifier, |
| 833 | ca_certs_der, |
| 834 | verify_flags, |
| 835 | )) |
| 836 | } else { |
| 837 | verifier |
| 838 | }; |
| 839 | |
| 840 | // Wrap with StrictCertVerifier if VERIFY_X509_STRICT flag is set |
| 841 | if verify_flags & VERIFY_X509_STRICT != 0 { |
| 842 | Arc::new(super::cert::StrictCertVerifier::new(verifier, verify_flags)) |
| 843 | } else { |
| 844 | verifier |
| 845 | } |
| 846 | } |
| 847 | |
| 848 | /// Apply ALPN protocols |
| 849 | /// |
no test coverage detected