feat:tofu certificate validation #193
Conversation
lucasdbr05
changed the title
tnull
left a comment
tnull
left a comment
There was a problem hiding this comment.
Took an initial quick look and added some comments (though have yet to do a full review). Though before I proceed, please rewrite the commit history to avoid changing the approach mid-history. Basically, you should try to avoid to touch the same code paths in following commits as far as possible.
Given the code structure and verbosity I'm also suspecting that some form of AI agent was involved here. If this is indeed the case, please note that it is best practice to disclose such use in the PR and commit descriptions.
|
|
||
| /// A trait for storing and retrieving TOFU (Trust On First Use) certificate data. | ||
| /// Implementors of this trait are responsible for persisting certificate data and retrieving it based on the host. | ||
| pub trait TofuStore: Send + Sync + Debug { |
There was a problem hiding this comment.
Why does this need to be Send + Sync?
There was a problem hiding this comment.
I did it this way to ensure that the Client remains thread-safe for concurrent applications, so I designed it to allow the store to be shared and safely accessed across multiple threads via an Arc.
There was a problem hiding this comment.
I guess? Though the Rust compiler should usually infer the bounds when needed.
src/config.rs
Outdated
| /// when ssl, validate the domain, default true | ||
| validate_domain: bool, | ||
| /// TOFU store for certificate validation | ||
| tofu_store: Option<Arc<dyn TofuStore>>, |
There was a problem hiding this comment.
As mentioned over at the issue, it would likely be preferable to add this via a separate constructor. Having an Arc<dyn ..> in a config is rather odd, as it mixes code and data, basically.
src/raw_client.rs
Outdated
| .connect(&domain, stream) | ||
| .map_err(Error::SslHandshakeError)?; | ||
|
|
||
| if !validate_domain { |
There was a problem hiding this comment.
Not quite sure why we here error out? Care to explain?
src/raw_client.rs
Outdated
| builder.set_verify(SslVerifyMode::NONE); | ||
| let connector = builder.build(); | ||
|
|
||
| let domain = socket_addrs.domain().unwrap_or("NONE").to_string(); |
There was a problem hiding this comment.
No, if we don't have a domain we should just abort rather than try to connect to NONE?
There was a problem hiding this comment.
That makes sense, I’ll update it.
First of all, thanks for the feedback. When rewriting the history, the best approach would be to avoid keeping commits that record my refactor from persistence-based usage to the trait-based approach, right? |
Yes, this would be preferable. Basically, you could just do a |
oleonardolima
left a comment
oleonardolima
left a comment
There was a problem hiding this comment.
I agree with tnull's comments above, you should narrow it down to few commits, for example: feat(tofu): add tofu store mod; feat(client): add new tofu method/feature, docs(example): add new tofu example.
Also, it's best if it's added under a new feature, and by a separate constructor. I don't think many changes to already-existing methods are needed, maybe it's something remaining from previous changes you did.
It's failing in CI, please make sure that everything is building successfully and passing CI too.
src/raw_client.rs
Outdated
|
|
||
| let builder = ClientConfig::builder(); | ||
|
|
||
| let domain = socket_addr.domain().unwrap_or("NONE").to_string(); |
There was a problem hiding this comment.
Same as tnull's previous comment, it should error-out and it's been handled below.
src/raw_client.rs
Outdated
| let error_msg = format!("{}", e); | ||
| if error_msg.contains("TLS certificate changed") { | ||
| Error::TlsCertificateChanged(domain.clone()) | ||
| } else if error_msg.contains("TOFU") { | ||
| Error::TofuPersistError(error_msg) | ||
| } else { | ||
| Error::CouldNotCreateConnection(e) | ||
| } |
There was a problem hiding this comment.
IMHO it's not ideal to handle the error variants by checking if it contains certain strings on it, you should properly return an map a new error variant where needed.
Trust On First Use (TOFU) is a security model where a client trusts a certificate upon the first connection and subsequent connections are verified against that initially stored record. - Introduce the trait to manage certificates - Add module and export the trait in the library root
- Update signature to accept an optional - Implement for both OpenSSL and Rustls - Add custom certificate verifier for Rustls (with AI help) - Extend enum with error variants specifics to TOFU - Support TOFU validation in proxy SSL connections
Implemented a dedicated constructor in the to handle Trust On First Use (TOFU) certificate validation. - New method to initialize a client with TOFU from config - Update existing constructors to support the revised SSL backend signatures
- Implement for testing purposes - Add comprehensive tests covering first-use storage, certificate matching/replacement, and large payloads NOTE: Unit tests and supporting mock implementation were created with AI assistance.
- Provide an usage example for the trait - Demonstrate how to initialize a using - Include a sample in-memory store implementation for demonstration purposes
lucasdbr05
force-pushed
the
feat/TOFU-certificate-validation
branch
from
9178ff9 to
42639ae
Compare
3 participants
What does this merge request do?
This feature (see the reference issue #176) adds SSL certificate validation based on Trust On First Use (TOFU), storing the certificate on the first connection and verifying its consistency on subsequent connections.
It is implemented via the
TofuStoretrait, which allows customizable certificate persistence.Clientconfiguration SSL client initialization flow to accept a TofuStore via ConfigBuilder.examplesdirectory and scripts to demonstrate how TOFU can be integrated and used in practice.