Skip to content

feat:tofu certificate validation #193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
lucasdbr05 wants to merge 5 commits into
base: master
Choose a base branch
from
+508 −25
Draft

feat:tofu certificate validation #193

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4c3af47
feat(tofu): add TofuStore trait for certificate persistence
lucasdbr05 Jan 21, 2026
5ba22fc
feat(ssl): integrate TOFU validation into OpenSSL and Rustls backends
lucasdbr05 Jan 21, 2026
3ddfa45
feat(client): introduce constructors for TOFU certificate validation
lucasdbr05 Jan 21, 2026
f1dd212
test(tofu): add unit tests for TofuStore trait
lucasdbr05 Jan 21, 2026
42639ae
feat(example): add TOFU certificate validation example
lucasdbr05 Jan 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 45 additions & 0 deletions examples/tofu.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
extern crate electrum_client;

use electrum_client::{Client, Config, ElectrumApi, TofuStore};
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

/// A simple in-memory implementation of TofuStore for demonstration purposes.
#[derive(Debug, Default)]
struct MyTofuStore {
certs: Mutex<HashMap<String, Vec<u8>>>,
}

impl TofuStore for MyTofuStore {
fn get_certificate(
&self,
host: &str,
) -> Result<Option<Vec<u8>>, Box<dyn std::error::Error + Send + Sync>> {
let certs = self.certs.lock().unwrap();
Ok(certs.get(host).cloned())
}

fn set_certificate(
&self,
host: &str,
cert: Vec<u8>,
) -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
let mut certs = self.certs.lock().unwrap();
certs.insert(host.to_string(), cert);
Ok(())
}
}

fn main() {
let store = Arc::new(MyTofuStore::default());

let client = Client::from_config_with_tofu(
"ssl://electrum.blockstream.info:50002",
Config::default(),
store,
)
.unwrap();

let res = client.server_features();
println!("{:#?}", res);
}
61 changes: 58 additions & 3 deletions src/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
//! Electrum Client

use std::sync::Arc;
use std::{borrow::Borrow, sync::RwLock};

use log::{info, warn};
Expand All @@ -10,6 +11,7 @@ use crate::api::ElectrumApi;
use crate::batch::Batch;
use crate::config::Config;
use crate::raw_client::*;
use crate::tofu::TofuStore;
use crate::types::*;
use std::convert::TryFrom;

Expand Down Expand Up @@ -116,10 +118,14 @@ impl ClientType {
config.validate_domain(),
socks5,
config.timeout(),
None,
)?,
None => RawClient::new_ssl(
url.as_str(),
config.validate_domain(),
config.timeout(),
None,
)?,
None => {
RawClient::new_ssl(url.as_str(), config.validate_domain(), config.timeout())?
}
};

Ok(ClientType::SSL(client))
Expand All @@ -136,6 +142,39 @@ impl ClientType {
})
}
}

/// Constructor that supports TOFU (Trust On First Use) certificate validation.
/// Only works with SSL connections.
pub fn from_config_with_tofu(
url: &str,
config: &Config,
tofu_store: Arc<dyn TofuStore>,
) -> Result<Self, Error> {
if !url.starts_with("ssl://") {
return Err(Error::Message(
"TOFU validation is available only for SSL connections".to_string(),
));
}

let url = url.replacen("ssl://", "", 1);
let client = match config.socks5() {
Some(socks5) => RawClient::new_proxy_ssl(
url.as_str(),
config.validate_domain(),
socks5,
config.timeout(),
Some(tofu_store),
)?,
None => RawClient::new_ssl(
url.as_str(),
config.validate_domain(),
config.timeout(),
Some(tofu_store),
)?,
};

Ok(ClientType::SSL(client))
}
}

impl Client {
Expand Down Expand Up @@ -163,6 +202,22 @@ impl Client {
url: url.to_string(),
})
}

/// Creates a new client with TOFU (Trust On First Use) certificate validation.
/// This constructor creates a SSL client that uses TOFU for certificate validation.
pub fn from_config_with_tofu(
url: &str,
config: Config,
tofu_store: Arc<dyn TofuStore>,
) -> Result<Self, Error> {
let client_type = RwLock::new(ClientType::from_config_with_tofu(url, &config, tofu_store)?);

Ok(Client {
client_type,
config,
url: url.to_string(),
})
}
}

impl ElectrumApi for Client {
Expand Down
3 changes: 3 additions & 0 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,3 +81,6 @@ pub use batch::Batch;
pub use client::*;
pub use config::{Config, ConfigBuilder, Socks5Config};
pub use types::*;

mod tofu;
pub use tofu::TofuStore;
Loading
Loading