rustls · ctz · Sep 10, 2017 · Sep 3, 2017
diff --git a/examples/internal/bench.rs b/examples/internal/bench.rs
@@ -13,7 +13,7 @@ use rustls::{ClientConfig, ClientSession};
 use rustls::{ServerConfig, ServerSession};
 use rustls::ServerSessionMemoryCache;
 use rustls::ClientSessionMemoryCache;
-use rustls::{NoClientAuth, RootCertStore, WebPKIClientAuth};
+use rustls::{NoClientAuth, RootCertStore, AllowAnyAuthenticatedClient};
 use rustls::Session;
 use rustls::Ticketer;
 use rustls::internal::pemfile;
@@ -129,7 +129,7 @@ fn make_server_config(version: rustls::ProtocolVersion,
             for root in roots {
                 client_auth_roots.add(&root).unwrap();
             }
-            WebPKIClientAuth::mandatory(client_auth_roots)
+            AllowAnyAuthenticatedClient::new(client_auth_roots)
         },
         &ClientAuth::No => {
             NoClientAuth::new()

diff --git a/examples/tlsserver.rs b/examples/tlsserver.rs
@@ -21,7 +21,8 @@ extern crate env_logger;
 
 extern crate rustls;
 
-use rustls::{RootCertStore, Session, NoClientAuth, WebPKIClientAuth};
+use rustls::{RootCertStore, Session, NoClientAuth, AllowAnyAuthenticatedClient,
+             AllowAnyAnonymousOrAuthenticatedClient};
 
 // Token for our listening socket.
 const LISTENER: mio::Token = mio::Token(0);
@@ -505,9 +506,9 @@ fn make_config(args: &Args) -> Arc<rustls::ServerConfig> {
        
10000
     client_auth_roots.add(&root).unwrap();
         }
         if args.flag_require_auth {
-            WebPKIClientAuth::mandatory(client_auth_roots)
+            AllowAnyAuthenticatedClient::new(client_auth_roots)
         } else {
-            WebPKIClientAuth::optional(client_auth_roots)
+            AllowAnyAnonymousOrAuthenticatedClient::new(client_auth_roots)
         }
     } else {
         NoClientAuth::new()

diff --git a/src/lib.rs b/src/lib.rs
@@ -274,7 +274,8 @@ pub use server::{ServerConfig, ServerSession};
 pub use server::ResolvesServerCert;
 pub use server::ProducesTickets;
 pub use ticketer::Ticketer;
-pub use verify::{NoClientAuth, WebPKIClientAuth};
+pub use verify::{NoClientAuth, AllowAnyAuthenticatedClient,
+                 AllowAnyAnonymousOrAuthenticatedClient};
 pub use suites::{ALL_CIPHERSUITES, SupportedCipherSuite};
 pub use key::{Certificate, PrivateKey};
 

diff --git a/src/server/mod.rs b/src/server/mod.rs
@@ -276,7 +276,7 @@ impl ServerConfig {
     ///
     /// Publicly-available web servers on the internet generally don't do client
     /// authentication; for this use case, `client_cert_verifier` should be a
-    /// `NoClientAuth`. Otherwise, use `WebPKIClientAuth` or another
+    /// `NoClientAuth`. Otherwise, use `AllowAnyAuthenticatedClient` or another
     /// implementation to enforce client authentication.
     //
     // We don't provide a default for `client_cert_verifier` because the safest

diff --git a/src/verify.rs b/src/verify.rs
@@ -155,42 +155,25 @@ fn try_now() -> Result<webpki::Time, TLSError> {
         .map_err( |_ | TLSError::FailedToGetCurrentTime)
 }
 
-/// Client certificate verification using the webpki crate.
-pub struct WebPKIClientAuth {
+/// A `ClientCertVerifier` that will ensure that every client provides a trusted
+/// certificate, without any name checking.
+pub struct AllowAnyAuthenticatedClient {
     roots: RootCertStore,
-    mandatory: bool,
 }
 
-impl WebPKIClientAuth {
-    /// Construct a new `WebPKIClientAuth` that will ensure that every client
-    /// provides a trusted certificate.
+impl AllowAnyAuthenticatedClient {
+    /// Construct a new `AllowAnyAuthenticatedClient`.
     ///
     /// `roots` is the list of trust anchors to use for certificate validation.
-    pub fn mandatory(roots: RootCertStore) -> Arc<ClientCertVerifier> {
-        Arc::new(WebPKIClientAuth {
-            roots: roots,
-            mandatory: true,
-        })
-    }
-
-    /// Construct a new `WebPKIClientAuth` that will allow both anonymous and
-    /// authenticated clients.
-    ///
-    /// If the client presents a certificate then it must be valid.
-    ///
-    /// `roots` is the list of trust anchors to use for certificate validation.
-    pub fn optional(roots: RootCertStore) -> Arc<ClientCertVerifier>  {
-        Arc::new(WebPKIClientAuth {
-            roots: roots,
-            mandatory: false,
-        })
+    pub fn new(roots: RootCertStore) -> Arc< ClientCertVerifier > {
+        Arc::new(AllowAnyAuthenticatedClient { roots })
     }
 }
 
-impl ClientCertVerifier for WebPKIClientAuth {
+impl ClientCertVerifier for AllowAnyAuthenticatedClient {
     fn offer_client_auth(&self) -> bool { true }
 
-    fn client_auth_mandatory(&self) -> bool { self.mandatory }
+    fn client_auth_mandatory(&self) -> bool { true }
 
     fn client_auth_root_subjects<'a>(&'a self) -> DistinguishedNames {
         self.roots.get_subjects()
@@ -208,6 +191,42 @@ impl ClientCertVerifier for WebPKIClientAuth {
     }
 }
 
+/// A `ClientCertVerifier` that will allow both anonymous and authenticated
+/// clients, without any name checking.
+///
+/// Client authentication will be requested during the TLS handshake. If the
+/// client offers a certificate then this acts like
+/// `AllowAnyAuthenticatedClient`, otherwise this acts like `NoClientAuth`.
+pub struct AllowAnyAnonymousOrAuthenticatedClient {
+    inner: AllowAnyAuthenticatedClient,
+}
+
+impl AllowAnyAnonymousOrAuthenticatedClient {
+    /// Construct a new `AllowAnyAnonymousOrAuthenticatedClient`.
+    ///
+    /// `roots` is the list of trust anchors to use for certificate validation.
+    pub fn new(roots: RootCertStore) -> Arc<ClientCertVerifier> {
+        Arc::new(AllowAnyAnonymousOrAuthenticatedClient {
+            inner: AllowAnyAuthenticatedClient { roots }
+        })
+    }
+}
+
+impl ClientCertVerifier for AllowAnyAnonymousOrAuthenticatedClient {
+    fn offer_client_auth(&self) -> bool { self.inner.offer_client_auth() }
+
+    fn client_auth_mandatory(&self) -> bool { false }
+
+    fn client_auth_root_subjects<'a>(&'a self) -> DistinguishedNames {
+        self.inner.client_auth_root_subjects()
+    }
+
+    fn verify_client_cert(&self, presented_certs: &[Certificate])
+            -> Result<ClientCertVerified, TLSError> {
+        self.inner.verify_client_cert(presented_certs)
+    }
+}
+
 /// Turns off client authentication.
 pub struct NoClientAuth;
 

diff --git a/tests/api.rs b/tests/api.rs
@@ -15,7 +15,7 @@ use rustls::TLSError;
 use rustls::sign;
 use rustls::{Certificate, PrivateKey};
 use rustls::internal::pemfile;
-use rustls::{RootCertStore, NoClientAuth, WebPKIClientAuth};
+use rustls::{RootCertStore, NoClientAuth, AllowAnyAuthenticatedClient};
 
 extern crate webpki;
 
@@ -64,7 +64,8 @@ fn make_server_config_with_mandatory_client_auth() -> ServerConfig {
         client_auth_roots.add(&root).unwrap();
     }
 
-    let mut cfg = ServerConfig::new(WebPKIClientAuth::mandatory(client_auth_roots));
+    let client_auth = AllowAnyAuthenticatedClient::new(client_auth_roots);
+    let mut cfg = ServerConfig::new(client_auth);
     cfg.set_single_cert(get_chain(), get_key());
 
     cfg