Fix "Validate TLS Certificates" option for WS and GRPC (#218)

2026-03-31 14:33:18 +02:00 · 2025-05-29 10:02:27 -04:00
parent 085b640b3c
commit bd1986f31f
17 changed files with 124 additions and 66 deletions
--- a/src-tauri/yaak-http/src/lib.rs
+++ b/src-tauri/yaak-http/src/lib.rs
@@ -1,3 +1,5 @@
+pub mod tls;
+
 use yaak_models::models::HttpUrlParameter;

 pub fn apply_path_placeholders(
--- a/src-tauri/yaak-http/src/tls.rs
+++ b/src-tauri/yaak-http/src/tls.rs
@@ -0,0 +1,77 @@
+use std::sync::Arc;
+use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
+use rustls::{ClientConfig, DigitallySignedStruct, SignatureScheme};
+use rustls::crypto::ring;
+use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
+use rustls_platform_verifier::BuilderVerifierExt;
+
+pub fn get_config(validate_certificates: bool) -> ClientConfig {
+    let arc_crypto_provider = Arc::new(ring::default_provider());
+    let config_builder = ClientConfig::builder_with_provider(arc_crypto_provider)
+        .with_safe_default_protocol_versions()
+        .unwrap();
+    if validate_certificates {
+        // Use platform-native verifier to validate certificates
+        config_builder
+            .with_platform_verifier()
+            .with_no_client_auth()
+    } else {
+        config_builder
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(NoVerifier))
+            .with_no_client_auth()
+    }
+}
+
+// Copied from reqwest: https://github.com/seanmonstar/reqwest/blob/595c80b1fbcdab73ac2ae93e4edc3406f453df25/src/tls.rs#L608
+#[derive(Debug)]
+struct NoVerifier;
+
+impl ServerCertVerifier for NoVerifier {
+    fn verify_server_cert(
+        &self,
+        _end_entity: &CertificateDer,
+        _intermediates: &[CertificateDer],
+        _server_name: &ServerName,
+        _ocsp_response: &[u8],
+        _now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        _message: &[u8],
+        _cert: &CertificateDer,
+        _dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        Ok(HandshakeSignatureValid::assertion())
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        vec![
+            SignatureScheme::RSA_PKCS1_SHA1,
+            SignatureScheme::ECDSA_SHA1_Legacy,
+            SignatureScheme::RSA_PKCS1_SHA256,
+            SignatureScheme::ECDSA_NISTP256_SHA256,
+            SignatureScheme::RSA_PKCS1_SHA384,
+            SignatureScheme::ECDSA_NISTP384_SHA384,
+            SignatureScheme::RSA_PKCS1_SHA512,
+            SignatureScheme::ECDSA_NISTP521_SHA512,
+            SignatureScheme::RSA_PSS_SHA256,
+            SignatureScheme::RSA_PSS_SHA384,
+            SignatureScheme::RSA_PSS_SHA512,
+            SignatureScheme::ED25519,
+            SignatureScheme::ED448,
+        ]
+    }
+}