code improve

Author: Taowyoo

.github/workflows/build.yml

@@ -193,8 +193,8 @@ jobs:
         uses: dtolnay/rust-toolchain@stable
         with:
           components: clippy
-      - run: cargo clippy --locked --package rustls-mbedcrypto-provider --all-features --all-targets -- --deny warnings
-      - run: cargo clippy --locked --package rustls-mbedcrypto-provider --no-default-features --all-targets -- --deny warnings
+      - run: cargo clippy --locked --all-features --all-targets -- --deny warnings
+      - run: cargo clippy --locked --no-default-features --all-targets -- --deny warnings
 
   clippy-nightly:
     name: Clippy (Nightly)
@@ -212,5 +212,5 @@ jobs:
         uses: dtolnay/rust-toolchain@nightly
         with:
           components: clippy
-      - run: cargo clippy --locked --package rustls-mbedcrypto-provider --all-features --all-targets
-      - run: cargo clippy --locked --package rustls-mbedcrypto-provider --no-default-features --all-targets
+      - run: cargo clippy --locked --all-features --all-targets
+      - run: cargo clippy --locked --no-default-features --all-targets

rustls-mbedpki-provider/src/client_cert_verifier.rs

@@ -24,7 +24,7 @@ use crate::{
 #[derive(Clone)]
 pub struct MbedTlsClientCertVerifier {
     trusted_cas: mbedtls::alloc::List<mbedtls::x509::Certificate>,
-    root_subjects: Vec<rustls::DistinguishedName>,
+    root_subjects: Vec<DistinguishedName>,
     verify_callback: Option<Arc<dyn mbedtls::x509::VerifyCallback + 'static>>,
     cert_active_check: CertActiveCheck,
 }
@@ -105,7 +105,7 @@ impl ClientCertVerifier for MbedTlsClientCertVerifier {
         end_entity: &CertificateDer,
         intermediates: &[CertificateDer],
         now: UnixTime,
-    ) -> Result<rustls::server::danger::ClientCertVerified, rustls::Error> {
+    ) -> Result<ClientCertVerified, rustls::Error> {
         let now = NaiveDateTime::from_timestamp_opt(
             now.as_secs()
                 .try_into()
@@ -128,7 +128,7 @@ impl ClientCertVerifier for MbedTlsClientCertVerifier {
         let mut error_msg = String::default();
         match &self.verify_callback {
             Some(callback) => {
-                let callback = callback.clone();
+                let callback = Arc::clone(callback);
                 mbedtls::x509::Certificate::verify_with_callback(
                     &chain,
                     &self.trusted_cas,

rustls-mbedpki-provider/src/lib.rs

@@ -5,6 +5,34 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
+//! rustls-mbedpki-provider
+//!
+//! rustls-mbedpki-provider is a pki provider for rustls based on [mbedtls].
+//!
+//! [mbedtls]: https://github.com/fortanix/rust-mbedtls
+
+// Require docs for public APIs, deny unsafe code, etc.
+#![forbid(unsafe_code, unused_must_use)]
+#![cfg_attr(not(bench), forbid(unstable_features))]
+#![deny(
+    clippy::alloc_instead_of_core,
+    clippy::clone_on_ref_ptr,
+    clippy::std_instead_of_core,
+    clippy::use_self,
+    clippy::upper_case_acronyms,
+    trivial_casts,
+    trivial_numeric_casts,
+    missing_docs,
+    unreachable_pub,
+    unused_import_braces,
+    unused_extern_crates,
+    unused_qualifications
+)]
+
+// Enable documentation for all features on docs.rs
+#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
+#![cfg_attr(bench, feature(test))]
+
 use chrono::NaiveDateTime;
 use mbedtls::hash::Type;
 use pki_types::CertificateDer;
@@ -14,27 +42,24 @@ use std::sync::Arc;
 #[cfg(test)]
 mod tests_common;
 
+/// module for implementation of [ClientCertVerifier]
 pub mod client_cert_verifier;
+/// module for implementation of [ServerCertVerifier]
 pub mod server_cert_verifier;
 
 pub use client_cert_verifier::MbedTlsClientCertVerifier;
 pub use server_cert_verifier::MbedTlsServerCertVerifier;
 
 /// A config about whether to check certificate validity period
-#[derive(Debug, PartialEq, Eq, Clone)]
+#[derive(Debug, PartialEq, Eq, Clone, Default)]
 pub struct CertActiveCheck {
-    /// If accept expired certificate, default to false
+    /// Accept expired certificates
     pub ignore_expired: bool,
-    /// If accept not active certificate, default to false
+    /// Accept certificates that are not yet active
     pub ignore_not_active_yet: bool,
 }
 
-impl Default for CertActiveCheck {
-    fn default() -> Self {
-        Self { ignore_expired: false, ignore_not_active_yet: false }
-    }
-}
-
+/// Helper function to convert a [`CertificateDer`] to [`mbedtls::x509::Certificate`]
 pub fn rustls_cert_to_mbedtls_cert(cert: &CertificateDer) -> mbedtls::Result<mbedtls::alloc::Box<mbedtls::x509::Certificate>> {
     let cert = mbedtls::x509::Certificate::from_der(cert)?;
     Ok(cert)
@@ -45,6 +70,7 @@ pub fn mbedtls_err_into_rustls_err(err: mbedtls::Error) -> rustls::Error {
     mbedtls_err_into_rustls_err_with_error_msg(err, "")
 }
 
+/// All supported signature schemas
 pub const SUPPORTED_SIGNATURE_SCHEMA: [SignatureScheme; 9] = [
     rustls::SignatureScheme::RSA_PSS_SHA512,
     rustls::SignatureScheme::RSA_PSS_SHA384,
@@ -90,7 +116,8 @@ pub fn mbedtls_err_into_rustls_err_with_error_msg(err: mbedtls::Error, msg: &str
     }
 }
 
-pub fn rustls_signature_scheme_to_mbedtls_hash_type(signature_scheme: SignatureScheme) -> mbedtls::hash::Type {
+/// Helper function to convert rustls [`SignatureScheme`] to mbedtls [`Type`]
+pub fn rustls_signature_scheme_to_mbedtls_hash_type(signature_scheme: SignatureScheme) -> Type {
     match signature_scheme {
         SignatureScheme::RSA_PKCS1_SHA1 => Type::Sha1,
         SignatureScheme::ECDSA_SHA1_Legacy => Type::Sha1,
@@ -110,6 +137,7 @@ pub fn rustls_signature_scheme_to_mbedtls_hash_type(signature_scheme: SignatureS
     }
 }
 
+/// Helper function to convert rustls [`SignatureScheme`] to mbedtls [`mbedtls::pk::Options`]
 pub fn rustls_signature_scheme_to_mbedtls_pk_options(signature_scheme: SignatureScheme) -> Option<mbedtls::pk::Options> {
     use mbedtls::pk::Options;
     use mbedtls::pk::RsaPadding;
@@ -133,7 +161,8 @@ pub fn rustls_signature_scheme_to_mbedtls_pk_options(signature_scheme: Signature
     }
 }
 
-fn rustls_signature_scheme_to_mbedtls_curve_id(signature_scheme: SignatureScheme) -> mbedtls::pk::EcGroupId {
+/// Helper function to convert rustls [`SignatureScheme`] to mbedtls [`mbedtls::pk::EcGroupId`]
+pub fn rustls_signature_scheme_to_mbedtls_curve_id(signature_scheme: SignatureScheme) -> mbedtls::pk::EcGroupId {
     // reference: https://www.rfc-editor.org/rfc/rfc8446.html#section-4.2.3
     use mbedtls::pk::EcGroupId;
     match signature_scheme {
@@ -156,7 +185,7 @@ fn rustls_signature_scheme_to_mbedtls_curve_id(signature_scheme: SignatureScheme
 }
 
 /// Returns the size of the message digest given the hash type.
-fn hash_size_bytes(hash_type: mbedtls::hash::Type) -> Option<usize> {
+fn hash_size_bytes(hash_type: Type) -> Option<usize> {
     match hash_type {
         mbedtls::hash::Type::None => None,
         mbedtls::hash::Type::Md2 => Some(16),
@@ -171,7 +200,8 @@ fn hash_size_bytes(hash_type: mbedtls::hash::Type) -> Option<usize> {
     }
 }
 
-pub fn buffer_for_hash_type(hash_type: mbedtls::hash::Type) -> Option<Vec<u8>> {
+/// Returns the a ready to use empty [`Vec<u8>`] for the message digest with given hash type.
+pub fn buffer_for_hash_type(hash_type: Type) -> Option<Vec<u8>> {
     let size = hash_size_bytes(hash_type)?;
     Some(vec![0; size])
 }

rustls-mbedpki-provider/src/server_cert_verifier.rs

@@ -86,7 +86,7 @@ impl MbedTlsServerCertVerifier {
     }
 }
 
-fn server_name_to_str(server_name: &rustls::ServerName) -> String {
+fn server_name_to_str(server_name: &ServerName) -> String {
     match server_name {
         ServerName::DnsName(name) => name.as_ref().to_string(),
         ServerName::IpAddress(addr) => addr.to_string(),
@@ -102,11 +102,11 @@ impl ServerCertVerifier for MbedTlsServerCertVerifier {
         &self,
         end_entity: &CertificateDer,
         intermediates: &[CertificateDer],
-        server_name: &rustls::ServerName,
+        server_name: &ServerName,
         // Mbedtls does not support OSCP (Online Certificate Status Protocol).
         _ocsp_response: &[u8],
         now: UnixTime,
-    ) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
+    ) -> Result<ServerCertVerified, rustls::Error> {
         let now = NaiveDateTime::from_timestamp_opt(
             now.as_secs()
                 .try_into()
@@ -130,7 +130,7 @@ impl ServerCertVerifier for MbedTlsServerCertVerifier {
         let mut error_msg = String::default();
         match &self.verify_callback {
             Some(callback) => {
-                let callback = callback.clone();
+                let callback = Arc::clone(callback);
                 mbedtls::x509::Certificate::verify_with_callback_expected_common_name(
                     &chain,
                     &self.trusted_cas,
@@ -233,7 +233,7 @@ mod tests {
     }
 
     fn test_connection_server_cert_verifier(
-        supported_verify_schemes: Vec<rustls::SignatureScheme>,
+        supported_verify_schemes: Vec<SignatureScheme>,
         protocol_versions: &[&'static SupportedProtocolVersion],
     ) {
         let root_ca = CertificateDer::from(include_bytes!("../test-data/rsa/ca.der").to_vec());

rustls-mbedpki-provider/src/tests_common.rs

@@ -5,16 +5,15 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-use std::{
-    io,
-    ops::{Deref, DerefMut},
-};
+use std::io;
+
+use core::ops::{Deref, DerefMut};
 
 use pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, UnixTime};
 use rustls::{client::danger::ServerCertVerifier, ClientConnection, ConnectionCommon, ServerConnection, SideData};
 
 /// Get a certificate chain from the contents of a pem file
-pub fn get_chain(bytes: &[u8]) -> Vec<CertificateDer> {
+pub(crate) fn get_chain(bytes: &[u8]) -> Vec<CertificateDer> {
     rustls_pemfile::certs(&mut io::BufReader::new(bytes))
         .unwrap()
         .into_iter()
@@ -23,7 +22,7 @@ pub fn get_chain(bytes: &[u8]) -> Vec<CertificateDer> {
 }
 
 /// Get a private key from the contents of a pem file
-pub fn get_key(bytes: &[u8]) -> PrivateKeyDer {
+pub(crate) fn get_key(bytes: &[u8]) -> PrivateKeyDer {
     let value = rustls_pemfile::pkcs8_private_keys(&mut io::BufReader::new(bytes))
         .unwrap()
         .into_iter()
@@ -33,7 +32,7 @@ pub fn get_key(bytes: &[u8]) -> PrivateKeyDer {
 }
 
 // Copied from rustls repo
-pub fn transfer(
+pub(crate) fn transfer(
     left: &mut (impl DerefMut + Deref<Target = ConnectionCommon<impl SideData>>),
     right: &mut (impl DerefMut + Deref<Target = ConnectionCommon<impl SideData>>),
 ) -> usize {
@@ -64,7 +63,10 @@ pub fn transfer(
 }
 
 // Copied from rustls repo
-pub fn do_handshake_until_error(client: &mut ClientConnection, server: &mut ServerConnection) -> Result<(), rustls::Error> {
+pub(crate) fn do_handshake_until_error(
+    client: &mut ClientConnection,
+    server: &mut ServerConnection,
+) -> Result<(), rustls::Error> {
     while server.is_handshaking() || client.is_handshaking() {
         transfer(client, server);
         server.process_new_packets()?;
@@ -74,9 +76,9 @@ pub fn do_handshake_until_error(client: &mut ClientConnection, server: &mut Serv
     Ok(())
 }
 
-pub struct VerifierWithSupportedVerifySchemes<V> {
-    pub verifier: V,
-    pub supported_verify_schemes: Vec<rustls::SignatureScheme>,
+pub(crate) struct VerifierWithSupportedVerifySchemes<V> {
+    pub(crate) verifier: V,
+    pub(crate) supported_verify_schemes: Vec<rustls::SignatureScheme>,
 }
 
 impl<V: ServerCertVerifier> ServerCertVerifier for VerifierWithSupportedVerifySchemes<V> {