google-apis-rs/rustls/manual/_03_howto/index.html

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="API documentation for the Rust `_03_howto` mod in crate `rustls`."><meta name="keywords" content="rust, rustlang, rust-lang, _03_howto"><title>rustls::manual::_03_howto - Rust</title><link rel="stylesheet" type="text/css" href="../../../normalize.css"><link rel="stylesheet" type="text/css" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" type="text/css" href="../../../light.css"  id="themeStyle"><link rel="stylesheet" type="text/css" href="../../../dark.css" disabled ><link rel="stylesheet" type="text/css" href="../../../ayu.css" disabled ><script id="default-settings"></script><script src="../../../storage.js"></script><noscript><link rel="stylesheet" href="../../../noscript.css"></noscript><link rel="icon" type="image/svg+xml" href="../../../favicon.svg">
<link rel="alternate icon" type="image/png" href="../../../favicon-16x16.png">
<link rel="alternate icon" type="image/png" href="../../../favicon-32x32.png"><style type="text/css">#crate-search{background-image:url("../../../down-arrow.svg");}</style></head><body class="rustdoc mod"><!--[if lte IE 8]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><div class="sidebar-menu">&#9776;</div><a href='../../../rustls/index.html'><div class='logo-container rust-logo'><img src='../../../rust-logo.png' alt='logo'></div></a><p class="location">Module _03_howto</p><div class="sidebar-elems"><p class="location"><a href="../../index.html">rustls</a>::<wbr><a href="../index.html">manual</a></p><div id="sidebar-vars" data-name="_03_howto" data-ty="mod" data-relpath="../"></div><script defer src="../sidebar-items.js"></script></div></nav><div class="theme-picker"><button id="theme-picker" aria-label="Pick another theme!" aria-haspopup="menu"><img src="../../../brush.svg" width="18" alt="Pick another theme!"></button><div id="theme-choices" role="menu"></div></div><script src="../../../theme.js"></script><nav class="sub"><form class="search-form"><div class="search-container"><div><select id="crate-search"><option value="All crates">All crates</option></select><input class="search-input" name="search" disabled autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"></div><button type="button" class="help-button">?</button>
                <a id="settings-menu" href="../../../settings.html"><img src="../../../wheel.svg" width="18" alt="Change settings"></a></div></form></nav><section id="main" class="content"><h1 class="fqn"><span class="in-band">Module <a href="../../index.html">rustls</a>::<wbr><a href="../index.html">manual</a>::<wbr><a class="mod" href="">_03_howto</a></span><span class="out-of-band"><span id="render-detail"><a id="toggle-all-docs" href="javascript:void(0)" title="collapse all docs">[<span class="inner">&#x2212;</span>]</a></span><a class="srclink" href="../../../src/rustls/manual/howto.rs.html#1-36" title="goto source code">[src]</a></span></h1><div class="docblock"><p>This section collects together goal-oriented documentation.</p>
<h1 id="customising-private-key-usage" class="section-header"><a href="#customising-private-key-usage">Customising private key usage</a></h1>
<p>By default rustls supports PKCS#8-format<sup id="fnref1"><a href="#fn1">1</a></sup> RSA or ECDSA keys, plus PKCS#1-format RSA keys.</p>
<p>However, if your private key resides in a HSM, or in another process, or perhaps
another machine, rustls has some extension points to support this:</p>
<p>The main trait you must implement is <a href="../../sign/trait.SigningKey.html"><code>sign::SigningKey</code></a>. The primary method here
is <a href="../../sign/trait.SigningKey.html#tymethod.choose_scheme"><code>choose_scheme</code></a> where you are given a set of <a href="../../enum.SignatureScheme.html"><code>SignatureScheme</code>s</a> the client says
it supports: you must choose one (or return <code>None</code> -- this aborts the handshake). Having
done that, you return an implementation of the <a href="../../sign/trait.Signer.html"><code>sign::Signer</code></a> trait.
The <a href="../../sign/trait.Signer.html#tymethod.sign"><code>sign()</code></a> performs the signature and returns it.</p>
<p>(Unfortunately this is currently designed for keys with low latency access, like in a
PKCS#11 provider, Microsoft CryptoAPI, etc. so is blocking rather than asynchronous.
It's a TODO to make these and other extension points async.)</p>
<p>Once you have these two pieces, configuring a server to use them involves, briefly:</p>
<ul>
<li>packaging your <code>sign::SigningKey</code> with the matching certificate chain into a <a href="../../sign/struct.CertifiedKey.html"><code>sign::CertifiedKey</code></a></li>
<li>making a <a href="../../struct.ResolvesServerCertUsingSNI.html"><code>ResolvesServerCertUsingSNI</code></a> and feeding in your <code>sign::CertifiedKey</code> for all SNI hostnames you want to use it for,</li>
<li>setting that as your <code>ServerConfig</code>'s <a href="../../struct.ServerConfig.html#structfield.cert_resolver"><code>cert_resolver</code></a></li>
</ul>
<div class="footnotes"><hr><ol><li id="fn1"><p>For PKCS#8 it does not support password encryption -- there's not a meaningful threat
model addressed by this, and the encryption supported is typically extremely poor.&nbsp;<a href="#fnref1" rev="footnote">↩</a></p></li></ol></div></div></section><section id="search" class="content hidden"></section><section class="footer"></section><div id="rustdoc-vars" data-root-path="../../../" data-current-crate="rustls"></div>
    <script src="../../../main.js"></script><script defer src="../../../search-index.js"></script></body></html>