feat(tls): Add CA Certificate settings (#112)

Author: 0x676e67

.gitignore

@@ -6,5 +6,4 @@ Cargo.lock
 .direnv
 result
 curl
-.idea
-examples
+.idea

Cargo.toml

@@ -229,6 +229,10 @@ path = "examples/set_local_address.rs"
 name = "set_interface"
 path = "examples/set_interface.rs"
 
+[[example]]
+name = "set_ca_cert"
+path = "examples/set_ca_cert.rs"
+
 [[example]]
 name = "websocket"
 path = "examples/websocket.rs"

examples/data/root-ca.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAOIvDiVb18eVMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTYwODE0MTY1NjExWhcNMjYwODEyMTY1NjExWjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEArVHWFn52Lbl1l59exduZntVSZyDYpzDND+S2LUcO6fRBWhV/1Kzox+2G
+ZptbuMGmfI3iAnb0CFT4uC3kBkQQlXonGATSVyaFTFR+jq/lc0SP+9Bd7SBXieIV
+eIXlY1TvlwIvj3Ntw9zX+scTA4SXxH6M0rKv9gTOub2vCMSHeF16X8DQr4XsZuQr
+7Cp7j1I4aqOJyap5JTl5ijmG8cnu0n+8UcRlBzy99dLWJG0AfI3VRJdWpGTNVZ92
+aFff3RpK3F/WI2gp3qV1ynRAKuvmncGC3LDvYfcc2dgsc1N6Ffq8GIrkgRob6eBc
+klDHp1d023Lwre+VaVDSo1//Y72UFwIDAQABo1AwTjAdBgNVHQ4EFgQUbNOlA6sN
+XyzJjYqciKeId7g3/ZowHwYDVR0jBBgwFoAUbNOlA6sNXyzJjYqciKeId7g3/Zow
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAVVaR5QWLZIRR4Dw6TSBn
+BQiLpBSXN6oAxdDw6n4PtwW6CzydaA+creiK6LfwEsiifUfQe9f+T+TBSpdIYtMv
+Z2H2tjlFX8VrjUFvPrvn5c28CuLI0foBgY8XGSkR2YMYzWw2jPEq3Th/KM5Catn3
+AFm3bGKWMtGPR4v+90chEN0jzaAmJYRrVUh9vea27bOCn31Nse6XXQPmSI6Gyncy
+OAPUsvPClF3IjeL1tmBotWqSGn1cYxLo+Lwjk22A9h6vjcNQRyZF2VLVvtwYrNU3
+mwJ6GCLsLHpwW/yjyvn8iEltnJvByM/eeRnfXV6WDObyiZsE/n6DxIRJodQzFqy9
+GA==
+-----END CERTIFICATE-----

examples/psk_impersonate.rs

@@ -5,7 +5,7 @@ use std::error::Error;
 async fn main() -> Result<(), Box<dyn Error>> {
     // Build a client to mimic Edge127
     let client = rquest::Client::builder()
-        .impersonate(Impersonate::SafariIos17_2)
+        .impersonate(Impersonate::Edge127)
         .enable_ech_grease()
         .permute_extensions()
         .build()?;

examples/set_ca_cert.rs

@@ -0,0 +1,19 @@
+use rquest::tls::Impersonate;
+use std::error::Error;
+
+#[tokio::main]
+async fn main() -> Result<(), Box<dyn Error>> {
+    // Build a client to mimic Edge127
+    let client = rquest::Client::builder()
+        .impersonate(Impersonate::Edge127)
+        .enable_ech_grease()
+        .permute_extensions()
+        .ca_cert_file("examples/data/root-ca.pem")
+        .build()?;
+
+    // Use the API you're already familiar with
+    let resp = client.get("https://tls.peet.ws/api/all").send().await?;
+    println!("{}", resp.text().await?);
+
+    Ok(())
+}

src/async_impl/client.rs

@@ -97,11 +97,11 @@ struct Config {
     cookie_store: Option<Arc<dyn cookie::CookieStore>>,
     hickory_dns: bool,
     error: Option<crate::Error>,
-    https_only: bool,
     http_version_pref: HttpVersionPref,
     dns_overrides: HashMap<String, Vec<SocketAddr>>,
     dns_resolver: Option<Arc<dyn Resolve>>,
     builder: hyper::client::Builder,
+    https_only: bool,
     #[cfg(feature = "boring-tls")]
     tls_info: bool,
     #[cfg(feature = "boring-tls")]
@@ -150,11 +150,11 @@ impl ClientBuilder {
                 hickory_dns: cfg!(feature = "hickory-dns"),
                 #[cfg(feature = "cookies")]
                 cookie_store: None,
-                https_only: false,
                 http_version_pref: HttpVersionPref::All,
                 dns_overrides: HashMap::new(),
                 dns_resolver: None,
                 builder: hyper::Client::builder(),
+                https_only: false,
                 #[cfg(feature = "boring-tls")]
                 tls_info: false,
                 #[cfg(feature = "boring-tls")]
@@ -1115,6 +1115,13 @@ impl ClientBuilder {
         self
     }
 
+    /// Set CA certificate file path.
+    #[cfg(feature = "boring-tls")]
+    pub fn ca_cert_file<P: AsRef<std::path::Path>>(mut self, ca_cert_file: P) -> ClientBuilder {
+        self.config.ssl_settings.ca_cert_file = Some(ca_cert_file.as_ref().to_path_buf());
+        self
+    }
+
     /// Enables the [hickory-dns](hickory-dns) async resolver instead of a default threadpool using `getaddrinfo`.
     ///
     /// If the `hickory-dns` feature is turned on, the default option is enabled.

src/blocking/client.rs

@@ -19,6 +19,8 @@ use crate::tls;
 #[cfg(feature = "boring-tls")]
 use crate::tls::Impersonate;
 use crate::{async_impl, header, redirect, IntoUrl, Method, Proxy};
+#[cfg(feature = "http2")]
+use hyper::{PseudoOrder, SettingsOrder, StreamDependency};
 
 /// A `Client` to make Requests with.
 ///
@@ -119,8 +121,8 @@ impl ClientBuilder {
 
     /// Enable TLS pre_shared_key
     #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
-    pub fn pre_shared_key(self) -> ClientBuilder {
-        self.with_inner(move |inner| inner.pre_shared_key())
+    pub fn pre_shared_key(self, enable: bool) -> ClientBuilder {
+        self.with_inner(move |inner| inner.pre_shared_key(enable))
     }
 
     // Higher-level options
@@ -568,6 +570,38 @@ impl ClientBuilder {
         self.with_inner(|inner| inner.http2_header_table_size(sz))
     }
 
+    /// Sets the pseudo header order for HTTP2.
+    /// This is an array of 4 elements, each element is a `PseudoOrder` enum.
+    /// Default is `None`.
+    #[cfg(feature = "http2")]
+    pub fn http2_headers_pseudo_order(
+        self,
+        order: impl Into<Option<[PseudoOrder; 4]>>,
+    ) -> ClientBuilder {
+        self.with_inner(|inner| inner.http2_headers_pseudo_order(order))
+    }
+
+    /// Sets the priority for HTTP2 headers.
+    /// Default is `None`.
+    #[cfg(feature = "http2")]
+    pub fn http2_headers_priority(
+        self,
+        priority: impl Into<Option<StreamDependency>>,
+    ) -> ClientBuilder {
+        self.with_inner(|inner| inner.http2_headers_priority(priority))
+    }
+
+    /// Sets the settings order for HTTP2.
+    /// This is an array of 2 elements, each element is a `SettingsOrder` enum.
+    /// Default is `None`.
+    #[cfg(feature = "http2")]
+    pub fn http2_settings_order(
+        self,
+        order: impl Into<Option<[SettingsOrder; 2]>>,
+    ) -> ClientBuilder {
+        self.with_inner(|inner| inner.http2_settings_order(order))
+    }
+
     // TCP options
 
     /// Set whether sockets have `TCP_NODELAY` enabled.
@@ -690,6 +724,12 @@ impl ClientBuilder {
         self.with_inner(|inner| inner.tls_info(tls_info))
     }
 
+    /// Set CA certificate file path.
+    #[cfg(feature = "boring-tls")]
+    pub fn ca_cert_file<P: AsRef<std::path::Path>>(self, path: P) -> ClientBuilder {
+        self.with_inner(|inner| inner.ca_cert_file(path))
+    }
+
     /// Enables the [hickory-dns](hickory-dns) async resolver instead of a default threadpool using `getaddrinfo`.
     ///
     /// If the `hickory-dns` feature is turned on, the default option is enabled.

src/tls/extension.rs

@@ -7,6 +7,7 @@ use boring::ssl::{
     SslVerifyMode, SslVersion,
 };
 use foreign_types::ForeignTypeRef;
+use std::path::Path;
 
 fn sv_handler(r: c_int) -> Result<c_int, ErrorStack> {
     if r == 0 {
@@ -62,6 +63,12 @@ pub trait SslExtension {
         self,
         cert_compression_alg: CertCompressionAlgorithm,
     ) -> TlsResult<SslConnectorBuilder>;
+
+    /// Configure the ca certificate file for the given `SslConnectorBuilder`.
+    fn configure_ca_cert_file<P: AsRef<Path>>(
+        self,
+        ca_cert_file: Option<P>,
+    ) -> TlsResult<SslConnectorBuilder>;
 }
 
 /// Context Extension trait for `ConnectConfiguration`.
@@ -310,6 +317,16 @@ impl SslExtension for SslConnectorBuilder {
             .map(|_| self)
         }
     }
+
+    fn configure_ca_cert_file<P: AsRef<Path>>(
+        mut self,
+        ca_cert_file: Option<P>,
+    ) -> TlsResult<SslConnectorBuilder> {
+        if let Some(file) = ca_cert_file {
+            self.set_ca_file(file)?;
+        }
+        Ok(self)
+    }
 }
 
 impl SslConnectExtension for ConnectConfiguration {

src/tls/mod.rs

@@ -10,9 +10,8 @@ mod cert_compression;
 pub mod connector;
 pub mod extension;
 mod profile;
+mod settings;
 
-pub(crate) use self::profile::tls_settings;
-use crate::async_impl::client::HttpVersionPref;
 use crate::connect::HttpConnector;
 use crate::tls::extension::{SslConnectExtension, SslExtension};
 use boring::ssl::{SslConnector, SslMethod};
@@ -21,112 +20,21 @@ use boring::{
     ssl::{ConnectConfiguration, SslConnectorBuilder},
 };
 use connector::{HttpsConnector, HttpsLayer, HttpsLayerSettings};
-use hyper::{PseudoOrder, SettingsOrder, StreamDependency};
+pub(crate) use profile::tls_settings;
 pub use profile::Impersonate;
 use profile::TypedImpersonate;
+
+pub use settings::{Http2Settings, SslBuilderSettings, SslContextSettings, SslSettings};
 use std::any::Any;
 use std::fmt::{self, Debug};
 
 type TlsResult<T> = std::result::Result<T, ErrorStack>;
 
-/// The TLS connector configuration.
-#[derive(Clone)]
-pub struct SslSettings {
-    /// The client to impersonate.
-    pub impersonate: Impersonate,
-    /// The minimum TLS version to use.
-    pub min_tls_version: Option<Version>,
-    /// The maximum TLS version to use.
-    pub max_tls_version: Option<Version>,
-    /// Enable ECH grease.
-    pub enable_ech_grease: bool,
-    /// Permute extensions.
-    pub permute_extensions: bool,
-    /// Verify certificates.
-    pub certs_verification: bool,
-    /// Use a pre-shared key.
-    pub pre_shared_key: bool,
-    /// The HTTP version preference.
-    pub http_version_pref: HttpVersionPref,
-}
-
-/// Connection settings
-pub struct SslBuilderSettings {
-    /// The SSL connector builder.
-    pub ssl_builder: SslConnectorBuilder,
-    /// Enable PSK.
-    pub enable_psk: bool,
-    /// HTTP/2 settings.
-    pub http2: Http2Settings,
-}
-
-impl Debug for SslBuilderSettings {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("TlsSettings")
-            .field("tls_builder", &self.ssl_builder.type_id())
-            .field("http2", &self.http2)
-            .finish()
-    }
-}
-
-/// HTTP/2 settings.
-#[derive(Debug)]
-pub struct Http2Settings {
-    /// The initial stream window size.
-    pub initial_stream_window_size: Option<u32>,
-    /// The initial connection window size.
-    pub initial_connection_window_size: Option<u32>,
-    /// The maximum concurrent streams.
-    pub max_concurrent_streams: Option<u32>,
-    /// The maximum header list size.
-    pub max_header_list_size: Option<u32>,
-    /// The header table size.
-    pub header_table_size: Option<u32>,
-    /// Enable push.
-    pub enable_push: Option<bool>,
-    /// The priority of the headers.
-    pub headers_priority: Option<StreamDependency>,
-    /// The pseudo header order.
-    pub headers_pseudo_header: Option<[PseudoOrder; 4]>,
-    /// The settings order.
-    pub settings_order: Option<[SettingsOrder; 2]>,
-}
-
-impl Default for SslSettings {
-    fn default() -> Self {
-        Self {
-            min_tls_version: None,
-            max_tls_version: None,
-            impersonate: Default::default(),
-            enable_ech_grease: false,
-            permute_extensions: false,
-            certs_verification: true,
-            pre_shared_key: false,
-            http_version_pref: HttpVersionPref::All,
-        }
-    }
-}
-
-impl Debug for SslSettings {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        f.debug_struct("TlsConnector")
-            .field("min_tls_version", &self.min_tls_version)
-            .field("max_tls_version", &self.max_tls_version)
-            .field("impersonate", &self.impersonate)
-            .field("enable_ech_grease", &self.enable_ech_grease)
-            .field("permute_extensions", &self.permute_extensions)
-            .field("certs_verification", &self.certs_verification)
-            .field("pre_shared_key", &self.pre_shared_key)
-            .field("http_version_pref", &self.http_version_pref)
-            .finish()
-    }
-}
-
 /// A wrapper around a `SslConnectorBuilder` that allows for additional settings.
 #[derive(Clone)]
 pub struct TlsConnector {
-    /// The TLS connector builder settings.
-    settings: SslSettings,
+    /// The TLS connector context settings.
+    settings: SslContextSettings,
     /// The TLS connector layer.
     layer: HttpsLayer,
 }
@@ -139,7 +47,7 @@ impl TlsConnector {
             None => SslConnector::builder(SslMethod::tls_client())?,
         };
         Ok(Self {
-            settings: settings.clone(),
+            settings: SslContextSettings::from(&settings),
             layer: Self::build_layer(settings, ssl)?,
         })
     }
@@ -154,8 +62,8 @@ impl TlsConnector {
         let mut http = HttpsConnector::with_connector_layer(http, self.layer.clone());
 
         // Set the callback to add application settings.
-        let builder = self.settings.clone();
-        http.set_callback(move |conf, _| configure_ssl_context(conf, &builder));
+        let ctx = self.settings.clone();
+        http.set_callback(move |conf, _| configure_ssl_context(conf, &ctx));
 
         Ok(http)
     }
@@ -166,7 +74,8 @@ impl TlsConnector {
             .configure_alpn_protos(&settings.http_version_pref)?
             .configure_cert_verification(settings.certs_verification)?
             .configure_min_tls_version(settings.min_tls_version)?
-            .configure_max_tls_version(settings.max_tls_version)?;
+            .configure_max_tls_version(settings.max_tls_version)?
+            .configure_ca_cert_file(settings.ca_cert_file.as_deref())?;
 
         // Create the `HttpsLayerSettings` with the default session cache capacity.
         let settings = HttpsLayerSettings::builder()
@@ -178,11 +87,11 @@ impl TlsConnector {
 }
 
 /// Add application settings to the given `ConnectConfiguration`.
-fn configure_ssl_context(conf: &mut ConnectConfiguration, ctx: &SslSettings) -> TlsResult<()> {
-    if matches!(
-        ctx.impersonate.profile(),
-        TypedImpersonate::Chrome | TypedImpersonate::Edge
-    ) {
+fn configure_ssl_context(
+    conf: &mut ConnectConfiguration,
+    ctx: &SslContextSettings,
+) -> TlsResult<()> {
+    if matches!(ctx.typed, TypedImpersonate::Chrome | TypedImpersonate::Edge) {
         conf.configure_permute_extensions(ctx.permute_extensions)?
             .configure_enable_ech_grease(ctx.enable_ech_grease)?
             .configure_add_application_settings(ctx.http_version_pref)?;