Make logic independant from server certificates

ThibsG · ThibsG · commit 682cd13664da · 2022-11-28T20:35:27.000+01:00
diff --git a/sqlx-core/src/net/tls/mod.rs b/sqlx-core/src/net/tls/mod.rs
@@ -138,14 +138,14 @@ async fn configure_tls_connector(
 
             builder.add_root_certificate(cert);
         }
+    }
 
-        // authentication using user's key-file and its associated certificate
-        if let (Some(cert_path), Some(key_path)) = (client_cert_path, client_key_path) {
-            let cert_path = cert_path.data().await?;
-            let key_path = key_path.data().await?;
-            let identity = Identity::from_pkcs8(&cert_path, &key_path)?;
-            builder.identity(identity);
-        }
+    // authentication using user's key-file and its associated certificate
+    if let (Some(cert_path), Some(key_path)) = (client_cert_path, client_key_path) {
+        let cert_path = cert_path.data().await?;
+        let key_path = key_path.data().await?;
+        let identity = Identity::from_pkcs8(&cert_path, &key_path)?;
+        builder.identity(identity);
     }
 
     #[cfg(not(feature = "_rt-async-std"))]
diff --git a/sqlx-core/src/net/tls/rustls.rs b/sqlx-core/src/net/tls/rustls.rs
@@ -16,12 +16,34 @@ pub async fn configure_tls_connector(
     client_cert_path: Option<&CertificateInput>,
     client_key_path: Option<&CertificateInput>,
 ) -> Result<sqlx_rt::TlsConnector, Error> {
-    let mut config = ClientConfig::builder().with_safe_defaults();
+    let config = ClientConfig::builder().with_safe_defaults();
+
+    // authentication using user's key and its associated certificate
+    let user_auth = match (client_cert_path, client_key_path) {
+        (Some(cert_path), Some(key_path)) => {
+            let cert_chain = certs_from_pem(cert_path.data().await?)?;
+            let key_der = private_key_from_pem(key_path.data().await?)?;
+            Some((cert_chain, key_der))
+        }
+        (None, None) => None,
+        (_, _) => {
+            return Err(Error::Configuration(
+                "user auth key and certs must be given together".into(),
+            ))
+        }
+    };
 
     let config = if accept_invalid_certs {
-        config
-            .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
-            .with_no_client_auth()
+        if let Some(user_auth) = user_auth {
+            config
+                .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
+                .with_single_cert(user_auth.0, user_auth.1)
+                .map_err(|err| Error::Tls(err.into()))?
+        } else {
+            config
+                .with_custom_certificate_verifier(Arc::new(DummyTlsVerifier))
+                .with_no_client_auth()
+        }
     } else {
         let mut cert_store = RootCertStore::empty();
         cert_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
@@ -45,21 +67,6 @@ pub async fn configure_tls_connector(
             }
         }
 
-        // authentication using user's key and its associated certificate
-        let user_auth = match (client_cert_path, client_key_path) {
-            (Some(cert_path), Some(key_path)) => {
-                let cert_chain = certs_from_pem(cert_path.data().await?)?;
-                let key_der = private_key_from_pem(key_path.data().await?)?;
-                Some((cert_chain, key_der))
-            }
-            (None, None) => None,
-            (_, _) => {
-                return Err(Error::Configuration(
-                    "user auth key and certs must be given together".into(),
-                ))
-            }
-        };
-
         if accept_invalid_hostnames {
             let verifier = WebPkiVerifier::new(cert_store, None);
 
