Implement ClientCertVerifier

[brianwp3000]

This crate offers the Verifier class which implements ServerCertVerifier--this allows users to create a ClientConfig that verifies server TLS certificates using the platform's native store. There is no implementation of ClientCertVerifier, however, so there is no way to create a ServerConfig that verifies client TLS certificates using the platform's native store.

For context, I want to host an HTTPS endpoint on Windows that accepts client certificates. I need to be able to verify that those client certificates are valid according to the installed root CAs, but that isn't going to be possible without a ClientCertVerifier implementation in this crate--the default WebPkiClientVerifier that rustls offers doesn't work with Windows certificate stores.

[djc]

I'm not sure this is a use case we want to fully support in this crate -- it seems relatively niche. I would be interested what you would need in terms of exposing currently-private API in order to make it feasible to implement this on the outside using some of the abstractions implemented in this crate.

[brianwp3000]

I ended up working around this by using the rustls-cng crate to create a WebPkiClientVerifier that uses root CAs from the Windows certificate store:

use rustls_cng::store::{CertStore, CertStoreType};

let mut root_cert_store = RootCertStore::empty();

for store_name in ["Root", "AuthRoot", "CA"] {
    root_cert_store.add_parsable_certificates(
        CertStore::open(CertStoreType::LocalMachine, store_name)?
            .find_all()?
            .iter()
            .map(|cert_context| CertificateDer::from_slice(cert_context.as_der())),
    );
}

let web_pki_client_verifier =
    WebPkiClientVerifier::builder(Arc::new(root_cert_store)).build()?;

let rustls_config = ServerConfig::builder()
        .with_client_cert_verifier(web_pki_client_verifier)
        .with_cert_resolver(my_server_certificate_resolver);

I don't know what it would take but it would be nice to just use:

let rustls_config = ServerConfig::builder()
        .with_client_cert_verifier(Verifier::new()),
        .with_cert_resolver(my_server_certificate_resolver);

// or

let rustls_config = ServerConfig::builder()
        .with_platform_verifier(),
        .with_cert_resolver(my_server_certificate_resolver);