feat(rumqttc): optional client certificates while using native-tls (#758

)
bytebeamio · Nov 27, 2023 · 22d7fae · 22d7fae
1 parent 8499789
commit 22d7fae
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 9 deletions.
diff --git a/rumqttc/CHANGELOG.md b/rumqttc/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Synchronous client methods take `&self` instead of `&mut self` (#646)
 - Removed the `Key` enum: users do not need to specify the TLS key variant in the `TlsConfiguration` anymore, this is inferred automatically.
 To update your code simply remove `Key::ECC()` or `Key::RSA()` from the initialization.
+- certificate for client authentication is now optional while using native-tls. `der` & `password` fields are replaced by `client_auth`.
 
 ### Deprecated
 

diff --git a/rumqttc/src/lib.rs b/rumqttc/src/lib.rs
@@ -335,10 +335,9 @@ pub enum TlsConfiguration {
     SimpleNative {
         /// ca certificate
         ca: Vec<u8>,
-        /// pkcs12 binary der
-        der: Vec<u8>,
+        /// pkcs12 binary der and
         /// password for use with der
-        password: String,
+        client_auth: Option<(Vec<u8>, String)>,
     },
     #[cfg(feature = "use-rustls")]
     /// Injected rustls ClientConfig for TLS, to allow more customisation.

diff --git a/rumqttc/src/tls.rs b/rumqttc/src/tls.rs
@@ -150,13 +150,18 @@ pub async fn native_tls_connector(
     tls_config: &TlsConfiguration,
 ) -> Result<NativeTlsConnector, Error> {
     let connector = match tls_config {
-        TlsConfiguration::SimpleNative { ca, der, password } => {
+        TlsConfiguration::SimpleNative { ca, client_auth } => {
             let cert = native_tls::Certificate::from_pem(ca)?;
-            let identity = Identity::from_pkcs12(der, password)?;
-            native_tls::TlsConnector::builder()
-                .add_root_certificate(cert)
-                .identity(identity)
-                .build()?
+
+            let mut connector_builder = native_tls::TlsConnector::builder();
+            connector_builder.add_root_certificate(cert);
+
+            if let Some((der, password)) = client_auth {
+                let identity = Identity::from_pkcs12(der, password)?;
+                connector_builder.identity(identity);
+            }
+
+            connector_builder.build()?
         }
         TlsConfiguration::Native => native_tls::TlsConnector::new()?,
         #[allow(unreachable_patterns)]