Add a flag to manually specify roots. (#98)
This commit is contained in:
parent
c5b3e5cb8d
commit
a30f313439
|
@ -24,6 +24,13 @@ pub struct Config {
|
|||
#[arg(long)]
|
||||
pub tls_key: Vec<path::PathBuf>,
|
||||
|
||||
/// Use the TLS root at this path, encoded as PEM.
|
||||
///
|
||||
/// This value can be provided multiple times for multiple roots.
|
||||
/// If this is empty, system roots will be used instead
|
||||
#[arg(long)]
|
||||
pub tls_root: Vec<path::PathBuf>,
|
||||
|
||||
/// Optional: Use the moq-api via HTTP to store origin information.
|
||||
#[arg(long)]
|
||||
pub api: Option<Url>,
|
||||
|
|
|
@ -38,10 +38,23 @@ impl Tls {
|
|||
// Create a list of acceptable root certificates.
|
||||
let mut roots = RootCertStore::empty();
|
||||
|
||||
if config.tls_root.is_empty() {
|
||||
// Add the platform's native root certificates.
|
||||
for cert in rustls_native_certs::load_native_certs().context("could not load platform certs")? {
|
||||
roots.add(&Certificate(cert.0)).context("failed to add root cert")?;
|
||||
}
|
||||
} else {
|
||||
// Add the specified root certificates.
|
||||
for root in &config.tls_root {
|
||||
let root = fs::File::open(root).context("failed to open root cert file")?;
|
||||
let mut root = io::BufReader::new(root);
|
||||
let root = rustls_pemfile::certs(&mut root).context("failed to read root cert")?;
|
||||
anyhow::ensure!(root.len() == 1, "expected a single root cert");
|
||||
let root = Certificate(root[0].to_owned());
|
||||
|
||||
roots.add(&root).context("failed to add root cert")?;
|
||||
}
|
||||
}
|
||||
|
||||
let certs = Self {
|
||||
serve: Arc::new(serve),
|
||||
|
|
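Review bot: The new `else` branch rejects any PEM file that holds more than one certificate (`anyhow::ensure!(root.len() == 1, "expected a single root cert")`), which rules out the common CA-bundle layout and silently imposes a one-certificate-per-file rule that the `tls_root` doc comment added in the first hunk never states. Either document the constraint on the flag (`/// Each file must contain exactly one PEM-encoded certificate.`) or accept every certificate the file yields, which also drops the `root[0].to_owned()` copy: `anyhow::ensure!(!root.is_empty(), "expected at least one root cert");` followed by `for cert in root { roots.add(&Certificate(cert)).context("failed to add root cert")?; }`. Failing startup on a malformed or empty root file, as this branch does, is the right behaviour for a trust-anchor override, and a one-line comment that explicit roots replace the platform store rather than extend it would make that intent visible at the `if config.tls_root.is_empty()` check. The enclosing function in `impl Tls` begins and ends outside the hunk.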