Skip to content

feat:tofu certificate validation #193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lucasdbr05 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat:tofu certificate validation #193

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions examples/tofu.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
extern crate electrum_client;

use electrum_client::{Client, Config, ElectrumApi, TofuStore};
use std::collections::HashMap;
use std::io::Result;
use std::sync::{Arc, Mutex};

/// A simple in-memory implementation of TofuStore for demonstration purposes.
#[derive(Debug, Default)]
struct MyTofuStore {
certs: Mutex<HashMap<String, Vec<u8>>>,
}

impl TofuStore for MyTofuStore {
fn get_certificate(&self, host: &str) -> Result<Option<Vec<u8>>> {
let certs = self.certs.lock().unwrap();
Ok(certs.get(host).cloned())
}

fn set_certificate(&self, host: &str, cert: Vec<u8>) -> Result<()> {
let mut certs = self.certs.lock().unwrap();
certs.insert(host.to_string(), cert);
Ok(())
}
}

fn main() {
let store = Arc::new(MyTofuStore::default());

let client = Client::from_config_with_tofu(
"ssl://electrum.blockstream.info:50002",
Config::default(),
store,
)
.unwrap();

let res = client.server_features();
println!("{:#?}", res);
}
59 changes: 51 additions & 8 deletions src/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
//! Electrum Client

use std::sync::Arc;
use std::{borrow::Borrow, sync::RwLock};

use log::{info, warn};
Expand All @@ -10,6 +11,7 @@ use crate::api::ElectrumApi;
use crate::batch::Batch;
use crate::config::Config;
use crate::raw_client::*;
use crate::tofu::TofuStore;
use crate::types::*;
use std::convert::TryFrom;

Expand All @@ -35,6 +37,7 @@ pub struct Client {
client_type: RwLock<ClientType>,
config: Config,
url: String,
tofu_store: Option<Arc<dyn TofuStore>>,
}

macro_rules! impl_inner_call {
Expand Down Expand Up @@ -74,7 +77,7 @@ macro_rules! impl_inner_call {
if let Ok(mut write_client) = $self.client_type.try_write() {
loop {
std::thread::sleep(std::time::Duration::from_secs((1 << errors.len()).min(30) as u64));
match ClientType::from_config(&$self.url, &$self.config) {
match ClientType::from_config(&$self.url, &$self.config, $self.tofu_store.clone()) {
Ok(new_client) => {
info!("Succesfully created new client");
*write_client = new_client;
Expand Down Expand Up @@ -111,7 +114,11 @@ fn retries_exhausted(failed_attempts: usize, configured_retries: u8) -> bool {
impl ClientType {
/// Constructor that supports multiple backends and allows configuration through
/// the [Config]
pub fn from_config(url: &str, config: &Config) -> Result<Self, Error> {
pub fn from_config(
url: &str,
config: &Config,
tofu_store: Option<Arc<dyn TofuStore>>,
Copy link
Collaborator

@oleonardolima oleonardolima Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's best to keep ClientType::from_config as it was, without a new parameter for the tofu_store, passing None when creating the client's below.

Instead, you can add a new method from_config_with_tofu for ClientType too.

) -> Result<Self, Error> {
#[cfg(any(feature = "openssl", feature = "rustls", feature = "rustls-ring"))]
if url.starts_with("ssl://") {
let url = url.replacen("ssl://", "", 1);
Expand All @@ -122,14 +129,22 @@ impl ClientType {
config.validate_domain(),
socks5,
config.timeout(),
tofu_store,
)?,
None => RawClient::new_ssl(
url.as_str(),
config.validate_domain(),
config.timeout(),
tofu_store,
)?,
None => {
RawClient::new_ssl(url.as_str(), config.validate_domain(), config.timeout())?
}
};
#[cfg(not(feature = "proxy"))]
let client =
RawClient::new_ssl(url.as_str(), config.validate_domain(), config.timeout())?;
let client = RawClient::new_ssl(
url.as_str(),
config.validate_domain(),
config.timeout(),
tofu_store,
)?;

return Ok(ClientType::SSL(client));
}
Expand All @@ -142,6 +157,12 @@ impl ClientType {
}

{
if tofu_store.is_some() {
return Err(Error::Message(
"TOFU validation is available only for SSL connections".to_string(),
));
}

let url = url.replacen("tcp://", "", 1);
#[cfg(feature = "proxy")]
let client = match config.socks5() {
Expand Down Expand Up @@ -178,12 +199,34 @@ impl Client {
/// Generic constructor that supports multiple backends and allows configuration through
/// the [Config]
pub fn from_config(url: &str, config: Config) -> Result<Self, Error> {
let client_type = RwLock::new(ClientType::from_config(url, &config)?);
let client_type = RwLock::new(ClientType::from_config(url, &config, None)?);

Ok(Client {
client_type,
config,
url: url.to_string(),
tofu_store: None,
})
}
Comment on lines +202 to +210
Copy link
Collaborator

@oleonardolima oleonardolima Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you add the new ClientType::from_config_with_tofu you won't need these changes here.


/// Creates a new client with TOFU (Trust On First Use) certificate validation.
/// This constructor creates a SSL client that uses TOFU for certificate validation.
pub fn from_config_with_tofu(
url: &str,
config: Config,
tofu_store: Arc<dyn TofuStore>,
) -> Result<Self, Error> {
let client_type = RwLock::new(ClientType::from_config(
url,
&config,
Some(tofu_store.clone()),
)?);
Comment on lines +212 to +223
Copy link
Collaborator

@oleonardolima oleonardolima Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should use the new ClienType::from_config_with_tofu here.


Ok(Client {
client_type,
config,
url: url.to_string(),
tofu_store: Some(tofu_store),
})
}
}
Expand Down
3 changes: 3 additions & 0 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,3 +60,6 @@ pub use batch::Batch;
pub use client::*;
pub use config::{Config, ConfigBuilder, Socks5Config};
pub use types::*;

mod tofu;
Copy link
Contributor

@tnull tnull Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we want to feature-gate the whole module?

Copy link
Author

@lucasdbr05 lucasdbr05 Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not created the tofu feature.
I tried to add, but imho the code become too messy when doing so. Adding a feature-gate for it introduces many cases to handle with using [cfg(feature = "tofu")] and [cfg(not(feature = "tofu"))], and since the param tofu_store is optional, I'd rather keep without it. Could you give some feedback about it?

Copy link
Collaborator

@oleonardolima oleonardolima Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, it's best to have it behind a feature, though I didn't try to check how messy it would become.

pub use tofu::TofuStore;
Loading
Loading