I’m planning to build an open source project with Rust (coming from C++/Python). One important point is TLS connections between multiple clients.
The basic environment is:
- Each user has a unique x509 certificate
- Each user has multiple devices
- Each device creates an x509 certificate, signed by the user certificate
- Each device accepts connections from other devices if:
  - the device sends a device certificate
  - the device certificate is signed by a user certificate
  - the user certificate is known and trusted by the local user
For this, I want to use rustls and mio to implement the TLS communication. But I have not found a resource/documentation on how to:
- Create x509 certificates with rustls/ring/webpki
- Sign an x509 certificate with rustls/ring/webpki
- Customize the client certificate validation
Could someone provide me a little help with these topics?
Also, I’m not sure if rustls/webpki fits my requirements. There are two statements in the rustls documentation which confuse me:

> You do not need to provide anything other than a set of root certificates to trust. Certificate verification cannot be turned off or disabled in the main API.

I don’t use/need root certificates.

> You need to provide the server’s hostname so we know what to expect to find in the server’s certificate.

I don’t work with hostnames. The devices announce themselves via UDP multicast in a LAN with their IP addresses and user/device IDs.
I have not figured out if rustls and webpki work without a root certificate store and with plain IP addresses instead of hostnames.
Target platforms are Win/Linux/Mac/Android, later iOS.
PS: As I just started with Rust a few days ago, please be a little more verbose in an answer.
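The trust policy described in the post (device cert signed by a user cert, user cert pinned locally, no CA root store, device ID instead of hostname) as an added, stand-alone model. This is example code written for this page, not code from the original post, from rustls or from webpki: it shows the decision logic that a custom rustls `ClientCertVerifier` implementation would have to perform, while a toy Schnorr signature over Z_p^* (p = 2^61 - 1) and a minimal `Cert` struct stand in for real X.509/ECDSA and webpki chain building. The `LocalTrust` type, the certificate fields, the `user:`/`device:` naming and the alice/bob/mallory fixture are all assumptions made for the example.

```rust
// Added example (not from the original post, rustls, or webpki): the trust policy
// above, written as the check one would place inside a custom rustls verifier.
// A toy Schnorr signature over Z_p^* (p = 2^61 - 1) stands in for real X.509/ECDSA;
// the certificate fields and the LocalTrust type are assumptions of this example.
use std::collections::{hash_map::DefaultHasher, HashMap};
use std::hash::{Hash, Hasher};

const P: u64 = (1 << 61) - 1; // Mersenne prime; group order of Z_p^* is P - 1
const G: u64 = 5;

fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P as u128) as u64 }
fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut r = 1;
    while e > 0 { if e & 1 == 1 { r = mul(r, b); } b = mul(b, b); e >>= 1; }
    r
}
/// Deterministic hash of byte strings, reduced into the exponent range [0, P-1).
fn h(parts: &[&[u8]]) -> u64 {
    let mut s = DefaultHasher::new();
    for p in parts { p.hash(&mut s); }
    s.finish() % (P - 1)
}
fn keypair(seed: &str) -> (u64, u64) { let sk = 1 + h(&[seed.as_bytes()]) % (P - 2); (sk, pow(G, sk)) }
/// Toy Schnorr: pk = G^sk; sig = (r, s) with r = G^k, e = H(r, m), s = k + sk*e mod (P-1).
fn sign(sk: u64, msg: &[u8]) -> (u64, u64) {
    let k = 1 + h(&[&sk.to_le_bytes()[..], msg]) % (P - 2); // deterministic nonce, never zero
    let r = pow(G, k);
    let e = h(&[&r.to_le_bytes()[..], msg]);
    (r, ((k as u128 + sk as u128 * e as u128) % (P - 1) as u128) as u64)
}
fn verify(pk: u64, msg: &[u8], (r, s): (u64, u64)) -> bool {
    let e = h(&[&r.to_le_bytes()[..], msg]);
    pow(G, s) == mul(r, pow(pk, e)) // G^(k + sk*e) == G^k * (G^sk)^e
}

#[derive(Clone)]
struct Cert { subject: String, issuer: String, pub_key: u64, not_after: u64, sig: (u64, u64) }
impl Cert {
    fn tbs(&self) -> Vec<u8> { format!("{}|{}|{}|{}", self.subject, self.issuer, self.pub_key, self.not_after).into_bytes() }
    /// Issue `subject`'s cert under `issuer`, whose private key is `issuer_sk` (user certs are self-issued).
    fn issue(subject: &str, issuer: &str, issuer_sk: u64, pub_key: u64, not_after: u64) -> Cert {
        let mut c = Cert { subject: subject.into(), issuer: issuer.into(), pub_key, not_after, sig: (0, 0) };
        c.sig = sign(issuer_sk, &c.tbs());
        c
    }
}
#[derive(Debug, PartialEq)]
enum Reject { ChainShape, UnknownUser, BadSignature, Expired, IdMismatch }
/// Replaces the root store: the user certificates the local user pinned, as name -> public key.
struct LocalTrust { trusted_users: HashMap<String, u64>, now: u64 }
impl LocalTrust {
    /// `chain` is what the peer presented: [device cert, user cert]; `announced` is the
    /// device ID learned over multicast and takes the place of the hostname check.
    fn verify_peer(&self, chain: &[Cert], announced: &str) -> Result<String, Reject> {
        if chain.len() != 2 { return Err(Reject::ChainShape); }
        let (device, user) = (&chain[0], &chain[1]);
        // 1. The user cert must match a pinned entry by name AND key: a name alone proves nothing.
        if self.trusted_users.get(&user.subject) != Some(&user.pub_key) { return Err(Reject::UnknownUser); }
        if user.issuer != user.subject || !verify(user.pub_key, &user.tbs(), user.sig) { return Err(Reject::BadSignature); }
        // 2. The device cert must be issued by that user and carry a valid signature under its key.
        if device.issuer != user.subject { return Err(Reject::ChainShape); }
        if !verify(user.pub_key, &device.tbs(), device.sig) { return Err(Reject::BadSignature); }
        if device.not_after < self.now || user.not_after < self.now { return Err(Reject::Expired); }
        // 3. Bind the proven device identity to the one that was announced.
        if device.subject != announced { return Err(Reject::IdMismatch); }
        Ok(device.subject.clone())
    }
}
/// Constructed fixture: alice and bob are trusted locally, mallory is not.
fn run_scenarios() -> Vec<Result<String, Reject>> {
    let (now, later) = (1_700_000_000u64, 1_800_000_000u64);
    let (alice_sk, alice_pk) = keypair("alice");
    let (bob_sk, bob_pk) = keypair("bob");
    let (mal_sk, mal_pk) = keypair("mallory");
    let user = |n: &str, sk: u64, pk: u64| Cert::issue(n, n, sk, pk, later);
    let (alice, bob, mallory) = (user("user:alice", alice_sk, alice_pk), user("user:bob", bob_sk, bob_pk), user("user:mallory", mal_sk, mal_pk));
    let trust = LocalTrust { trusted_users: HashMap::from([("user:alice".to_string(), alice_pk), ("user:bob".to_string(), bob_pk)]), now };
    let laptop = Cert::issue("device:alice/laptop", "user:alice", alice_sk, keypair("laptop").1, later);
    let phone = Cert::issue("device:mallory/phone", "user:mallory", mal_sk, keypair("phone").1, later);
    let old = Cert::issue("device:alice/old", "user:alice", alice_sk, keypair("old").1, now - 1);
    let mut forged = laptop.clone();
    forged.pub_key ^= 1; // attacker swaps the device key but cannot re-sign as alice
    // Impostor: self-signed cert named "user:alice" but carrying mallory's key, plus a device it signed.
    let fake_alice = Cert::issue("user:alice", "user:alice", mal_sk, mal_pk, later);
    let fake_dev = Cert::issue("device:alice/laptop", "user:alice", mal_sk, keypair("fake").1, later);
    vec![
        trust.verify_peer(&[laptop.clone(), alice.clone()], "device:alice/laptop"),
        trust.verify_peer(&[phone, mallory], "device:mallory/phone"),
        trust.verify_peer(&[laptop.clone(), bob], "device:alice/laptop"),
        trust.verify_peer(&[forged, alice.clone()], "device:alice/laptop"),
        trust.verify_peer(&[old, alice.clone()], "device:alice/old"),
        trust.verify_peer(&[laptop, alice], "device:alice/phone"),
        trust.verify_peer(&[fake_dev, fake_alice], "device:alice/laptop"),
    ]
}
fn main() { for r in run_scenarios() { println!("{:?}", r); } }
```

Two details in the policy matter more than the toy crypto. The pinned set is keyed by name and compared on the public key, so a self-signed certificate that merely claims `user:alice` is rejected as an unknown user rather than accepted on its name. And the identity check compares the subject proven by the chain with the ID that was announced over multicast, which is the role the hostname check plays in a normal TLS client; whatever replaces hostnames in a real implementation has to make that same binding, or an attacker who can answer the multicast can present any valid certificate and be treated as the device the client expected.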