pub struct NativeTlsAcceptor(/* private fields */);
trillium Acceptor for native-tls
Implementations
impl NativeTlsAcceptor
pub fn new(t: impl Into<Self>) -> Self
Constructs a NativeTlsAcceptor from a native_tls::TlsAcceptor,
an async_native_tls::TlsAcceptor, or an Identity.
pub fn from_cert_and_key(cert: &[u8], key: &[u8]) -> Self
Construct a NativeTlsAcceptor from a PEM-encoded certificate chain
and a PEM-encoded private key.
This is the recommended entrypoint and matches the input format used by
trillium-rustls and trillium-openssl. The cert input may contain one
or more CERTIFICATE blocks (the leaf followed by any intermediates).
The key input is accepted in any of the three common PEM key forms:
- -----BEGIN PRIVATE KEY----- (PKCS#8)
- -----BEGIN RSA PRIVATE KEY----- (PKCS#1)
- -----BEGIN EC PRIVATE KEY----- (SEC1)
Either argument may also be a single concatenated bundle containing
both the cert chain and the key; the relevant blocks are extracted from
each input. Encrypted keys are not supported here — decrypt first or
use Self::from_pkcs12.
Internally we first try Identity::from_pkcs8 with the normalized
PEM inputs; on backends that reject that import path (notably macOS
Secure Transport, which refuses EC keys this way with
errSecUnknownFormat), we fall back to packaging the cert chain and
key into an in-memory PKCS#12 archive and calling
Identity::from_pkcs12. The fallback only runs when the first
attempt fails, so OpenSSL-backed platforms never hit it.
Windows + EC keys: SChannel rejects EC keys via both paths — its
PKCS#8 PEM import is strict, and our fallback archive omits the
LocalKeyId attribute SChannel uses to pair cert and key. For EC
keys on Windows, prefer trillium-rustls, or supply a pre-built
PKCS#12 archive (e.g. from openssl pkcs12 -export) via
Self::from_pkcs12. RSA keys work on Windows.
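A pre-flight check for the inputs described above, as an added example that is not part of trillium-native-tls and does not reproduce its internal normalization: it reads PEM labels only (std, no DER parsing), counts CERTIFICATE blocks, classifies the key form, and rejects encrypted keys. The names inspect_bundle, BundleInfo, KeyForm and definitely_ec are hypothetical, and the sample bundle is constructed.

```rust
// Added example, std only; not trillium-native-tls code. Reads PEM labels, never parses DER.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyForm { Pkcs8, Pkcs1Rsa, Sec1Ec }

#[derive(Debug, PartialEq)]
pub struct BundleInfo { pub certs: usize, pub key: KeyForm }

// Constructed sample bundle: bodies are placeholders, not real certificate or key material.
pub const SAMPLE: &str = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n\
-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n\
-----BEGIN EC PRIVATE KEY-----\nCCCC\n-----END EC PRIVATE KEY-----\n";

/// Count CERTIFICATE blocks and classify the single private key block in `pem`.
pub fn inspect_bundle(pem: &str) -> Result<BundleInfo, String> {
    let mut certs = 0usize;
    let mut key: Option<KeyForm> = None;
    let mut in_key = false;
    for line in pem.lines().map(str::trim) {
        let begin = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----"));
        if let Some(label) = begin {
            in_key = false;
            let form = match label {
                "CERTIFICATE" => { certs += 1; continue; }
                "PRIVATE KEY" => KeyForm::Pkcs8,
                "RSA PRIVATE KEY" => KeyForm::Pkcs1Rsa,
                "EC PRIVATE KEY" => KeyForm::Sec1Ec,
                "ENCRYPTED PRIVATE KEY" => return Err("encrypted PKCS#8 key: decrypt first".into()),
                _ => continue, // other labels (e.g. EC PARAMETERS) are ignored
            };
            if key.replace(form).is_some() { return Err("more than one private key block".into()); }
            in_key = true;
        } else if line.starts_with("-----END ") {
            in_key = false;
        } else if in_key && line.starts_with("Proc-Type:") && line.contains("ENCRYPTED") {
            // Legacy OpenSSL encryption header inside a PKCS#1 or SEC1 block.
            return Err("legacy-encrypted key (Proc-Type header): decrypt first".into());
        }
    }
    match (certs, key) {
        (0, _) => Err("no CERTIFICATE block found".into()),
        (_, None) => Err("no private key block found".into()),
        (certs, Some(key)) => Ok(BundleInfo { certs, key }),
    }
}

/// True when the label alone proves an EC key (the case the page flags for SChannel).
/// A PKCS#8 block may also hold an EC key; detecting that needs DER parsing, not done here.
pub fn definitely_ec(info: &BundleInfo) -> bool { info.key == KeyForm::Sec1Ec }

fn main() { println!("{:?}", inspect_bundle(SAMPLE)); }
```

Running this over a deployment's PEM files before startup turns an encrypted or mislabelled key into a readable error, and flags SEC1 EC keys that the Windows note above says need a different path.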
Example
use trillium_native_tls::NativeTlsAcceptor;
const CERT: &[u8] = include_bytes!("../tests/fixtures/rsa.crt");
const KEY: &[u8] = include_bytes!("../tests/fixtures/rsa-pkcs8.key");
let acceptor = NativeTlsAcceptor::from_cert_and_key(CERT, KEY);
pub fn from_pkcs12(der: &[u8], password: &str) -> Self
Construct a NativeTlsAcceptor from a PKCS#12 archive and password.
PKCS#12 (.p12/.pfx) bundles a certificate chain and a private key
in a single password-protected archive. Prefer
Self::from_cert_and_key when you have separate cert and key PEM
files, which is by far the more common provisioning format.
pub fn from_pkcs8(pem: &[u8], key: &[u8]) -> Self
Construct a NativeTlsAcceptor directly from PKCS#8 PEM cert and key
inputs, without normalization.
Prefer Self::from_cert_and_key, which accepts the same inputs plus
PKCS#1 and SEC1 keys. This constructor is retained for backwards
compatibility and forwards directly to Identity::from_pkcs8.
Trait Implementations
impl<Input> Acceptor<Input> for NativeTlsAcceptor
where
    Input: Transport,
type Error = Error
Acceptor::accept may return
type Output = NativeTlsServerTransport<Input>
TlsStream<Input>
impl Clone for NativeTlsAcceptor
fn clone(&self) -> NativeTlsAcceptor
fn clone_from(&mut self, source: &Self)