in attestation/src/service.rs [120:156]
fn new_tls_stream(
url: &url::Url,
) -> Result<rustls::StreamOwned<rustls::client::ClientConnection, TcpStream>> {
let host_str = url
.host_str()
.ok_or(AttestationServiceError::InvalidAddress)?;
let mut root_certs = rustls::RootCertStore::empty();
#[cfg(dcap)]
{
let certs = rustls_pemfile::certs(&mut DCAP_ROOT_CA_CERT.to_string().as_bytes())
.map_err(|_| AttestationServiceError::TlsError)?;
let (valid_count, _) = root_certs.add_parsable_certificates(&certs);
anyhow::ensure!(valid_count >= 1, "DCAP_ROOT_CA_CERT error");
}
root_certs.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(
|trust_anchor| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
trust_anchor.subject,
trust_anchor.spki,
trust_anchor.name_constraints,
)
},
));
let config = rustls::ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(root_certs)
.with_no_client_auth();
let client = rustls::client::ClientConnection::new(Arc::new(config), host_str.try_into()?)?;
let addrs = url.socket_addrs(|| match url.scheme() {
"https" => Some(443),
_ => None,
})?;
let socket = TcpStream::connect(&*addrs)?;
let stream = rustls::StreamOwned::new(client, socket);
Ok(stream)
}