Enable access to the peer's certificate chain #126
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: The peer certificate chain can contain relevant information in some mTLS scenarios. NIO SSL only exposes the validated certificate chain when using custom verification callbacks. Now that this configuration option is available here, we can expose this property as well. Modifications: Make the property available and expose it as a validated certificate chain type from swift-certificates. Add tests to confirm the implementation. Result: The validated certificate chain is available when using mTLS with a custom certificate validation callback.
glbrntt
requested changes
Sep 16, 2025
| if let peerValidatedCertificateChain = | ||
| try await channel.nioSSL_peerValidatedCertificateChain().get() | ||
| { | ||
| context.peerValidatedCertificateChain = |
There was a problem hiding this comment.
Can we grab the peer cert from the chain to make the do-catch block above a little cheaper?
|
|
||
| /// The validated peer certificate chain from the mTLS handshake. This is only available when using a custom verification callback. | ||
| @available(gRPCSwiftNIOTransport 2.2, *) | ||
| public var peerValidatedCertificateChain: X509.ValidatedCertificateChain? |
There was a problem hiding this comment.
This name makes it sound like the peer validated the cert chain. Do we need validated in the name at all here? It's documented and in the type name so I think peerCertificateChain would be sufficient.
Comment on lines
21
to
32
| @available(gRPCSwiftNIOTransport 2.2, *) | ||
| extension NIOSSL.ValidatedCertificateChain { | ||
| // The precondition holds because the `NIOSSL.ValidatedCertificateChain` always contains one `NIOSSLCertificate`. | ||
| func usingX509Certificates() throws -> X509.ValidatedCertificateChain { | ||
| return .init( | ||
| uncheckedCertificateChain: try self.map { | ||
| let derBytes = try $0.toDERBytes() | ||
| return try Certificate(derEncoded: derBytes) | ||
| } | ||
| ) | ||
| } | ||
| } |
There was a problem hiding this comment.
The more natural spelling here is probably an extension on X509.ValidatedCertificateChain which adds an init(_ chain: NIOSSL.ValidatedCertificateChain) throws
Comment on lines
351
to
355
| let expectedCertificateChain: [Certificate] | ||
| init(_ expectedCertificateChain: [Certificate]) { | ||
| self.expectedCertificateChain = expectedCertificateChain | ||
| } | ||
| func intercept<Input, Output>( |
There was a problem hiding this comment.
Suggested change
| let expectedCertificateChain: [Certificate] | |
| init(_ expectedCertificateChain: [Certificate]) { | |
| self.expectedCertificateChain = expectedCertificateChain | |
| } | |
| func intercept<Input, Output>( | |
| let expectedCertificateChain: [Certificate] | |
| init(_ expectedCertificateChain: [Certificate]) { | |
| self.expectedCertificateChain = expectedCertificateChain | |
| } | |
| func intercept<Input, Output>( |
|
Thank you for the review! I pushed a commit to address your feedback. |
glbrntt
approved these changes
Sep 16, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
The peer certificate chain can contain relevant information in some mTLS scenarios. NIO SSL only exposes the validated certificate chain when using custom verification callbacks. Now that this configuration option is available here, we can expose this property as well.
Modifications:
Make the property available and expose it as a validated certificate chain type from swift-certificates. Add tests to confirm the implementation.
Result:
The validated certificate chain is available when using mTLS with a custom certificate validation callback.