[pbs-devel] [PATCH proxmox v7 1/9] s3 client: add crate for AWS s3 compatible object store client
Christian Ebner
c.ebner at proxmox.com
Fri Jul 11 10:17:29 CEST 2025
On 7/11/25 09:42, Thomas Lamprecht wrote:
> On 10.07.25 at 19:06, Christian Ebner wrote:
>> + fn verify_certificate_fingerprint(
>> + openssl_valid: bool,
>> + context: &mut X509StoreContextRef,
>> + expected_fingerprint: Option<String>,
>> + trust_openssl: Arc<Mutex<bool>>,
>> + ) -> Result<Option<String>, Error> {
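Review bot: The signature of verify_certificate_fingerprint carries no doc comment, and the return type Result<Option<String>, Error> does not say what Some(..) versus None means to the caller. Please document that, along with the intended outcome when expected_fingerprint is None while openssl_valid is false, since that combination decides whether an untrusted certificate is accepted. Two smaller points on the parameters: trust_openssl: Arc<Mutex<bool>> guards a single flag, so an Arc<AtomicBool> would avoid lock handling and mutex poisoning in the verify callback, and expected_fingerprint could be borrowed as Option<&str> if the body only compares it.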
>
> This method seems a bit like it might fit better into a (micro) crate specific for
> "cert stuff". FWIW, there is a verify_fingerprint function in the proxmox-client
> crate already, this one here seems to be a bit more generic, or well also include
> things like the fp_string function for doing &[u8] -> String the client has separately.
>
>
> As both use openssl, i.e. X509StoreContextRef as base, it quite probably can share
> most of the implementation.
>
> FWIW, I'd be even open for a quite specific proxmox-tls-cert-fingerprint micro
> crate, as IMO those micro crates do not produce much maintenance cost, especially
> if one assembles it after having the use case already in a few places, thus being
> pretty likely that the API will work OK that way for new future use cases too.
> Note, not promoting creation of trivial things, e.g. the famous leftpad crates,
> but TLS (fingerprint) cert verification is not really trivial and can have
> critical implications, which then can be IMO enough to justify a micro crate.
>
> Anyhow, this can be refactored out transparently at any time, so really not
> a blocker for getting this client in.
There is this series by Dominik which already does try to unify this
AFAIK, so refactoring this might be done once that has landed?
https://lore.proxmox.com/pbs-devel/20250521084524.829496-1-d.csapak@proxmox.com/
Will adapt the code according to the rest of your other comments for now!