[Feature proposal] Dynamic signing of TLS connection

[FaustXVI]

The actual need

Let's say we have a hardware token like a HSM, a Yubikey or any security token compatible with PKCS#11.

We could imagine using the key/certificate pair stored in the security token to secure the TLS connection. That way, on the other side of the connection, we are sure that we are talking to someone who has that unique security token.

The problem

The private key cannot be extracted from the security token (that's the whole purpose) so we can't give it to reqwest.

The solution

When creating a TLS connection, data needs to be signed by the security token. This means that, instead of giving a private key as an identity, we need to give a function that will sign the data. On step further would be to also allow a dynamic certificate.

The good news is that rustls already have this feature. However, as you stated in #2569 and #605, exposing rustls API means risking breaking changes on a simple update. A wrapper would do the trick but it doesn't seems that native_tls would support that feature.

Would having a feature for rustls only but without exposing rustls API be acceptable for you ?

[seanmonstar]

Maybe... Though, designing a callback/trait that is sufficiently forwards compatible is probably difficult here.

At the moment, I'd suggest use_preconfigured_tls().

[FaustXVI]

Yeah, I thought of that too, but then I have to redo what you have done about the configuration and monitor any change made to that specific file in case any issue is present (and currently unknown) in the TLS configuration. Doable, but not optimal.