From 25cc0a7c1a32237b6a2599c22d06712b6dc20d50 Mon Sep 17 00:00:00 2001
From: Dirkjan Ochtman
Date: Fri, 25 Oct 2024 10:11:29 +0200
Subject: [PATCH] Use rustls-platform-verifier instead of rustls-native-certs
---
Cargo.toml | 6 +++---
deny.toml | 1 +
src/client.rs | 19 +++++--------------
3 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 91ab659..2ecd110 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -9,8 +9,8 @@ repository = "https://github.com/instant-labs/instant-epp"
 [features]
 default = ["rustls-aws-lc-rs"]
-rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-native-certs"]
-rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-native-certs"]
+rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-platform-verifier"]
+rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-platform-verifier"]
 __rustls = []
 [dependencies]
@@ -18,7 +18,7 @@ async-trait = "0.1.52"
 celes = "2.1"
 chrono = { version = "0.4.23", features = ["serde"] }
 instant-xml = { version = "0.5", features = ["chrono"] }
-rustls-native-certs = { version = "0.8", optional = true }
+rustls-platform-verifier = { version = "0.3", optional = true }
 serde = { version = "1.0", features = ["derive"] }
 tokio = { version = "1.0", features = ["io-util", "net", "time"] }
 tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["logging", "tls12"] }
diff --git a/deny.toml b/deny.toml
index 68bc2e1..97f22e4 100644
--- a/deny.toml
+++ b/deny.toml
@@ -4,6 +4,7 @@ allow = [
 "BSD-3-Clause",
 "ISC",
 "MIT",
+ "MPL-2.0",
 "OpenSSL",
 "Unicode-DFS-2016",
 ]
diff --git a/src/client.rs b/src/client.rs
index 14ee530..3b94b9a 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -215,12 +215,12 @@ mod rustls_connector {
 use std::time::Duration;
 use async_trait::async_trait;
- use rustls_native_certs::CertificateResult;
+ use rustls_platform_verifier::Verifier;
 use tokio::net::lookup_host;
 use tokio::net::TcpStream;
 use tokio_rustls::client::TlsStream;
 use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
- use tokio_rustls::rustls::{ClientConfig, RootCertStore};
+ use tokio_rustls::rustls::ClientConfig;
 use tokio_rustls::TlsConnector;
 use tracing::info;
@@ -238,19 +238,10 @@ mod rustls_connector {
 server: (String, u16),
 identity: Option<(Vec>, PrivateKeyDer<'static>)>,
 ) -> Result {
- let mut roots = RootCertStore::empty();
- let CertificateResult {
- certs, mut errors, ..
- } = rustls_native_certs::load_native_certs();
- if let Some(err) = errors.pop() {
- return Err(Error::Other(err.into()));
- }
+ let builder = ClientConfig::builder()
+ .dangerous()
+ .with_custom_certificate_verifier(Arc::new(Verifier::new()));
- for cert in certs {
- roots.add(cert).map_err(|err| Error::Other(err.into()))?;
- }
-
- let builder = ClientConfig::builder().with_root_certificates(roots);
 let config = match identity {
 Some((certs, key)) => builder
 .with_client_auth_cert(certs, key)
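Review bot: The new `.dangerous().with_custom_certificate_verifier(Arc::new(Verifier::new()))` chain carries no comment, and since `dangerous()` is the same rustls entry point used to switch certificate verification off, a reader has to look up `Verifier` to learn that it is a full chain verifier and not a bypass; a line above `let builder`, such as `// dangerous() only unlocks the custom-verifier hook: Verifier delegates chain validation to the OS trust store (and its revocation policy where the platform has one) rather than skipping it.`, would settle that. The change also moves where trust-store failures surface: the removed code returned `Error::Other` from this function when `load_native_certs()` reported an error, whereas `Verifier::new()` loads nothing up front, so an unreadable or empty OS store will now show up as a handshake-time certificate error (and I believe the non-Apple/non-Windows backend may fall back to a bundled root set — confirm against the pinned 0.3 sources and record the behaviour in the commit message). If the pinned version exposes `rustls_platform_verifier::BuilderVerifierExt`, `ClientConfig::builder().with_platform_verifier()` yields the same `WantsClientCert` builder without going through `.dangerous()`. `Arc` is used here but not added in the use-block hunk above, so presumably `std::sync::Arc` is already in scope; the enclosing function's signature begins before this hunk and its body continues past `.with_client_auth_cert(certs, key)`.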