Use rustls-platform-verifier instead of rustls-native-certs

2024-10-25 10:11:29 +02:00 · 2024-10-25 10:11:29 +02:00 · 25cc0a7c1a
parent 492ac1c808
commit 25cc0a7c1a
3 changed files with 9 additions and 17 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -9,8 +9,8 @@ repository = "https://github.com/instant-labs/instant-epp"
 [features]
 default = ["rustls-aws-lc-rs"]
-rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-native-certs"]
+rustls-aws-lc-rs = ["dep:tokio-rustls", "tokio-rustls/aws-lc-rs", "dep:rustls-platform-verifier"]
-rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-native-certs"]
+rustls-ring = ["dep:tokio-rustls", "tokio-rustls/ring", "dep:rustls-platform-verifier"]
 __rustls = []
 [dependencies]
@ -18,7 +18,7 @@ async-trait = "0.1.52"
 celes = "2.1"
 chrono = { version = "0.4.23", features = ["serde"] }
 instant-xml = { version = "0.5", features = ["chrono"] }
-rustls-native-certs = { version = "0.8", optional = true }
+rustls-platform-verifier = { version = "0.3", optional = true }
 serde = { version = "1.0", features = ["derive"] }
 tokio = { version = "1.0", features = ["io-util", "net", "time"] }
 tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["logging", "tls12"] }
--- a/deny.toml
+++ b/deny.toml
@ -4,6 +4,7 @@ allow = [
    "BSD-3-Clause",
    "ISC",
    "MIT",
    "MPL-2.0",
    "OpenSSL",
    "Unicode-DFS-2016",
 ]
--- a/src/client.rs
+++ b/src/client.rs
@ -215,12 +215,12 @@ mod rustls_connector {
    use std::time::Duration;
    use async_trait::async_trait;
-    use rustls_native_certs::CertificateResult;
+    use rustls_platform_verifier::Verifier;
    use tokio::net::lookup_host;
    use tokio::net::TcpStream;
    use tokio_rustls::client::TlsStream;
    use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
-    use tokio_rustls::rustls::{ClientConfig, RootCertStore};
+    use tokio_rustls::rustls::ClientConfig;
    use tokio_rustls::TlsConnector;
    use tracing::info;
@ -238,19 +238,10 @@ mod rustls_connector {
            server: (String, u16),
            identity: Option<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)>,
        ) -> Result<Self, Error> {
-            let mut roots = RootCertStore::empty();
+            let builder = ClientConfig::builder()
-            let CertificateResult {
+                .dangerous()
-                certs, mut errors, ..
+                .with_custom_certificate_verifier(Arc::new(Verifier::new()));
            } = rustls_native_certs::load_native_certs();
            if let Some(err) = errors.pop() {
                return Err(Error::Other(err.into()));
            }
            for cert in certs {
                roots.add(cert).map_err(|err| Error::Other(err.into()))?;
            }
            let builder = ClientConfig::builder().with_root_certificates(roots);
            let config = match identity {
                Some((certs, key)) => builder
                    .with_client_auth_cert(certs, key)