Uniformize new_with_extra_roots
stormshield-gt committed Aug 29, 2024
1 parent 6084a81 commit b434366
Showing 4 changed files with 26 additions and 16 deletions.
6 changes: 3 additions & 3 deletions rustls-platform-verifier/Cargo.toml
@@ -46,11 +46,11 @@ webpki = { package = "rustls-webpki", version = "0.102", default-features = fals
android_logger = { version = "0.13", optional = true } # Only used during testing.

[target.'cfg(target_arch = "wasm32")'.dependencies]
webpki-roots = "0.26"
webpki-root-certs = "0.26"

# BSD targets require webpki-roots for the real-world verification tests.
# BSD targets require webpki-roots-certs for the real-world verification tests.
[target.'cfg(target_os = "freebsd")'.dev-dependencies]
webpki-roots = "0.26"
webpki-root-certs = "0.26"

[target.'cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos"))'.dependencies]
core-foundation = "0.9"
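Review bot: The new comment above the FreeBSD dev-dependency names the crate `webpki-roots-certs`, but the dependency it describes is `webpki-root-certs`; it should read `# BSD targets require webpki-root-certs for the real-world verification tests.`. The comment added in `real_world_test` has the opposite slip (`webpki-root-cert`) and should read `// so we must provide extra roots from webpki-root-certs.`. Getting the crate name right in these comments matters because they are the only explanation of why a bundled root set is pulled in for these targets.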
5 changes: 3 additions & 2 deletions rustls-platform-verifier/src/tests/verification_mock/mod.rs
@@ -86,10 +86,11 @@ pub(super) fn verification_without_mock_root() {
ensure_global_state();
// Since Rustls 0.22 constructing a webpki verifier (like the one backing Verifier on unix
// systems) without any roots produces `OtherError(NoRootAnchors)` - since our FreeBSD CI
// runner fails to find any roots with openssl-probe we need to provide webpki-roots here
// runner fails to find any roots with openssl-probe we need to provide webpki-root-certs here
// or the test will fail with the `OtherError` instead of the expected `CertificateError`.
#[cfg(target_os = "freebsd")]
let verifier = Verifier::new_with_extra_roots(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let verifier =
Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned());

#[cfg(not(target_os = "freebsd"))]
let verifier = Verifier::new();
@@ -126,9 +126,10 @@ fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
);

// On BSD systems openssl-probe fails to find the system CA bundle,
// so we must provide extra roots from webpki-roots.
// so we must provide extra roots from webpki-root-cert.
#[cfg(target_os = "freebsd")]
let verifier = Verifier::new_with_extra_roots(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let verifier =
Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned());

#[cfg(not(target_os = "freebsd"))]
let verifier = Verifier::new();
26 changes: 17 additions & 9 deletions rustls-platform-verifier/src/verification/others.rs
@@ -54,11 +54,17 @@ impl Verifier {
/// WebPKI, using root certificates provided by the platform and augmented by
/// the provided extra root certificates.
pub fn new_with_extra_roots(
roots: impl IntoIterator<Item = pki_types::TrustAnchor<'static>>,
roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
) -> Self {
Self {
inner: OnceCell::new(),
extra_roots: roots.into_iter().collect::<Vec<_>>().into(),
extra_roots: roots
.into_iter()
.flat_map(|root| {
webpki::anchor_from_trusted_cert(&root).map(|anchor| anchor.to_owned())
})
.collect::<Vec<_>>()
.into(),
#[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
test_only_root_ca_override: None,
crypto_provider: OnceCell::new(),
@@ -154,13 +160,15 @@ impl Verifier {

#[cfg(target_arch = "wasm32")]
{
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|root| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
root.subject,
root.spki,
root.name_constraints,
)
}));
root_store.add_trust_anchors(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().map(
|root| {
rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
root.subject,
root.spki,
root.name_constraints,
)
},
));
};

WebPkiServerVerifier::builder_with_provider(
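Review bot: The `flat_map` in `new_with_extra_roots` swallows the `Err` from `webpki::anchor_from_trusted_cert`, so any extra root that fails to parse is dropped without an error or a log line and the verifier is built with fewer trust anchors than the caller supplied. That fails closed, but a misencoded private CA then only shows up later as an unknown-issuer handshake failure; prefer reporting it, either by making the constructor fallible (an API change) or, at minimum, by documenting it with `/// Certificates that cannot be parsed into a trust anchor are silently skipped.`. In the wasm32 hunk the closure still reads `root.subject`, `root.spki` and `root.name_constraints`, yet the rest of this commit passes `TLS_SERVER_ROOT_CERTS` items as `CertificateDer` values, which as far as I can tell expose no such fields, so that block probably no longer builds and likely needs `webpki::anchor_from_trusted_cert(root)` too. Both function bodies continue outside the visible hunks.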