Description: use crate rustls-native-certs (not webpki-roots)
Author: Jonas Smedegaard <dr@jones.dk>
Author: Peter Michael Green <plugwash@debian.org>
Forwarded: not-needed
Last-Update: 2025-03-15
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/rustls/Cargo.toml
+++ b/rustls/Cargo.toml
@@ -34,7 +34,7 @@
 bencher = "0.1.5"
 env_logger = ">= 0.10, <= 0.11"
 log = "0.4.4"
-webpki-roots = "0.25.0"
+rustls-native-certs = "0.8"
 rustls-pemfile = "1.0.3"
 base64 = ">= 0.21, <= 0.22"
 
--- a/rustls/src/lib.rs
+++ b/rustls/src/lib.rs
@@ -109,17 +109,11 @@
 //!
 //! ```rust,no_run
 //! let mut root_store = rustls::RootCertStore::empty();
-//! root_store.add_trust_anchors(
-//!     webpki_roots::TLS_SERVER_ROOTS
-//!         .iter()
-//!         .map(|ta| {
-//!             rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-//!                 ta.subject,
-//!                 ta.spki,
-//!                 ta.name_constraints,
-//!             )
-//!         })
-//! );
+//! for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+//!     root_store
+//!         .add(&rustls::Certificate(cert.to_vec()))
+//!         .expect("could not add certificate");
+//! }
 //! ```
 //!
 //! Next, we make a `ClientConfig`.  You're likely to make one of these per process,
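Review bot: `root_store.add(&rustls::Certificate(cert.to_vec())).expect("could not add certificate")` on lines 37–39 aborts the process on the first platform certificate rustls cannot parse as a trust anchor, which the bundled webpki-roots set it replaces never did; platform stores commonly carry old or syntactically odd certificates, so the failure mode is now host-dependent. rustls already provides `add_parsable_certificates` for exactly this best-effort case, and this same patch uses it for the `--cafile` path in tlsclient-mio (line 221), so the platform-store path should match it and then refuse to continue with zero usable roots, since an empty store is not rejected here and would make every later handshake fail with an unknown-issuer error. The identical pattern appears in the second lib.rs hunk (lines 62–66), limitedclient.rs (91–95), simple_0rtt_client.rs (125–129), simpleclient.rs (155–159), verifybench.rs (189–193) and tlsclient-mio.rs (234–238) and should be changed in the same way.
```rust
//! let mut root_store = rustls::RootCertStore::empty();
//! let native: Vec<Vec<u8>> = rustls_native_certs::load_native_certs()
//!     .expect("could not load platform certs")
//!     .into_iter()
//!     .map(|cert| cert.to_vec())
//!     .collect();
//! // Best-effort: skip certificates rustls cannot parse instead of aborting on the first one.
//! let (added, _ignored) = root_store.add_parsable_certificates(&native);
//! assert!(added > 0, "platform trust store yielded no usable roots");
```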
@@ -138,20 +132,13 @@
 //!
 //! ```rust
 //! # use rustls;
-//! # use webpki;
 //! # use std::sync::Arc;
 //! # let mut root_store = rustls::RootCertStore::empty();
-//! # root_store.add_trust_anchors(
-//! #  webpki_roots::TLS_SERVER_ROOTS
-//! #      .iter()
-//! #      .map(|ta| {
-//! #          rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-//! #              ta.subject,
-//! #              ta.spki,
-//! #              ta.name_constraints,
-//! #          )
-//! #      })
-//! # );
+//! # for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+//! #     root_store
+//! #         .add(&rustls::Certificate(cert.to_vec()))
+//! #         .expect("could not add certificate");
+//! # }
 //! # let config = rustls::ClientConfig::builder()
 //! #     .with_safe_defaults()
 //! #     .with_root_certificates(root_store)
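Review bot: The hidden setup on lines 62–66 lives in a fence opened as ```` ```rust ```` (line 46), not `rust,no_run` like the block at line 23, so `cargo test` executes it and the doctest now reads the build host's platform trust store; on a host without a readable store the `expect("could not load platform certs")` on line 62 panics and the doctest fails, and on a host with an unparsable certificate the `expect` on line 65 does. If the build environment cannot guarantee a usable store, mark this fence `rust,no_run` as the first example is, or keep the hidden setup free of platform I/O; this is inferred from the fence marker, since the rest of the doc block is outside the hunk.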
--- a/examples/src/bin/limitedclient.rs
+++ b/examples/src/bin/limitedclient.rs
@@ -6,21 +6,13 @@
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 
-use rustls::OwnedTrustAnchor;
-
 fn main() {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.to_vec()))
+            .expect("could not add certificate");
+    }
 
     let config = rustls::ClientConfig::builder()
         .with_cipher_suites(&[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256])
--- a/examples/src/bin/simple_0rtt_client.rs
+++ b/examples/src/bin/simple_0rtt_client.rs
@@ -3,7 +3,7 @@
 use std::io::{BufRead, BufReader, Write};
 use std::net::TcpStream;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 fn start_connection(config: &Arc<rustls::ClientConfig>, domain_name: &str) {
     let server_name = domain_name
@@ -58,17 +58,11 @@
     env_logger::init();
 
     let mut root_store = RootCertStore::empty();
-    root_store.add_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.to_vec()))
+            .expect("could not add certificate");
+    }
 
     let mut config = rustls::ClientConfig::builder()
         .with_safe_defaults()
--- a/examples/src/bin/simpleclient.rs
+++ b/examples/src/bin/simpleclient.rs
@@ -12,21 +12,15 @@
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 fn main() {
     let mut root_store = RootCertStore::empty();
-    root_store.add_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.to_vec()))
+            .expect("could not add certificate");
+    }
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
         .with_root_certificates(root_store)
--- a/rustls/src/verifybench.rs
+++ b/rustls/src/verifybench.rs
@@ -9,7 +9,7 @@
 use crate::key;
 use crate::verify;
 use crate::verify::ServerCertVerifier;
-use crate::{anchors, OwnedTrustAnchor};
+use crate::anchors;
 
 fn duration_nanos(d: Duration) -> u64 {
     ((d.as_secs() as f64) * 1e9 + (d.subsec_nanos() as f64)) as u64
@@ -185,17 +185,11 @@
 impl Context {
     fn new(name: &'static str, domain: &'static str, certs: &[&'static [u8]]) -> Self {
         let mut roots = anchors::RootCertStore::empty();
-        roots.add_trust_anchors(
-            webpki_roots::TLS_SERVER_ROOTS
-                .iter()
-                .map(|ta| {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                }),
-        );
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+            roots
+                .add(&crate::Certificate(cert.to_vec()))
+                .expect("could not add certificate");
+        }
         Self {
             name,
             domain,
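Review bot: `Context::new` now seeds the benchmark's root store from whatever the host's platform store contains (lines 189–193) instead of the fixed webpki-roots set, so verifybench timings depend on the machine's trust configuration, and a chain passed in `certs` presumably fails verification on a host whose store lacks its issuer rather than being measured. If reproducible numbers are the goal, load a fixed root set from a file shipped with the benchmark; otherwise state the dependency where the store is built, e.g. `// Roots come from the platform trust store; timings are not comparable across hosts.` The `Self { … }` initializer starting at line 194 continues past the end of the hunk.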
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -20,7 +20,7 @@
 sct = "0.7"
 serde = "1.0"
 serde_derive = "1.0"
-webpki-roots = "0.25"
+rustls-native-certs = "0.8"
 
 [dev-dependencies]
 regex = "1.0"
--- a/examples/src/bin/tlsclient-mio.rs
+++ b/examples/src/bin/tlsclient-mio.rs
@@ -14,7 +14,7 @@
 
 use docopt::Docopt;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 const CLIENT: mio::Token = mio::Token(0);
 
@@ -378,17 +378,11 @@
         let mut reader = BufReader::new(certfile);
         root_store.add_parsable_certificates(&rustls_pemfile::certs(&mut reader).unwrap());
     } else {
-        root_store.add_trust_anchors(
-            webpki_roots::TLS_SERVER_ROOTS
-                .iter()
-                .map(|ta| {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                }),
-        );
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+            root_store
+                .add(&rustls::Certificate(cert.to_vec()))
+                .expect("could not add certificate");
+        }
     }
 
     let suites = if !args.flag_suite.is_empty() {
