Description: use crate rustls-native-certs (not webpki-roots)
Author: Jonas Smedegaard <dr@jones.dk>
Last-Update: 2022-06-25
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/rustls/Cargo.toml
+++ b/rustls/Cargo.toml
@@ -34,7 +34,7 @@
 [dev-dependencies]
 env_logger = "0.9.0"
 log = "0.4.4"
-webpki-roots = "0.22.0"
+rustls-native-certs = "0.6"
 criterion = "0.3.0"
 rustls-pemfile = "1.0.0"
 base64 = "0.13.0"
--- a/rustls/src/lib.rs
+++ b/rustls/src/lib.rs
@@ -101,18 +101,11 @@
 //!
 //! ```rust,no_run
 //! let mut root_store = rustls::RootCertStore::empty();
-//! root_store.add_server_trust_anchors(
-//!     webpki_roots::TLS_SERVER_ROOTS
-//!         .0
-//!         .iter()
-//!         .map(|ta| {
-//!             rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-//!                 ta.subject,
-//!                 ta.spki,
-//!                 ta.name_constraints,
-//!             )
-//!         })
-//! );
+//! for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+//!     root_store
+//!         .add(&rustls::Certificate(cert.0))
+//!         .unwrap();
+//! }
 //! ```
 //!
 //! Next, we make a `ClientConfig`.  You're likely to make one of these per process,
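Review bot: The `.unwrap()` on `root_store.add(...)` in the new loop means one certificate in the platform store that rustls cannot parse aborts the whole client, and this snippet is the one users will copy from the crate docs; the same loop is repeated in the second lib.rs doctest, trytls_shim.rs, limitedclient.rs, simple_0rtt_client.rs, simpleclient.rs, verifybench.rs and tlsclient-mio.rs. Platform stores can contain entries rustls rejects (the `if` branch of tlsclient-mio.rs already tolerates that via `add_parsable_certificates`), so the loop should collect the DER bytes and call that method instead, which skips unparsable entries and, as far as I recall the 0.20 signature, returns the counts of accepted and rejected certificates. It is also worth checking that at least one root was added: an empty store fails closed (every handshake ends in an unknown-issuer error) but gives no hint why. The `expect` on `load_native_certs()` itself is reasonable to keep, since a client with no trust store cannot proceed.
```rust
//! let mut root_store = rustls::RootCertStore::empty();
//! let native_certs: Vec<Vec<u8>> = rustls_native_certs::load_native_certs()
//!     .expect("could not load platform certs")
//!     .into_iter()
//!     .map(|cert| cert.0)
//!     .collect();
//! // Skip entries rustls cannot parse instead of aborting on the first one.
//! let (added, _ignored) = root_store.add_parsable_certificates(&native_certs);
//! assert!(added > 0, "platform trust store yielded no usable roots");
```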
@@ -131,22 +124,14 @@
 //!
 //! ```rust
 //! # use rustls;
-//! # use webpki;
 //! # use std::sync::Arc;
 //! # use std::convert::TryInto;
 //! # let mut root_store = rustls::RootCertStore::empty();
-//! # root_store.add_server_trust_anchors(
-//! #  webpki_roots::TLS_SERVER_ROOTS
-//! #      .0
-//! #      .iter()
-//! #      .map(|ta| {
-//! #          rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
-//! #              ta.subject,
-//! #              ta.spki,
-//! #              ta.name_constraints,
-//! #          )
-//! #      })
-//! # );
+//! # for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+//! #     root_store
+//! #         .add(&rustls::Certificate(cert.0))
+//! #         .unwrap();
+//! # }
 //! # let config = rustls::ClientConfig::builder()
 //! #     .with_safe_defaults()
 //! #     .with_root_certificates(root_store)
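Review bot: This second example is a plain `rust` doctest (the fence at the top of the hunk carries no `no_run`), so under `cargo test` it now reads the host's platform trust store and panics on the `expect` when that store is absent or unreadable, making the library's own test run depend on the build environment; the first example is marked `rust,no_run` and does not have this problem. Either mark this block `rust,no_run` as well, or keep the hidden setup self-contained by adding a fixed DER-encoded root to `root_store` instead of loading platform certificates. The rest of the example continues below the hunk.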
--- a/rustls/examples/internal/trytls_shim.rs
+++ b/rustls/examples/internal/trytls_shim.rs
@@ -4,7 +4,7 @@
 // See: https://github.com/HowNetWorks/trytls-rustls-stub
 //
 
-use rustls::{ClientConfig, ClientConnection, Error, OwnedTrustAnchor, RootCertStore};
+use rustls::{ClientConfig, ClientConnection, Error, RootCertStore};
 use std::convert::TryInto;
 use std::env;
 use std::error::Error as StdError;
@@ -23,18 +23,11 @@
     let mut root_store = RootCertStore::empty();
     match args.len() {
         3 => {
-            root_store.add_server_trust_anchors(
-                webpki_roots::TLS_SERVER_ROOTS
-                    .0
-                    .iter()
-                    .map(|ta| {
-                        OwnedTrustAnchor::from_subject_spki_name_constraints(
-                            ta.subject,
-                            ta.spki,
-                            ta.name_constraints,
-                        )
-                    }),
-            );
+            for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+                root_store
+                    .add(&rustls::Certificate(cert.0))
+                    .unwrap();
+            }
         }
         4 => {
             let f = File::open(&args[3])?;
--- a/examples/src/bin/limitedclient.rs
+++ b/examples/src/bin/limitedclient.rs
@@ -7,22 +7,13 @@
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 
-use rustls::OwnedTrustAnchor;
-
 fn main() {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_server_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .0
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.0))
+            .unwrap();
+    }
 
     let config = rustls::ClientConfig::builder()
         .with_cipher_suites(&[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256])
--- a/examples/src/bin/simple_0rtt_client.rs
+++ b/examples/src/bin/simple_0rtt_client.rs
@@ -4,7 +4,7 @@
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 fn start_connection(config: &Arc<rustls::ClientConfig>, domain_name: &str) {
     let server_name = domain_name
@@ -55,18 +55,11 @@
     env_logger::init();
 
     let mut root_store = RootCertStore::empty();
-    root_store.add_server_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .0
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.0))
+            .unwrap();
+    }
 
     let mut config = rustls::ClientConfig::builder()
         .with_safe_defaults()
--- a/examples/src/bin/simpleclient.rs
+++ b/examples/src/bin/simpleclient.rs
@@ -13,22 +13,15 @@
 use std::io::{stdout, Read, Write};
 use std::net::TcpStream;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 fn main() {
     let mut root_store = RootCertStore::empty();
-    root_store.add_server_trust_anchors(
-        webpki_roots::TLS_SERVER_ROOTS
-            .0
-            .iter()
-            .map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }),
-    );
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.0))
+            .unwrap();
+    }
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
         .with_root_certificates(root_store)
--- a/rustls/src/verifybench.rs
+++ b/rustls/src/verifybench.rs
@@ -10,9 +10,9 @@
 use crate::key;
 use crate::verify;
 use crate::verify::ServerCertVerifier;
-use crate::{anchors, OwnedTrustAnchor};
+use crate::anchors;
 
-use webpki_roots;
+use rustls_native_certs;
 
 fn duration_nanos(d: Duration) -> u64 {
     ((d.as_secs() as f64) * 1e9 + (d.subsec_nanos() as f64)) as u64
@@ -188,18 +188,11 @@
 impl Context {
     fn new(name: &'static str, domain: &'static str, certs: &[&'static [u8]]) -> Self {
         let mut roots = anchors::RootCertStore::empty();
-        roots.add_server_trust_anchors(
-            webpki_roots::TLS_SERVER_ROOTS
-                .0
-                .iter()
-                .map(|ta| {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                }),
-        );
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+            roots
+                .add(&crate::Certificate(cert.0))
+                .unwrap();
+        }
         Self {
             name,
             domain,
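Review bot: `Context::new` now builds its root store from whatever roots the benchmark host happens to have installed, so verification of the fixed chains passed in `certs` is no longer reproducible across machines: a host whose store lacks a given chain's root presumably turns that benchmark into a verification failure, and the store size itself changes the lookup cost being measured. For a benchmark it would be better to keep a pinned set of roots (for example the specific roots the captured chains need, embedded as DER) rather than the platform store. The `.unwrap()` on `roots.add(...)` has the same fragility as in the other files. Separately, the `use rustls_native_certs;` line added in the import hunk above is a no-op on edition 2018 or later, since the crate is only referenced by full path here. The body of `Context::new` continues past the end of the hunk.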
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -24,7 +24,7 @@
 sct = "0.7"
 serde = "1.0"
 serde_derive = "1.0"
-webpki-roots = "0.22"
+rustls-native-certs = "0.6"
 
 [dev-dependencies]
 regex = "1.0"
--- a/examples/src/bin/tlsclient-mio.rs
+++ b/examples/src/bin/tlsclient-mio.rs
@@ -16,7 +16,7 @@
 
 use docopt::Docopt;
 
-use rustls::{OwnedTrustAnchor, RootCertStore};
+use rustls::RootCertStore;
 
 const CLIENT: mio::Token = mio::Token(0);
 
@@ -475,18 +475,11 @@
         let mut reader = BufReader::new(certfile);
         root_store.add_parsable_certificates(&rustls_pemfile::certs(&mut reader).unwrap());
     } else {
-        root_store.add_server_trust_anchors(
-            webpki_roots::TLS_SERVER_ROOTS
-                .0
-                .iter()
-                .map(|ta| {
-                    OwnedTrustAnchor::from_subject_spki_name_constraints(
-                        ta.subject,
-                        ta.spki,
-                        ta.name_constraints,
-                    )
-                }),
-        );
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+            root_store
+                .add(&rustls::Certificate(cert.0))
+                .unwrap();
+        }
     }
 
     let suites = if !args.flag_suite.is_empty() {
