Description: use older branch of crate rustls-native-certs
This essentially reverts upstream git commit 579c9c6.
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2025-02-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/rustls-platform-verifier/Cargo.toml
+++ b/rustls-platform-verifier/Cargo.toml
@@ -25,7 +25,8 @@
log = { version = "0.4" }
base64 = { version = "0.22", optional = true } # Only used when the `cert-logging` feature is enabled.
once_cell = "1.9"
-rustls-native-certs = "0.8"
+rustls-native-certs = "0.6"
+rustls-pki-types = "1"
webpki = { package = "rustls-webpki", version = "0.103", default-features = false }
[dev-dependencies]
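Review bot: The added direct dependency rustls-pki-types = "1" does not appear to be used by the code in this patch, since others.rs imports the type as rustls::pki_types::CertificateDer through the rustls re-export. Either drop the line or import from rustls_pki_types directly so the manifest matches the code. The pin back to rustls-native-certs = "0.6" also deserves a trailing comment saying why the older branch is required, in the same style as the comment on the base64 line, so the next dependency refresh does not silently undo it.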
--- a/rustls-platform-verifier/src/verification/others.rs
+++ b/rustls-platform-verifier/src/verification/others.rs
@@ -10,6 +10,16 @@
use std::fmt::Debug;
use std::sync::{Arc, Mutex};
+#[cfg(all(
+ unix,
+ not(target_os = "android"),
+ not(target_vendor = "apple"),
+ not(target_arch = "wasm32"),
+))]
+use rustls_native_certs::load_native_certs;
+use rustls::pki_types::CertificateDer;
+use std::convert::TryFrom;
+
/// A TLS certificate verifier that uses the system's root store and WebPKI.
#[derive(Debug)]
pub struct Verifier {
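Review bot: The #[cfg(all(unix, not(target_os = "android"), ...))] attribute covers only the use rustls_native_certs::load_native_certs; line, while the two imports after it (CertificateDer and std::convert::TryFrom) are unconditional. This file also has a wasm32 branch, so on targets where the cfg is false those imports are unused unless something else in the file needs them, which produces warnings or a build failure under deny(warnings). Put the same cfg on all three imports, or group them in one cfg-gated use block. If the crate is on the 2021 edition, TryFrom is already in the prelude and that import can go entirely.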
@@ -127,27 +137,41 @@
not(target_vendor = "apple"),
not(target_arch = "wasm32"),
))]
- {
- let result = rustls_native_certs::load_native_certs();
- let (added, ignored) = root_store.add_parsable_certificates(result.certs);
- if ignored != 0 {
- log::warn!("Some CA root certificates were ignored due to errors");
- }
+ match load_native_certs() {
+ Ok(certs) => {
+ let cert_der: Vec<CertificateDer<'_>> = certs
+ .iter()
+ .map(|cert| {
+ CertificateDer::try_from(cert.0.as_slice())
+ .expect("Failed to convert to CertificateDer")
+ })
+ .collect();
+ let (added, ignored) = root_store.add_parsable_certificates(cert_der);
- for error in result.errors {
- log::warn!("Error loading CA root certificate: {error}");
- }
+ if ignored != 0 {
+ log::warn!("Some CA root certificates were ignored due to errors");
+ }
- // Don't return an error if this fails when other roots have already been loaded via
- // `new_with_extra_roots`. It leads to extra failure cases where connections would otherwise still work.
- if root_store.is_empty() {
- return Err(rustls::Error::General(
- "No CA certificates were loaded from the system".to_owned(),
- ));
- } else {
- log::debug!("Loaded {added} CA certificates from the system");
+ if root_store.is_empty() {
+ log::error!("No CA certificates were loaded from the system");
+ } else {
+ log::debug!("Loaded {added} CA certificates from the system");
+ }
}
- }
+ Err(err) => {
+ // This only contains a path to a system directory:
+ // https://github.com/rustls/rustls-native-certs/blob/bc13b9a6bfc2e1eec881597055ca49accddd972a/src/lib.rs#L91-L94
+ const MSG: &str = "failed to load system root certificates: ";
+
+ // Don't return an error if this fails when other roots have already been loaded via
+ // `new_with_extra_roots`. It leads to extra failure cases where connections would otherwise still work.
+ if root_store.is_empty() {
+ return Err(rustls::Error::General(format!("{MSG}{err}")));
+ } else {
+ log::error!("{MSG}{err}");
+ }
+ }
+ };
#[cfg(target_arch = "wasm32")]
{
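Review bot: In the Ok(certs) arm, an empty root store is now only logged with log::error!("No CA certificates were loaded from the system") and execution continues, whereas the removed code returned Err(rustls::Error::General(...)) in that case. A host whose native store loads without error but yields no parsable roots will therefore get a verifier with no trust anchors, and the failure surfaces later as a per-connection verification error instead of a clear initialization error. Keep the early return in the Ok arm when root_store.is_empty(), as the Err arm already does. Separately, the .expect("Failed to convert to CertificateDer") inside the map puts a panic path in library code that runs while loading system roots; CertificateDer can be built from a byte slice with From, so CertificateDer::from(cert.0.as_slice()) avoids both the expect and the TryFrom import, and iterating with into_iter() would avoid borrowing from certs.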