Description: use crate rustls-native-certs (not webpki-roots)
Author: Jonas Smedegaard <dr@jones.dk>
Forwarded: not-needed
Last-Update: 2023-08-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -58,7 +58,7 @@
 env_logger = "0.11"
 hashbrown = { version = "0.15", default-features = false, features = ["default-hasher", "inline-more"] }
 hex = "0.4"
-hickory-resolver = { version = "0.25", features = ["https-aws-lc-rs", "webpki-roots"] }
+hickory-resolver = { version = "0.25", features = ["https-aws-lc-rs", "rustls-platform-verifier"] }
 hmac = "0.12"
 hpke-rs = "0.3"
 hpke-rs-crypto = "0.3"
@@ -92,7 +92,7 @@
 tikv-jemallocator = "0.6"
 tokio = { version = "1.34", features = ["io-util", "macros", "net", "rt"] }
 webpki = { package = "rustls-webpki", version = "0.103.5", features = ["alloc"], default-features = false }
-webpki-roots = "1"
+rustls-native-certs = "0.8"
 x25519-dalek = "2"
 x509-parser = ">= 0.17, <= 0.18"
 zeroize = "1.8"
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -16,4 +16,4 @@
 rustls = { path = "../rustls", features = ["logging"] }
 serde = { workspace = true }
 tokio = { workspace = true }
-webpki-roots = { workspace = true }
+rustls-native-certs = { workspace = true }
--- a/examples/src/bin/ech-client.rs
+++ b/examples/src/bin/ech-client.rs
@@ -48,6 +48,7 @@
 use rustls::crypto::hpke::Hpke;
 use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::{CertificateDer, EchConfigListBytes, ServerName};
+use rustls_native_certs::load_native_certs;
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn Error>> {
@@ -109,7 +110,12 @@
             root_store
         }
         None => RootCertStore {
-            roots: webpki_roots::TLS_SERVER_ROOTS.into(),
+            let mut root_store = rustls::RootCertStore::empty();
+            for cert in load_native_certs().expect("could not load platform certs") {
+                root_store.add(cert)
+                    .expect("could not add certificate");
+            };
+            root_store
         },
     };
 
--- a/examples/src/bin/limitedclient.rs
+++ b/examples/src/bin/limitedclient.rs
@@ -7,13 +7,14 @@
 use std::sync::Arc;
 
 use rustls::crypto::{CryptoProvider, aws_lc_rs as provider};
+use rustls_native_certs::load_native_certs;
 
 fn main() {
-    let root_store = rustls::RootCertStore::from_iter(
-        webpki_roots::TLS_SERVER_ROOTS
-            .iter()
-            .cloned(),
-    );
+    let mut root_store = rustls::RootCertStore::empty();
+    for cert in load_native_certs().expect("could not load platform certs") {
+        root_store.add(cert)
+            .expect("could not add certificate");
+    };
 
     let config = rustls::ClientConfig::builder_with_provider(
         CryptoProvider {
--- a/examples/src/bin/simple_0rtt_client.rs
+++ b/examples/src/bin/simple_0rtt_client.rs
@@ -22,6 +22,7 @@
 use rustls::RootCertStore;
 use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::{CertificateDer, ServerName};
+use rustls_native_certs::load_native_certs;
 
 fn start_connection(config: &Arc<rustls::ClientConfig>, domain_name: &str, port: u16) {
     let server_name = ServerName::try_from(domain_name)
@@ -92,11 +93,10 @@
                 .map(|result| result.unwrap()),
         );
     } else {
-        root_store.extend(
-            webpki_roots::TLS_SERVER_ROOTS
-                .iter()
-                .cloned(),
-        )
+        for cert in load_native_certs().expect("could not load platform certs") {
+            root_store.add(cert)
+                .expect("could not add certificate");
+        };
     }
 
     let mut config = rustls::ClientConfig::builder()
--- a/examples/src/bin/simpleclient.rs
+++ b/examples/src/bin/simpleclient.rs
@@ -13,10 +13,13 @@
 use std::sync::Arc;
 
 use rustls::RootCertStore;
+use rustls_native_certs::load_native_certs;
 
 fn main() {
-    let root_store = RootCertStore {
-        roots: webpki_roots::TLS_SERVER_ROOTS.into(),
+    let mut root_store = RootCertStore::empty();
+    for cert in load_native_certs().expect("could not load platform certs") {
+        root_store.add(cert)
+            .expect("could not add certificate");
     };
     let mut config = rustls::ClientConfig::builder()
         .with_root_certificates(root_store)
--- a/examples/src/bin/tlsclient-mio.rs
+++ b/examples/src/bin/tlsclient-mio.rs
@@ -30,6 +30,7 @@
 use rustls::crypto::{CryptoProvider, SupportedKxGroup, aws_lc_rs as provider};
 use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
+use rustls_native_certs::load_native_certs;
 
 const CLIENT: mio::Token = mio::Token(0);
 
@@ -207,7 +208,7 @@
 /// basic HTTP GET request for /.
 ///
 /// If --cafile is not supplied, a built-in set of CA certificates
-/// are used from the webpki-roots crate.
+/// are used from the rustls-native-certs crate.
 #[derive(Debug, Parser)]
 struct Args {
     /// Connect to this port
@@ -416,11 +417,10 @@
                 .map(|result| result.unwrap()),
         );
     } else {
-        root_store.extend(
-            webpki_roots::TLS_SERVER_ROOTS
-                .iter()
-                .cloned(),
-        );
+        for cert in load_native_certs().expect("could not load platform certs") {
+            root_store.add(cert)
+                .expect("could not add certificate");
+        };
     }
 
     let suites = if !args.suite.is_empty() {
--- a/examples/src/bin/unbuffered-async-client.rs
+++ b/examples/src/bin/unbuffered-async-client.rs
@@ -12,13 +12,16 @@
 };
 use rustls::version::TLS13;
 use rustls::{ClientConfig, RootCertStore};
+use rustls_native_certs::load_native_certs;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> Result<(), Box<dyn Error>> {
-    let root_store = RootCertStore {
-        roots: webpki_roots::TLS_SERVER_ROOTS.into(),
+    let mut root_store = RootCertStore::empty();
+    for cert in load_native_certs().expect("could not load platform certs") {
+        root_store.add(cert)
+            .expect("could not add certificate");
     };
 
     let config = ClientConfig::builder_with_protocol_versions(&[&TLS13])
--- a/examples/src/bin/unbuffered-client.rs
+++ b/examples/src/bin/unbuffered-client.rs
@@ -13,10 +13,13 @@
 };
 use rustls::version::TLS13;
 use rustls::{ClientConfig, RootCertStore};
+use rustls_native_certs::load_native_certs;
 
 fn main() -> Result<(), Box<dyn Error>> {
-    let root_store = RootCertStore {
-        roots: webpki_roots::TLS_SERVER_ROOTS.into(),
+    let mut root_store = RootCertStore::empty();
+    for cert in load_native_certs().expect("could not load platform certs") {
+        root_store.add(cert)
+            .expect("could not add certificate");
     };
 
     let mut config = ClientConfig::builder_with_protocol_versions(&[&TLS13])
--- a/provider-example/Cargo.toml
+++ b/provider-example/Cargo.toml
@@ -26,7 +26,7 @@
 [dev-dependencies]
 env_logger = { workspace = true }
 rcgen = { workspace = true }
-webpki-roots = { workspace = true }
+rustls-native-certs = { workspace = true }
 
 [features]
 default = ["std"]
--- a/provider-example/examples/client.rs
+++ b/provider-example/examples/client.rs
@@ -2,14 +2,16 @@
 use std::net::TcpStream;
 use std::sync::Arc;
 
+use rustls_native_certs::load_native_certs;
+
 fn main() {
     env_logger::init();
 
-    let root_store = rustls::RootCertStore::from_iter(
-        webpki_roots::TLS_SERVER_ROOTS
-            .iter()
-            .cloned(),
-    );
+    let mut root_store = rustls::RootCertStore::empty();
+    for cert in load_native_certs().expect("could not load platform certs") {
+        root_store.add(cert)
+            .expect("could not add certificate");
+    };
 
     let config =
         rustls::ClientConfig::builder_with_provider(rustls_provider_example::provider().into())
--- a/rustls/Cargo.toml
+++ b/rustls/Cargo.toml
@@ -57,11 +57,11 @@
 macro_rules_attribute = { workspace = true }
 num-bigint = { workspace = true }
 rcgen = { workspace = true }
+rustls-native-certs = { workspace = true }
 rustls-test = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 time = { workspace = true }
-webpki-roots = { workspace = true }
 x509-parser = { workspace = true }
 
 [[bench]]
--- a/rustls/src/lib.rs
+++ b/rustls/src/lib.rs
@@ -173,14 +173,15 @@
 //! ```rust
 //! # #[cfg(feature = "aws_lc_rs")] {
 //! # use rustls;
+//! # use rustls_native_certs;
 //! # use webpki;
 //! # use std::sync::Arc;
 //! # rustls::crypto::aws_lc_rs::default_provider().install_default();
-//! # let root_store = rustls::RootCertStore::from_iter(
-//! #  webpki_roots::TLS_SERVER_ROOTS
-//! #      .iter()
-//! #      .cloned(),
-//! # );
+//! # let mut root_store = rustls::RootCertStore::empty();
+//! # for cert in load_native_certs().expect("could not load platform certs") {
+//! #     root_store.add(cert)
+//! #         .expect("could not add certificate");
+//! # };
 //! # let config = rustls::ClientConfig::builder()
 //! #     .with_root_certificates(root_store)
 //! #     .with_no_client_auth();
--- a/rustls/src/verifybench.rs
+++ b/rustls/src/verifybench.rs
@@ -23,7 +23,7 @@
 use std::prelude::v1::*;
 
 use pki_types::{CertificateDer, ServerName, UnixTime};
-use webpki_roots;
+use rustls_native_certs::load_native_certs;
 
 use crate::crypto::CryptoProvider;
 use crate::verify::ServerCertVerifier;
@@ -207,11 +207,10 @@
 impl Context {
     fn new(provider: CryptoProvider, domain: &'static str, certs: &[&'static [u8]]) -> Self {
         let mut roots = RootCertStore::empty();
-        roots.extend(
-            webpki_roots::TLS_SERVER_ROOTS
-                .iter()
-                .cloned(),
-        );
+        for cert in load_native_certs().expect("could not load platform certs") {
+            roots.add(cert)
+                .expect("could not add certificate");
+        };
         Self {
             server_name: domain.try_into().unwrap(),
             chain: certs