diff --git a/rustls-platform-verifier/Cargo.toml b/rustls-platform-verifier/Cargo.toml index 1f7c3b79..cdffcdfa 100644 --- a/rustls-platform-verifier/Cargo.toml +++ b/rustls-platform-verifier/Cargo.toml @@ -29,7 +29,7 @@ cert-logging = ["base64"] docsrs = ["jni", "once_cell"] [dependencies] -rustls = { version = "0.23", default-features = false, features = ["std", "ring"] } +rustls = { version = "0.23", default-features = false, features = ["std"] } log = { version = "0.4" } base64 = { version = "0.21", optional = true } # Only used when the `cert-logging` feature is enabled. jni = { version = "0.19", default-features = false, optional = true } # Only used during doc generation @@ -64,6 +64,9 @@ security-framework-sys = { version = "2.4", features = ["OSX_10_14"] } [target.'cfg(windows)'.dependencies] winapi = { version = "0.3", features = ["wincrypt", "winerror"] } +[dev-dependencies] +rustls = { version = "0.23", default-features = false, features = ["ring"] } + [package.metadata.docs.rs] rustdoc-args = ["--cfg", "docsrs"] features = ["dbg", "docsrs"] diff --git a/rustls-platform-verifier/src/tests/mod.rs b/rustls-platform-verifier/src/tests/mod.rs index 5370f251..63e64902 100644 --- a/rustls-platform-verifier/src/tests/mod.rs +++ b/rustls-platform-verifier/src/tests/mod.rs @@ -61,3 +61,10 @@ pub(crate) fn verification_time() -> pki_types::UnixTime { // Monday, March 11, 2024 8:30:25 PM UTC pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_710_189_025)) } + +fn ensure_global_state() { + #[cfg(test)] + { + _ = rustls::crypto::ring::default_provider().install_default(); + } +} diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index 29b1d31d..11c33c90 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs @@ -16,7 +16,7 @@ #![cfg(all(any(windows, unix, target_os = "android"), not(target_os = "ios")))] use super::TestCase; -use crate::tests::{assert_cert_error_eq, verification_time}; +use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time}; use crate::verification::{EkuError, Verifier}; use rustls::client::danger::ServerCertVerifier; use rustls::pki_types; @@ -79,6 +79,7 @@ const LOCALHOST_IPV6: &str = "::1"; #[cfg(any(test, feature = "ffi-testing"))] #[cfg_attr(feature = "ffi-testing", allow(dead_code))] pub(super) fn verification_without_mock_root() { + ensure_global_state(); // Since Rustls 0.22 constructing a webpki verifier (like the one backing Verifier on unix // systems) without any roots produces `OtherError(NoRootAnchors)` - since our FreeBSD CI // runner fails to find any roots with openssl-probe we need to provide webpki-roots here @@ -283,6 +284,7 @@ mock_root_test_cases! { } fn test_with_mock_root(test_case: &TestCase) { + ensure_global_state(); log::info!("verifying {:?}", test_case.expected_result); let verifier = Verifier::new_with_fake_root(ROOT1); // TODO: time diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs index 47323284..5c07c09f 100644 --- a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs @@ -35,7 +35,7 @@ //! Thus we don't expect these tests to be flaky w.r.t. that, except for //! potentially poor performance. use super::TestCase; -use crate::tests::{assert_cert_error_eq, verification_time}; +use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time}; use crate::Verifier; use rustls::client::danger::ServerCertVerifier; use rustls::pki_types; @@ -118,6 +118,7 @@ macro_rules! no_error { } fn real_world_test(test_case: &TestCase) { + ensure_global_state(); log::info!( "verifying ref ID {:?} expected {:?}", test_case.reference_id, diff --git a/rustls-platform-verifier/src/verification/android.rs b/rustls-platform-verifier/src/verification/android.rs index b9eed6b3..8a8ce49c 100644 --- a/rustls-platform-verifier/src/verification/android.rs +++ b/rustls-platform-verifier/src/verification/android.rs @@ -1,3 +1,5 @@ +use std::sync::Arc; + use jni::{ objects::{JObject, JValue}, strings::JavaStr, @@ -44,7 +46,7 @@ pub struct Verifier { /// Testing only: The root CA certificate to trust. #[cfg(any(test, feature = "ffi-testing"))] test_only_root_ca_override: Option>, - default_provider: CryptoProvider, + default_provider: Arc, } impl Default for Verifier { @@ -73,7 +75,9 @@ impl Verifier { Self { #[cfg(any(test, feature = "ffi-testing"))] test_only_root_ca_override: None, - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } } @@ -82,7 +86,9 @@ impl Verifier { pub(crate) fn new_with_fake_root(root: &[u8]) -> Self { Self { test_only_root_ca_override: Some(root.into()), - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } } diff --git a/rustls-platform-verifier/src/verification/apple.rs b/rustls-platform-verifier/src/verification/apple.rs index d9f7293e..0cd5bb7b 100644 --- a/rustls-platform-verifier/src/verification/apple.rs +++ b/rustls-platform-verifier/src/verification/apple.rs @@ -1,3 +1,5 @@ +use std::sync::Arc; + use super::log_server_cert; use crate::verification::invalid_certificate; use core_foundation::date::CFDate; @@ -43,7 +45,7 @@ pub struct Verifier { /// Testing only: The root CA certificate to trust. #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))] test_only_root_ca_override: Option>, - default_provider: CryptoProvider, + default_provider: Arc, } impl Verifier { @@ -53,7 +55,9 @@ impl Verifier { Self { #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))] test_only_root_ca_override: None, - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } } @@ -62,7 +66,9 @@ impl Verifier { pub(crate) fn new_with_fake_root(root: &[u8]) -> Self { Self { test_only_root_ca_override: Some(root.into()), - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } } diff --git a/rustls-platform-verifier/src/verification/windows.rs b/rustls-platform-verifier/src/verification/windows.rs index da98e57b..0c406199 100644 --- a/rustls-platform-verifier/src/verification/windows.rs +++ b/rustls-platform-verifier/src/verification/windows.rs @@ -55,6 +55,7 @@ use std::{ convert::TryInto, mem::{self, MaybeUninit}, ptr::{self, NonNull}, + sync::Arc, }; use crate::verification::invalid_certificate; @@ -419,7 +420,7 @@ pub struct Verifier { /// Testing only: The root CA certificate to trust. #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))] test_only_root_ca_override: Option>, - default_provider: CryptoProvider, + default_provider: Arc, } impl Verifier { @@ -429,7 +430,9 @@ impl Verifier { Self { #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))] test_only_root_ca_override: None, - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } } @@ -438,7 +441,9 @@ impl Verifier { pub(crate) fn new_with_fake_root(root: &[u8]) -> Self { Self { test_only_root_ca_override: Some(root.into()), - default_provider: rustls::crypto::ring::default_provider(), + default_provider: rustls::crypto::CryptoProvider::get_default() + .expect("rustls default CryptoProvider not set") + .clone(), } }