Cargo: update to rustls 0.22, associated updates

For the time being, this branch continues to unconditionally use *ring* as the crypto provider. Follow-up work to expose this as a choice (e.g allowing aws-lc-rs as a provider) may be interesting. Deps: * updated rustls 0.21 -> 0.22 * added pki-types 1.0 Linux deps: * rustls-native-certs 0.6 -> 0.7 * webpki 0.101 -> 0.102 Android deps: * webpki 0.101 -> 0.102 WASM32 deps: * webpki-roots 0.25 -> 0.26 Summary of breaking change updates: * `ServerName`, `Certificate`, and `OwnedTrustAnchor` types are now sourced from `pki_types`, with an associated generic lifetime. The `OwnedTrustAnchor` type is now just `TrustAnchor`. * The 'dangerous' rustls crate feature was removed, and associated items moved into new locations with the import path emphasizing danger. * "Other error" types changed to use a specific `rustls::OtherError` inner variant. * `SystemTime` for verifiers replaced with `pki_types::UnixTime`. * Default fns on `ServerCertVerifier` trait were removed, must be reconstituted with `rustls::verify_tls12_signature`, `rustls::verify_tls13_signature` and `WebPkiSupportedAlgorithms.supported_schemes` using a `CryptoProvider`. * `ServerName` now supports a `to_str` operation, avoiding the need to `match` and handle unsupported name types. * `WebPkiVerifier` was renamed to `WebPkiServerVerifier`, handled as an `Arc` and constructed with a builder.
rustls · Dec 5, 2023 · 62c9ae3 · 62c9ae3
1 parent e419417
commit 62c9ae3
Show file tree

Hide file tree

Showing 11 changed files with 397 additions and 218 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -37,26 +37,27 @@ cert-logging = ["base64"]
 docsrs = ["jni", "once_cell"]
 
 [dependencies]
-rustls = { version = "0.21", features = ["dangerous_configuration", "tls12", "logging"] }
+rustls = { version = "0.22", features = ["tls12", "logging"] }
+pki-types = { package = "rustls-pki-types", version = "1" }
 log = { version = "0.4" }
 base64 = { version = "0.21", optional = true } # Only used when the `cert-logging` feature is enabled.
 jni = { version = "0.19", default-features = false, optional = true } # Only used during doc generation
 once_cell = { version = "1.9", optional = true } # Only used during doc generation.
 
 [target.'cfg(target_os = "linux")'.dependencies]
-rustls-native-certs = "0.6"
+rustls-native-certs = "0.7"
 once_cell = "1.9"
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 
 [target.'cfg(target_os = "android")'.dependencies]
 jni = { version = "0.19", default-features = false }
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 once_cell = "1.9"
 android_logger = { version = "0.13", optional = true } # Only used during testing.
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 once_cell = "1.9"
-webpki-roots = "0.25"
+webpki-roots = "0.26"
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 core-foundation = "0.9"

diff --git a/src/lib.rs b/src/lib.rs
@@ -49,26 +49,26 @@ pub use tests::ffi::*;
 ///
 /// If you require more control over the rustls `ClientConfig`, you can
 /// instantiate a [Verifier] with [Verifier::default] and then use it
-/// with [rustls::ConfigBuilder::with_custom_certificate_verifier].
+/// with [rustls::ConfigBuilder::dangerous::with_custom_certificate_verifier].
 ///
 /// Refer to the crate level documentation to see what platforms
 /// are currently supported.
 pub fn tls_config() -> ClientConfig {
-    rustls::ClientConfig::builder()
-        .with_safe_defaults()
+    ClientConfig::builder()
+        .dangerous()
         .with_custom_certificate_verifier(verifier_for_testing())
         .with_no_client_auth()
 }
 
 /// Exposed for test usage. Don't use this, use [tls_config] instead.
 ///
 /// This verifier must be exactly equivalent to the verifier used in the `ClientConfig` returned by [tls_config].
-pub(crate) fn verifier_for_testing() -> Arc<dyn rustls::client::ServerCertVerifier> {
+pub(crate) fn verifier_for_testing() -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new())
 }
 
 /// Exposed for debugging customer certificate issues. Don't use this, use [tls_config] instead.
 #[cfg(feature = "dbg")]
-pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::ServerCertVerifier> {
+pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }
diff --git a/src/tests/mod.rs b/src/tests/mod.rs
@@ -39,6 +39,7 @@ pub fn assert_cert_error_eq<E: StdError + PartialEq + 'static>(
     if let Err(InvalidCertificate(CertificateError::Other(err))) = &expected {
         let expected_err = expected_err.expect("error not provided for `Other` case handling");
         let err: &E = err
+            .0
             .downcast_ref()
             .expect("incorrect `Other` inner error kind");
         assert_eq!(err, expected_err);