From a76a4104caf22422d0c36241c056e9a9bd568d6a Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Mon, 2 Dec 2024 11:24:54 +0100 Subject: [PATCH] Upgrade to rustls-native-certs 0.8 --- Cargo.lock | 45 +++---------------- rustls-platform-verifier/Cargo.toml | 2 +- .../src/verification/others.rs | 43 +++++++----------- 3 files changed, 24 insertions(+), 66 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e2070ba..30bcc81 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -78,16 +78,6 @@ dependencies = [ "memchr", ] -[[package]] -name = "core-foundation" -version = "0.9.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" -dependencies = [ - "core-foundation-sys", - "libc", -] - [[package]] name = "core-foundation" version = "0.10.0" @@ -261,24 +251,14 @@ dependencies = [ [[package]] name = "rustls-native-certs" -version = "0.7.3" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5" +checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3" dependencies = [ "openssl-probe", - "rustls-pemfile", "rustls-pki-types", "schannel", - "security-framework 2.11.1", -] - -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", + "security-framework", ] [[package]] @@ -293,7 +273,7 @@ version = "0.5.0" dependencies = [ "android_logger", "base64", - "core-foundation 0.10.0", + "core-foundation", "core-foundation-sys", "jni", "log", @@ -303,7 +283,7 @@ dependencies = [ "rustls-native-certs", "rustls-platform-verifier-android", "rustls-webpki", - "security-framework 3.0.1", + "security-framework", "security-framework-sys", "webpki-root-certs", "windows-sys 0.52.0", 
@@ -342,19 +322,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "security-framework" -version = "2.11.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" -dependencies = [ - "bitflags", - "core-foundation 0.9.4", - "core-foundation-sys", - "libc", - "security-framework-sys", -] - [[package]] name = "security-framework" version = "3.0.1" @@ -362,7 +329,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1415a607e92bec364ea2cf9264646dcce0f91e6d65281bd6f2819cca3bf39c8" dependencies = [ "bitflags", - "core-foundation 0.10.0", + "core-foundation", "core-foundation-sys", "libc", "security-framework-sys", diff --git a/rustls-platform-verifier/Cargo.toml b/rustls-platform-verifier/Cargo.toml index fa49429..61b5db6 100644 --- a/rustls-platform-verifier/Cargo.toml +++ b/rustls-platform-verifier/Cargo.toml @@ -37,7 +37,7 @@ once_cell = "1.9" paste = { version = "1.0", default-features = false, optional = true } # Only used when `ffi-testing` feature is enabled [target.'cfg(all(unix, not(target_os = "android"), not(target_vendor = "apple"), not(target_arch = "wasm32")))'.dependencies] -rustls-native-certs = "0.7" +rustls-native-certs = "0.8" webpki = { package = "rustls-webpki", version = "0.102", default-features = false } [target.'cfg(target_os = "android")'.dependencies] diff --git a/rustls-platform-verifier/src/verification/others.rs b/rustls-platform-verifier/src/verification/others.rs index a7f4c23..9613b1d 100644 --- a/rustls-platform-verifier/src/verification/others.rs +++ b/rustls-platform-verifier/src/verification/others.rs 
@@ -127,34 +127,25 @@ impl Verifier {
 not(target_vendor = "apple"),
 not(target_arch = "wasm32"),
 ))]
- match rustls_native_certs::load_native_certs() {
- Ok(certs) => {
- let (added, ignored) = root_store.add_parsable_certificates(certs);
+ let result = rustls_native_certs::load_native_certs();
+ let (_, ignored) = root_store.add_parsable_certificates(result.certs);
+ if ignored != 0 {
+ log::warn!("Some CA root certificates were ignored due to errors");
+ }
- if ignored != 0 {
- log::warn!("Some CA root certificates were ignored due to errors");
- }
+ for error in result.errors {
+ log::warn!("Error loading CA root certificate: {error}");
+ }
- if root_store.is_empty() {
- log::error!("No CA certificates were loaded from the system");
- } else {
- log::debug!("Loaded {added} CA certificates from the system");
- }
- }
- Err(err) => {
- // This only contains a path to a system directory:
- // https://github.com/rustls/rustls-native-certs/blob/bc13b9a6bfc2e1eec881597055ca49accddd972a/src/lib.rs#L91-L94
- const MSG: &str = "failed to load system root certificates: ";
-
- // Don't return an error if this fails when other roots have already been loaded via
- // `new_with_extra_roots`. It leads to extra failure cases where connections would otherwise still work.
- if root_store.is_empty() {
- return Err(rustls::Error::General(format!("{MSG}{err}")));
- } else {
- log::error!("{MSG}{err}");
- }
- }
- };
+ // Don't return an error if this fails when other roots have already been loaded via
+ // `new_with_extra_roots`. It leads to extra failure cases where connections would otherwise still work.
+ if root_store.is_empty() {
+ return Err(rustls::Error::General(
+ "No CA certificates were loaded from the system".to_owned(),
+ ));
+ } else {
+ log::debug!("Loaded {added} CA certificates from the system");
+ }
 #[cfg(target_arch = "wasm32")]
 {
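Review bot: `added` is no longer bound on the new side, because the tuple is now destructured as `let (_, ignored) = ...` while the final `log::debug!("Loaded {added} CA certificates from the system")` still captures it; this should fail to compile wherever the block is built, and `let (added, ignored) = root_store.add_parsable_certificates(result.certs);` restores the binding. The `#[cfg(all(...))]` attribute whose tail is visible in the leading context lines used to cover the whole `match` statement and now appears to attach only to `let result = ...;`, so the statements after it, including the `root_store.is_empty()` early return, look ungated and would either not resolve `result` or return an error on wasm32 before the `#[cfg(target_arch = "wasm32")]` block below can add roots. Wrapping the new statements in a single `{ ... }` block under that attribute keeps the original gating. Since every entry in `result.errors` is now only a warning and the verifier fails closed solely on an empty root store, a comment such as `// Partial load failures are logged only; we error out only when no trust anchors exist at all.` would make that trust decision explicit. The enclosing function starts and ends outside the hunk.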