Skip to content

Commit

Permalink
Add support for rustls-platform-verifier
Browse files Browse the repository at this point in the history
  • Loading branch information
djc committed May 14, 2024
1 parent 3da5283 commit afb4788
Show file tree
Hide file tree
Showing 11 changed files with 39 additions and 12 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,8 @@ jobs:
features: "--no-default-features"
- name: "feat.: rustls-tls"
features: "--no-default-features --features rustls-tls"
- name: "feat.: rustls-tls-platform-verifier"
features: "--no-default-features --features rustls-tls-platform-verifier"
- name: "feat.: rustls-tls-manual-roots"
features: "--no-default-features --features rustls-tls-manual-roots"
- name: "feat.: rustls-tls-native-roots"
Expand Down
2 changes: 2 additions & 0 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ native-tls-vendored = ["native-tls", "native-tls-crate?/vendored"]

rustls-tls = ["rustls-tls-webpki-roots"]
rustls-tls-manual-roots = ["__rustls"]
rustls-tls-platform-verifier = ["dep:rustls-platform-verifier", "__rustls"]
rustls-tls-webpki-roots = ["dep:webpki-roots", "__rustls"]
rustls-tls-native-roots = ["dep:rustls-native-certs", "__rustls"]

Expand Down Expand Up @@ -140,6 +141,7 @@ rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
tokio-rustls = { version = "0.25", optional = true }
webpki-roots = { version = "0.26.0", optional = true }
rustls-native-certs = { version = "0.7", optional = true }
rustls-platform-verifier = { version = "0.2", optional = true }

## cookies
cookie_crate = { version = "0.18.0", package = "cookie", optional = true }
Expand Down
18 changes: 15 additions & 3 deletions src/async_impl/client.rs
Original file line number Diff line number Diff line change
Expand Up @@ -565,10 +565,21 @@ impl ClientBuilder {
return Err(crate::error::builder("empty supported tls versions"));
}

#[cfg(feature = "rustls-tls-platform-verifier")]
let verifier = Arc::new(rustls_platform_verifier::Verifier::new());
#[cfg(not(feature = "rustls-tls-platform-verifier"))]
let verifier =
rustls::client::WebPkiServerVerifier::builder(Arc::new(root_cert_store))
.build()
.map_err(|_| {
crate::error::builder("no trust anchors have been provided")
})?;

// Build TLS config
let config_builder =
rustls::ClientConfig::builder_with_protocol_versions(&versions)
.with_root_certificates(root_cert_store);
.dangerous()
.with_custom_certificate_verifier(verifier);

// Finalize TLS config
let mut tls = if let Some(id) = config.identity {
Expand Down Expand Up @@ -1304,7 +1315,7 @@ impl ClientBuilder {
///
/// # Example
///
/// ```
/// ```no_run
/// use std::net::IpAddr;
/// let local_addr = IpAddr::from([12, 4, 1, 8]);
/// let client = reqwest::Client::builder()
Expand All @@ -1323,7 +1334,7 @@ impl ClientBuilder {
///
/// # Example
///
/// ```
/// ```no_run
/// let interface = "lo";
/// let client = reqwest::Client::builder()
/// .interface(interface)
Expand Down Expand Up @@ -2745,6 +2756,7 @@ fn add_cookie_header(headers: &mut HeaderMap, cookie_store: &dyn cookie::CookieS
}
}

#[cfg(not(feature = "rustls-tls-manual-roots"))] // Building a client fails without roots
#[cfg(test)]
mod tests {
#[tokio::test]
Expand Down
1 change: 1 addition & 0 deletions src/async_impl/request.rs
Original file line number Diff line number Diff line change
Expand Up @@ -647,6 +647,7 @@ impl TryFrom<Request> for HttpRequest<Body> {
}
}

#[cfg(not(feature = "rustls-tls-manual-roots"))] // Building a client fails without roots
#[cfg(test)]
mod tests {
use super::{Client, HttpRequest, Request, RequestBuilder, Version};
Expand Down
2 changes: 2 additions & 0 deletions src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,8 @@
//! while using root certificates from the `webpki-roots` crate.
//! - **rustls-tls-native-roots**: Enables TLS functionality provided by `rustls`,
//! while using root certificates from the `rustls-native-certs` crate.
//! - **rustls-tls-platform-verifier**: Enables TLS functionality provided by `rustls`,
//! while using the platform's native certificate verifier.
//! - **blocking**: Provides the [blocking][] client API.
//! - **charset** *(enabled by default)*: Improved support for decoding text.
//! - **cookies**: Provides cookie session support.
Expand Down
16 changes: 12 additions & 4 deletions tests/badssl.rs
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ async fn test_rustls_badssl_modern() {
assert!(text.contains("<title>mozilla-modern.badssl.com</title>"));
}

#[cfg(feature = "__tls")]
#[cfg(all(feature = "__tls", not(feature = "rustls-tls-manual-roots")))]
#[tokio::test]
async fn test_badssl_self_signed() {
let text = reqwest::Client::builder()
Expand All @@ -59,14 +59,22 @@ async fn test_badssl_self_signed() {
assert!(text.contains("<title>self-signed.badssl.com</title>"));
}

#[cfg(feature = "__tls")]
// For the platform verifier, there is no concept of available roots
#[cfg(all(feature = "__tls", not(feature = "rustls-tls-platform-verifier")))]
#[tokio::test]
async fn test_badssl_no_built_in_roots() {
let result = reqwest::Client::builder()
.tls_built_in_root_certs(false)
.no_proxy()
.build()
.unwrap()
.build();

// Some configurations will fail to build a client without roots
let client = match result {
Ok(client) => client,
Err(_) => return,
};

let result = client
.get("https://mozilla-modern.badssl.com/")
.send()
.await;
Expand Down
2 changes: 1 addition & 1 deletion tests/client.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#![cfg(not(target_arch = "wasm32"))]
#![cfg(not(any(target_arch = "wasm32", feature = "rustls-tls-manual-roots")))]
mod support;

use support::server;
Expand Down
2 changes: 1 addition & 1 deletion tests/proxy.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#![cfg(not(target_arch = "wasm32"))]
#![cfg(not(any(target_arch = "wasm32", feature = "rustls-tls-manual-roots")))]
mod support;
use support::server;

Expand Down
2 changes: 1 addition & 1 deletion tests/redirect.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#![cfg(not(target_arch = "wasm32"))]
#![cfg(not(any(target_arch = "wasm32", feature = "rustls-tls-manual-roots")))]
mod support;
use http_body_util::BodyExt;
use reqwest::Body;
Expand Down
2 changes: 1 addition & 1 deletion tests/timeouts.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#![cfg(not(target_arch = "wasm32"))]
#![cfg(not(any(target_arch = "wasm32", feature = "rustls-tls-manual-roots")))]
mod support;
use support::server;

Expand Down
2 changes: 1 addition & 1 deletion tests/upgrade.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#![cfg(not(target_arch = "wasm32"))]
#![cfg(not(any(target_arch = "wasm32", feature = "rustls-tls-manual-roots")))]
mod support;
use support::server;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
Expand Down

0 comments on commit afb4788

Please sign in to comment.