From 015a6cd11509cddeebb1374a918d94fc2d800ece Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Fri, 30 Aug 2024 11:06:17 +0200 Subject: [PATCH 1/6] Move features before dependencies --- Cargo.toml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index b0b6557e..03ed37a3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,6 +10,18 @@ homepage = "https://github.com/rustls/hyper-rustls" repository = "https://github.com/rustls/hyper-rustls" documentation = "https://docs.rs/hyper-rustls/" +[features] +default = ["native-tokio", "http1", "tls12", "logging", "aws-lc-rs"] +aws-lc-rs = ["rustls/aws_lc_rs"] +http1 = ["hyper-util/http1"] +http2 = ["hyper-util/http2"] +webpki-tokio = ["webpki-roots"] +native-tokio = ["rustls-native-certs"] +ring = ["rustls/ring"] +tls12 = ["tokio-rustls/tls12", "rustls/tls12"] +logging = ["log", "tokio-rustls/logging", "rustls/logging"] +fips = ["aws-lc-rs", "rustls/fips"] + [dependencies] http = "1" hyper = { version = "1", default-features = false } @@ -32,18 +44,6 @@ rustls = { version = "0.23", default-features = false, features = ["tls12"] } rustls-pemfile = "2" tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] } -[features] -default = ["native-tokio", "http1", "tls12", "logging", "aws-lc-rs"] -aws-lc-rs = ["rustls/aws_lc_rs"] -http1 = ["hyper-util/http1"] -http2 = ["hyper-util/http2"] -webpki-tokio = ["webpki-roots"] -native-tokio = ["rustls-native-certs"] -ring = ["rustls/ring"] -tls12 = ["tokio-rustls/tls12", "rustls/tls12"] -logging = ["log", "tokio-rustls/logging", "rustls/logging"] -fips = ["aws-lc-rs", "rustls/fips"] - [[example]] name = "client" path = "examples/client.rs" From ab0c89c2a8c77ada570625290e67ebb374f972d4 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Mon, 2 Sep 2024 13:25:33 +0200 Subject: [PATCH 2/6] Alphabetically sort features --- Cargo.toml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Cargo.toml b/Cargo.toml index 03ed37a3..ab6974e5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,14 +13,14 @@ documentation = "https://docs.rs/hyper-rustls/" [features] default = ["native-tokio", "http1", "tls12", "logging", "aws-lc-rs"] aws-lc-rs = ["rustls/aws_lc_rs"] +fips = ["aws-lc-rs", "rustls/fips"] http1 = ["hyper-util/http1"] http2 = ["hyper-util/http2"] -webpki-tokio = ["webpki-roots"] +logging = ["log", "tokio-rustls/logging", "rustls/logging"] native-tokio = ["rustls-native-certs"] ring = ["rustls/ring"] tls12 = ["tokio-rustls/tls12", "rustls/tls12"] -logging = ["log", "tokio-rustls/logging", "rustls/logging"] -fips = ["aws-lc-rs", "rustls/fips"] +webpki-tokio = ["webpki-roots"] [dependencies] http = "1" From 11774c3fdbfda4904e99fbafe48b440dff01df0c Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Fri, 30 Aug 2024 11:02:23 +0200 Subject: [PATCH 3/6] Upgrade to rustls-native-certs 0.8 --- Cargo.toml | 2 +- src/config.rs | 18 ++++++++++++++++-- src/lib.rs | 6 ++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index ab6974e5..a009bbf6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ hyper = { version = "1", default-features = false } hyper-util = { version = "0.1", default-features = false, features = ["client-legacy", "tokio"] } log = { version = "0.4.4", optional = true } pki-types = { package = "rustls-pki-types", version = "1" } -rustls-native-certs = { version = "0.7", optional = true } +rustls-native-certs = { version = "0.8", optional = true } rustls-platform-verifier = { version = "0.3", optional = true } rustls = { version = "0.23", default-features = false } tokio = "1.0" diff --git a/src/config.rs b/src/config.rs index 2af49c76..5010caef 100644 --- a/src/config.rs +++ b/src/config.rs 
@@ -8,6 +8,8 @@ use std::sync::Arc; ))] use rustls::client::WantsClientCert; use rustls::{ClientConfig, ConfigBuilder, WantsVerifier}; +#[cfg(feature = "rustls-native-certs")] +use rustls_native_certs::CertificateResult; /// Methods for configuring roots /// @@ -52,8 +54,19 @@ impl ConfigBuilderExt for ConfigBuilder { let mut valid_count = 0; let mut invalid_count = 0; - for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") - { + let CertificateResult { certs, errors, .. } = rustls_native_certs::load_native_certs(); + if !errors.is_empty() { + crate::log::warn!("native root CA certificate loading errors: {errors:?}"); + } + + if certs.is_empty() { + return Err(std::io::Error::new( + std::io::ErrorKind::NotFound, + format!("no native root CA certificates found (errors: {errors:?})"), + )); + } + + for cert in certs { match roots.add(cert) { Ok(_) => valid_count += 1, Err(err) => { @@ -62,6 +75,7 @@ impl ConfigBuilderExt for ConfigBuilder { } } } + crate::log::debug!( "with_native_roots processed {} valid and {} invalid certs", valid_count, diff --git a/src/lib.rs b/src/lib.rs index 1920e78f..89e355ae 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -43,6 +43,8 @@ mod stream; mod log { #[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))] pub(crate) use log::debug; + #[cfg(feature = "rustls-native-certs")] + pub(crate) use log::warn; } #[cfg(not(feature = "logging"))] @@ -51,6 +53,10 @@ mod log { macro_rules! debug ( ($($tt:tt)*) => {{}} ); #[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))] pub(crate) use debug; + #[cfg(feature = "rustls-native-certs")] + macro_rules! warn_ ( ($($tt:tt)*) => {{}} ); + #[cfg(feature = "rustls-native-certs")] + pub(crate) use warn_ as warn; } pub use crate::config::ConfigBuilderExt; From 95c91113d1c41b6bd2f40f8b0b24f1ca15f5e273 Mon Sep 17 00:00:00 2001 
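Review bot: The trait-level doc comment for `with_native_roots` (visible in the `@@ -30,7 +30,9 @@` hunk of patch 4/6: "This will return an error if no valid certs were found") no longer describes the failure modes introduced in the `@@ -52,8 +54,19 @@` hunk: loader `errors` are only passed to `crate::log::warn!` and the function then continues with whatever `certs` came back, so a partially readable platform store yields a reduced root set without any error, while the new early return fires only when `certs` is empty. I would extend the doc comment with: `/// Errors reported by the platform loader for individual certificates or store locations are logged at warn level (with the \`logging\` feature) and otherwise ignored as long as at least one certificate was loaded; an error is returned only when nothing could be loaded, or when none of the loaded certificates were valid.` Note also that with `logging` disabled the `warn!` fallback expands to nothing, so the loader errors are then surfaced only inside the `NotFound` error text when the store is empty. `with_native_roots` begins before this hunk and continues past it.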
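Review bot: In the `@@ -51,6 +53,10 @@` hunk of src/lib.rs the no-op fallback is declared as `warn_` and re-exported `as warn`, while the `debug` fallback two lines above is declared under its own name, and nothing explains the asymmetry, so the next reader is likely to "fix" it. Presumably the indirection is needed because a `macro_rules!` named `warn` is ambiguous with the built-in `#[warn]` lint attribute; I would record that above the definition: `// Declared as \`warn_\` and re-exported as \`warn\`: a macro literally named \`warn\` is ambiguous with the built-in \`#[warn]\` attribute.` The enclosing `mod log` block starts before this hunk.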
From: Dirkjan Ochtman Date: Fri, 30 Aug 2024 11:03:59 +0200 Subject: [PATCH 4/6] Avoid io::Result type alias --- src/config.rs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/config.rs b/src/config.rs index 5010caef..735cad77 100644 --- a/src/config.rs +++ b/src/config.rs @@ -30,7 +30,9 @@ pub trait ConfigBuilderExt { /// This will return an error if no valid certs were found. In that case, /// it's recommended to use `with_webpki_roots`. #[cfg(feature = "rustls-native-certs")] - fn with_native_roots(self) -> std::io::Result>; + fn with_native_roots( + self, + ) -> Result, std::io::Error>; /// This configures the webpki roots, which are Mozilla's set of /// trusted roots as packaged by webpki-roots. @@ -49,7 +51,9 @@ impl ConfigBuilderExt for ConfigBuilder { #[cfg(feature = "rustls-native-certs")] #[cfg_attr(not(feature = "logging"), allow(unused_variables))] - fn with_native_roots(self) -> std::io::Result> { + fn with_native_roots( + self, + ) -> Result, std::io::Error> { let mut roots = rustls::RootCertStore::empty(); let mut valid_count = 0; let mut invalid_count = 0; From cf0e97d3e491dd1431cf85e083610705c10df51b Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Fri, 30 Aug 2024 11:05:40 +0200 Subject: [PATCH 5/6] Import std::io directly --- src/config.rs | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/src/config.rs b/src/config.rs index 735cad77..13de77d9 100644 --- a/src/config.rs +++ b/src/config.rs @@ -1,3 +1,5 @@ +#[cfg(feature = "rustls-native-certs")] +use std::io; #[cfg(feature = "rustls-platform-verifier")] use std::sync::Arc; 
@@ -30,9 +32,7 @@ pub trait ConfigBuilderExt { /// This will return an error if no valid certs were found. In that case, /// it's recommended to use `with_webpki_roots`. #[cfg(feature = "rustls-native-certs")] - fn with_native_roots( - self, - ) -> Result, std::io::Error>; + fn with_native_roots(self) -> Result, io::Error>; /// This configures the webpki roots, which are Mozilla's set of /// trusted roots as packaged by webpki-roots. @@ -51,9 +51,7 @@ impl ConfigBuilderExt for ConfigBuilder { #[cfg(feature = "rustls-native-certs")] #[cfg_attr(not(feature = "logging"), allow(unused_variables))] - fn with_native_roots( - self, - ) -> Result, std::io::Error> { + fn with_native_roots(self) -> Result, io::Error> { let mut roots = rustls::RootCertStore::empty(); let mut valid_count = 0; let mut invalid_count = 0; @@ -64,8 +62,8 @@ impl ConfigBuilderExt for ConfigBuilder { } if certs.is_empty() { - return Err(std::io::Error::new( - std::io::ErrorKind::NotFound, + return Err(io::Error::new( + io::ErrorKind::NotFound, format!("no native root CA certificates found (errors: {errors:?})"), )); } @@ -87,8 +85,8 @@ impl ConfigBuilderExt for ConfigBuilder { ); if roots.is_empty() { crate::log::debug!("no valid native root CA certificates found"); - Err(std::io::Error::new( - std::io::ErrorKind::NotFound, + Err(io::Error::new( + io::ErrorKind::NotFound, format!("no valid native root CA certificates found ({invalid_count} invalid)"), ))? } From 2e253317923e08010d041ce463b57f2a095c4754 Mon Sep 17 00:00:00 2001 From: Dirkjan Ochtman Date: Fri, 30 Aug 2024 11:07:10 +0200 Subject: [PATCH 6/6] Bump version to 0.27.3 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index a009bbf6..a2557324 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "hyper-rustls" -version = "0.27.2" +version = "0.27.3" edition = "2021" rust-version = "1.70" license = "Apache-2.0 OR ISC OR MIT"