feat(tls): add crate feature for rustls native root certs

actix-tls/Cargo.toml

@@ -47,10 +47,14 @@ openssl = ["tls-openssl", "tokio-openssl"]
 rustls = ["rustls-0_20"]
 
 # use rustls v0.20 impls
-rustls-0_20 = ["tokio-rustls-023", "webpki-roots-022"]
+rustls-0_20 = ["rustls-0_20-webpki-roots"]
+rustls-0_20-webpki-roots = ["tokio-rustls-023", "webpki-roots-022"]
+rustls-0_20-native-roots = ["tokio-rustls-023", "dep:rustls-native-certs"]
 
 # use rustls v0.21 impls
-rustls-0_21 = ["tokio-rustls-024", "webpki-roots-025"]
+rustls-0_21 = ["rustls-0_21-webpki-roots"]
+rustls-0_21-webpki-roots = ["tokio-rustls-024", "webpki-roots-025"]
+rustls-0_21-native-roots = ["tokio-rustls-024", "dep:rustls-native-certs"]
 
 # use native-tls impls
 native-tls = ["tokio-native-tls"]
@@ -87,6 +91,9 @@ rustls-webpki-0101 = { package = "rustls-webpki", version = "0.101.4" }
 tokio-rustls-024 = { package = "tokio-rustls", version = "0.24", optional = true }
 webpki-roots-025 = { package = "webpki-roots", version = "0.25", optional = true }
 
+# native root certificates for both rustls impls
+rustls-native-certs = { version = "0.6", optional = true }
+
 # native-tls
 tokio-native-tls = { version = "0.3", optional = true }
 

actix-tls/src/connect/mod.rs

@@ -27,14 +27,23 @@ mod uri;
 #[cfg(feature = "openssl")]
 pub mod openssl;
 
-#[cfg(feature = "rustls-0_20")]
+#[cfg(any(
+    feature = "rustls-0_20-webpki-roots",
+    feature = "rustls-0_20-native-roots",
+))]
 pub mod rustls_0_20;
 
 #[doc(hidden)]
-#[cfg(feature = "rustls-0_20")]
+#[cfg(any(
+    feature = "rustls-0_20-webpki-roots",
+    feature = "rustls-0_20-native-roots",
+))]
 pub use rustls_0_20 as rustls;
 
-#[cfg(feature = "rustls-0_21")]
+#[cfg(any(
+    feature = "rustls-0_21-webpki-roots",
+    feature = "rustls-0_21-native-roots",
+))]
 pub mod rustls_0_21;
 
 #[cfg(feature = "native-tls")]

actix-tls/src/connect/rustls_0_20.rs

@@ -25,15 +25,34 @@ use tokio_rustls_023 as tokio_rustls;
 use crate::connect::{Connection, Host};
 
 pub mod reexports {
-    //! Re-exports from `rustls` and `webpki_roots` that are useful for connectors.
+    //! Re-exports from the `rustls` v0.20 ecosystem that are useful for connectors.
 
     pub use tokio_rustls_023::{client::TlsStream as AsyncTlsStream, rustls::ClientConfig};
+    #[cfg(feature = "rustls-0_20-webpki-roots")]
     pub use webpki_roots_022::TLS_SERVER_ROOTS;
 }
 
+/// Returns root certificates via `rustls-native-certs` crate as a rustls certificate store.
+///
+/// See [`rustls_native_certs::load_native_certs()`] for more info on behavior and errors.
+#[cfg(feature = "rustls-0_20-native-roots")]
+pub fn native_roots_cert_store() -> io::Result<RootCertStore> {
+    let mut root_certs = RootCertStore::empty();
+
+    for cert in rustls_native_certs::load_native_certs()? {
+        root_certs
+            .add(&tokio_rustls_023::rustls::Certificate(cert.0))
+            .unwrap();
+    }
+
+    Ok(root_certs)
+}
+
 /// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
+#[cfg(feature = "rustls-0_20-webpki-roots")]
 pub fn webpki_roots_cert_store() -> RootCertStore {
     let mut root_certs = RootCertStore::empty();
+
     for cert in webpki_roots_022::TLS_SERVER_ROOTS.0 {
         let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
             cert.subject,
@@ -43,6 +62,7 @@ pub fn webpki_roots_cert_store() -> RootCertStore {
         let certs = vec![cert].into_iter();
         root_certs.add_server_trust_anchors(certs);
     }
+
     root_certs
 }
 

actix-tls/src/connect/rustls_0_21.rs

@@ -25,15 +25,34 @@ use tokio_rustls_024 as tokio_rustls;
 use crate::connect::{Connection, Host};
 
 pub mod reexports {
-    //! Re-exports from `rustls` and `webpki_roots` that are useful for connectors.
+    //! Re-exports from the `rustls` v0.21 ecosystem that are useful for connectors.
 
     pub use tokio_rustls_024::{client::TlsStream as AsyncTlsStream, rustls::ClientConfig};
+    #[cfg(feature = "rustls-0_21-webpki-roots")]
     pub use webpki_roots_025::TLS_SERVER_ROOTS;
 }
 
+/// Returns root certificates via `rustls-native-certs` crate as a rustls certificate store.
+///
+/// See [`rustls_native_certs::load_native_certs()`] for more info on behavior and errors.
+#[cfg(feature = "rustls-0_21-native-roots")]
+pub fn native_roots_cert_store() -> io::Result<RootCertStore> {
+    let mut root_certs = RootCertStore::empty();
+
+    for cert in rustls_native_certs::load_native_certs()? {
+        root_certs
+            .add(&tokio_rustls_024::rustls::Certificate(cert.0))
+            .unwrap();
+    }
+
+    Ok(root_certs)
+}
+
 /// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
+#[cfg(feature = "rustls-0_21-webpki-roots")]
 pub fn webpki_roots_cert_store() -> RootCertStore {
     let mut root_certs = RootCertStore::empty();
+
     for cert in webpki_roots_025::TLS_SERVER_ROOTS {
         let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
             cert.subject,
@@ -43,6 +62,7 @@ pub fn webpki_roots_cert_store() -> RootCertStore {
         let certs = vec![cert].into_iter();
         root_certs.add_trust_anchors(certs);
     }
+
     root_certs
 }
 

justfile

@@ -7,8 +7,8 @@ doc:
 
 # Document crates in workspace and watch for changes.
 doc-watch:
-    RUSTDOCFLAGS="--cfg=docsrs" cargo +nightly doc --no-deps --workspace --features=rustls,openssl --open
-    cargo watch -- RUSTDOCFLAGS="--cfg=docsrs" cargo +nightly doc --no-deps --workspace --features=rustls,openssl
+    RUSTDOCFLAGS="--cfg=docsrs"                cargo +nightly doc --no-deps --workspace --features=rustls-0_20,rustls-0_21,rustls-0_20-native-roots,rustls-0_21-native-roots,openssl --open
+    cargo watch -- RUSTDOCFLAGS="--cfg=docsrs" cargo +nightly doc --no-deps --workspace --features=rustls-0_20,rustls-0_21,rustls-0_20-native-roots,rustls-0_21-native-roots,openssl
 
 # Check for unintentional external type exposure on all crates in workspace.
 check-external-types-all toolchain="+nightly":