Switch webpki to rustls-native-certs

Signed-off-by: Tomasz Pietrek <tomasz@nats.io>
nats-io · Jul 8, 2022 · ceb3edc · ceb3edc
1 parent 7ecfe6b
commit ceb3edc
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 11 deletions.
diff --git a/async-nats/Cargo.toml b/async-nats/Cargo.toml
@@ -30,10 +30,10 @@ itoa = "1"
 url = "2"
 tokio-rustls = "0.23"
 rustls-pemfile = "0.3.0"
-webpki-roots = "0.22"
 nuid = "0.3.2"
 serde_nanos = "0.1.1"
 time = { version = "0.3.6", features = ["parsing", "formatting", "serde", "serde-well-known"] }
+rustls-native-certs = "0.6.2"
 
 [dev-dependencies]
 criterion =  { version = "0.3", features = ["async_tokio"]}

diff --git a/async-nats/src/tls.rs b/async-nats/src/tls.rs
@@ -16,7 +16,7 @@ use std::fs::File;
 use std::io::{self, BufReader, ErrorKind};
 use std::path::PathBuf;
 use tokio_rustls::rustls::{self, Certificate, OwnedTrustAnchor, PrivateKey};
-use tokio_rustls::webpki;
+use tokio_rustls::webpki::TrustAnchor;
 
 /// Loads client certificates from a `.pem` file.
 /// If the pem file is found, but does not contain any certificates, it will return
@@ -71,14 +71,16 @@ pub(crate) struct TlsOptions {
 
 pub(crate) async fn config_tls(options: &TlsOptions) -> io::Result<rustls::ClientConfig> {
     let mut root_store = rustls::RootCertStore::empty();
-    // adds Mozilla root certs
-    root_store.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs") {
+        root_store
+            .add(&rustls::Certificate(cert.0))
+            .map_err(|err| {
+                io::Error::new(
+                    ErrorKind::Other,
+                    format!("failed to read root certificates: {}", err),
+                )
+            })?;
+    }
 
     // use provided ClientConfig or built it from options.
     let tls_config = {
@@ -90,7 +92,7 @@ pub(crate) async fn config_tls(options: &TlsOptions) -> io::Result<rustls::Clien
                 let mut pem = BufReader::new(File::open(cafile)?);
                 let certs = rustls_pemfile::certs(&mut pem)?;
                 let trust_anchors = certs.iter().map(|cert| {
-                    let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..])
+                    let ta = TrustAnchor::try_from_cert_der(&cert[..])
                         .map_err(|err| {
                             io::Error::new(
                                 ErrorKind::InvalidInput,