feat(tls): add crate feature for rustls native root certs (#506)

2025-06-28 13:20:37 +02:00 · 2023-12-06 01:39:13 +00:00
parent 1945fa0675
commit 9edc0b393a
7 changed files with 88 additions and 27 deletions
--- a/actix-tls/src/connect/mod.rs
+++ b/actix-tls/src/connect/mod.rs
@ -27,14 +27,23 @@ mod uri;
 #[cfg(feature = "openssl")]
 pub mod openssl;

-#[cfg(feature = "rustls-0_20")]
+#[cfg(any(
+    feature = "rustls-0_20-webpki-roots",
+    feature = "rustls-0_20-native-roots",
+))]
 pub mod rustls_0_20;

 #[doc(hidden)]
-#[cfg(feature = "rustls-0_20")]
+#[cfg(any(
+    feature = "rustls-0_20-webpki-roots",
+    feature = "rustls-0_20-native-roots",
+))]
 pub use rustls_0_20 as rustls;

-#[cfg(feature = "rustls-0_21")]
+#[cfg(any(
+    feature = "rustls-0_21-webpki-roots",
+    feature = "rustls-0_21-native-roots",
+))]
 pub mod rustls_0_21;

 #[cfg(feature = "native-tls")]
--- a/actix-tls/src/connect/rustls_0_20.rs
+++ b/actix-tls/src/connect/rustls_0_20.rs
@ -17,7 +17,7 @@ use actix_utils::future::{ok, Ready};
 use futures_core::ready;
 use tokio_rustls::{
    client::TlsStream as AsyncTlsStream,
-    rustls::{client::ServerName, ClientConfig, OwnedTrustAnchor, RootCertStore},
+    rustls::{client::ServerName, ClientConfig, RootCertStore},
    Connect as RustlsConnect, TlsConnector as RustlsTlsConnector,
 };
 use tokio_rustls_023 as tokio_rustls;
@ -25,17 +25,38 @@ use tokio_rustls_023 as tokio_rustls;
 use crate::connect::{Connection, Host};

 pub mod reexports {
-    //! Re-exports from `rustls` and `webpki_roots` that are useful for connectors.
+    //! Re-exports from the `rustls` v0.20 ecosystem that are useful for connectors.

    pub use tokio_rustls_023::{client::TlsStream as AsyncTlsStream, rustls::ClientConfig};
+    #[cfg(feature = "rustls-0_20-webpki-roots")]
    pub use webpki_roots_022::TLS_SERVER_ROOTS;
 }

-/// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
-pub fn webpki_roots_cert_store() -> RootCertStore {
+/// Returns root certificates via `rustls-native-certs` crate as a rustls certificate store.
+///
+/// See [`rustls_native_certs::load_native_certs()`] for more info on behavior and errors.
+#[cfg(feature = "rustls-0_20-native-roots")]
+pub fn native_roots_cert_store() -> io::Result<RootCertStore> {
    let mut root_certs = RootCertStore::empty();
+
+    for cert in rustls_native_certs::load_native_certs()? {
+        root_certs
+            .add(&tokio_rustls_023::rustls::Certificate(cert.0))
+            .unwrap();
+    }
+
+    Ok(root_certs)
+}
+
+/// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
+#[cfg(feature = "rustls-0_20-webpki-roots")]
+pub fn webpki_roots_cert_store() -> RootCertStore {
+    use tokio_rustls_023::rustls;
+
+    let mut root_certs = RootCertStore::empty();
+
    for cert in webpki_roots_022::TLS_SERVER_ROOTS.0 {
-        let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
+        let cert = rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
            cert.subject,
            cert.spki,
            cert.name_constraints,
@ -43,6 +64,7 @@ pub fn webpki_roots_cert_store() -> RootCertStore {
        let certs = vec![cert].into_iter();
        root_certs.add_server_trust_anchors(certs);
    }
+
    root_certs
 }

--- a/actix-tls/src/connect/rustls_0_21.rs
+++ b/actix-tls/src/connect/rustls_0_21.rs
@ -17,7 +17,7 @@ use actix_utils::future::{ok, Ready};
 use futures_core::ready;
 use tokio_rustls::{
    client::TlsStream as AsyncTlsStream,
-    rustls::{client::ServerName, ClientConfig, OwnedTrustAnchor, RootCertStore},
+    rustls::{client::ServerName, ClientConfig, RootCertStore},
    Connect as RustlsConnect, TlsConnector as RustlsTlsConnector,
 };
 use tokio_rustls_024 as tokio_rustls;
@ -25,17 +25,38 @@ use tokio_rustls_024 as tokio_rustls;
 use crate::connect::{Connection, Host};

 pub mod reexports {
-    //! Re-exports from `rustls` and `webpki_roots` that are useful for connectors.
+    //! Re-exports from the `rustls` v0.21 ecosystem that are useful for connectors.

    pub use tokio_rustls_024::{client::TlsStream as AsyncTlsStream, rustls::ClientConfig};
+    #[cfg(feature = "rustls-0_21-webpki-roots")]
    pub use webpki_roots_025::TLS_SERVER_ROOTS;
 }

-/// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
-pub fn webpki_roots_cert_store() -> RootCertStore {
+/// Returns root certificates via `rustls-native-certs` crate as a rustls certificate store.
+///
+/// See [`rustls_native_certs::load_native_certs()`] for more info on behavior and errors.
+#[cfg(feature = "rustls-0_21-native-roots")]
+pub fn native_roots_cert_store() -> io::Result<RootCertStore> {
    let mut root_certs = RootCertStore::empty();
+
+    for cert in rustls_native_certs::load_native_certs()? {
+        root_certs
+            .add(&tokio_rustls_024::rustls::Certificate(cert.0))
+            .unwrap();
+    }
+
+    Ok(root_certs)
+}
+
+/// Returns standard root certificates from `webpki-roots` crate as a rustls certificate store.
+#[cfg(feature = "rustls-0_21-webpki-roots")]
+pub fn webpki_roots_cert_store() -> RootCertStore {
+    use tokio_rustls_024::rustls;
+
+    let mut root_certs = RootCertStore::empty();
+
    for cert in webpki_roots_025::TLS_SERVER_ROOTS {
-        let cert = OwnedTrustAnchor::from_subject_spki_name_constraints(
+        let cert = rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
            cert.subject,
            cert.spki,
            cert.name_constraints,
@ -43,6 +64,7 @@ pub fn webpki_roots_cert_store() -> RootCertStore {
        let certs = vec![cert].into_iter();
        root_certs.add_trust_anchors(certs);
    }
+
    root_certs
 }