feat(ddcommon): Replace rustls-native-certs by rustls-platform-verifier

VianneyRuhlmann · VianneyRuhlmann · commit 978894ada085 · 2025-04-22T15:07:25.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/ddcommon/Cargo.toml b/ddcommon/Cargo.toml
@@ -36,7 +36,7 @@ regex = "1.5"
 rmp = "0.8.14"
 rmp-serde = "1.3.0"
 rustls = { version = "0.23", default-features = false, optional = true }
-rustls-native-certs = { version = "0.8.1", optional = true }
+rustls-platform-verifier = { version = "0.5", optional = true }
 tokio = { version = "1.23", features = ["rt", "macros"] }
 tokio-rustls = { version = "0.26", default-features = false, optional = true }
 serde = { version = "1.0", features = ["derive"] }
@@ -71,7 +71,7 @@ maplit = "1.0"
 
 [features]
 default = ["https"]
-https = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-native-certs"]
+https = ["tokio-rustls", "rustls", "hyper-rustls", "rustls-platform-verifier"]
 use_webpki_roots = ["hyper-rustls/webpki-roots"]
 # Enable this feature to enable stubbing of cgroup
 # php directly import this crate and uses functions gated by this feature for their test
diff --git a/ddcommon/src/connector/mod.rs b/ddcommon/src/connector/mod.rs
@@ -128,42 +128,18 @@ mod https {
     pub(super) fn build_https_connector() -> anyhow::Result<
         hyper_rustls::HttpsConnector<hyper_util::client::legacy::connect::HttpConnector>,
     > {
+        use rustls_platform_verifier::BuilderVerifierExt;
         ensure_crypto_provider_initialized(); // One-time initialization of a crypto provider if needed
 
-        let certs = load_root_certs()?;
         let client_config = ClientConfig::builder()
-            .with_root_certificates(certs)
+            .with_platform_verifier()
             .with_no_client_auth();
         Ok(hyper_rustls::HttpsConnectorBuilder::new()
             .with_tls_config(client_config)
             .https_or_http()
             .enable_http1()
             .build())
     }
-
-    #[cfg(not(feature = "use_webpki_roots"))]
-    fn load_root_certs() -> anyhow::Result<rustls::RootCertStore> {
-        use super::errors;
-
-        let mut roots = rustls::RootCertStore::empty();
-
-        let cert_result = rustls_native_certs::load_native_certs();
-        if cert_result.certs.is_empty() {
-            if let Some(err) = cert_result.errors.into_iter().next() {
-                return Err(err.into());
-            }
-        }
-        // TODO(paullgdfc): log errors even if there are valid certs, instead of ignoring them
-
-        for cert in cert_result.certs {
-            //TODO: log when invalid cert is loaded
-            roots.add(cert).ok();
-        }
-        if roots.is_empty() {
-            return Err(errors::Error::NoValidCertifacteRootsFound.into());
-        }
-        Ok(roots)
-    }
 }
 
 impl tower_service::Service<hyper::Uri> for Connector {
