add support for local trust store for rustls

Signed-off-by: Maxime “pep” Buquet <pep@bouah.net>

tokio-xmpp/Cargo.toml

@@ -19,6 +19,7 @@ tokio = { version = "1", features = ["net", "rt", "rt-multi-thread", "macros"] }
 tokio-stream = { version = "0.1", features = [] }
 tokio-util = { version = "0.7", features = ["codec"] }
 webpki-roots = { version = "0.26", optional = true }
+rustls-native-certs = { version = "0.7", optional = true }
 rxml = { version = "0.12.0", features = ["compact_str"] }
 rand = "0.8"
 syntect = { version = "5", optional = true }
@@ -40,9 +41,11 @@ env_logger = { version = "0.11", default-features = false, features = ["auto-col
 tokio-xmpp = { path = ".", features = ["insecure-tcp"]}
 
 [features]
-default = ["starttls-rust"]
+default = ["starttls-rust", "rustls-native-certs"]
 starttls = ["dns"]
-tls-rust = ["tokio-rustls", "webpki-roots"]
+tls-rust = ["tokio-rustls"]
+tls-rust-native-certs = ["tls-rust", "rustls-native-certs"]
+tls-rust-webpki-roots = ["tls-rust", "webpki-roots"]
 tls-native = ["tokio-native-tls", "native-tls"]
 starttls-native = ["starttls", "tls-native"]
 starttls-rust = ["starttls", "tls-rust"]

tokio-xmpp/src/connect/starttls.rs

@@ -120,9 +120,15 @@ async fn get_tls_stream<S: AsyncRead + AsyncWrite + Unpin>(
     let domain = xmpp_stream.jid.domain().to_string();
     let domain = ServerName::try_from(domain).map_err(|e| StartTlsError::DnsNameError(e))?;
     let stream = xmpp_stream.into_inner();
-    let root_store = RootCertStore {
-        roots: webpki_roots::TLS_SERVER_ROOTS.into(),
-    };
+    let mut root_store = RootCertStore::empty();
+    #[cfg(feature = "webpki-roots")]
+    {
+        root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+    }
+    #[cfg(feature = "rustls-native-certs")]
+    {
+        root_store.add_parsable_certificates(rustls_native_certs::load_native_certs()?);
+    }
     let config = ClientConfig::builder()
         .with_root_certificates(root_store)
         .with_no_client_auth();