From 274baaef9afb2c35f043dae0eaef4c2eecaa1b0f Mon Sep 17 00:00:00 2001
From: schnell
Date: Thu, 22 Aug 2024 12:24:58 +0200
Subject: [PATCH] add support for local trust store for rustls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Maxime “pep” Buquet
---
 tokio-xmpp/Cargo.toml | 7 +++++--
 tokio-xmpp/src/connect/starttls.rs | 12 +++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/tokio-xmpp/Cargo.toml b/tokio-xmpp/Cargo.toml
index bfe46656..095ac749 100644
--- a/tokio-xmpp/Cargo.toml
+++ b/tokio-xmpp/Cargo.toml
@@ -19,6 +19,7 @@ tokio = { version = "1", features = ["net", "rt", "rt-multi-thread", "macros"] }
 tokio-stream = { version = "0.1", features = [] }
 tokio-util = { version = "0.7", features = ["codec"] }
 webpki-roots = { version = "0.26", optional = true }
+rustls-native-certs = { version = "0.7", optional = true }
 rxml = { version = "0.12.0", features = ["compact_str"] }
 rand = "0.8"
 syntect = { version = "5", optional = true }
@@ -40,9 +41,11 @@ env_logger = { version = "0.11", default-features = false, features = ["auto-col
 tokio-xmpp = { path = ".", features = ["insecure-tcp"]}
 
 [features]
-default = ["starttls-rust"]
+default = ["starttls-rust", "rustls-native-certs"]
 starttls = ["dns"]
-tls-rust = ["tokio-rustls", "webpki-roots"]
+tls-rust = ["tokio-rustls"]
+tls-rust-native-certs = ["tls-rust", "rustls-native-certs"]
+tls-rust-webpki-roots = ["tls-rust", "webpki-roots"]
 tls-native = ["tokio-native-tls", "native-tls"]
 starttls-native = ["starttls", "tls-native"]
 starttls-rust = ["starttls", "tls-rust"]
diff --git a/tokio-xmpp/src/connect/starttls.rs b/tokio-xmpp/src/connect/starttls.rs
index 23821f8e..5d8550a7 100644
--- a/tokio-xmpp/src/connect/starttls.rs
+++ b/tokio-xmpp/src/connect/starttls.rs
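Review bot: The new `default` list enables the bare optional dependency `rustls-native-certs` instead of the `tls-rust-native-certs` feature introduced two lines below, and `tls-rust` on its own no longer pulls in any root source, so a consumer with `default-features = false, features = ["starttls-rust"]` (a configuration that verified certificates before this patch) now builds a client whose `RootCertStore` in the starttls.rs hunk stays empty and rejects every server certificate at runtime, or fails in the verifier builder, depending on the rustls version. Suggest `default = ["starttls-rust", "tls-rust-native-certs"]` so the default reads as a feature rather than a crate name, and turning the missing-root-source case into a build error next to the cfg blocks in starttls.rs: `#[cfg(all(feature = "tls-rust", not(any(feature = "webpki-roots", feature = "rustls-native-certs"))))]` `compile_error!("tls-rust needs tls-rust-native-certs or tls-rust-webpki-roots");`. A short comment on the `[features]` block stating that `tls-rust` must be paired with exactly one root source would also help consumers pick the right combination.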
@@ -120,9 +120,15 @@ async fn get_tls_stream(
     let domain = xmpp_stream.jid.domain().to_string();
     let domain = ServerName::try_from(domain).map_err(|e| StartTlsError::DnsNameError(e))?;
     let stream = xmpp_stream.into_inner();
-    let root_store = RootCertStore {
-        roots: webpki_roots::TLS_SERVER_ROOTS.into(),
-    };
+    let mut root_store = RootCertStore::empty();
+    #[cfg(feature = "webpki-roots")]
+    {
+        root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+    }
+    #[cfg(feature = "rustls-native-certs")]
+    {
+        root_store.add_parsable_certificates(rustls_native_certs::load_native_certs()?);
+    }
     let config = ClientConfig::builder()
         .with_root_certificates(root_store)
         .with_no_client_auth();
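Review bot: The `(added, ignored)` pair returned by `add_parsable_certificates` in the `rustls-native-certs` block is discarded, so OS-store entries that fail to parse vanish silently and a store that yielded zero usable anchors is indistinguishable from a healthy one; binding it, `let (added, ignored) = root_store.add_parsable_certificates(rustls_native_certs::load_native_certs()?);`, and emitting a warning when `ignored > 0` (through the `log` facade if the crate already uses it — env_logger is a dev-dependency, so presumably yes, but verify) would make a misconfigured trust store visible. The `?` on `load_native_certs()` also relies on a `From` conversion of its I/O error into the function's error type that is not visible in this hunk; confirm it exists and that the resulting message says the native store could not be read rather than surfacing as a generic I/O failure. When both features are enabled the two blocks union the Mozilla bundle with the OS store, which widens the set of trusted issuers compared with either alone; a one-line comment above the blocks, such as `// Trust anchors are the union of every enabled root source.`, would document that deliberately. `get_tls_stream` starts and ends outside the hunk.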