Upgrade to rustls-native-certs 0.8

djc · djc · commit a7cb726c9a3a · 2024-08-30T11:02:23.000+02:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ hyper = { version = "1", default-features = false }
 hyper-util = { version = "0.1", default-features = false, features = ["client-legacy", "tokio"] }
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
-rustls-native-certs = { version = "0.7", optional = true }
+rustls-native-certs = { version = "0.8", optional = true }
 rustls-platform-verifier = { version = "0.3", optional = true }
 rustls = { version = "0.23", default-features = false }
 tokio = "1.0"
diff --git a/src/config.rs b/src/config.rs
@@ -8,6 +8,8 @@ use std::sync::Arc;
 ))]
 use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
+#[cfg(feature = "rustls-native-certs")]
+use rustls_native_certs::CertificateResult;
 
 /// Methods for configuring roots
 ///
@@ -52,8 +54,19 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
         let mut valid_count = 0;
         let mut invalid_count = 0;
 
-        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
-        {
+        let CertificateResult { certs, errors, .. } = rustls_native_certs::load_native_certs();
+        if !errors.is_empty() {
+            crate::log::warn!("native root CA certificate loading errors: {errors:?}");
+        }
+
+        if certs.is_empty() {
+            return Err(std::io::Error::new(
+                std::io::ErrorKind::NotFound,
+                "no native root CA certificates found (errors: {errors})",
+            ));
+        }
+
+        for cert in certs {
             match roots.add(cert) {
                 Ok(_) => valid_count += 1,
                 Err(err) => {
@@ -62,6 +75,7 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
                 }
             }
         }
+
         crate::log::debug!(
             "with_native_roots processed {} valid and {} invalid certs",
             valid_count,
diff --git a/src/lib.rs b/src/lib.rs
@@ -43,6 +43,8 @@ mod stream;
 mod log {
     #[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
     pub(crate) use log::debug;
+    #[cfg(any(feature = "rustls-native-certs"))]
+    pub(crate) use log::warn;
 }
 
 #[cfg(not(feature = "logging"))]
@@ -51,6 +53,10 @@ mod log {
     macro_rules! debug    ( ($($tt:tt)*) => {{}} );
     #[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
     pub(crate) use debug;
+    #[cfg(any(feature = "rustls-native-certs"))]
+    macro_rules! warn    ( ($($tt:tt)*) => {{}} );
+    #[cfg(any(feature = "rustls-native-certs"))]
+    pub(crate) use warn;
 }
 
 pub use crate::config::ConfigBuilderExt;
