From 36cc3f54d814949dbc4ead7470b71776c08e9329 Mon Sep 17 00:00:00 2001 From: stormshield-gt <143998166+stormshield-gt@users.noreply.github.com.> Date: Sat, 24 Aug 2024 12:26:03 +0200 Subject: [PATCH] Uniformize new_with_extra_roots --- rustls-platform-verifier/Cargo.toml | 6 +++--- .../src/tests/verification_mock/mod.rs | 5 +++-- .../src/tests/verification_real_world/mod.rs | 5 +++-- .../src/verification/others.rs | 18 +++++++++++------- 4 files changed, 20 insertions(+), 14 deletions(-) diff --git a/rustls-platform-verifier/Cargo.toml b/rustls-platform-verifier/Cargo.toml index e91e5b7..0e63ac2 100644 --- a/rustls-platform-verifier/Cargo.toml +++ b/rustls-platform-verifier/Cargo.toml @@ -46,12 +46,12 @@ webpki = { package = "rustls-webpki", version = "0.102", default-features = fals android_logger = { version = "0.13", optional = true } # Only used during testing. [target.'cfg(target_arch = "wasm32")'.dependencies] -webpki-roots = "0.26" webpki = { package = "rustls-webpki", version = "0.102", default-features = false } +webpki-root-certs = "0.26" -# BSD targets require webpki-roots for the real-world verification tests. +# BSD targets require webpki-roots-certs for the real-world verification tests. [target.'cfg(target_os = "freebsd")'.dev-dependencies] -webpki-roots = "0.26" +webpki-root-certs = "0.26" [target.'cfg(any(target_os = "macos", target_os = "ios", target_os = "tvos"))'.dependencies] core-foundation = "0.9" diff --git a/rustls-platform-verifier/src/tests/verification_mock/mod.rs b/rustls-platform-verifier/src/tests/verification_mock/mod.rs index 8d48744..87d0294 100644 --- a/rustls-platform-verifier/src/tests/verification_mock/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_mock/mod.rs 
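Review bot: The new comment above the FreeBSD dev-dependency names the crate `webpki-roots-certs`, but the dependency added under it is `webpki-root-certs`. The comment in `verification_real_world/mod.rs` spells it a third way, `webpki-root-cert`. This crate supplies the trust roots when the system CA bundle is not found, so the name should be exact to keep it searchable during a dependency audit. Suggested wording: `# BSD targets require webpki-root-certs for the real-world verification tests.` and `// so we must provide extra roots from webpki-root-certs.`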
@@ -86,10 +86,11 @@ pub(super) fn verification_without_mock_root() { ensure_global_state(); // Since Rustls 0.22 constructing a webpki verifier (like the one backing Verifier on unix // systems) without any roots produces `OtherError(NoRootAnchors)` - since our FreeBSD CI - // runner fails to find any roots with openssl-probe we need to provide webpki-roots here + // runner fails to find any roots with openssl-probe we need to provide webpki-root-certs here // or the test will fail with the `OtherError` instead of the expected `CertificateError`. #[cfg(target_os = "freebsd")] - let verifier = Verifier::new_with_extra_roots(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); + let verifier = + Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned()); #[cfg(not(target_os = "freebsd"))] let verifier = Verifier::new(); diff --git a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs index 7d94120..cc111b8 100644 --- a/rustls-platform-verifier/src/tests/verification_real_world/mod.rs +++ b/rustls-platform-verifier/src/tests/verification_real_world/mod.rs @@ -126,9 +126,10 @@ fn real_world_test(test_case: &TestCase) { ); // On BSD systems openssl-probe fails to find the system CA bundle, - // so we must provide extra roots from webpki-roots. + // so we must provide extra roots from webpki-root-cert. #[cfg(target_os = "freebsd")] - let verifier = Verifier::new_with_extra_roots(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); + let verifier = + Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned()); #[cfg(not(target_os = "freebsd"))] let verifier = Verifier::new(); diff --git a/rustls-platform-verifier/src/verification/others.rs b/rustls-platform-verifier/src/verification/others.rs index 670be4e..a145031 100644 --- a/rustls-platform-verifier/src/verification/others.rs +++ b/rustls-platform-verifier/src/verification/others.rs 
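Review bot: Both FreeBSD-only call sites (this one and the one in `verification_real_world/mod.rs`) still pass an iterator, `TLS_SERVER_ROOT_CERTS.iter().cloned()`, while the new signature in `verification/others.rs` appears to take a `Vec`. The generic arguments are stripped in this rendering, so the element type is inferred. If that reading is right, these lines will not compile under `cfg(target_os = "freebsd")`, and because they are cfg-gated only the FreeBSD CI job would catch it. Either pass `webpki_root_certs::TLS_SERVER_ROOT_CERTS.to_vec()` at both sites, or keep the parameter as an `impl IntoIterator` of certificates so existing callers are unaffected. Both test functions continue outside their hunks.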
@@ -53,12 +53,16 @@ impl Verifier { /// Creates a new verifier whose certificate validation is provided by /// WebPKI, using root certificates provided by the platform and augmented by /// the provided extra root certificates. - pub fn new_with_extra_roots( - roots: impl IntoIterator>, - ) -> Self { + pub fn new_with_extra_roots(roots: Vec>) -> Self { Self { inner: OnceCell::new(), - extra_roots: roots.into_iter().collect::>().into(), + extra_roots: roots + .into_iter() + .flat_map(|root| { + webpki::anchor_from_trusted_cert(&root).map(|anchor| anchor.to_owned()) + }) + .collect::>() + .into(), #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))] test_only_root_ca_override: None, crypto_provider: OnceCell::new(), @@ -154,9 +158,9 @@ impl Verifier { #[cfg(target_arch = "wasm32")] { - root_store - .roots - .extend_from_slice(webpki_roots::TLS_SERVER_ROOTS); + root_store.add_parsable_certificates( + webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned(), + ); }; WebPkiServerVerifier::builder_with_provider(
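Review bot: In `new_with_extra_roots`, the `flat_map` over the `Result` from `webpki::anchor_from_trusted_cert` silently discards any extra root that fails to parse. A caller who supplies a malformed or truncated certificate gets a verifier without that anchor and no error, and the failure only shows up later as an unrelated verification error. This fails closed, but it hides a trust-store misconfiguration. Consider surfacing it by returning a `Result` from the constructor, using `.map(|root| webpki::anchor_from_trusted_cert(&root).map(|anchor| anchor.to_owned()))` followed by `.collect::<Result<Vec<_>, _>>()?`, or at minimum logging each rejected certificate. The wasm32 hunk has a similar gap: the return value of `add_parsable_certificates` is dropped, so ignored bundled roots would also go unnoticed. The struct literal and the enclosing `impl Verifier` continue outside the hunk.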