feat: add Verifier::set_provider and Verifier::with_provider

Author: jbr

rustls-platform-verifier/src/verification/android.rs

@@ -47,7 +47,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Default for Verifier {
@@ -71,13 +71,16 @@ impl Drop for Verifier {
 
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// Android certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Android certificate facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -86,12 +89,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")

rustls-platform-verifier/src/verification/apple.rs

@@ -46,18 +46,21 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Verifier {
-    /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// macOS certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Creates a new instance of a TLS certificate verifier that utilizes the macOS certificate
+    /// facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -66,12 +69,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")

rustls-platform-verifier/src/verification/mod.rs

@@ -77,3 +77,30 @@ fn invalid_certificate(reason: impl Into<String>) -> rustls::Error {
 /// - id-kp-serverAuth
 // TODO: Chromium also allows for `OID_ANY_EKU` on Android.
 pub const ALLOWED_EKUS: &[&str] = &["1.3.6.1.5.5.7.3.1"];
+
+#[cfg(any(target_os = "macos", target_os = "ios", target_os = "android", windows))]
+
+impl Verifier {
+    /// Chainable setter to configure the [`CryptoProvider`][rustls::crypto::CryptoProvider] for this `Verifier`.
+    ///
+    /// This will be used instead of the rustls processs-default `CryptoProvider`, even if one has
+    /// been installed.
+    pub fn with_provider(
+        mut self,
+        crypto_provider: std::sync::Arc<rustls::crypto::CryptoProvider>,
+    ) -> Self {
+        self.set_provider(crypto_provider);
+        self
+    }
+
+    /// Configures the [`CryptoProvider`][rustls::crypto::CryptoProvider] for this `Verifier`.
+    ///
+    /// This will be used instead of the rustls processs-default `CryptoProvider`, even if one has
+    /// been installed.
+    pub fn set_provider(
+        &mut self,
+        crypto_provider: std::sync::Arc<rustls::crypto::CryptoProvider>,
+    ) {
+        self.crypto_provider = crypto_provider.into();
+    }
+}

rustls-platform-verifier/src/verification/windows.rs

@@ -421,18 +421,21 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<Vec<u8>>,
-    default_provider: OnceCell<Arc<CryptoProvider>>,
+    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
 }
 
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the
-    /// Windows certificate facilities. The rustls default [`CryptoProvider`]
-    /// must be set before the verifier can be used.
+    /// Windows certificate facilities.
+    ///
+    /// A [`CryptoProvider`] must be set with
+    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
+    /// [`CryptoProvider::install_default`] before the verifier can be used.
     pub fn new() -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
@@ -441,12 +444,12 @@ impl Verifier {
     pub(crate) fn new_with_fake_root(root: &[u8]) -> Self {
         Self {
             test_only_root_ca_override: Some(root.into()),
-            default_provider: OnceCell::new(),
+            crypto_provider: OnceCell::new(),
         }
     }
 
     fn get_provider(&self) -> &CryptoProvider {
-        self.default_provider
+        self.crypto_provider
             .get_or_init(|| {
                 rustls::crypto::CryptoProvider::get_default()
                     .expect("rustls default CryptoProvider not set")