Add new with extra roots on macos/ios #133
Conversation
|
As a Git nit, would you mind adding me as a
I planned on working on overhauling the Android verifier this week since it has a lot of outstanding problems as-is, including not supporting this pattern very cleanly. Maybe we could split the Windows and Android work? |
That sounds like a good idea to me 👍 |
Sure ! For what it's worth, I've already done it but it seems the change has been reverted, most likely because of a rebase
All right, I will look into the windows implementation then. Maybe I will just do a rebase over #131 to start cleanly. |
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
1c21fed to
5d19173
Compare
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
5d19173 to
223bbe7
Compare
|
I've rebased on top of #131 and tried to implement the
Sadly, it keeps considering the custom CA as untrusted. I've tried to tweak the flags and various parameters, and add debug traces but without success. Anyone has any idea or how we can solve this ? On GitHub there are very few usages of |
I think it would be better to land the MacOS code and handle Windows as a follow-up, especially if there are implementation issues to sort out. The MacOS code seemed ready mod any review comments from a 2nd reviewer. WDYT? |
|
Yes sure, I will split the Windows work on an other PR |
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
2 times, most recently
from
6b1ec76 to
b5a5b4f
Compare
stormshield-gt
changed the title
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
b5a5b4f to
3e738cf
Compare
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
bf6a2ba to
621969b
Compare
| @@ -54,11 +54,17 @@ impl Verifier { | |||
| /// WebPKI, using root certificates provided by the platform and augmented by | |||
| /// the provided extra root certificates. | |||
| pub fn new_with_extra_roots( | |||
| roots: impl IntoIterator<Item = pki_types::TrustAnchor<'static>>, | |||
| roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>, | |||
There was a problem hiding this comment.
Does anyone have thoughts on the future possibility of having a RootLike trait in pki-types that could be used here instead? That way we could abstract over the difference between webpki_root_certs for native platforms and webpki_roots in the other cases and save on binary size, parsing time, etc.
Parsing seems like it would need to handle an error, but core::convert::Infallible might let the compiler optimize that out entirely.
There was a problem hiding this comment.
I think the tricky part here would be that the conversion from CertificateDer to TrustAnchor is a non-trivial amount of DER parsing that currently lives in webpki. So far, pki-types contains very little logic, and my intuition is that it might be better to keep it that way?
Maybe it could be an enum RootRepresentation that lives in rustls?
There was a problem hiding this comment.
That seems like a reasonable middleground. With that this could be a bit cleaner and push the bulkiness of roots further away from this crate (and probably others)
There was a problem hiding this comment.
I think I would prefer to allow composition of verifiers at the rustls level, rather than relax the type safety of TrustAnchor.
But, then, I think that's because I'm not 100% sold on the value of giving extra roots to the platform verifier (I previously thought it was a method for affixing the behaviour for testing purposes, but I guess not?)
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
2 times, most recently
from
d690b3a to
4256a4e
Compare
| /// | ||
| /// See [Verifier::new] for the external requirements the verifier needs. | ||
| pub fn new_with_extra_roots( | ||
| roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>, |
There was a problem hiding this comment.
Sorry, one more nit: I think we should just take Vec here as the argument? We're going to store a Vec internally anyway, and IMO it's slightly better to allow the caller to provide that for the case where they already have a Vec allocated for some reason.
(Should then do the same thing for the Unix platform in the later commit.)
There was a problem hiding this comment.
I see your point, I've updated the code
There was a problem hiding this comment.
Hmm, I failed to consider that on Unix we have to iterate anyway to map from CertificateDer to TrustAnchor, so I guess the optimal scenario for macOS/iOS is different from the Unices? Not sure what the best choice here is. Going to merge this now -- thanks for all the work, I am happy to do a follow-up here to change it back it to iterators if people think that would be better.
Co-authored-by: ComplexSpaces <[email protected]>
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
4256a4e to
fb85563
Compare
The `new_with_extra_roots` function for other platforms now take a `CertificateDer` instead of a `TrustAnchor` which is a breaking change
stormshield-gt
force-pushed
the
add_new_with_extra_roots_on_other_platforms
branch
from
fb85563 to
094341e
Compare
| @@ -54,11 +54,17 @@ impl Verifier { | |||
| /// WebPKI, using root certificates provided by the platform and augmented by | |||
| /// the provided extra root certificates. | |||
| pub fn new_with_extra_roots( | |||
| roots: impl IntoIterator<Item = pki_types::TrustAnchor<'static>>, | |||
| roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>, | |||
There was a problem hiding this comment.
I think I would prefer to allow composition of verifiers at the rustls level, rather than relax the type safety of TrustAnchor.
But, then, I think that's because I'm not 100% sold on the value of giving extra roots to the platform verifier (I previously thought it was a method for affixing the behaviour for testing purposes, but I guess not?)
Add support of extra roots for the moment on macos and ios. I plan to add windows and android but I believe this is already ready for initial feedback.
The work is mostly based on @complexspaces branch https://github.com/rustls/rustls-platform-verifier/tree/shared/extra-roots-additions.
I've changed the signature of new_with_extra_roots (breaking) to be uniform on all platforms.
Partially fix #58