
Commit b4c491a

authored
feat: allow fine-grained root certs for rustls (#2232)
1 parent cf4295d commit b4c491a


2 files changed

+68
-2
lines changed


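--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -113,6 +113,10 @@ struct Config {
 root_certs: Vec<Certificate>,
 #[cfg(feature = "__tls")]
 tls_built_in_root_certs: bool,
+#[cfg(feature = "rustls-tls-webpki-roots")]
+tls_built_in_certs_webpki: bool,
+#[cfg(feature = "rustls-tls-native-roots")]
+tls_built_in_certs_native: bool,
 #[cfg(feature = "__tls")]
 min_tls_version: Option<tls::Version>,
 #[cfg(feature = "__tls")]
@@ -205,6 +209,10 @@ impl ClientBuilder {
 root_certs: Vec::new(),
 #[cfg(feature = "__tls")]
 tls_built_in_root_certs: true,
+#[cfg(feature = "rustls-tls-webpki-roots")]
+tls_built_in_certs_webpki: true,
+#[cfg(feature = "rustls-tls-native-roots")]
+tls_built_in_certs_native: true,
 #[cfg(any(feature = "native-tls", feature = "__rustls"))]
 identity: None,
 #[cfg(feature = "__tls")]
@@ -499,12 +507,12 @@ impl ClientBuilder {
 }
 
 #[cfg(feature = "rustls-tls-webpki-roots")]
-if config.tls_built_in_root_certs {
+if config.tls_built_in_certs_webpki {
 root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 }
 
 #[cfg(feature = "rustls-tls-native-roots")]
-if config.tls_built_in_root_certs {
+if config.tls_built_in_certs_native {
 let mut valid_count = 0;
 let mut invalid_count = 0;
 for cert in rustls_native_certs::load_native_certs()
@@ -1333,6 +1341,15 @@ impl ClientBuilder {
 ///
 /// Defaults to `true` -- built-in system certs will be used.
 ///
+/// # Bulk Option
+///
+/// If this value is `true`, _all_ enabled system certs configured with Cargo
+/// features will be loaded.
+///
+/// You can set this to `false`, and enable only a specific source with
+/// individual methods. Do that will prevent other sources from being loaded
+/// even if their feature Cargo feature is enabled.
+///
 /// # Optional
 ///
 /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
@@ -1348,6 +1365,37 @@ impl ClientBuilder {
 )]
 pub fn tls_built_in_root_certs(mut self, tls_built_in_root_certs: bool) -> ClientBuilder {
 self.config.tls_built_in_root_certs = tls_built_in_root_certs;
+
+#[cfg(feature = "rustls-tls-webpki-roots")]
+{
+self.config.tls_built_in_certs_webpki = tls_built_in_root_certs;
+}
+
+#[cfg(feature = "rustls-tls-native-roots")]
+{
+self.config.tls_built_in_certs_native = tls_built_in_root_certs;
+}
+
+self
+}
+
+/// Sets whether to load webpki root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-webpki-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
+self.config.tls_built_in_certs_webpki = enabled;
+self
+}
+
+/// Sets whether to load native root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-native-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
+self.config.tls_built_in_certs_native = enabled;
 self
 }
 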
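Review bot: `tls_built_in_root_certs` now overwrites both per-source flags (hunk at 1365), so the new fine-grained setters are order-sensitive: `.tls_built_in_webpki_certs(false).tls_built_in_root_certs(true)` silently re-enables webpki roots, while the reverse order disables them, and the `# Bulk Option` docs (hunk at 1341) never say that the bulk setter must be called first. Add a line such as `/// Call this before any per-source method; it overwrites the webpki and native flags.` to that section, and note on the two per-source methods that a later `tls_built_in_root_certs` call resets them. The same section has two wording slips: `Do that will prevent` should read `Doing so will prevent`, and `their feature Cargo feature` should read `their Cargo feature`. The per-source docs also do not say what happens when every source is disabled and no certificate was added; from the hunk at 507 the rustls store is presumably left empty, which would fail every handshake, and that fail-closed behaviour is worth stating. The blocking wrappers in src/blocking/client.rs copy the same doc comments and need the same caveat.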

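--- a/src/blocking/client.rs
+++ b/src/blocking/client.rs
@@ -615,6 +615,24 @@ impl ClientBuilder {
 self.with_inner(move |inner| inner.tls_built_in_root_certs(tls_built_in_root_certs))
 }
 
+/// Sets whether to load webpki root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-webpki-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
+self.with_inner(move |inner| inner.tls_built_in_webpki_certs(enabled))
+}
+
+/// Sets whether to load native root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-native-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
+self.with_inner(move |inner| inner.tls_built_in_native_certs(enabled))
+}
+
 /// Sets the identity to be used for client certificate authentication.
 ///
 /// # Optional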
