
Commit d807069

seanmonstarNutomic
authored andcommitted
feat: allow fine-grained root certs for rustls (seanmonstar#2232)
1 parent 16cf099 commit d807069

2 files changed

+68
-2
lines changed


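--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -113,6 +113,10 @@ struct Config {
 root_certs: Vec<Certificate>,
 #[cfg(feature = "__tls")]
 tls_built_in_root_certs: bool,
+#[cfg(feature = "rustls-tls-webpki-roots")]
+tls_built_in_certs_webpki: bool,
+#[cfg(feature = "rustls-tls-native-roots")]
+tls_built_in_certs_native: bool,
 #[cfg(feature = "__tls")]
 min_tls_version: Option<tls::Version>,
 #[cfg(feature = "__tls")]
@@ -206,6 +210,10 @@ impl ClientBuilder {
 root_certs: Vec::new(),
 #[cfg(feature = "__tls")]
 tls_built_in_root_certs: true,
+#[cfg(feature = "rustls-tls-webpki-roots")]
+tls_built_in_certs_webpki: true,
+#[cfg(feature = "rustls-tls-native-roots")]
+tls_built_in_certs_native: true,
 #[cfg(any(feature = "native-tls", feature = "__rustls"))]
 identity: None,
 #[cfg(feature = "__tls")]
@@ -501,12 +509,12 @@ impl ClientBuilder {
 }
 
 #[cfg(feature = "rustls-tls-webpki-roots")]
-if config.tls_built_in_root_certs {
+if config.tls_built_in_certs_webpki {
 root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
 }
 
 #[cfg(feature = "rustls-tls-native-roots")]
-if config.tls_built_in_root_certs {
+if config.tls_built_in_certs_native {
 let mut valid_count = 0;
 let mut invalid_count = 0;
 for cert in rustls_native_certs::load_native_certs()
@@ -1343,6 +1351,15 @@ impl ClientBuilder {
 ///
 /// Defaults to `true` -- built-in system certs will be used.
 ///
+/// # Bulk Option
+///
+/// If this value is `true`, _all_ enabled system certs configured with Cargo
+/// features will be loaded.
+///
+/// You can set this to `false`, and enable only a specific source with
+/// individual methods. Do that will prevent other sources from being loaded
+/// even if their feature Cargo feature is enabled.
+///
 /// # Optional
 ///
 /// This requires the optional `default-tls`, `native-tls`, or `rustls-tls(-...)`
@@ -1358,6 +1375,37 @@ impl ClientBuilder {
 )]
 pub fn tls_built_in_root_certs(mut self, tls_built_in_root_certs: bool) -> ClientBuilder {
 self.config.tls_built_in_root_certs = tls_built_in_root_certs;
+
+#[cfg(feature = "rustls-tls-webpki-roots")]
+{
+self.config.tls_built_in_certs_webpki = tls_built_in_root_certs;
+}
+
+#[cfg(feature = "rustls-tls-native-roots")]
+{
+self.config.tls_built_in_certs_native = tls_built_in_root_certs;
+}
+
+self
+}
+
+/// Sets whether to load webpki root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-webpki-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
+self.config.tls_built_in_certs_webpki = enabled;
+self
+}
+
+/// Sets whether to load native root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-native-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
+self.config.tls_built_in_certs_native = enabled;
 self
 }
 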
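Review bot: In the last hunk, `tls_built_in_root_certs` now overwrites both per-source flags, so the resulting trust store depends on call order: `.tls_built_in_webpki_certs(false).tls_built_in_root_certs(true)` silently re-enables the webpki roots, while the `# Bulk Option` text in the preceding hunk only describes the bulk-`false`-then-individual order. Because these flags decide which trust anchors the client accepts, the doc for `tls_built_in_root_certs` should state the rule, e.g. `/// This overrides any earlier call to the per-source methods; call it first and refine afterwards.`, and the two per-source methods (here and their wrappers in `src/blocking/client.rs`) should say `/// A later call to [`tls_built_in_root_certs`] overrides this value.`. The same `# Bulk Option` paragraph has two typos: `Do that will prevent` should read `Doing that will prevent`, and `their feature Cargo feature` should read `their Cargo feature`.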

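--- a/src/blocking/client.rs
+++ b/src/blocking/client.rs
@@ -615,6 +615,24 @@ impl ClientBuilder {
 self.with_inner(move |inner| inner.tls_built_in_root_certs(tls_built_in_root_certs))
 }
 
+/// Sets whether to load webpki root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-webpki-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-webpki-roots")))]
+pub fn tls_built_in_webpki_certs(mut self, enabled: bool) -> ClientBuilder {
+self.with_inner(move |inner| inner.tls_built_in_webpki_certs(enabled))
+}
+
+/// Sets whether to load native root certs with rustls.
+///
+/// If the feature is enabled, this value is `true` by default.
+#[cfg(feature = "rustls-tls-native-roots")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls-native-roots")))]
+pub fn tls_built_in_native_certs(mut self, enabled: bool) -> ClientBuilder {
+self.with_inner(move |inner| inner.tls_built_in_native_certs(enabled))
+}
+
 /// Sets the identity to be used for client certificate authentication.
 ///
 /// # Optional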
