Add built-in support for rustls-platform-verifier

Author: djc

Cargo.toml

@@ -17,6 +17,7 @@ hyper-util = { version = "0.1", default-features = false, features = ["client-le
 log = { version = "0.4.4", optional = true }
 pki-types = { package = "rustls-pki-types", version = "1" }
 rustls-native-certs = { version = "0.7", optional = true }
+rustls-platform-verifier = { version = "0.2", optional = true }
 rustls = { version = "0.22", default-features = false }
 tokio = "1.0"
 tokio-rustls = { version = "0.25", default-features = false }

src/config.rs

@@ -1,4 +1,11 @@
-#[cfg(any(feature = "rustls-native-certs", feature = "webpki-roots"))]
+#[cfg(feature = "rustls-platform-verifier")]
+use std::sync::Arc;
+
+#[cfg(any(
+    feature = "rustls-platform-verifier",
+    feature = "rustls-native-certs",
+    feature = "webpki-roots"
+))]
 use rustls::client::WantsClientCert;
 use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 
@@ -7,6 +14,14 @@ use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
 /// This adds methods (gated by crate features) for easily configuring
 /// TLS server roots a rustls ClientConfig will trust.
 pub trait ConfigBuilderExt {
+    /// Use the platform's native verifier to verify server certificates.
+    ///
+    /// See the documentation for [rustls-platform-verifier] for more details.
+    ///
+    /// [rustls-platform-verifier]: https://docs.rs/rustls-platform-verifier
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert>;
+
     /// This configures the platform's trusted certs, as implemented by
     /// rustls-native-certs
     ///
@@ -22,6 +37,14 @@ pub trait ConfigBuilderExt {
 }
 
 impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
+    #[cfg(feature = "rustls-platform-verifier")]
+    fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
+        self.dangerous()
+            .with_custom_certificate_verifier(Arc::new(
+                rustls_platform_verifier::Verifier::default(),
+            ))
+    }
+
     #[cfg(feature = "rustls-native-certs")]
     #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
     fn with_native_roots(self) -> std::io::Result<ConfigBuilder<ClientConfig, WantsClientCert>> {

src/connector/builder.rs

@@ -51,6 +51,18 @@ impl ConnectorBuilder<WantsTlsConfig> {
         ConnectorBuilder(WantsSchemes { tls_config: config })
     }
 
+    /// Use rustls' default crypto provider and other defaults, and the platform verifier
+    ///
+    /// See [`ConfigBuilderExt::with_platform_verifier()`].
+    #[cfg(all(feature = "ring", feature = "rustls-platform-verifier"))]
+    pub fn with_platform_verifier(self) -> ConnectorBuilder<WantsSchemes> {
+        self.with_tls_config(
+            ClientConfig::builder()
+                .with_platform_verifier()
+                .with_no_client_auth(),
+        )
+    }
+
     /// Shorthand for using rustls' default crypto provider and safe defaults, with
     /// native roots.
     ///