feat(tls): Add rustls-platform-verifier support

tottoto · tottoto · commit 100f8a14cd65 · 2024-10-05T17:30:21.000+09:00
diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
@@ -32,6 +32,7 @@ tls = ["dep:rustls-pemfile", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "toki
 tls-roots = ["tls-native-roots"] # Deprecated. Please use `tls-native-roots` instead.
 tls-native-roots = ["tls", "channel", "dep:rustls-native-certs"]
 tls-webpki-roots = ["tls", "channel", "dep:webpki-roots"]
+tls-platform-verifier = ["tls", "channel", "dep:rustls-platform-verifier"]
 router = ["dep:axum", "dep:tower", "tower?/util"]
 server = [
   "router",
@@ -90,6 +91,7 @@ axum = {version = "0.7", default-features = false, optional = true}
 # rustls
 rustls-pemfile = { version = "2.0", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
+rustls-platform-verifier = { version = "0.3", optional = true }
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
 webpki-roots = { version = "0.26", optional = true }
 
diff --git a/tonic/src/lib.rs b/tonic/src/lib.rs
@@ -31,6 +31,9 @@
 //!   [`rustls-native-certs`] crate. Not enabled by default.
 //! - `tls-webpki-roots`: Add the standard trust roots from the [`webpki-roots`] crate to
 //!   `rustls`-based gRPC clients. Not enabled by default.
+//! - `tls-platform-verifier`: Uses the operating system’s certificate facilities to verify
+//!   the validity of TLS certificates using the [`rustls-platform-verifier`] crate. Not
+//!   enabled by default.
 //! - `prost`: Enables the [`prost`] based gRPC [`Codec`] implementation. Enabled by default.
 //! - `gzip`: Enables compressing requests, responses, and streams. Depends on [`flate2`].
 //!   Not enabled by default.
@@ -80,6 +83,7 @@
 //! [`transport`]: transport/index.html
 //! [`rustls-native-certs`]: https://docs.rs/rustls-native-certs
 //! [`webpki-roots`]: https://docs.rs/webpki-roots
+//! [`rustls-platform-verifier`]: https://docs.rs/rustls-platform-verifier
 //! [`flate2`]: https://docs.rs/flate2
 //! [`zstd`]: https://docs.rs/zstd
 
diff --git a/tonic/src/transport/channel/service/tls.rs b/tonic/src/transport/channel/service/tls.rs
@@ -58,7 +58,16 @@ impl TlsConnector {
             add_certs_from_pem(&mut Cursor::new(cert), &mut roots)?;
         }
 
+        #[cfg(feature = "tls-platform-verifier")]
+        let builder = builder
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(
+                rustls_platform_verifier::Verifier::new_with_extra_roots(roots.roots),
+            ));
+
+        #[cfg(not(feature = "tls-platform-verifier"))]
         let builder = builder.with_root_certificates(roots);
+
         let mut config = match identity {
             Some(identity) => {
                 let (client_cert, client_key) = load_identity(identity)?;
