refactor: move webpki into separate feature, reorder deps

2024-08-09 17:37:16 +04:00 · 2024-08-09 17:37:16 +04:00 · cc8a62c19e
commit cc8a62c19e
parent 6e4722d060
4 changed files with 48 additions and 43 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -12,15 +12,18 @@ categories = ["network-programming"]
 [dependencies]
 base16ct = "0.2.0"
 base64ct = "1.6.0"
-bytes = "1.7.1"
-dashmap = { version = "6.0.1", optional = true }
-mime = "0.3.17"
-num_enum = "0.7.3"
 sha2 = "0.10.8"
+
+num_enum = "0.7.3"
+bytes = "1.7.1"
+mime = "0.3.17"
+url = "2.5.2"
+
 tokio = { version = "1.39.2", features = ["io-util", "net"] }
 tokio-rustls = { version = "0.26.0", default-features = false, features = ["ring"] }
-url = "2.5.2"
-webpki-roots = "0.26.3"
+webpki-roots = { version = "0.26.3", optional = true }
+
+dashmap = { version = "6.0.1", optional = true }

 [[example]]
 name = "simple"
@ -35,4 +38,5 @@ required-features = ["file-sscv"]
 tokio = { version = "1.39.2", features = ["macros", "rt-multi-thread"] }

 [features]
+webpki = ["dep:webpki-roots"]
 file-sscv = ["dep:dashmap", "tokio/fs"]
--- a/src/certs/verifier.rs
+++ b/src/certs/verifier.rs
@ -24,15 +24,21 @@ impl ServerCertVerifier for CustomCertVerifier {
    fn verify_server_cert(
        &self,
        end_entity: &CertificateDer<'_>,
-        intermediates: &[CertificateDer<'_>],
+        _intermediates: &[CertificateDer<'_>],
        server_name: &ServerName<'_>,
-        ocsp_response: &[u8],
+        _ocsp_response: &[u8],
        now: UnixTime,
    ) -> Result<ServerCertVerified, rustls::Error> {
        // if webpki CA certs enabled
+        #[cfg(feature = "webpki")]
        if let Some(wv) = &self.webpki_verifier {
-            match wv.verify_server_cert(end_entity, intermediates, server_name, ocsp_response, now)
-            {
+            match wv.verify_server_cert(
+                end_entity,
+                _intermediates,
+                server_name,
+                _ocsp_response,
+                now,
+            ) {
                Ok(verified) => {
                    return Ok(verified);
                }
--- a/src/client/builder.rs
+++ b/src/client/builder.rs
@ -7,12 +7,10 @@ use crate::{
    Client,
 };

-use tokio_rustls::rustls::{
-    self,
-    client::{danger::ServerCertVerifier, WebPkiServerVerifier},
-    pki_types::TrustAnchor,
-    SupportedProtocolVersion,
-};
+use tokio_rustls::rustls::{self, client::danger::ServerCertVerifier, SupportedProtocolVersion};
+
+#[cfg(feature = "webpki")]
+use tokio_rustls::rustls::{client::WebPkiServerVerifier, pki_types::TrustAnchor};

 /// Builder for creating configured [`Client`] instance
 pub struct ClientBuilder {
@ -58,24 +56,32 @@ impl ClientBuilder {
        let tls_config = if let Some(cv) = self.custom_verifier {
            tls_config.dangerous().with_custom_certificate_verifier(cv)
        } else if let Some(ssv) = self.ss_verifier {
+            let webpki_verifier = {
+                #[cfg(feature = "webpki")]
+                if !self.root_certs.is_empty() {
+                    Some(
+                        WebPkiServerVerifier::builder_with_provider(
+                            Arc::new(self.root_certs),
+                            provider.clone(),
+                        )
+                        .build()
+                        // panics only if roots are empty (that is checked above)
+                        // or CRLs couldn't be parsed (we didn't provide any)
+                        .unwrap(),
+                    )
+                } else {
+                    None
+                }
+
+                #[cfg(not(feature = "webpki"))]
+                None
+            };
+
            tls_config
                .dangerous()
                .with_custom_certificate_verifier(Arc::new(CustomCertVerifier {
                    provider: provider.clone(),
-                    webpki_verifier: if !self.root_certs.is_empty() {
-                        Some(
-                            WebPkiServerVerifier::builder_with_provider(
-                                Arc::new(self.root_certs),
-                                provider,
-                            )
-                            .build()
-                            // panics only if roots are empty (that is checked above)
-                            // or CRLs couldn't be parsed (we didn't provide any)
-                            .unwrap(),
-                        )
-                    } else {
-                        None
-                    },
+                    webpki_verifier,
                    ss_allowed: true,
                    ss_verifier: ssv,
                }))
@ -102,6 +108,7 @@ impl ClientBuilder {
    /// Include webpki trust anchors.
    /// Not recommended (useless) as most Gemini capsules use self-signed
    /// TLS certs and properly configured TOFU policy is enough.
+    #[cfg(feature = "webpki")]
    pub fn with_webpki_roots(mut self) -> Self {
        self.root_certs
            .extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
@ -110,6 +117,7 @@ impl ClientBuilder {

    /// Include custom trust anchors.
    /// Not recommended (useless), see note for [`ClientBuilder::with_webpki_roots`].
+    #[cfg(feature = "webpki")]
    pub fn with_custom_roots(
        mut self,
        iter: impl IntoIterator<Item = TrustAnchor<'static>>,
--- a/src/client/mod.rs
+++ b/src/client/mod.rs
@ -25,19 +25,6 @@ pub struct Client {
    connector: TlsConnector,
 }

-impl Default for Client {
-    /// Create a Client with webpki_roots trust anchors and no client auth cert.
-    /// Will be possibly removed in next versions.
-    fn default() -> Self {
-        let roots =
-            rustls::RootCertStore::from_iter(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        let config = rustls::ClientConfig::builder()
-            .with_root_certificates(roots)
-            .with_no_client_auth();
-        Client::from(config)
-    }
-}
-
 impl From<rustls::ClientConfig> for Client {
    /// Create a Client from a Rustls config.
    #[inline]