From 629c6e73e954fc5ae9afabdc64a564956e9fcec6 Mon Sep 17 00:00:00 2001
From: Jun Kurihara <junkurihara@users.noreply.github.com>
Date: Tue, 3 Jun 2025 13:20:02 +0900
Subject: [PATCH] deps: rustls-platform-verifier-0.6, and refactor

---
 Cargo.lock               | 43 ++++++++++++++++++++++++++++++----------
 rpxy-acme/Cargo.toml     |  7 +++++--
 rpxy-acme/src/error.rs   |  3 +++
 rpxy-acme/src/manager.rs | 26 +++++++++++++++++++-----
 4 files changed, 61 insertions(+), 18 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index e4e705a..211a466 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -412,9 +412,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 
 [[package]]
 name = "cc"
-version = "1.2.24"
+version = "1.2.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16595d3be041c03b09d08d0858631facccee9221e579704070e6e9e4915d3bc7"
+checksum = "d0fc897dc1e865cc67c0e05a836d9d3f1df3cbe442aa4a9473b18e12624a4951"
 dependencies = [
  "jobserver",
  "libc",
@@ -1185,7 +1185,7 @@ dependencies = [
  "hyper-util",
  "rustls",
  "rustls-pki-types",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.5.3",
  "tokio",
  "tokio-rustls",
  "tower-service",
@@ -1854,9 +1854,9 @@ dependencies = [
 
 [[package]]
 name = "prettyplease"
-version = "0.2.32"
+version = "0.2.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "664ec5419c51e34154eec046ebcba56312d5a2fc3b09a06da188e1ad21afadf6"
+checksum = "9dee91521343f4c5c6a63edd65e54f31f5c92fe8978c40a4282f8372194c6a7d"
 dependencies = [
  "proc-macro2",
  "syn",
@@ -1913,7 +1913,7 @@ dependencies = [
  "rustc-hash 2.1.1",
  "rustls",
  "rustls-pki-types",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.5.3",
  "slab",
  "thiserror 2.0.12",
  "tinyvec",
@@ -2126,7 +2126,7 @@ dependencies = [
  "blocking",
  "rustls",
  "rustls-acme",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.6.0",
  "rustls-post-quantum",
  "thiserror 2.0.12",
  "tokio",
@@ -2345,6 +2345,27 @@ dependencies = [
  "windows-sys 0.59.0",
 ]
 
+[[package]]
+name = "rustls-platform-verifier"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eda84358ed17f1f354cf4b1909ad346e6c7bc2513e8c40eb08e0157aa13a9070"
+dependencies = [
+ "core-foundation 0.10.1",
+ "core-foundation-sys",
+ "jni",
+ "log",
+ "once_cell",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-platform-verifier-android",
+ "rustls-webpki",
+ "security-framework 3.2.0",
+ "security-framework-sys",
+ "webpki-root-certs 1.0.0",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "rustls-platform-verifier-android"
 version = "0.1.1"
@@ -2523,9 +2544,9 @@ dependencies = [
 
 [[package]]
 name = "s2n-tls"
-version = "0.3.20"
+version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5b886e605d71d8e78e37c7f6195887112f4c9d0a3269057f6447d3dae99908"
+checksum = "23c23a50f9733440df3a1e8c94d71026b02e5080395f080f4f66d1fecc2fca86"
 dependencies = [
  "errno",
  "hex",
@@ -2536,9 +2557,9 @@ dependencies = [
 
 [[package]]
 name = "s2n-tls-sys"
-version = "0.3.20"
+version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "753c5eb4a0632b275ee3c503b0a108b2430b429566c86501f311f67cf579b35f"
+checksum = "00d42ff433e7a1267cc7105ee1aa8f8785473cee48376ddbb13e2d9f23e2291d"
 dependencies = [
  "aws-lc-rs",
  "cc",
diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml
index 837d010..cae1048 100644
--- a/rpxy-acme/Cargo.toml
+++ b/rpxy-acme/Cargo.toml
@@ -28,11 +28,14 @@ rustls = { version = "0.23.27", default-features = false, features = [
   "std",
   "aws_lc_rs",
 ] }
-rustls-platform-verifier = { version = "0.5.3" }
+rustls-platform-verifier = { version = "0.6.0" }
 rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
   "aws-lc-rs",
 ] }
 rustls-post-quantum = { version = "0.2.2", optional = true }
-tokio = { version = "1.45.1", default-features = false }
+tokio = { version = "1.45.1", default-features = false, features = [
+  "rt",
+  "macros",
+] }
 tokio-util = { version = "0.7.15", default-features = false }
 tokio-stream = { version = "0.1.17", default-features = false }
diff --git a/rpxy-acme/src/error.rs b/rpxy-acme/src/error.rs
index 08133c5..cbf5e1d 100644
--- a/rpxy-acme/src/error.rs
+++ b/rpxy-acme/src/error.rs
@@ -12,4 +12,7 @@ pub enum RpxyAcmeError {
   /// IO error
   #[error("IO error: {0}")]
   Io(#[from] std::io::Error),
+  /// TLS client configuration error
+  #[error("TLS client configuration error: {0}")]
+  TlsClientConfig(String),
 }
diff --git a/rpxy-acme/src/manager.rs b/rpxy-acme/src/manager.rs
index 73b786d..8380140 100644
--- a/rpxy-acme/src/manager.rs
+++ b/rpxy-acme/src/manager.rs
@@ -79,11 +79,7 @@ impl AcmeManager {
     &self,
     cancel_token: tokio_util::sync::CancellationToken,
   ) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
-    let rustls_client_config = rustls::ClientConfig::builder()
-      .dangerous() // The `Verifier` we're using is actually safe
-      .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
-      .with_no_client_auth();
-    let rustls_client_config = Arc::new(rustls_client_config);
+    let rustls_client_config = Self::create_tls_client_config().expect("Failed to create TLS client configuration for ACME");
 
     let mut server_configs_for_challenge: HashMap<String, Arc<ServerConfig>> = HashMap::default();
     let join_handles = self
@@ -127,6 +123,26 @@ impl AcmeManager {
 
     (join_handles, server_configs_for_challenge)
   }
+
+  /// Creates a TLS client configuration with platform certificate verification.
+  ///
+  /// This configuration uses the system's certificate store for verification,
+  /// which is appropriate for ACME certificate validation.
+  fn create_tls_client_config() -> Result<Arc<rustls::ClientConfig>, RpxyAcmeError> {
+    let crypto_provider = rustls::crypto::CryptoProvider::get_default().ok_or(RpxyAcmeError::TlsClientConfig(
+      "No default crypto provider available".to_string(),
+    ))?;
+
+    let verifier = rustls_platform_verifier::Verifier::new(crypto_provider.clone())
+      .map_err(|e| RpxyAcmeError::TlsClientConfig(format!("Failed to create certificate verifier: {}", e)))?;
+
+    let client_config = rustls::ClientConfig::builder()
+      .dangerous() // Safe: using platform certificate verifier
+      .with_custom_certificate_verifier(Arc::new(verifier))
+      .with_no_client_auth();
+
+    Ok(Arc::new(client_config))
+  }
 }
 
 #[cfg(test)]