deps: rustls-platform-verifier-0.6, and refactor

2025-06-03 13:20:02 +09:00 · 2025-06-03 13:20:02 +09:00 · 629c6e73e9
commit 629c6e73e9
parent 5d38f8dd3f
4 changed files with 61 additions and 18 deletions
--- a/rpxy-acme/Cargo.toml
+++ b/rpxy-acme/Cargo.toml
@ -28,11 +28,14 @@ rustls = { version = "0.23.27", default-features = false, features = [
  "std",
  "aws_lc_rs",
 ] }
-rustls-platform-verifier = { version = "0.5.3" }
+rustls-platform-verifier = { version = "0.6.0" }
 rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
  "aws-lc-rs",
 ] }
 rustls-post-quantum = { version = "0.2.2", optional = true }
-tokio = { version = "1.45.1", default-features = false }
+tokio = { version = "1.45.1", default-features = false, features = [
+  "rt",
+  "macros",
+] }
 tokio-util = { version = "0.7.15", default-features = false }
 tokio-stream = { version = "0.1.17", default-features = false }
--- a/rpxy-acme/src/error.rs
+++ b/rpxy-acme/src/error.rs
@ -12,4 +12,7 @@ pub enum RpxyAcmeError {
  /// IO error
  #[error("IO error: {0}")]
  Io(#[from] std::io::Error),
+  /// TLS client configuration error
+  #[error("TLS client configuration error: {0}")]
+  TlsClientConfig(String),
 }
--- a/rpxy-acme/src/manager.rs
+++ b/rpxy-acme/src/manager.rs
@ -79,11 +79,7 @@ impl AcmeManager {
    &self,
    cancel_token: tokio_util::sync::CancellationToken,
  ) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
-    let rustls_client_config = rustls::ClientConfig::builder()
-      .dangerous() // The `Verifier` we're using is actually safe
-      .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
-      .with_no_client_auth();
-    let rustls_client_config = Arc::new(rustls_client_config);
+    let rustls_client_config = Self::create_tls_client_config().expect("Failed to create TLS client configuration for ACME");

    let mut server_configs_for_challenge: HashMap<String, Arc<ServerConfig>> = HashMap::default();
    let join_handles = self
@ -127,6 +123,26 @@ impl AcmeManager {

    (join_handles, server_configs_for_challenge)
  }
+
+  /// Creates a TLS client configuration with platform certificate verification.
+  ///
+  /// This configuration uses the system's certificate store for verification,
+  /// which is appropriate for ACME certificate validation.
+  fn create_tls_client_config() -> Result<Arc<rustls::ClientConfig>, RpxyAcmeError> {
+    let crypto_provider = rustls::crypto::CryptoProvider::get_default().ok_or(RpxyAcmeError::TlsClientConfig(
+      "No default crypto provider available".to_string(),
+    ))?;
+
+    let verifier = rustls_platform_verifier::Verifier::new(crypto_provider.clone())
+      .map_err(|e| RpxyAcmeError::TlsClientConfig(format!("Failed to create certificate verifier: {}", e)))?;
+
+    let client_config = rustls::ClientConfig::builder()
+      .dangerous() // Safe: using platform certificate verifier
+      .with_custom_certificate_verifier(Arc::new(verifier))
+      .with_no_client_auth();
+
+    Ok(Arc::new(client_config))
+  }
 }

 #[cfg(test)]