deps: rustls-platform-verifier-0.6, and refactor

2025-06-03 13:20:02 +09:00 · 2025-06-03 13:20:02 +09:00 · 629c6e73e9
commit 629c6e73e9
parent 5d38f8dd3f
4 changed files with 61 additions and 18 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -412,9 +412,9 @@ checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a"
 [[package]]
 name = "cc"
-version = "1.2.24"
+version = "1.2.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "16595d3be041c03b09d08d0858631facccee9221e579704070e6e9e4915d3bc7"
+checksum = "d0fc897dc1e865cc67c0e05a836d9d3f1df3cbe442aa4a9473b18e12624a4951"
 dependencies = [
 "jobserver",
 "libc",
@ -1185,7 +1185,7 @@ dependencies = [
 "hyper-util",
 "rustls",
 "rustls-pki-types",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.5.3",
 "tokio",
 "tokio-rustls",
 "tower-service",
@ -1854,9 +1854,9 @@ dependencies = [
 [[package]]
 name = "prettyplease"
-version = "0.2.32"
+version = "0.2.33"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "664ec5419c51e34154eec046ebcba56312d5a2fc3b09a06da188e1ad21afadf6"
+checksum = "9dee91521343f4c5c6a63edd65e54f31f5c92fe8978c40a4282f8372194c6a7d"
 dependencies = [
 "proc-macro2",
 "syn",
@ -1913,7 +1913,7 @@ dependencies = [
 "rustc-hash 2.1.1",
 "rustls",
 "rustls-pki-types",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.5.3",
 "slab",
 "thiserror 2.0.12",
 "tinyvec",
@ -2126,7 +2126,7 @@ dependencies = [
 "blocking",
 "rustls",
 "rustls-acme",
- "rustls-platform-verifier",
+ "rustls-platform-verifier 0.6.0",
 "rustls-post-quantum",
 "thiserror 2.0.12",
 "tokio",
@ -2345,6 +2345,27 @@ dependencies = [
 "windows-sys 0.59.0",
 ]
 [[package]]
 name = "rustls-platform-verifier"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eda84358ed17f1f354cf4b1909ad346e6c7bc2513e8c40eb08e0157aa13a9070"
 dependencies = [
 "core-foundation 0.10.1",
 "core-foundation-sys",
 "jni",
 "log",
 "once_cell",
 "rustls",
 "rustls-native-certs",
 "rustls-platform-verifier-android",
 "rustls-webpki",
 "security-framework 3.2.0",
 "security-framework-sys",
 "webpki-root-certs 1.0.0",
 "windows-sys 0.59.0",
 ]
 [[package]]
 name = "rustls-platform-verifier-android"
 version = "0.1.1"
@ -2523,9 +2544,9 @@ dependencies = [
 [[package]]
 name = "s2n-tls"
-version = "0.3.20"
+version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5b886e605d71d8e78e37c7f6195887112f4c9d0a3269057f6447d3dae99908"
+checksum = "23c23a50f9733440df3a1e8c94d71026b02e5080395f080f4f66d1fecc2fca86"
 dependencies = [
 "errno",
 "hex",
@ -2536,9 +2557,9 @@ dependencies = [
 [[package]]
 name = "s2n-tls-sys"
-version = "0.3.20"
+version = "0.3.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "753c5eb4a0632b275ee3c503b0a108b2430b429566c86501f311f67cf579b35f"
+checksum = "00d42ff433e7a1267cc7105ee1aa8f8785473cee48376ddbb13e2d9f23e2291d"
 dependencies = [
 "aws-lc-rs",
 "cc",
--- a/rpxy-acme/Cargo.toml
+++ b/rpxy-acme/Cargo.toml
@ -28,11 +28,14 @@ rustls = { version = "0.23.27", default-features = false, features = [
  "std",
  "aws_lc_rs",
 ] }
-rustls-platform-verifier = { version = "0.5.3" }
+rustls-platform-verifier = { version = "0.6.0" }
 rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
  "aws-lc-rs",
 ] }
 rustls-post-quantum = { version = "0.2.2", optional = true }
-tokio = { version = "1.45.1", default-features = false }
+tokio = { version = "1.45.1", default-features = false, features = [
  "rt",
  "macros",
 ] }
 tokio-util = { version = "0.7.15", default-features = false }
 tokio-stream = { version = "0.1.17", default-features = false }
--- a/rpxy-acme/src/error.rs
+++ b/rpxy-acme/src/error.rs
@ -12,4 +12,7 @@ pub enum RpxyAcmeError {
  /// IO error
  #[error("IO error: {0}")]
  Io(#[from] std::io::Error),
  /// TLS client configuration error
  #[error("TLS client configuration error: {0}")]
  TlsClientConfig(String),
 }
--- a/rpxy-acme/src/manager.rs
+++ b/rpxy-acme/src/manager.rs
@ -79,11 +79,7 @@ impl AcmeManager {
    &self,
    cancel_token: tokio_util::sync::CancellationToken,
  ) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
-    let rustls_client_config = rustls::ClientConfig::builder()
+    let rustls_client_config = Self::create_tls_client_config().expect("Failed to create TLS client configuration for ACME");
      .dangerous() // The `Verifier` we're using is actually safe
      .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
      .with_no_client_auth();
    let rustls_client_config = Arc::new(rustls_client_config);
    let mut server_configs_for_challenge: HashMap<String, Arc<ServerConfig>> = HashMap::default();
    let join_handles = self
@ -127,6 +123,26 @@ impl AcmeManager {
    (join_handles, server_configs_for_challenge)
  }
  /// Creates a TLS client configuration with platform certificate verification.
  ///
  /// This configuration uses the system's certificate store for verification,
  /// which is appropriate for ACME certificate validation.
  fn create_tls_client_config() -> Result<Arc<rustls::ClientConfig>, RpxyAcmeError> {
    let crypto_provider = rustls::crypto::CryptoProvider::get_default().ok_or(RpxyAcmeError::TlsClientConfig(
      "No default crypto provider available".to_string(),
    ))?;
    let verifier = rustls_platform_verifier::Verifier::new(crypto_provider.clone())
      .map_err(|e| RpxyAcmeError::TlsClientConfig(format!("Failed to create certificate verifier: {}", e)))?;
    let client_config = rustls::ClientConfig::builder()
      .dangerous() // Safe: using platform certificate verifier
      .with_custom_certificate_verifier(Arc::new(verifier))
      .with_no_client_auth();
    Ok(Arc::new(client_config))
  }
 }
 #[cfg(test)]