[PM-4269] Use rustls on non-wasm platforms (#374)

## Type of change
```
- [ ] Bug fix
- [x] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective
Updated reqwest to use rustls on all platforms. We're also using
rustls-platform-verifier where possible to load the CA certificates from
the operating system store instead of including them in the binary.

Note that WASM doesn't need a TLS stack as reqwest just uses the
browser's `fetch`

| | TLS Stack | CA Validator | Accepts self signed in OS root store |

|---------|-----------|--------------------------|--------------------------------------|
| Windows | RusTLS | ustls-platform-verifier | Yes |
| Linux | RusTLS | rustls-platform-verifier (Native+WebPKI) | Yes |
| Mac | RusTLS | rustls-platform-verifier (Native) | Yes |
| Android | RusTLS | WebPKI | No |
| iOS | RusTLS | rustls-platform-verifier (Native) | Yes |
| WASM | fetch | fetch | Maybe, use browser config |

about.toml

@@ -8,4 +8,9 @@ accepted = [
     "MPL-2.0",
     "LGPL-3.0",
     "Unicode-DFS-2016",
+    "OpenSSL",
 ]
+
+# Ring has all the licenses combined into a single file, which causes cargo about to 
+# be confused about it. Thankfully it includes a workaround for this that we can enable.
+workarounds = ["ring"]

crates/bitwarden-api-api/Cargo.toml

@@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] }
 [dependencies.reqwest]
 version = ">=0.11.18, <0.12"
 features = ["json", "multipart"]
+default-features = false
 
 [dev-dependencies]

crates/bitwarden-api-identity/Cargo.toml

@@ -22,5 +22,6 @@ uuid = { version = ">=1.3.3, <2", features = ["serde"] }
 [dependencies.reqwest]
 version = ">=0.11.18, <0.12"
 features = ["json", "multipart"]
+default-features = false
 
 [dev-dependencies]

crates/bitwarden-uniffi/Cargo.toml

@@ -25,6 +25,3 @@ bitwarden = { path = "../bitwarden", features = ["mobile", "internal"] }
 
 [build-dependencies]
 uniffi = { version = "=0.25.2", features = ["build"] }
-
-[target.'cfg(any(target_os = "android", target_os = "ios"))'.dependencies]
-openssl = { version = "0.10", features = ["vendored"] }

crates/bitwarden/CHANGELOG.md

@@ -7,6 +7,10 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Changed
+
+- Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`.
+
 ## [0.4.0] - 2023-12-21
 
 ### Added

crates/bitwarden/Cargo.toml

@@ -46,7 +46,9 @@ num-bigint = ">=0.4, <0.5"
 num-traits = ">=0.2.15, <0.3"
 pbkdf2 = { version = ">=0.12.1, <0.13", default-features = false }
 rand = ">=0.8.5, <0.9"
-reqwest = { version = ">=0.11, <0.12", features = ["json"] }
+reqwest = { version = ">=0.11, <0.12", features = [
+    "json",
+], default-features = false }
 rsa = ">=0.9.2, <0.10"
 schemars = { version = ">=0.8.9, <0.9", features = ["uuid1", "chrono"] }
 serde = { version = ">=1.0, <2.0", features = ["derive"] }
@@ -60,6 +62,23 @@ thiserror = ">=1.0.40, <2.0"
 uniffi = { version = "=0.25.2", optional = true, features = ["tokio"] }
 uuid = { version = ">=1.3.3, <2.0", features = ["serde"] }
 
+[target.'cfg(all(not(target_os = "android"), not(target_arch="wasm32")))'.dependencies]
+# By default, we use rustls as the TLS stack and rust-platform-verifier to support user-installed root certificates
+# There are a few exceptions to this:
+# - WASM doesn't require a TLS stack, as it just uses the browsers/node fetch
+# - Android uses webpki-roots for the moment
+reqwest = { version = "*", features = [
+    "rustls-tls-manual-roots",
+], default-features = false }
+rustls-platform-verifier = "0.1.0"
+
+[target.'cfg(target_os = "android")'.dependencies]
+# On android, the use of rustls-platform-verifier is more complicated and going through some changes at the moment, so we fall back to using webpki-roots
+# This means that for the moment android won't support self-signed certificates, even if they are included in the OS trust store
+reqwest = { version = "*", features = [
+    "rustls-tls-webpki-roots",
+], default-features = false }
+
 [dev-dependencies]
 rand_chacha = "0.3.1"
 tokio = { version = "1.35.1", features = ["rt", "macros"] }

crates/bitwarden/src/client/client.rs

@@ -88,10 +88,16 @@ impl Client {
 
         let headers = header::HeaderMap::new();
 
-        let client = reqwest::Client::builder()
-            .default_headers(headers)
-            .build()
-            .unwrap();
+        #[allow(unused_mut)]
+        let mut client_builder = reqwest::Client::builder().default_headers(headers);
+
+        #[cfg(all(not(target_os = "android"), not(target_arch = "wasm32")))]
+        {
+            client_builder =
+                client_builder.use_preconfigured_tls(rustls_platform_verifier::tls_config());
+        }
+
+        let client = client_builder.build().unwrap();
 
         let identity = bitwarden_api_identity::apis::configuration::Configuration {
             base_path: settings.identity_url,

crates/bws/CHANGELOG.md

@@ -7,6 +7,10 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+### Changed
+
+- Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`.
+
 ## [0.4.0] - 2023-12-21
 
 ### Added

crates/bws/Cargo.toml

@@ -44,6 +44,3 @@ bitwarden = { path = "../bitwarden", version = "0.4.0", features = ["secrets"] }
 
 [dev-dependencies]
 tempfile = "3.9.0"
-
-[target.'cfg(target_os = "linux")'.dependencies]
-openssl = { version = "0.10", features = ["vendored"] }

support/openapi-template/Cargo.mustache

@@ -27,6 +27,7 @@ reqwest = "~0.9"
 [dependencies.reqwest]
 version = "^0.11"
 features = ["json", "multipart"]
+default-features = false
 {{/supportAsync}}
 {{/reqwest}}
 {{#withAWSV4Signature}}