feat(transport): Add a tls-webpki-roots feature to add trust roots fr…

…om webpki-roots (#660)
hyperium · May 24, 2021 · 32173dc · 32173dc
1 parent 4d2667d
commit 32173dc
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
@@ -35,7 +35,9 @@ transport = [
     "tokio/time",
 ]
 tls = ["transport", "tokio-rustls"]
-tls-roots = ["tls", "rustls-native-certs"]
+tls-roots-common = ["tls"]
+tls-roots = ["tls-roots-common", "rustls-native-certs"]
+tls-webpki-roots = ["tls-roots-common", "webpki-roots"]
 prost = ["prost1", "prost-derive"]
 
 # [[bench]]
@@ -76,6 +78,7 @@ tracing-futures = { version = "0.2", optional = true }
 # rustls
 tokio-rustls = { version = "0.22", optional = true }
 rustls-native-certs = { version = "0.5", optional = true }
+webpki-roots = { version = "0.21.1", optional = true }
 
 [dev-dependencies]
 tokio = { version = "1.0", features = ["rt", "macros"] }

diff --git a/tonic/src/lib.rs b/tonic/src/lib.rs
@@ -25,6 +25,8 @@
 //! - `tls-roots`: Adds system trust roots to `rustls`-based gRPC clients using the
 //! `rustls-native-certs` crate. Not enabled by default. `tls` must be enabled to use
 //! `tls-roots`.
+//! - `tls-webpki-roots`: Add the standard trust roots from the `webpki-roots` crate to
+//! `rustls`-based gRPC clients. Not enabled by default.
 //! - `prost`: Enables the [`prost`] based gRPC [`Codec`] implementation.
 //!
 //! # Structure

diff --git a/tonic/src/transport/service/connector.rs b/tonic/src/transport/service/connector.rs
@@ -37,7 +37,7 @@ impl<C> Connector<C> {
         Self { inner, tls }
     }
 
-    #[cfg(feature = "tls-roots")]
+    #[cfg(feature = "tls-roots-common")]
     fn tls_or_default(&self, scheme: Option<&str>, host: Option<&str>) -> Option<TlsConnector> {
         use tokio_rustls::webpki::DNSNameRef;
 
@@ -74,10 +74,10 @@ where
     }
 
     fn call(&mut self, uri: Uri) -> Self::Future {
-        #[cfg(all(feature = "tls", not(feature = "tls-roots")))]
+        #[cfg(all(feature = "tls", not(feature = "tls-roots-common")))]
         let tls = self.tls.clone();
 
-        #[cfg(feature = "tls-roots")]
+        #[cfg(feature = "tls-roots-common")]
         let tls = self.tls_or_default(uri.scheme_str(), uri.host());
 
         let connect = self.inner.make_connection(uri);

diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
@@ -64,6 +64,13 @@ impl TlsConnector {
             };
         }
 
+        #[cfg(feature = "tls-webpki-roots")]
+        {
+            config
+                .root_store
+                .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+        }
+
         if let Some(cert) = ca_cert {
             let mut buf = std::io::Cursor::new(&cert.pem[..]);
             config.root_store.add_pem_file(&mut buf).unwrap();