download: statically bundle relevant trust anchors

Author: djc

Cargo.lock

@@ -140,6 +140,9 @@ http-body-util = "0.1.0"
 hyper = { version = "1.0", default-features = false, features = ["server", "http1"] }
 hyper-util = { version = "0.1.1", features = ["tokio"] }
 proptest = "1.1.0"
+rustls-webpki = { version = "0.103.3" }
+tokio-rustls = "0.26.4"
+webpki-root-certs = "1"
 
 [build-dependencies]
 platforms = "3.4"

Cargo.toml

@@ -546,12 +546,14 @@ mod reqwest_be {
     use std::sync::{Arc, OnceLock};
     use std::time::Duration;
 
+    #[cfg(feature = "reqwest-rustls-tls")]
+    use crate::anchors::RUSTUP_TRUST_ANCHORS;
     use anyhow::{Context, anyhow};
     use reqwest::{Client, ClientBuilder, Proxy, Response, header};
     #[cfg(feature = "reqwest-rustls-tls")]
     use rustls::crypto::aws_lc_rs;
     #[cfg(feature = "reqwest-rustls-tls")]
-    use rustls_platform_verifier::BuilderVerifierExt;
+    use rustls_platform_verifier::Verifier;
     use tokio_stream::StreamExt;
     use url::Url;
 
@@ -607,14 +609,19 @@ mod reqwest_be {
             return Ok(client);
         }
 
+        let provider = Arc::new(aws_lc_rs::default_provider());
+        let verifier =
+            Verifier::new_with_extra_roots(RUSTUP_TRUST_ANCHORS.iter().cloned(), provider.clone())
+                .map_err(|err| {
+                    DownloadError::Message(format!("failed to initialize platform verifier: {err}"))
+                })?;
+
         let mut tls_config =
-            rustls::ClientConfig::builder_with_provider(Arc::new(aws_lc_rs::default_provider()))
+            rustls::ClientConfig::builder_with_provider(provider)
                 .with_safe_default_protocol_versions()
                 .unwrap()
-                .with_platform_verifier()
-                .map_err(|err| {
-                    DownloadError::Message(format!("failed to initialize platform verifier: {err}"))
-                })?
+                .dangerous() // We're using a rustls verifier, so it's okay
+                .with_custom_certificate_verifier(Arc::new(verifier))
                 .with_no_client_auth();
         tls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
 

src/download/mod.rs

@@ -85,6 +85,8 @@ mod settings;
 pub mod test;
 mod toolchain;
 pub mod utils;
+#[cfg(feature = "reqwest-rustls-tls")]
+mod anchors;
 
 #[cfg(test)]
 mod tests {

src/lib.rs

@@ -10,3 +10,4 @@ mod cli_v1;
 mod cli_v2;
 mod dist_install;
 mod known_triples;
+mod static_roots;

tests/suite/mod.rs

@@ -0,0 +1,167 @@
+//! Connects to a known set of `HOSTS`, captures the root certificates for the
+//! certificate chain presented, and writes them to `src/anchors.rs` in a way
+//! that is easy to consume for use as `extra_roots` in rustls-platform-verifier.
+
+use std::{
+    fs, process::Command, sync::{Arc, Mutex}
+};
+
+use rustls::{
+    DigitallySignedStruct, Error, RootCertStore, SignatureScheme,
+    client::{
+        WebPkiServerVerifier,
+        danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+    },
+    crypto::{CryptoProvider, aws_lc_rs},
+    pki_types::{CertificateDer, ServerName, TrustAnchor, UnixTime},
+};
+use tempfile::NamedTempFile;
+use tokio::net::TcpStream;
+use tokio_rustls::TlsConnector;
+use webpki::{EndEntityCert, anchor_from_trusted_cert};
+use webpki_root_certs::TLS_SERVER_ROOT_CERTS;
+
+#[tokio::test]
+async fn store_static_roots() {
+    let provider = Arc::new(aws_lc_rs::default_provider());
+    let mut root_store = RootCertStore::empty();
+    let mut roots = Vec::with_capacity(TLS_SERVER_ROOT_CERTS.len());
+    for cert_der in TLS_SERVER_ROOT_CERTS {
+        let ta = anchor_from_trusted_cert(cert_der).unwrap();
+        roots.push((cert_der, ta.clone()));
+        root_store.roots.push(ta);
+    }
+
+    let root_store = Arc::new(root_store);
+    let inner = WebPkiServerVerifier::builder_with_provider(root_store.clone(), provider.clone())
+        .build()
+        .unwrap();
+
+    let verifier = Arc::new(TrackRootVerifier {
+        root: Mutex::default(),
+        roots: root_store,
+        inner,
+        provider: provider.clone(),
+    });
+
+    let config = Arc::new(
+        rustls::ClientConfig::builder_with_provider(provider)
+            .with_safe_default_protocol_versions()
+            .unwrap()
+            .dangerous()
+            .with_custom_certificate_verifier(verifier.clone())
+            .with_no_client_auth(),
+    );
+
+    let mut code = "// @generated by tests/static_roots.rs\n".to_string();
+    code.push_str("use rustls::pki_types::CertificateDer;\n\n");
+    code.push_str("pub(crate) const RUSTUP_TRUST_ANCHORS: &[CertificateDer<'static>] = &[\n");
+    let connector = TlsConnector::from(config);
+    for &host in HOSTS {
+        connector
+            .connect(
+                ServerName::try_from(host).unwrap(),
+                TcpStream::connect((host, 443)).await.unwrap(),
+            )
+            .await
+            .unwrap();
+
+        let root = verifier.root.lock().unwrap().take().unwrap();
+        let root_cert = roots
+            .iter()
+            .find_map(|(cert_der, ta)| match ta == &root {
+                true => Some(cert_der),
+                false => None,
+            })
+            .unwrap();
+
+        code.push_str(&format!("    CertificateDer::from_slice(&{:?}),\n", root_cert.as_ref()));
+    }
+    code.push_str("];\n");
+
+    let tmp = NamedTempFile::new().unwrap();
+    fs::write(&tmp, &code).unwrap();
+    Command::new("rustfmt").arg(tmp.path()).status().unwrap();
+    let new = fs::read_to_string(&tmp).unwrap();
+
+    let old = fs::read_to_string(PATH).unwrap();
+    if old != new {
+        fs::rename(tmp.path(), PATH).unwrap();
+        panic!("anchors.rs is outdated; updated it");
+    }
+}
+
+const PATH: &str = "src/anchors.rs";
+
+#[derive(Debug)]
+struct TrackRootVerifier {
+    root: Mutex<Option<TrustAnchor<'static>>>,
+    inner: Arc<WebPkiServerVerifier>,
+    roots: Arc<RootCertStore>,
+    provider: Arc<CryptoProvider>,
+}
+
+impl ServerCertVerifier for TrackRootVerifier {
+    fn verify_server_cert(
+        &self,
+        end_entity: &CertificateDer<'_>,
+        intermediates: &[CertificateDer<'_>],
+        server_name: &ServerName<'_>,
+        ocsp_response: &[u8],
+        now: UnixTime,
+    ) -> Result<ServerCertVerified, Error> {
+        let verified = self.inner.verify_server_cert(
+            end_entity,
+            intermediates,
+            server_name,
+            ocsp_response,
+            now,
+        )?;
+
+        let cert = EndEntityCert::try_from(end_entity)
+            .map_err(|e| Error::General(format!("invalid end entity certificate: {e}")))?;
+
+        let path = cert
+            .verify_for_usage(
+                &self.provider.signature_verification_algorithms.all,
+                &self.roots.roots,
+                intermediates,
+                now,
+                webpki::KeyUsage::server_auth(),
+                None,
+                None,
+            )
+            .unwrap();
+
+        let mut root = self.root.lock().unwrap();
+        *root = Some(path.anchor().to_owned());
+        Ok(verified)
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        self.inner.verify_tls12_signature(message, cert, dss)
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, Error> {
+        self.inner.verify_tls13_signature(message, cert, dss)
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        self.inner.supported_verify_schemes()
+    }
+}
+
+const HOSTS: &[&str] = &[
+    "fastly-static.rust-lang.org",
+    "cloudfront-static.rust-lang.org",
+];