Cargo: update to rustls 0.22, associated updates

For the time being, this branch continues to unconditionally use *ring*
as the crypto provider. Follow-up work to expose this as a choice (e.g
allowing aws-lc-rs as a provider) may be interesting.

Deps:
* updated rustls 0.21 -> 0.22.1

Linux deps:
* rustls-native-certs 0.6 -> 0.7
* webpki 0.101 -> 0.102

Android deps:
* webpki 0.101 -> 0.102

WASM32 deps:
* webpki-roots 0.25 -> 0.26

Summary of breaking change updates:
* We use rustls 0.22.1 in specific to benefit from the `pki_types`
  re-export, removing the need to add that as our own dep with matching
  version.
* `ServerName`, `Certificate`, and `OwnedTrustAnchor` types are now
  sourced from `pki_types`, with an associated generic lifetime. The
  `OwnedTrustAnchor` type is now just `TrustAnchor`.
* The 'dangerous' rustls crate feature was removed, and associated items
  moved into new locations with the import path emphasizing danger.
* "Other error" types changed to use a specific `rustls::OtherError`
  inner variant.
* `SystemTime` for verifiers replaced with `pki_types::UnixTime`.
* Default fns on `ServerCertVerifier` trait were removed, must be
  reconstituted with `rustls::verify_tls12_signature`,
  `rustls::verify_tls13_signature` and
  `WebPkiSupportedAlgorithms.supported_schemes` using
  a `CryptoProvider`.
* `ServerName` now supports a `to_str` operation, avoiding the need to
  `match` and handle unsupported name types.
* `WebPkiVerifier` was renamed to `WebPkiServerVerifier`, handled as an
  `Arc` and constructed with a builder.

Author: cpu

Cargo.lock

@@ -37,26 +37,26 @@ cert-logging = ["base64"]
 docsrs = ["jni", "once_cell"]
 
 [dependencies]
-rustls = { version = "0.21", features = ["dangerous_configuration", "tls12", "logging"] }
+rustls = { version = "0.22.1", features = ["tls12", "logging"] }
 log = { version = "0.4" }
 base64 = { version = "0.21", optional = true } # Only used when the `cert-logging` feature is enabled.
 jni = { version = "0.19", default-features = false, optional = true } # Only used during doc generation
 once_cell = { version = "1.9", optional = true } # Only used during doc generation.
 
 [target.'cfg(target_os = "linux")'.dependencies]
-rustls-native-certs = "0.6"
+rustls-native-certs = "0.7"
 once_cell = "1.9"
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 
 [target.'cfg(target_os = "android")'.dependencies]
 jni = { version = "0.19", default-features = false }
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 once_cell = "1.9"
 android_logger = { version = "0.13", optional = true } # Only used during testing.
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 once_cell = "1.9"
-webpki-roots = "0.25"
+webpki-roots = "0.26"
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 core-foundation = "0.9"

Cargo.toml

@@ -52,26 +52,26 @@ pub use tests::ffi::*;
 ///
 /// If you require more control over the rustls `ClientConfig`, you can
 /// instantiate a [Verifier] with [Verifier::default] and then use it
-/// with [rustls::ConfigBuilder::with_custom_certificate_verifier].
+/// with [rustls::ConfigBuilder::dangerous::with_custom_certificate_verifier].
 ///
 /// Refer to the crate level documentation to see what platforms
 /// are currently supported.
 pub fn tls_config() -> ClientConfig {
-    rustls::ClientConfig::builder()
-        .with_safe_defaults()
+    ClientConfig::builder()
+        .dangerous()
         .with_custom_certificate_verifier(verifier_for_testing())
         .with_no_client_auth()
 }
 
 /// Exposed for test usage. Don't use this, use [tls_config] instead.
 ///
 /// This verifier must be exactly equivalent to the verifier used in the `ClientConfig` returned by [tls_config].
-pub(crate) fn verifier_for_testing() -> Arc<dyn rustls::client::ServerCertVerifier> {
+pub(crate) fn verifier_for_testing() -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new())
 }
 
 /// Exposed for debugging customer certificate issues. Don't use this, use [tls_config] instead.
 #[cfg(feature = "dbg")]
-pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::ServerCertVerifier> {
+pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }

src/lib.rs

@@ -39,6 +39,7 @@ pub fn assert_cert_error_eq<E: StdError + PartialEq + 'static>(
     if let Err(InvalidCertificate(CertificateError::Other(err))) = &expected {
         let expected_err = expected_err.expect("error not provided for `Other` case handling");
         let err: &E = err
+            .0
             .downcast_ref()
             .expect("incorrect `Other` inner error kind");
         assert_eq!(err, expected_err);