Cargo: update to rustls 0.22, associated updates

For the time being, this branch continues to unconditionally use *ring*
as the crypto provider. Follow-up work to expose this as a choice (e.g
allowing aws-lc-rs as a provider) may be interesting.

Deps:
* updated rustls 0.21 -> 0.22.1

Linux deps:
* rustls-native-certs 0.6 -> 0.7
* webpki 0.101 -> 0.102

Android deps:
* webpki 0.101 -> 0.102

WASM32 deps:
* webpki-roots 0.25 -> 0.26

Summary of breaking change updates:
* We use rustls 0.22.1 in specific to benefit from the `pki_types`
  re-export, removing the need to add that as our own dep with matching
  version.
* `ServerName`, `Certificate`, and `OwnedTrustAnchor` types are now
  sourced from `pki_types`, with an associated generic lifetime. The
  `OwnedTrustAnchor` type is now just `TrustAnchor`.
* The 'dangerous' rustls crate feature was removed, and associated items
  moved into new locations with the import path emphasizing danger.
* "Other error" types changed to use a specific `rustls::OtherError`
  inner variant.
* `SystemTime` for verifiers replaced with `pki_types::UnixTime`.
* Default fns on `ServerCertVerifier` trait were removed, must be
  reconstituted with `rustls::verify_tls12_signature`,
  `rustls::verify_tls13_signature` and
  `WebPkiSupportedAlgorithms.supported_schemes` using
  a `CryptoProvider`.
* `ServerName` now supports a `to_str` operation, avoiding the need to
  `match` and handle unsupported name types.
* `WebPkiVerifier` was renamed to `WebPkiServerVerifier`, handled as an
  `Arc` and constructed with a builder.

Author: cpu

Cargo.lock

@@ -29,31 +29,31 @@ cert-logging = ["base64"]
 docsrs = ["jni", "once_cell"]
 
 [dependencies]
-rustls = { version = "0.21", features = ["dangerous_configuration", "tls12", "logging"] }
+rustls = { version = "0.22.1", features = ["tls12", "logging"] }
 log = { version = "0.4" }
 base64 = { version = "0.21", optional = true } # Only used when the `cert-logging` feature is enabled.
 jni = { version = "0.19", default-features = false, optional = true } # Only used during doc generation
 once_cell = { version = "1.9", optional = true } # Only used during doc generation.
 
 [target.'cfg(all(unix, not(target_os = "android"), not(target_os = "macos"), not(target_os = "ios")))'.dependencies]
-rustls-native-certs = "0.6"
+rustls-native-certs = "0.7"
 once_cell = "1.9"
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 
 [target.'cfg(target_os = "android")'.dependencies]
 rustls-platform-verifier-android = { path = "../android-release-support", version = "0.1.0" }
 jni = { version = "0.19", default-features = false }
-webpki = { package = "rustls-webpki", version = "0.101", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.102", features = ["ring", "alloc", "std"] }
 once_cell = "1.9"
 android_logger = { version = "0.13", optional = true } # Only used during testing.
 
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 once_cell = "1.9"
-webpki-roots = "0.25"
+webpki-roots = "0.26"
 
 # BSD targets require webpki-roots for the real-world verification tests.
 [target.'cfg(target_os = "freebsd")'.dev-dependencies]
-webpki-roots = "0.25"
+webpki-roots = "0.26"
 
 [target.'cfg(any(target_os = "macos", target_os = "ios"))'.dependencies]
 core-foundation = "0.9"

rustls-platform-verifier/Cargo.toml

@@ -54,13 +54,13 @@ pub use tests::ffi::*;
 ///
 /// If you require more control over the rustls `ClientConfig`, you can
 /// instantiate a [Verifier] with [Verifier::default] and then use it
-/// with [rustls::ConfigBuilder::with_custom_certificate_verifier].
+/// with [rustls::ConfigBuilder::dangerous::with_custom_certificate_verifier].
 ///
 /// Refer to the crate level documentation to see what platforms
 /// are currently supported.
 pub fn tls_config() -> ClientConfig {
-    rustls::ClientConfig::builder()
-        .with_safe_defaults()
+    ClientConfig::builder()
+        .dangerous()
         .with_custom_certificate_verifier(Arc::new(Verifier::new()))
         .with_no_client_auth()
 }
@@ -69,6 +69,6 @@ pub fn tls_config() -> ClientConfig {
 ///
 /// This is not intended for production use, you should use [tls_config] instead.
 #[cfg(feature = "dbg")]
-pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::ServerCertVerifier> {
+pub fn verifier_for_dbg(root: &[u8]) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
     Arc::new(Verifier::new_with_fake_root(root))
 }

rustls-platform-verifier/src/lib.rs

@@ -2,13 +2,13 @@
 pub mod ffi;
 
 use std::error::Error as StdError;
-use std::time::{Duration, SystemTime};
+use std::time::Duration;
 
 mod verification_real_world;
 
 mod verification_mock;
 
-use rustls::{CertificateError, Error as TlsError, Error::InvalidCertificate};
+use rustls::{pki_types, CertificateError, Error as TlsError, Error::InvalidCertificate};
 
 struct TestCase<'a, E: StdError> {
     /// The name of the server we're connecting to.
@@ -21,7 +21,7 @@ struct TestCase<'a, E: StdError> {
     pub stapled_ocsp: Option<&'a [u8]>,
 
     /// The time to use as the current time for verification.
-    pub verification_time: SystemTime,
+    pub verification_time: pki_types::UnixTime,
 
     pub expected_result: Result<(), TlsError>,
 
@@ -43,6 +43,7 @@ pub fn assert_cert_error_eq<E: StdError + PartialEq + 'static>(
     if let Err(InvalidCertificate(CertificateError::Other(err))) = &expected {
         let expected_err = expected_err.expect("error not provided for `Other` case handling");
         let err: &E = err
+            .0
             .downcast_ref()
             .expect("incorrect `Other` inner error kind");
         assert_eq!(err, expected_err);
@@ -56,7 +57,7 @@ pub fn assert_cert_error_eq<E: StdError + PartialEq + 'static>(
 /// We fix the "now" value used for certificate validation to a fixed point in time at which
 /// we know the test certificates are valid. This must be updated if the mock certificates
 /// are regenerated.
-pub(crate) fn verification_time() -> SystemTime {
+pub(crate) fn verification_time() -> pki_types::UnixTime {
     // Wednesday, January 3, 2024 6:03:08 PM UTC
-    SystemTime::UNIX_EPOCH + Duration::from_secs(1_704_304_988)
+    pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_704_304_988))
 }