rustls / rustls-native-certs

Integration with OS certificate stores for rustls

Android and iOS support #3

Open quininer opened 4 years ago

quininer commented 4 years ago

I think we can look at how chromium is implemented.

https://github.com/chromium/chromium/blob/master/net/cert/cert_verify_proc_android.cc https://github.com/chromium/chromium/blob/master/net/cert/cert_verify_proc_ios.cc

buraktabn commented 2 years ago

Any updates on this?

djc commented 2 years ago

Nope -- but if you're willing to contribute I'm happy to provide any guidance you need.

buraktabn commented 2 years ago

TBH, I was planning on it because of https://github.com/paritytech/subxt/issues/563. However, using webpki seems to work on Android.

cpu commented 1 year ago

Android and iOS are both supported by https://github.com/rustls/rustls-platform-verifier

Is there user demand for a native-certs solution or should we suggest users consider using the platform verifier instead? That crate isn't quite ready for primetime but I also suspect we can get it ready sooner than we could add support for those platforms here.

djc commented 1 year ago

iOS support might be as easy as enabling the security-framework path for ios in addition to macos, I think?

But in general, the rustls-platform-verifier is probably a better alternative for most use cases.

djc commented 7 months ago

rustls-platform-verifier has been released and is probably a better option in most cases.

stormshield-gt commented 3 weeks ago

reqwest already supports rustls-native-certs but not rustls-platform-verifier (https://github.com/seanmonstar/reqwest/pull/2286#discussion_r1609846678), blocked by https://github.com/rustls/rustls-platform-verifier/issues/58. https://github.com/rustls/rustls-platform-verifier/issues/58 seems harder to resolve than this current issue. Am I right?

Do you think it would be reasonable to work on this issue first, enabling the use of reqwest with rustls on Android by loading the cert store? I mean, if you are open to contributions. I know right now it's possible to embed a store with rustls-webpki-roots, but it does not fit our needs.

djc commented 3 weeks ago

Happy to review a PR for this but want to caution that if this needs too much complexity we might want to avoid it in favor of improving the platform verifier crate instead.

If you want to contribute, maybe you can contribute there?

stormshield-gt commented 3 weeks ago

Yes, hopefully I have some bandwidth to contribute here. Do you have any guidance on how things should be done? Maybe we can talk about it on the rustls discord server if you want?

djc commented 3 weeks ago

@stormshield-gt happy to discuss on Discord.

ctz commented 3 weeks ago

I would suggest, first, that this issue is asking for almost entirely unrelated things.

iOS: AFAIK this is not possible -- the macOS APIs we use aren't available on iOS. But I'm not an iOS expert, and could well be wrong. The linked code in the OP is not doing the job that is required here; it is using the system verifier rather than extracting the trusted certs.

Android: ditto, the linked code above is not what is needed for this crate. However, I am pretty sure there will be a way via the android keystore service & AndroidCAStore; the question is really whether that can be reasonably accessed from pure rust, or whether it needs a java<->JNI<->rust bridge. If it requires a java component (with the build and packaging complexities), I think it probably doesn't have a good home in this crate (since it cannot conform to the unified API we want). I don't know the answers here, but the starting point would be to make (or find) a rust crate that allows keystore access.

djc commented 3 weeks ago

As soon as we get to that level of complexity, it seems like we'd almost certainly be better off relying on the context/build infra/testing we already have in place in the rustls-platform-verifier repo.

stormshield-gt commented 3 weeks ago

Thanks a lot for the guidance. By checking things on my side, I reached the same conclusion. It seems like everybody agrees that it would be better to look into supporting extra roots inside rustls-platform-verifier to unlock the reqwest integration. I will put some effort in that direction.

ctz commented 3 weeks ago

On the android side I just came across this in golang: https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L26-L30
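Added example, not code from rustls-native-certs or from the linked Go file: a std-only Rust sketch of what adapting Go's approach to Android would look like, assuming the directory Go lists (/system/etc/security/cacerts) holds one PEM file per CA, possibly with a text dump after the PEM block. As noted above, this only covers Android system roots, not iOS.

```rust
// Added example, not rustls-native-certs code: collect Android-style CA roots (std-only).
use std::{collections::HashSet, fs, path::Path};

const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
/// Standard-alphabet base64 decoder; skips whitespace, stops at '=', rejects other bytes.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes().take_while(|&c| c != b'=') {
        if c.is_ascii_whitespace() { continue; }
        let v = ALPHABET.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// DER bytes of every CERTIFICATE block in `pem`; text outside the markers
/// (Android's cacerts files are assumed to append a text dump) is ignored.
pub fn pem_certificates(pem: &str) -> Vec<Vec<u8>> {
    let (begin, end) = ("-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");
    let (mut ders, mut rest) = (Vec::new(), pem);
    while let Some(start) = rest.find(begin) {
        let body = &rest[start + begin.len()..];
        let stop = match body.find(end) { Some(s) => s, None => break };
        match base64_decode(&body[..stop]) {
            Some(der) if !der.is_empty() => ders.push(der),
            _ => {} // malformed block: skip it, keep loading the rest
        }
        rest = &body[stop + end.len()..];
    }
    ders
}

/// Unique DER certs from every readable file in `dir` (assumed: /system/etc/security/cacerts).
pub fn load_cert_dir(dir: &Path) -> std::io::Result<Vec<Vec<u8>>> {
    let (mut seen, mut ders) = (HashSet::new(), Vec::new());
    for entry in fs::read_dir(dir)? {
        let path = entry?.path();
        let text = match fs::read_to_string(&path) { Ok(t) => t, Err(_) => continue };
        for der in pem_certificates(&text) {
            if seen.insert(der.clone()) { ders.push(der); }
        }
    }
    Ok(ders)
}
```

The returned DER blobs are what a rustls RootCertStore would be fed; parsing and trust decisions stay with rustls/webpki.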

stormshield-gt commented 3 weeks ago

For iOS, they used to embed the cert store statically and then switched to using the platform verifier: https://github.com/golang/go/commit/b74f2efc47bbfcc4aa301ebda1033948d8b6b63e. That seems to confirm there is no API for loading the store on this platform.

cpu commented 2 weeks ago

> On the android side I just came across this in golang: https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L26-L30

This seems like it could be reasonably adapted to this crate, but I echo @djc's concerns that when you start to consider test coverage for Android it would ratchet up the complexity of this repo's CI more than I think is deserved.

Given there's no good solution for iOS I suspect most users invested in a "native" experience that includes mobile platforms will want to use rustls-platform-verifier anyway since only supporting Android is probably of limited utility. I'm inclined to say we should call this a WONTFIX for this repo and continue to try and invest in the platform verifier crate. Thoughts?

djc commented 2 weeks ago

(There was some follow-up in https://github.com/rustls/rustls-platform-verifier/issues/58#issuecomment-2299022565.)