with_native_roots: Restore robustness to unparseable certs

rustls-native-certs used to filter out invalid certs on Unix, where
certs are parsed from PEM files.
rustls/rustls-native-certs#26 changed it
to passing them unparsed.  Now that hyper-rustls does the parsing,
keep being robust to invalid certs.  Implementation modified from
rustls::RootCertStore::add_parsable_certificates, which cannot be
used directly due to a newtype in rustls-native-certs.

Author: g2p

src/config.rs

@@ -23,11 +23,25 @@ impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
     #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
     fn with_native_roots(self) -> ClientConfig {
         let mut roots = rustls::RootCertStore::empty();
+        let mut valid_count = 0;
+        let mut invalid_count = 0;
+
         for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
         {
-            roots.add(&rustls::Certificate(cert.0)).unwrap();
+            let cert = rustls::Certificate(cert.0);
+            match roots.add(&cert) {
+                Ok(_) => valid_count += 1,
+                Err(err) => {
+                    log::trace!("invalid cert der {:?}", cert.0);
+                    log::debug!("certificate parsing failed: {:?}", err);
+                    invalid_count += 1
+                }
+            }
         }
-
+        log::debug!(
+            "with_native_roots processed {} valid and {} invalid certs",
+            valid_count, invalid_count
+        );
         assert!(!roots.is_empty(), "no CA certificates found");
 
         self.with_root_certificates(roots).with_no_client_auth()