Add HttpsConnectorBuilder

This gives more control over various rustls features,
as well as ensures that enabling connector features
like http1/http2 can only be done when the appropriate
crate features are enabled.

Author: g2p

Cargo.toml

@@ -11,34 +11,33 @@ repository = "https://github.com/ctz/hyper-rustls"
 
 [dependencies]
 log = "0.4.4"
-ct-logs = { version = "^0.9", optional = true }
-hyper = { version = "0.14", default-features = false, features = ["client", "http1"] }
+http = "0.2"
+hyper = { version = "0.14", default-features = false, features = ["client"] }
 rustls = "0.20"
-rustls-native-certs = { git = "https://github.com/djc/rustls-native-certs", branch = "no-rustls", optional = true }
-rustls-pemfile = { version = "0.2.1" }
+rustls-native-certs = { git = "https://github.com/rustls/rustls-native-certs", default-features = false, optional = true }
 tokio = "1.0"
-tokio-rustls = { version = "0.23", git = "https://github.com/tokio-rs/tls" }
-webpki = "0.22.0"
+tokio-rustls = "0.23"
 webpki-roots = { version = "0.22", optional = true }
 
 [dev-dependencies]
 async-stream = "0.3.0"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 hyper = { version = "0.14", features = ["full"] }
 futures-util = { version = "0.3.1", default-features = false }
+rustls-pemfile = { version = "0.2.1" }
 
 [features]
 default = ["native-tokio", "http1"]
 http1 = ["hyper/http1"]
 http2 = ["hyper/http2"]
 webpki-tokio = ["tokio-runtime", "webpki-roots"]
 native-tokio = ["tokio-runtime", "rustls-native-certs"]
-tokio-runtime =  ["hyper/runtime", "ct-logs"]
+tokio-runtime =  ["hyper/runtime"]
 
 [[example]]
 name = "client"
 path = "examples/client.rs"
-required-features = ["native-tokio", "tokio-runtime"]
+required-features = ["native-tokio", "http1"]
 
 [[example]]
 name = "server"
@@ -48,6 +47,3 @@ required-features = ["tokio-runtime"]
 [package.metadata.docs.rs]
 all-features = true
 rustdoc-args = ["--cfg", "docsrs"]
-
-[patch."crates-io"]
-rustls = { git = "https://github.com/ctz/rustls" }

examples/client.rs

@@ -3,6 +3,7 @@
 //! First parameter is the mandatory URL to GET.
 //! Second parameter is an optional path to CA store.
 use hyper::{body::to_bytes, client, Body, Uri};
+use hyper_rustls::ConfigBuilderExt;
 use rustls::RootCertStore;
 
 use std::str::FromStr;
@@ -42,28 +43,30 @@ async fn run_client() -> io::Result<()> {
         None => None,
     };
 
-    // Prepare the HTTPS connector.
-    let https = match ca {
+    // Prepare the TLS client config
+    let config = match ca {
         Some(ref mut rd) => {
-            // Build an HTTP connector which supports HTTPS too.
-            let mut http = client::HttpConnector::new();
-            http.enforce_http(false);
-            // Read trust roots
             let certs = rustls_pemfile::certs(rd)
                 .map_err(|_| error("failed to load custom CA store".into()))?;
             let mut roots = RootCertStore::empty();
             roots.add_parsable_certificates(&certs);
-            // Build a TLS client, using the custom CA store for lookups.
-            let tls = rustls::ClientConfig::builder()
+            // TLS client config using the custom CA store for lookups
+            rustls::ClientConfig::builder()
                 .with_safe_defaults()
                 .with_root_certificates(roots)
-                .with_no_client_auth();
-            // Join the above part into an HTTPS connector.
-            hyper_rustls::HttpsConnector::from((http, tls))
+                .with_no_client_auth()
         }
-        // Default HTTPS connector.
-        None => hyper_rustls::HttpsConnector::with_native_roots(),
+        // Default TLS client config with native roots
+        None => rustls::ClientConfig::builder()
+            .with_safe_defaults()
+            .with_native_roots(),
     };
+    // Prepare the HTTPS connector
+    let https = hyper_rustls::HttpsConnectorBuilder::new()
+        .with_tls_config(config)
+        .https_or_http()
+        .enable_http1()
+        .build();
 
     // Build the hyper client from the HTTPS connector.
     let client: client::Client<_, hyper::Body> = client::Client::builder().build(https);

src/config.rs

@@ -0,0 +1,49 @@
+use rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
+
+/// Methods for configuring roots
+///
+/// This adds methods (gated by crate features) for easily configuring
+/// TLS server roots a rustls ClientConfig will trust.
+pub trait ConfigBuilderExt {
+    /// This configures the platform's trusted certs, as implemented by
+    /// rustls-native-certs
+    #[cfg(feature = "rustls-native-certs")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
+    fn with_native_roots(self) -> ClientConfig;
+
+    /// This configures the webpki roots, which are Mozilla's set of
+    /// trusted roots as packaged by webpki-roots.
+    #[cfg(feature = "webpki-roots")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
+    fn with_webpki_roots(self) -> ClientConfig;
+}
+
+impl ConfigBuilderExt for ConfigBuilder<ClientConfig, WantsVerifier> {
+    #[cfg(feature = "rustls-native-certs")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
+    fn with_native_roots(self) -> ClientConfig {
+        let mut roots = rustls::RootCertStore::empty();
+        for cert in rustls_native_certs::load_native_certs().expect("could not load platform certs")
+        {
+            roots.add(&rustls::Certificate(cert.0)).unwrap();
+        }
+
+        assert!(!roots.is_empty(), "no CA certificates found");
+
+        self.with_root_certificates(roots).with_no_client_auth()
+    }
+
+    #[cfg(feature = "webpki-roots")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
+    fn with_webpki_roots(self) -> ClientConfig {
+        let mut roots = rustls::RootCertStore::empty();
+        roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+            rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                ta.subject,
+                ta.spki,
+                ta.name_constraints,
+            )
+        }));
+        self.with_root_certificates(roots).with_no_client_auth()
+    }
+}

src/connector.rs

@@ -1,94 +1,26 @@
+use std::convert::TryFrom;
 use std::future::Future;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::task::{Context, Poll};
 use std::{fmt, io};
-use std::convert::TryFrom;
 
-#[cfg(feature = "tokio-runtime")]
-use hyper::client::connect::HttpConnector;
 use hyper::{client::connect::Connection, service::Service, Uri};
-use rustls::{ClientConfig, RootCertStore};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::TlsConnector;
 
 use crate::stream::MaybeHttpsStream;
 
+pub mod builder;
+
 type BoxError = Box<dyn std::error::Error + Send + Sync>;
 
 /// A Connector for the `https` scheme.
 #[derive(Clone)]
 pub struct HttpsConnector<T> {
     force_https: bool,
     http: T,
-    tls_config: Arc<ClientConfig>,
-}
-
-#[cfg(all(
-    any(feature = "rustls-native-certs", feature = "webpki-roots"),
-    feature = "tokio-runtime"
-))]
-impl HttpsConnector<HttpConnector> {
-    /// Construct a new `HttpsConnector` using the OS root store
-    #[cfg(feature = "rustls-native-certs")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
-    pub fn with_native_roots() -> Self {
-        let certs = match rustls_native_certs::load_native_certs() {
-            Ok(certs) => certs,
-            Err(err) => Err(err).expect("cannot access native cert store"),
-        };
-
-        if certs.is_empty() {
-            panic!("no CA certificates found");
-        }
-
-        let mut roots = RootCertStore::empty();
-        for cert in certs {
-            roots.add_parsable_certificates(&[cert.0]);
-        }
-
-        Self::build(roots)
-    }
-
-    /// Construct a new `HttpsConnector` using the `webpki_roots`
-    #[cfg(feature = "webpki-roots")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
-    pub fn with_webpki_roots() -> Self {
-        let mut roots = rustls::RootCertStore::empty();
-        roots.add_server_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0);
-        Self::build(roots)
-    }
-
-    /// Force the use of HTTPS when connecting.
-    ///
-    /// If a URL is not `https` when connecting, an error is returned. Disabled by default.
-    pub fn https_only(&mut self, enable: bool) {
-        self.force_https = enable;
-    }
-
-    fn build(mut config: ClientConfig) -> Self {
-        let mut http = HttpConnector::new();
-        http.enforce_http(false);
-
-        config.alpn_protocols.clear();
-        #[cfg(feature = "http2")]
-        {
-            config.alpn_protocols.push(b"h2".to_vec());
-        }
-
-        #[cfg(feature = "http1")]
-        {
-            config.alpn_protocols.push(b"http/1.1".to_vec());
-        }
-
-        //let mut config = ClientConfig::builder()
-        //    .with_safe_defaults()
-        //    .with_root_certificates(roots)
-        //    //.with_certificate_transparency_logs(ct_logs::LOGS, XXX)
-        //    .with_no_client_auth();
-
-        (http, config).into()
-    }
+    tls_config: Arc<rustls::ClientConfig>,
 }
 
 impl<T> fmt::Debug for HttpsConnector<T> {
@@ -101,7 +33,7 @@ impl<T> fmt::Debug for HttpsConnector<T> {
 
 impl<H, C> From<(H, C)> for HttpsConnector<H>
 where
-    C: Into<Arc<ClientConfig>>,
+    C: Into<Arc<rustls::ClientConfig>>,
 {
     fn from((http, cfg): (H, C)) -> Self {
         HttpsConnector {
@@ -135,38 +67,43 @@ where
     }
 
     fn call(&mut self, dst: Uri) -> Self::Future {
-        let is_https = dst.scheme_str() == Some("https");
-
-        if !is_https && self.force_https {
-            // Early abort if HTTPS is forced but can't be used
-            let err = io::Error::new(io::ErrorKind::Other, "https required but URI was not https");
-            Box::pin(async move { Err(err.into()) })
-        } else if !is_https {
-            let connecting_future = self.http.call(dst);
-
-            let f = async move {
-                let tcp = connecting_future.await.map_err(Into::into)?;
-
-                Ok(MaybeHttpsStream::Http(tcp))
-            };
-            Box::pin(f)
+        // dst.scheme() would need to derive Eq to be matchable;
+        // use an if cascade instead
+        if let Some(sch) = dst.scheme() {
+            if sch == &http::uri::Scheme::HTTP && !self.force_https {
+                let connecting_future = self.http.call(dst);
+
+                let f = async move {
+                    let tcp = connecting_future.await.map_err(Into::into)?;
+
+                    Ok(MaybeHttpsStream::Http(tcp))
+                };
+                Box::pin(f)
+            } else if sch == &http::uri::Scheme::HTTPS {
+                let cfg = self.tls_config.clone();
+                let hostname = dst.host().unwrap_or_default().to_string();
+                let connecting_future = self.http.call(dst);
+
+                let f = async move {
+                    let tcp = connecting_future.await.map_err(Into::into)?;
+                    let connector = TlsConnector::from(cfg);
+                    let dnsname = rustls::ServerName::try_from(hostname.as_str())
+                        .map_err(|_| io::Error::new(io::ErrorKind::Other, "invalid dnsname"))?;
+                    let tls = connector
+                        .connect(dnsname, tcp)
+                        .await
+                        .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
+                    Ok(MaybeHttpsStream::Https(tls))
+                };
+                Box::pin(f)
+            } else {
+                let err =
+                    io::Error::new(io::ErrorKind::Other, format!("Unsupported scheme {}", sch));
+                Box::pin(async move { Err(err.into()) })
+            }
         } else {
-            let cfg = self.tls_config.clone();
-            let hostname = dst.host().unwrap_or_default().to_string();
-            let connecting_future = self.http.call(dst);
-
-            let f = async move {
-                let tcp = connecting_future.await.map_err(Into::into)?;
-                let connector = TlsConnector::from(cfg);
-                let dnsname = rustls::ServerName::try_from(hostname.as_str())
-                    .map_err(|_| io::Error::new(io::ErrorKind::Other, "invalid dnsname"))?;
-                let tls = connector
-                    .connect(dnsname, tcp)
-                    .await
-                    .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
-                Ok(MaybeHttpsStream::Https(tls))
-            };
-            Box::pin(f)
+            let err = io::Error::new(io::ErrorKind::Other, "Missing scheme");
+            Box::pin(async move { Err(err.into()) })
         }
     }
 }