fix(sui-http): use explicit rustls::CryptoProvider (#25106) (#25147)

If multiple crypto-provider related features are enabled on `rustls`, it
will panic because it doesn't know how to pick a default one. We should
not rely on the default, choosing instead fo pick an explicit provider.

CI

---

Check each box that your changes affect. If none of the boxes relate to
your changes, release notes aren't required.

For each box you select, include information after the relevant heading
that describes the impact of your changes that a user might notice and
any actions they must take to implement updates.

- [ ] Protocol:
- [ ] Nodes (Validators and Full nodes):
- [ ] gRPC:
- [ ] JSON-RPC:
- [ ] GraphQL:
- [ ] CLI:
- [ ] Rust SDK:
- [ ] Indexing Framework:

## Description 

Describe the changes or additions included in this PR.

## Test plan 

How did you test the new or updated feature?

---

## Release notes

Check each box that your changes affect. If none of the boxes relate to
your changes, release notes aren't required.

For each box you select, include information after the relevant heading
that describes the impact of your changes that a user might notice and
any actions they must take to implement updates.

- [ ] Protocol: 
- [ ] Nodes (Validators and Full nodes): 
- [ ] gRPC:
- [ ] JSON-RPC: 
- [ ] GraphQL: 
- [ ] CLI: 
- [ ] Rust SDK:
- [ ] Indexing Framework:

Author: joyqvq

crates/sui-http/src/lib.rs

@@ -72,9 +72,12 @@ impl Builder {
 
         let certs = CertificateDer::pem_file_iter(cert_file)?.collect::<Result<_, _>>()?;
         let private_key = PrivateKeyDer::from_pem_file(private_key_file)?;
-        let tls_config = rustls::ServerConfig::builder()
-            .with_no_client_auth()
-            .with_single_cert(certs, private_key)?;
+        let tls_config = rustls::ServerConfig::builder_with_provider(Arc::new(
+            rustls::crypto::ring::default_provider(),
+        ))
+        .with_protocol_versions(rustls::DEFAULT_VERSIONS)?
+        .with_no_client_auth()
+        .with_single_cert(certs, private_key)?;
 
         Ok(self.tls_config(tls_config))
     }

crates/sui-types/src/multisig_legacy.rs

@@ -150,9 +150,8 @@ impl TryFrom<MultiSigPublicKeyLegacy> for MultiSigPublicKey {
 
 /// Convert a roaring bitmap to plain bitmap.
 pub fn bitmap_to_u16(roaring: RoaringBitmap) -> Result<u16, FastCryptoError> {
-    let indices: Vec<u32> = roaring.into_iter().collect();
     let mut val = 0;
-    for i in indices {
+    for i in roaring {
         if i >= 10 {
             return Err(FastCryptoError::InvalidInput);
         }

crates/sui-types/src/sui_serde.rs

@@ -21,6 +21,7 @@ use serde_with::{Bytes, DeserializeAs, SerializeAs};
 
 use sui_protocol_config::ProtocolVersion;
 
+use crate::governance::MAX_VALIDATOR_COUNT;
 use crate::{
     DEEPBOOK_ADDRESS, SUI_CLOCK_ADDRESS, SUI_FRAMEWORK_ADDRESS, SUI_SYSTEM_ADDRESS,
     SUI_SYSTEM_STATE_ADDRESS, parse_sui_struct_tag, parse_sui_type_tag,
@@ -343,6 +344,19 @@ impl<'de> DeserializeAs<'de, roaring::RoaringBitmap> for SuiBitmap {
 // So this function is needed to sanitize the bitmap to ensure unique entries.
 pub(crate) fn deserialize_sui_bitmap(bytes: &[u8]) -> std::io::Result<roaring::RoaringBitmap> {
     let orig_bitmap = roaring::RoaringBitmap::deserialize_from(bytes)?;
+
+    // Check cardinality before iteration.
+    if orig_bitmap.len() > MAX_VALIDATOR_COUNT {
+        return Err(std::io::Error::new(
+            std::io::ErrorKind::InvalidData,
+            format!(
+                "bitmap cardinality {} exceeds max {}",
+                orig_bitmap.len(),
+                MAX_VALIDATOR_COUNT
+            ),
+        ));
+    }
+
     // Ensure there is no duplicated entries in the bitmap.
     let mut seen = std::collections::BTreeSet::new();
     let mut new_bitmap = roaring::RoaringBitmap::new();