Merge pull request #159 from cipherstash/rustls-platform-verifier

damncabbage · web-flow · commit e14a9d6dab9b · 2025-03-12T13:34:35.000+11:00
fix(deps): Add rustls-platform-verifier for certs
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/packages/cipherstash-proxy/Cargo.toml b/packages/cipherstash-proxy/Cargo.toml
@@ -37,6 +37,7 @@ rust_decimal = { version = "1.36.0", default-features = false, features = [
 ] }
 rustls = { version = "0.23.20", default-features = false, features = ["std"] }
 rustls-pemfile = "2.2.0"
+rustls-platform-verifier = "0.5.0"
 rustls-pki-types = "1.10.0"
 serde = "1.0"
 serde_json = "1.0"
@@ -54,7 +55,6 @@ tokio-util = { version = "0.7.13", features = ["rt"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 uuid = { version = "1.11.0", features = ["serde", "v4"] }
-webpki-roots = "0.26.7"
 x509-parser = "0.17.0"
 
 
diff --git a/packages/cipherstash-proxy/src/config/tandem.rs b/packages/cipherstash-proxy/src/config/tandem.rs
@@ -539,6 +539,15 @@ impl DatabaseConfig {
     pub fn connection_timeout(&self) -> Duration {
         Duration::from_millis(self.connection_timeout)
     }
+
+    pub fn server_name(&self) -> Result<ServerName, Error> {
+        let name = ServerName::try_from(self.host.as_str()).map_err(|_| {
+            ConfigError::InvalidServerName {
+                name: self.host.to_owned(),
+            }
+        })?;
+        Ok(name)
+    }
 }
 
 impl Display for DatabaseConfig {
diff --git a/packages/cipherstash-proxy/src/tls/mod.rs b/packages/cipherstash-proxy/src/tls/mod.rs
@@ -3,6 +3,7 @@ use crate::{DatabaseConfig, TandemConfig};
 use rustls::client::danger::ServerCertVerifier;
 use rustls::ClientConfig;
 use rustls_pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer, ServerName};
+use rustls_platform_verifier::ConfigVerifierExt;
 use std::sync::Arc;
 use tokio::net::TcpStream;
 use tokio_rustls::{TlsAcceptor, TlsConnector, TlsStream};
@@ -17,7 +18,7 @@ pub async fn client(
 ) -> Result<TlsStream<TcpStream>, Error> {
     let tls_config = configure_client(&config.database);
     let connector = TlsConnector::from(Arc::new(tls_config));
-    let domain = config.server.server_name()?.to_owned();
+    let domain = config.database.server_name()?.to_owned();
     let tls_stream = connector.connect(domain, stream).await?;
 
     Ok(tls_stream.into())
@@ -70,12 +71,7 @@ pub fn configure_server(config: &TlsConfig) -> Result<rustls::ServerConfig, Erro
 /// The client will use the system root certificates
 ///
 pub fn configure_client(config: &DatabaseConfig) -> ClientConfig {
-    let mut root_cert_store = rustls::RootCertStore::empty();
-    root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-
-    let mut tls_config = rustls::ClientConfig::builder()
-        .with_root_certificates(root_cert_store)
-        .with_no_client_auth();
+    let mut tls_config = ClientConfig::with_platform_verifier();
 
     if !config.with_tls_verification {
         let mut dangerous = tls_config.dangerous();
