Avoid implicitly relying on default CryptoProvider

Author: djc

rustls-platform-verifier/src/lib.rs

@@ -4,6 +4,8 @@
 
 use std::sync::Arc;
 
+#[cfg(feature = "dbg")]
+use rustls::crypto::CryptoProvider;
 #[cfg(feature = "dbg")]
 use rustls::pki_types::CertificateDer;
 use rustls::{client::WantsClientCert, ClientConfig, ConfigBuilder, WantsVerifier};
@@ -89,8 +91,9 @@ pub fn tls_config_with_provider(
 #[cfg(feature = "dbg")]
 pub fn verifier_for_dbg(
     root: CertificateDer<'static>,
+    crypto_provider: Arc<CryptoProvider>,
 ) -> Arc<dyn rustls::client::danger::ServerCertVerifier> {
-    Arc::new(Verifier::new_with_fake_root(root))
+    Arc::new(Verifier::new_with_fake_root(root, crypto_provider))
 }
 
 /// Extension trait to help configure [`ClientConfig`]s with the platform verifier.
@@ -111,7 +114,7 @@ impl BuilderVerifierExt for ConfigBuilder<ClientConfig, WantsVerifier> {
     fn with_platform_verifier(self) -> ConfigBuilder<ClientConfig, WantsClientCert> {
         let provider = self.crypto_provider().clone();
         self.dangerous()
-            .with_custom_certificate_verifier(Arc::new(Verifier::new().with_provider(provider)))
+            .with_custom_certificate_verifier(Arc::new(Verifier::new(provider)))
     }
 }
 

rustls-platform-verifier/src/tests/ffi.rs

@@ -47,7 +47,6 @@ mod android {
                     .with_filter(log_filter),
             );
             crate::android::init_with_env(env, cx).unwrap();
-            crate::tests::ensure_global_state();
             std::panic::set_hook(Box::new(|info| {
                 let msg = if let Some(msg) = info.payload().downcast_ref::<&'static str>() {
                     msg

rustls-platform-verifier/src/tests/mod.rs

@@ -1,14 +1,18 @@
 #[cfg(feature = "ffi-testing")]
 pub mod ffi;
 
-use std::error::Error as StdError;
 use std::time::Duration;
+use std::{error::Error as StdError, sync::Arc};
 
 mod verification_real_world;
 
 mod verification_mock;
 
-use rustls::{pki_types, CertificateError, Error as TlsError, Error::InvalidCertificate};
+use rustls::{
+    crypto::CryptoProvider,
+    pki_types, CertificateError,
+    Error::{self as TlsError, InvalidCertificate},
+};
 
 struct TestCase<'a, E: StdError> {
     /// The name of the server we're connecting to.
@@ -62,6 +66,6 @@ pub(crate) fn verification_time() -> pki_types::UnixTime {
     pki_types::UnixTime::since_unix_epoch(Duration::from_secs(1_748_633_220))
 }
 
-fn ensure_global_state() {
-    let _ = rustls::crypto::ring::default_provider().install_default();
+fn test_provider() -> Arc<CryptoProvider> {
+    Arc::new(rustls::crypto::ring::default_provider())
 }

rustls-platform-verifier/src/tests/verification_mock/mod.rs

@@ -34,7 +34,7 @@ use rustls::pki_types::{DnsName, ServerName};
 use rustls::{CertificateError, Error as TlsError, OtherError};
 
 use super::TestCase;
-use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time};
+use crate::tests::{assert_cert_error_eq, test_provider, verification_time};
 use crate::verification::{EkuError, Verifier};
 
 macro_rules! mock_root_test_cases {
@@ -94,18 +94,21 @@ const LOCALHOST_IPV6: &str = "::1";
 #[cfg(any(test, feature = "ffi-testing"))]
 #[cfg_attr(feature = "ffi-testing", allow(dead_code))]
 pub(super) fn verification_without_mock_root() {
-    ensure_global_state();
+    let crypto_provider = test_provider();
+
     // Since Rustls 0.22 constructing a webpki verifier (like the one backing Verifier on unix
     // systems) without any roots produces `OtherError(NoRootAnchors)` - since our FreeBSD CI
     // runner fails to find any roots with openssl-probe we need to provide webpki-root-certs here
     // or the test will fail with the `OtherError` instead of the expected `CertificateError`.
     #[cfg(target_os = "freebsd")]
-    let verifier =
-        Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned())
-            .unwrap();
+    let verifier = Verifier::new_with_extra_roots(
+        webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned(),
+        crypto_provider,
+    )
+    .unwrap();
 
     #[cfg(not(target_os = "freebsd"))]
-    let verifier = Verifier::new();
+    let verifier = Verifier::new(crypto_provider);
 
     let server_name = pki_types::ServerName::try_from(EXAMPLE_COM).unwrap();
     let end_entity = pki_types::CertificateDer::from(ROOT1_INT1_EXAMPLE_COM_GOOD);
@@ -335,13 +338,13 @@ fn test_with_mock_root<E: std::error::Error + PartialEq + 'static>(
     test_case: &TestCase<E>,
     root_src: Roots,
 ) {
-    ensure_global_state();
     log::info!("verifying {:?}", test_case.expected_result);
 
+    let provider = test_provider();
     let verifier = match root_src {
-        Roots::OnlyExtra => Verifier::new_with_fake_root(ROOT1), // TODO: time
+        Roots::OnlyExtra => Verifier::new_with_fake_root(ROOT1, provider), // TODO: time
         #[cfg(not(target_os = "android"))]
-        Roots::ExtraAndPlatform => Verifier::new_with_extra_roots([ROOT1]).unwrap(),
+        Roots::ExtraAndPlatform => Verifier::new_with_extra_roots([ROOT1], provider).unwrap(),
     };
     let mut chain = test_case
         .chain

rustls-platform-verifier/src/tests/verification_real_world/mod.rs

@@ -42,7 +42,7 @@ use rustls::pki_types::{DnsName, ServerName};
 use rustls::{CertificateError, Error as TlsError};
 
 use super::TestCase;
-use crate::tests::{assert_cert_error_eq, ensure_global_state, verification_time};
+use crate::tests::{assert_cert_error_eq, test_provider, verification_time};
 use crate::Verifier;
 
 // This is the certificate chain presented by one server for
@@ -120,22 +120,25 @@ macro_rules! no_error {
 }
 
 fn real_world_test<E: std::error::Error>(test_case: &TestCase<E>) {
-    ensure_global_state();
     log::info!(
         "verifying ref ID {:?} expected {:?}",
         test_case.reference_id,
         test_case.expected_result
     );
 
+    let crypto_provider = test_provider();
+
     // On BSD systems openssl-probe fails to find the system CA bundle,
     // so we must provide extra roots from webpki-root-cert.
     #[cfg(target_os = "freebsd")]
-    let verifier =
-        Verifier::new_with_extra_roots(webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned())
-            .unwrap();
+    let verifier = Verifier::new_with_extra_roots(
+        webpki_root_certs::TLS_SERVER_ROOT_CERTS.iter().cloned(),
+        crypto_provider,
+    )
+    .unwrap();
 
     #[cfg(not(target_os = "freebsd"))]
-    let verifier = Verifier::new();
+    let verifier = Verifier::new(crypto_provider);
 
     let mut chain = test_case
         .chain

rustls-platform-verifier/src/verification/android.rs

@@ -5,7 +5,6 @@ use jni::{
     strings::JavaStr,
     JNIEnv,
 };
-use once_cell::sync::OnceCell;
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerifier};
 use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
 use rustls::pki_types;
@@ -47,13 +46,7 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing"))]
     test_only_root_ca_override: Option<pki_types::CertificateDer<'static>>,
-    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
-}
-
-impl Default for Verifier {
-    fn default() -> Self {
-        Self::new()
-    }
+    crypto_provider: Arc<CryptoProvider>,
 }
 
 #[cfg(any(test, feature = "ffi-testing"))]
@@ -71,24 +64,23 @@ impl Drop for Verifier {
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the
     /// Android certificate facilities.
-    ///
-    /// A [`CryptoProvider`] must be set with
-    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
-    /// [`CryptoProvider::install_default`] before the verifier can be used.
-    pub fn new() -> Self {
+    pub fn new(crypto_provider: Arc<CryptoProvider>) -> Self {
         Self {
             #[cfg(any(test, feature = "ffi-testing"))]
             test_only_root_ca_override: None,
-            crypto_provider: OnceCell::new(),
+            crypto_provider,
         }
     }
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing"))]
-    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
+    pub(crate) fn new_with_fake_root(
+        root: pki_types::CertificateDer<'static>,
+        crypto_provider: Arc<CryptoProvider>,
+    ) -> Self {
         Self {
             test_only_root_ca_override: Some(root),
-            crypto_provider: OnceCell::new(),
+            crypto_provider,
         }
     }
 
@@ -314,7 +306,7 @@ impl ServerCertVerifier for Verifier {
             message,
             cert,
             dss,
-            &self.get_provider().signature_verification_algorithms,
+            &self.crypto_provider.signature_verification_algorithms,
         )
     }
 
@@ -328,12 +320,12 @@ impl ServerCertVerifier for Verifier {
             message,
             cert,
             dss,
-            &self.get_provider().signature_verification_algorithms,
+            &self.crypto_provider.signature_verification_algorithms,
         )
     }
 
     fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-        self.get_provider()
+        self.crypto_provider
             .signature_verification_algorithms
             .supported_schemes()
     }

rustls-platform-verifier/src/verification/apple.rs

@@ -2,7 +2,6 @@ use std::sync::Arc;
 
 use core_foundation::date::CFDate;
 use core_foundation_sys::date::kCFAbsoluteTimeIntervalSince1970;
-use once_cell::sync::OnceCell;
 use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerifier};
 use rustls::crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider};
 use rustls::pki_types;
@@ -50,22 +49,18 @@ pub struct Verifier {
     /// Testing only: The root CA certificate to trust.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
     test_only_root_ca_override: Option<SecCertificate>,
-    pub(super) crypto_provider: OnceCell<Arc<CryptoProvider>>,
+    crypto_provider: Arc<CryptoProvider>,
 }
 
 impl Verifier {
     /// Creates a new instance of a TLS certificate verifier that utilizes the Apple certificate
     /// facilities.
-    ///
-    /// A [`CryptoProvider`] must be set with
-    /// [`set_provider`][Verifier::set_provider]/[`with_provider`][Verifier::with_provider] or
-    /// [`CryptoProvider::install_default`] before the verifier can be used.
-    pub fn new() -> Self {
+    pub fn new(crypto_provider: Arc<CryptoProvider>) -> Self {
         Self {
             extra_roots: Vec::new(),
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            crypto_provider: OnceCell::new(),
+            crypto_provider,
         }
     }
 
@@ -75,6 +70,7 @@ impl Verifier {
     /// See [Verifier::new] for the external requirements the verifier needs.
     pub fn new_with_extra_roots(
         roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
+        crypto_provider: Arc<CryptoProvider>,
     ) -> Result<Self, TlsError> {
         let extra_roots = roots
             .into_iter()
@@ -87,17 +83,20 @@ impl Verifier {
             extra_roots,
             #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
             test_only_root_ca_override: None,
-            crypto_provider: OnceCell::new(),
+            crypto_provider,
         })
     }
 
     /// Creates a test-only TLS certificate verifier which trusts our fake root CA cert.
     #[cfg(any(test, feature = "ffi-testing", feature = "dbg"))]
-    pub(crate) fn new_with_fake_root(root: pki_types::CertificateDer<'static>) -> Self {
+    pub(crate) fn new_with_fake_root(
+        root: pki_types::CertificateDer<'static>,
+        crypto_provider: Arc<CryptoProvider>,
+    ) -> Self {
         Self {
             extra_roots: Vec::new(),
             test_only_root_ca_override: Some(SecCertificate::from_der(root.as_ref()).unwrap()),
-            crypto_provider: OnceCell::new(),
+            crypto_provider,
         }
     }
 
@@ -283,7 +282,7 @@ impl ServerCertVerifier for Verifier {
             message,
             cert,
             dss,
-            &self.get_provider().signature_verification_algorithms,
+            &self.crypto_provider.signature_verification_algorithms,
         )
     }
 
@@ -297,19 +296,13 @@ impl ServerCertVerifier for Verifier {
             message,
             cert,
             dss,
-            &self.get_provider().signature_verification_algorithms,
+            &self.crypto_provider.signature_verification_algorithms,
         )
     }
 
     fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-        self.get_provider()
+        self.crypto_provider
             .signature_verification_algorithms
             .supported_schemes()
     }
 }
-
-impl Default for Verifier {
-    fn default() -> Self {
-        Self::new()
-    }
-}

rustls-platform-verifier/src/verification/mod.rs

@@ -1,4 +1,4 @@
-use rustls::crypto::CryptoProvider;
+#[cfg(any(windows, target_vendor = "apple"))]
 use std::sync::Arc;
 
 #[cfg(all(
@@ -84,30 +84,3 @@ const ALLOWED_EKUS: &[windows_sys::core::PCSTR] =
     &[windows_sys::Win32::Security::Cryptography::szOID_PKIX_KP_SERVER_AUTH];
 #[cfg(target_os = "android")]
 pub const ALLOWED_EKUS: &[&str] = &["1.3.6.1.5.5.7.3.1"];
-
-impl Verifier {
-    /// Chainable setter to configure the [`CryptoProvider`] for this `Verifier`.
-    ///
-    /// This will be used instead of the rustls process-default `CryptoProvider`, even if one has
-    /// been installed.
-    pub fn with_provider(mut self, crypto_provider: Arc<CryptoProvider>) -> Self {
-        self.set_provider(crypto_provider);
-        self
-    }
-
-    /// Configures the [`CryptoProvider`] for this `Verifier`.
-    ///
-    /// This will be used instead of the rustls process-default `CryptoProvider`, even if one has
-    /// been installed.
-    pub fn set_provider(&mut self, crypto_provider: Arc<CryptoProvider>) {
-        self.crypto_provider = crypto_provider.into();
-    }
-
-    fn get_provider(&self) -> &Arc<CryptoProvider> {
-        self.crypto_provider.get_or_init(|| {
-            CryptoProvider::get_default()
-                .expect("rustls default CryptoProvider not set")
-                .clone()
-        })
-    }
-}