From 6825a35213d604a7149265af2346a69143c0853b Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Tue, 4 Mar 2025 19:15:06 +0100 Subject: [PATCH] crates/*: Use the platform CA bundle instead of the bundled certificates --- Cargo.lock | 284 ++++++++++++++++++++++++++++++- crates/cli/Cargo.toml | 2 +- crates/common/Cargo.toml | 4 +- crates/directory/Cargo.toml | 4 +- crates/imap/Cargo.toml | 2 +- crates/jmap/Cargo.toml | 4 +- crates/mail-send/Cargo.toml | 1 + crates/mail-send/src/smtp/tls.rs | 22 +-- crates/managesieve/Cargo.toml | 2 +- crates/pop3/Cargo.toml | 2 +- crates/smtp/Cargo.toml | 4 +- crates/spam-filter/Cargo.toml | 4 +- crates/store/Cargo.toml | 2 +- crates/trc/Cargo.toml | 2 +- crates/utils/Cargo.toml | 5 +- crates/utils/src/lib.rs | 16 +- tests/Cargo.toml | 10 +- 17 files changed, 314 insertions(+), 56 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index be36759b..eca9699f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -440,6 +440,47 @@ dependencies = [ "url", ] +[[package]] +name = "aws-lc-fips-sys" +version = "0.13.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "29003a681b2b9465c1139bfb726da452a841a8b025f35953f3bce71139f10b21" +dependencies = [ + "bindgen 0.69.5", + "cc", + "cmake", + "dunce", + "fs_extra", + "paste", + "regex", +] + +[[package]] +name = "aws-lc-rs" +version = "1.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e4e8200b9a4a5801a769d50eeabc05670fec7e959a8cb7a63a93e4e519942ae" +dependencies = [ + "aws-lc-fips-sys", + "aws-lc-sys", + "paste", + "zeroize", +] + +[[package]] +name = "aws-lc-sys" +version = "0.26.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f9dd2e03ee80ca2822dd6ea431163d2ef259f2066a4d6ccaca6d9dcb386aa43" +dependencies = [ + "bindgen 0.69.5", + "cc", + "cmake", + "dunce", + "fs_extra", + "paste", +] + [[package]] name = "aws-region" version = "0.25.5" 
@@ -673,12 +714,15 @@ dependencies = [ "itertools 0.12.1", "lazy_static", "lazycell", + "log", + "prettyplease", "proc-macro2", "quote", "regex", "rustc-hash 1.1.0", "shlex", "syn 2.0.96", + "which", ] [[package]] @@ -1035,6 +1079,12 @@ dependencies = [ "smallvec", ] +[[package]] +name = "cesu8" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c" + [[package]] name = "cexpr" version = "0.6.0" @@ -1347,6 +1397,16 @@ dependencies = [ "libc", ] +[[package]] +name = "core-foundation" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b55271e5c8c478ad3f38ad24ef34923091e0548492a266d19b3c0b4d82574c63" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -1912,6 +1972,12 @@ dependencies = [ "zeroize", ] +[[package]] +name = "dunce" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" + [[package]] name = "dyn-clone" version = "1.0.17" @@ -2117,6 +2183,29 @@ dependencies = [ "syn 2.0.96", ] +[[package]] +name = "env_filter" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "186e05a59d4c50738528153b83b0b0194d3a29507dfec16eccd4b342903397d0" +dependencies = [ + "log", + "regex", +] + +[[package]] +name = "env_logger" +version = "0.11.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dcaee3d8e3cfc3fd92428d477bc97fc29ec8716d180c0d74c643bb26166660e0" +dependencies = [ + "anstream", + "anstyle", + "env_filter", + "humantime", + "log", +] + [[package]] name = "equivalent" version = "1.0.1" 
@@ -2423,6 +2512,12 @@ dependencies = [ "syn 2.0.96", ] +[[package]] +name = "fs_extra" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" + [[package]] name = "funty" version = "2.0.0" @@ -2974,6 +3069,12 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9994b79e8c1a39b3166c63ae7823bb2b00831e2a96a31399c50fe69df408eaeb" +[[package]] +name = "humantime" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" + [[package]] name = "hyper" version = "0.14.32" @@ -3044,6 +3145,7 @@ dependencies = [ "hyper 1.6.0", "hyper-util", "rustls 0.23.21", + "rustls-native-certs 0.8.1", "rustls-pki-types", "tokio", "tokio-rustls 0.26.1", @@ -3607,6 +3709,28 @@ dependencies = [ "utils", ] +[[package]] +name = "jni" +version = "0.21.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a87aa2bb7d2af34197c04845522473242e1aa17c12f4935d5856491a7fb8c97" +dependencies = [ + "cesu8", + "cfg-if", + "combine", + "jni-sys", + "log", + "thiserror 1.0.69", + "walkdir", + "windows-sys 0.45.0", +] + +[[package]] +name = "jni-sys" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130" + [[package]] name = "jobserver" version = "0.1.32" 
@@ -3959,14 +4083,18 @@ dependencies = [ [[package]] name = "mail-send" version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b12277cdcacfc15af67fe9cf155f31ff68ad8c301304573ea116ed8870f192d5" dependencies = [ "base64 0.22.1", + "env_logger", "gethostname", + "mail-auth", + "mail-builder", + "mail-parser", "md5", + "rand 0.8.5", "rustls 0.23.21", "rustls-pki-types", + "rustls-platform-verifier", "smtp-proto", "tokio", "tokio-rustls 0.26.1", @@ -5552,6 +5680,7 @@ dependencies = [ "pin-project-lite", "quinn", "rustls 0.23.21", + "rustls-native-certs 0.8.1", "rustls-pemfile 2.2.0", "rustls-pki-types", "serde", @@ -5920,6 +6049,8 @@ version = "0.23.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f287924602bf649d949c63dc8ac8b235fa5387d394020705b80c4eb597ce5b8" dependencies = [ + "aws-lc-rs", + "log", "once_cell", "ring 0.17.8", "rustls-pki-types", @@ -5937,7 +6068,7 @@ dependencies = [ "openssl-probe", "rustls-pemfile 1.0.4", "schannel", - "security-framework", + "security-framework 2.11.1", ] [[package]] @@ -5950,7 +6081,19 @@ dependencies = [ "rustls-pemfile 2.2.0", "rustls-pki-types", "schannel", - "security-framework", + "security-framework 2.11.1", +] + +[[package]] +name = "rustls-native-certs" +version = "0.8.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3" +dependencies = [ + "openssl-probe", + "rustls-pki-types", + "schannel", + "security-framework 3.2.0", ] [[package]] 
@@ -5980,6 +6123,33 @@ dependencies = [ "web-time", ] +[[package]] +name = "rustls-platform-verifier" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e012c45844a1790332c9386ed4ca3a06def221092eda277e6f079728f8ea99da" +dependencies = [ + "core-foundation 0.10.0", + "core-foundation-sys", + "jni", + "log", + "once_cell", + "rustls 0.23.21", + "rustls-native-certs 0.8.1", + "rustls-platform-verifier-android", + "rustls-webpki 0.102.8", + "security-framework 3.2.0", + "security-framework-sys", + "webpki-root-certs", + "windows-sys 0.52.0", +] + +[[package]] +name = "rustls-platform-verifier-android" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f87165f0995f63a9fbeea62b64d10b4d9d8e78ec6d7d51fb2125fda7bb36788f" + [[package]] name = "rustls-webpki" version = "0.101.7" @@ -5996,6 +6166,7 @@ version = "0.102.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9" dependencies = [ + "aws-lc-rs", "ring 0.17.8", "rustls-pki-types", "untrusted 0.9.0", @@ -6125,7 +6296,20 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" dependencies = [ "bitflags 2.8.0", - "core-foundation", + "core-foundation 0.9.4", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework" +version = "3.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "271720403f46ca04f7ba6f55d438f8bd878d6b8ca0a1046e8228c4145bcbb316" +dependencies = [ + "bitflags 2.8.0", + "core-foundation 0.10.0", "core-foundation-sys", "libc", "security-framework-sys", 
@@ -6817,7 +7001,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7" dependencies = [ "bitflags 1.3.2", - "core-foundation", + "core-foundation 0.9.4", "system-configuration-sys", ] @@ -7569,6 +7753,7 @@ dependencies = [ "rustls 0.23.21", "rustls-pemfile 2.2.0", "rustls-pki-types", + "rustls-platform-verifier", "serde", "serde_json", "smtp-proto", @@ -7764,6 +7949,15 @@ dependencies = [ "untrusted 0.9.0", ] +[[package]] +name = "webpki-root-certs" +version = "0.26.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09aed61f5e8d2c18344b3faa33a4c837855fe56642757754775548fee21386c4" +dependencies = [ + "rustls-pki-types", +] + [[package]] name = "webpki-roots" version = "0.25.4" @@ -7789,6 +7983,18 @@ dependencies = [ "once_cell", ] +[[package]] +name = "which" +version = "4.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87ba24419a2078cd2b0f2ede2691b6c66d8e47836da3b6db8265ebad47afbfc7" +dependencies = [ + "either", + "home", + "once_cell", + "rustix", +] + [[package]] name = "whoami" version = "1.5.2" @@ -7886,6 +8092,15 @@ dependencies = [ "windows-targets 0.52.6", ] +[[package]] +name = "windows-sys" +version = "0.45.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "75283be5efb2831d37ea142365f009c02ec203cd29a3ebecbc093d52315b66d0" +dependencies = [ + "windows-targets 0.42.2", +] + [[package]] name = "windows-sys" version = "0.48.0" 
@@ -7913,6 +8128,21 @@ dependencies = [ "windows-targets 0.52.6", ] +[[package]] +name = "windows-targets" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e5180c00cd44c9b1c88adb3693291f1cd93605ded80c250a75d472756b4d071" +dependencies = [ + "windows_aarch64_gnullvm 0.42.2", + "windows_aarch64_msvc 0.42.2", + "windows_i686_gnu 0.42.2", + "windows_i686_msvc 0.42.2", + "windows_x86_64_gnu 0.42.2", + "windows_x86_64_gnullvm 0.42.2", + "windows_x86_64_msvc 0.42.2", +] + [[package]] name = "windows-targets" version = "0.48.5" @@ -7944,6 +8174,12 @@ dependencies = [ "windows_x86_64_msvc 0.52.6", ] +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "597a5118570b68bc08d8d59125332c54f1ba9d9adeedeef5b99b02ba2b0698f8" + [[package]] name = "windows_aarch64_gnullvm" version = "0.48.5" @@ -7956,6 +8192,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" +[[package]] +name = "windows_aarch64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e08e8864a60f06ef0d0ff4ba04124db8b0fb3be5776a5cd47641e942e58c4d43" + [[package]] name = "windows_aarch64_msvc" version = "0.48.5" @@ -7968,6 +8210,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" +[[package]] +name = "windows_i686_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c61d927d8da41da96a81f029489353e68739737d3beca43145c8afec9a31a84f" + [[package]] name = "windows_i686_gnu" version = "0.48.5" 
@@ -7986,6 +8234,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" +[[package]] +name = "windows_i686_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44d840b6ec649f480a41c8d80f9c65108b92d89345dd94027bfe06ac444d1060" + [[package]] name = "windows_i686_msvc" version = "0.48.5" @@ -7998,6 +8252,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" +[[package]] +name = "windows_x86_64_gnu" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8de912b8b8feb55c064867cf047dda097f92d51efad5b491dfb98f6bbb70cb36" + [[package]] name = "windows_x86_64_gnu" version = "0.48.5" @@ -8010,6 +8270,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26d41b46a36d453748aedef1486d5c7a85db22e56aff34643984ea85514e94a3" + [[package]] name = "windows_x86_64_gnullvm" version = "0.48.5" @@ -8022,6 +8288,12 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" +[[package]] +name = "windows_x86_64_msvc" +version = "0.42.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9aec5da331524158c6d1a4ac0ab1541149c0b9505fde06423b02f5ef0106b9f0" + [[package]] name = "windows_x86_64_msvc" version = "0.48.5" diff --git a/crates/cli/Cargo.toml b/crates/cli/Cargo.toml index a2d19a06..76866b80 100644 --- a/crates/cli/Cargo.toml +++ b/crates/cli/Cargo.toml 
@@ -13,7 +13,7 @@ resolver = "2"
 [dependencies]
 jmap-client = { version = "0.3", features = ["async"] }
 mail-parser = { version = "0.10", features = ["full_encoding", "serde_support"] }
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2"]}
 tokio = { version = "1.23", features = ["full"] }
 num_cpus = "1.13.1"
 clap = { version = "4.1.6", features = ["derive"] }
diff --git a/crates/common/Cargo.toml b/crates/common/Cargo.toml
index 3da0183f..93c49bb5 100644
--- a/crates/common/Cargo.toml
+++ b/crates/common/Cargo.toml
@@ -16,7 +16,7 @@ sieve-rs = { version = "0.6" }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
 mail-builder = { version = "0.4" }
 mail-auth = { version = "0.6" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 smtp-proto = { version = "0.1", features = ["serde_support"] }
 dns-update = { version = "0.1" }
 ahash = { version = "0.8.2", features = ["serde"] }
@@ -32,7 +32,7 @@ tokio = { version = "1.23", features = ["net", "macros"] }
 tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
 futures = "0.3"
 rcgen = "0.12"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2", "stream"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2", "stream"]}
 serde = { version = "1.0", features = ["derive"]}
 serde_json = "1.0"
 base64 = "0.22"
@@ -12,7 +12,7 @@ trc = { path = "../trc" }
 jmap_proto = { path = "../jmap-proto" }
 smtp-proto = { version = "0.1" }
 mail-parser = { version = "0.10", features = ["full_encoding", "serde_support"] }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 mail-builder = { version = "0.4" }
 tokio = { version = "1.23", features = ["net"] }
 tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
@@ -34,7 +34,7 @@ futures = "0.3"
 regex = "1.7.0"
 serde = { version = "1.0", features = ["derive"]}
 totp-rs = { version = "5.5.1", features = ["otpauth"] }
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2"] }
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2"] }
 serde_json = "1.0"
 base64 = "0.22"
 
diff --git a/crates/imap/Cargo.toml b/crates/imap/Cargo.toml
index 640ca4fd..d91931c1 100644
--- a/crates/imap/Cargo.toml
+++ b/crates/imap/Cargo.toml
@@ -16,7 +16,7 @@ email = { path = "../email" }
 nlp = { path = "../nlp" }
 utils = { path = "../utils" }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 rustls = { version = "0.23.5", default-features = false, features = ["std", "ring", "tls12"] }
 rustls-pemfile = "2.0"
 tokio = { version = "1.23", features = ["full"] }
diff --git a/crates/jmap/Cargo.toml b/crates/jmap/Cargo.toml
index 7be56e44..ad5ed795 100644
--- a/crates/jmap/Cargo.toml
+++ b/crates/jmap/Cargo.toml
@@ -18,7 +18,7 @@ email = { path = "../email" }
 smtp-proto = { version = "0.1" }
 mail-parser = { version = "0.10", features = ["full_encoding", "serde_support"] }
 mail-builder = { version = "0.4" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 mail-auth = { version = "0.6", features = ["generate"] }
 sieve-rs = { version = "0.6" }
 serde = { version = "1.0", features = ["derive"]}
@@ -38,7 +38,7 @@ p256 = { version = "0.13", features = ["ecdh"] }
 hkdf = "0.12.3"
 sha1 = "0.10"
 sha2 = "0.10"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2"]}
 tokio-tungstenite = "0.26"
 tungstenite = "0.26"
 chrono = "0.4"
diff --git a/crates/mail-send/Cargo.toml b/crates/mail-send/Cargo.toml
index fb5f402d..6760afab 100644
--- a/crates/mail-send/Cargo.toml
+++ b/crates/mail-send/Cargo.toml
@@ -27,6 +27,7 @@ rustls = { version = "0.23", default-features = false, features = ["std"]}
 tokio-rustls = { version = "0.26", default-features = false }
 webpki-roots = { version = "0.26"}
 rustls-pki-types = { version = "1" }
+rustls-platform-verifier = "0.5"
 gethostname = { version = "0.5"}
 
 [dev-dependencies]
diff --git a/crates/mail-send/src/smtp/tls.rs b/crates/mail-send/src/smtp/tls.rs
index b15a6db8..7ddd0798 100644
--- a/crates/mail-send/src/smtp/tls.rs
+++ b/crates/mail-send/src/smtp/tls.rs
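Review bot: `webpki-roots = { version = "0.26"}` is left in place even though `build_tls_connector` in `src/smtp/tls.rs` — the only user of `webpki_roots::TLS_SERVER_ROOTS` visible in this patch — stops referencing it, so unless another module still needs it the crate now carries a second, unused root bundle that nobody validates against but that still has to be kept current; drop the line if a build without it passes. The added `rustls-platform-verifier = "0.5"` takes that crate's default features, while every other TLS dependency in this file and across the workspace is pinned with `default-features = false` and the `ring` provider; `Cargo.lock` in this same patch shows `rustls` and `rustls-webpki` newly depending on `aws-lc-rs` (with its `cmake`/`bindgen` build chain), which suggests some new dependency is switching on a second crypto provider. It is worth confirming which dependency does that and pinning it — e.g. `rustls-platform-verifier = { version = "0.5", default-features = false }` if the provider comes from its features — so the binary does not grow a C crypto library the workspace did not ask for.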
@@ -12,9 +12,9 @@ use std::{convert::TryFrom, io, sync::Arc};
 
 use rustls::{
     client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    ClientConfig, ClientConnection, RootCertStore, SignatureScheme,
+    ClientConfig, ClientConnection, SignatureScheme,
 };
-use rustls_pki_types::{ServerName, TrustAnchor};
+use rustls_pki_types::ServerName;
 use tokio::net::TcpStream;
 use tokio_rustls::{client::TlsStream, TlsConnector};
 
@@ -78,20 +78,14 @@ impl SmtpClient> {
 }
 
 pub fn build_tls_connector(allow_invalid_certs: bool) -> TlsConnector {
+    use rustls_platform_verifier::BuilderVerifierExt;
+
+    let config = ClientConfig::builder();
+
     let config = if !allow_invalid_certs {
-        let mut root_cert_store = RootCertStore::empty();
-
-        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| TrustAnchor {
-            subject: ta.subject.clone(),
-            subject_public_key_info: ta.subject_public_key_info.clone(),
-            name_constraints: ta.name_constraints.clone(),
-        }));
-
-        ClientConfig::builder()
-            .with_root_certificates(root_cert_store)
-            .with_no_client_auth()
+        config.with_platform_verifier().with_no_client_auth()
     } else {
-        ClientConfig::builder()
+        config
             .dangerous()
             .with_custom_certificate_verifier(Arc::new(DummyVerifier {}))
             .with_no_client_auth()
diff --git a/crates/managesieve/Cargo.toml b/crates/managesieve/Cargo.toml
index 650ab23b..42738e68 100644
--- a/crates/managesieve/Cargo.toml
+++ b/crates/managesieve/Cargo.toml
@@ -15,7 +15,7 @@ store = { path = "../store" }
 utils = { path = "../utils" }
 trc = { path = "../trc" }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 sieve-rs = { version = "0.6" }
 rustls = { version = "0.23.5", default-features = false, features = ["std", "ring", "tls12"] }
 rustls-pemfile = "2.0"
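Review bot: The new `config.with_platform_verifier()` makes every outbound STARTTLS verification depend on the host's trust store, so on Linux/BSD a container image shipped without `ca-certificates` (or with a stale `SSL_CERT_FILE`) now fails closed on every delivery, and as far as I can tell the verifier reports a missing or empty store only through the `log` facade, which this workspace does not appear to route anywhere — to an operator that looks like every remote MTA presenting a bad certificate. A cheap safeguard is to build the verifying connector once at startup and surface an empty-store condition through the crate's own error path, or at least put a comment on `build_tls_connector` saying that trust now comes from the platform store and that an empty store rejects all peers. Separately, `Cargo.lock` in this patch shows `rustls` gaining an `aws-lc-rs` dependency next to the `ring` feature the workspace selects; if both providers end up enabled in one build, `ClientConfig::builder()` on the new line panics at runtime unless a process-level `CryptoProvider` has been installed, which `ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider())).with_safe_default_protocol_versions()` would avoid (it returns a `Result`, so an `.expect()` stating the invariant is needed here since the function returns `TlsConnector` directly).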
diff --git a/crates/pop3/Cargo.toml b/crates/pop3/Cargo.toml
index 5f86ed00..89e7b732 100644
--- a/crates/pop3/Cargo.toml
+++ b/crates/pop3/Cargo.toml
@@ -15,7 +15,7 @@ trc = { path = "../trc" }
 jmap_proto = { path = "../jmap-proto" }
 email = { path = "../email" }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 rustls = { version = "0.23.5", default-features = false, features = ["std", "ring", "tls12"] }
 tokio = { version = "1.23", features = ["full"] }
 tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
diff --git a/crates/smtp/Cargo.toml b/crates/smtp/Cargo.toml
index 5997c1c3..5f5badc2 100644
--- a/crates/smtp/Cargo.toml
+++ b/crates/smtp/Cargo.toml
@@ -21,7 +21,7 @@ email = { path = "../email" }
 spam-filter = { path = "../spam-filter" }
 trc = { path = "../trc" }
 mail-auth = { version = "0.6" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
 mail-builder = { version = "0.4" }
 smtp-proto = { version = "0.1", features = ["serde_support"] }
@@ -47,7 +47,7 @@ blake3 = "1.3"
 lru-cache = "0.1.2"
 rand = "0.8.5"
 x509-parser = "0.16.0"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2"] }
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2"] }
 serde = { version = "1.0", features = ["derive", "rc"] }
 serde_json = "1.0"
 num_cpus = "1.15.0"
diff --git a/crates/spam-filter/Cargo.toml b/crates/spam-filter/Cargo.toml
index f5b63353..c9176cf6 100644
--- a/crates/spam-filter/Cargo.toml
+++ b/crates/spam-filter/Cargo.toml
@@ -14,12 +14,12 @@ smtp-proto = { version = "0.1", features = ["serde_support"] }
 mail-parser = { version = "0.10", features = ["full_encoding"] }
 mail-builder = { version = "0.4" }
 mail-auth = { version = "0.6" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 tokio = { version = "1.23", features = ["net", "macros"] }
 psl = "2"
 hyper = { version = "1.0.1", features = ["server", "http1", "http2"] }
 idna = "1.0"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2", "stream"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2", "stream"]}
 decancer = "3.0.1"
 unicode-security = "0.1.0"
 infer = "0.16"
diff --git a/crates/store/Cargo.toml b/crates/store/Cargo.toml
index b0cf7d77..67c2d742 100644
--- a/crates/store/Cargo.toml
+++ b/crates/store/Cargo.toml
@@ -15,7 +15,7 @@ rust-s3 = { version = "=0.35.0-alpha.2", default-features = false, features = ["
 azure_core = { version = "0.21.0", optional = true }
 azure_storage = { version = "0.21.0", default-features = false, features = ["enable_reqwest_rustls", "hmac_rust"], optional = true }
 azure_storage_blobs = { version = "0.21.0", default-features = false, features = ["enable_reqwest_rustls", "hmac_rust"], optional = true }
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2", "stream"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2", "stream"]}
 tokio = { version = "1.23", features = ["sync", "fs", "io-util"] }
 r2d2 = { version = "0.8.10", optional = true }
 futures = { version = "0.3", optional = true }
diff --git a/crates/trc/Cargo.toml b/crates/trc/Cargo.toml
index e4f2ca7c..f294e469 100644
--- a/crates/trc/Cargo.toml
+++ b/crates/trc/Cargo.toml
@@ -11,7 +11,7 @@ mail-parser = { version = "0.10", features = ["full_encoding"] }
 base64 = "0.22.1"
 serde = "1.0"
 serde_json = "1.0.120"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2"]}
 bincode = "1.3.3"
 rtrb = "0.3.1"
 parking_lot = "0.12.3"
diff --git a/crates/utils/Cargo.toml b/crates/utils/Cargo.toml
index e0a7ef9d..14b1d675 100644
--- a/crates/utils/Cargo.toml
+++ b/crates/utils/Cargo.toml
@@ -9,12 +9,13 @@ trc = { path = "../trc" }
 rustls = { version = "0.23.5", default-features = false, features = ["std", "ring", "tls12"] }
 rustls-pemfile = "2.0"
 rustls-pki-types = { version = "1" }
+rustls-platform-verifier = "0.5"
 tokio = { version = "1.23", features = ["net", "macros"] }
 tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
 serde = { version = "1.0", features = ["derive"]}
 mail-auth = { version = "0.6" }
 smtp-proto = { version = "0.1" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 ahash = { version = "0.8" }
 chrono = "0.4"
 rand = "0.8.5"
@@ -23,7 +24,7 @@ ring = { version = "0.17" }
 base64 = "0.22"
 serde_json = "1.0"
 rcgen = "0.13"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "http2", "stream"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "http2", "stream"]}
 x509-parser = "0.16.0"
 pem = "3.0"
 parking_lot = "0.12"
diff --git a/crates/utils/src/lib.rs b/crates/utils/src/lib.rs
index acec2f04..b2cdaf65 100644
--- a/crates/utils/src/lib.rs
+++ b/crates/utils/src/lib.rs
@@ -18,9 +18,9 @@ use futures::StreamExt;
 use reqwest::Response;
 use rustls::{
     client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    ClientConfig, RootCertStore, SignatureScheme,
+    ClientConfig, SignatureScheme,
 };
-use rustls_pki_types::TrustAnchor;
+use rustls_platform_verifier::BuilderVerifierExt;
 
 pub const BLOB_HASH_LEN: usize = 32;
 
@@ -280,17 +280,7 @@ pub fn rustls_client_config(allow_invalid_certs: bool) -> ClientConfig {
     let config = ClientConfig::builder();
 
     if !allow_invalid_certs {
-        let mut root_cert_store = RootCertStore::empty();
-
-        root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| TrustAnchor {
-            subject: ta.subject.clone(),
-            subject_public_key_info: ta.subject_public_key_info.clone(),
-            name_constraints: ta.name_constraints.clone(),
-        }));
-
-        config
-            .with_root_certificates(root_cert_store)
-            .with_no_client_auth()
+        config.with_platform_verifier().with_no_client_auth()
     } else {
         config
             .dangerous()
diff --git a/tests/Cargo.toml b/tests/Cargo.toml
index 6aa6d35b..256a574b 100644
--- a/tests/Cargo.toml
+++ b/tests/Cargo.toml
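Review bot: `rustls_client_config` now validates peers against whatever the host exposes — the OS verifier on Windows/macOS, the system CA bundle on Linux — instead of the Mozilla bundle the removed lines loaded, which changes the function's contract for every caller (which CAs are accepted, and on Linux an absent or empty store rejects every peer) without any comment saying so. A doc comment on the function should state it, e.g. `/// Builds a rustls ClientConfig that verifies servers against the platform trust store (OS verifier on Windows/macOS, the system CA bundle on Linux); with allow_invalid_certs == true no certificate validation is performed at all.` The function's signature and the `allow_invalid_certs` branch begin and end outside this hunk.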
@@ -34,12 +34,12 @@ spam-filter = { path = "../crates/spam-filter", features = ["test_mode", "enterp
 trc = { path = "../crates/trc" }
 managesieve = { path = "../crates/managesieve", features = ["test_mode", "enterprise"] }
 smtp-proto = { version = "0.1" }
-mail-send = { version = "0.5", default-features = false, features = ["cram-md5", "ring", "tls12"] }
+mail-send = { path = "../crates/mail-send", default-features = false, features = ["cram-md5", "ring", "tls12"] }
 mail-auth = { version = "0.6", features = ["test"] }
-sieve-rs = { version = "0.6" }
+sieve-rs = { version = "0.6" }
 utils = { path = "../crates/utils", features = ["test_mode"] }
-jmap-client = { version = "0.3", features = ["websockets", "debug", "async"] }
-mail-parser = { version = "0.10", features = ["full_encoding", "serde_support"] }
+jmap-client = { version = "0.3", features = ["websockets", "debug", "async"] }
+mail-parser = { version = "0.10", features = ["full_encoding", "serde_support"] }
 tokio = { version = "1.23", features = ["full"] }
 tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "tls12"] }
 rustls = { version = "0.23.5", default-features = false, features = ["std", "ring", "tls12"] }
@@ -50,7 +50,7 @@ rayon = { version = "1.5.1" }
 flate2 = { version = "1.0.17", features = ["zlib"], default-features = false }
 serde = { version = "1.0", features = ["derive"]}
 serde_json = "1.0"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "multipart", "http2"]}
+reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-native-roots", "multipart", "http2"]}
 bytes = "1.4.0"
 futures = "0.3"
 ece = "2.2"
-- 
2.47.2