Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add webpki-root-certs crate #75

Merged
merged 7 commits into from
Aug 7, 2024
Merged

Add webpki-root-certs crate #75

merged 7 commits into from
Aug 7, 2024

Conversation

cpu
Copy link
Member

@cpu cpu commented Aug 5, 2024
edited
Loading

This branch adds a new crate, webpki-root-certs, to the project workspace. Compared to webpki-roots, this crate contains the full self-signed DER X.509 certificate of each trust anchor in a TLS_SERVER_ROOT_CERTS slice.

This is done in a separate crate from webpki-roots because the X.509 representation is quite large compared to the webpki-specific TrustAnchor type. However, in some circumstances (e.g. interfacing with non-webpki consumers like platform verifiers) the full self-signed certificates are required. Users with this requirement can depend on this crate in addition to/or in place of webpki-roots. Care is taken to push regular users of rustls towards the pre-existing crate.

Some related discussion can be found in Discord (e.g. here, and here).

@cpu cpu self-assigned this Aug 5, 2024
@cpu cpu mentioned this pull request Aug 5, 2024
Merged
@cpu
Copy link
Member Author

cpu commented Aug 5, 2024

As extra motivation, wanting full self-signed certs from webpki-roots also came up in this ureq pull-request where it would be helpful for a crate that may want to configure native-tls using webpki-roots for consistency between a native-tls workflow and a rustls/webpki based workflow. It was also requested in rustls/pki-types#15, though we addressed that need with a different solution (splitting the generation crate from the main crate).

@djc
Copy link
Member

djc commented Aug 6, 2024

This feature is off by default because the X509 representation is quite large compared to the webpki-specific TrustAnchor type.

This works for "large" in terms of in-memory size (arguably most important here) and compilation overhead but of course it still bloats the source code and crate download size. A possible alternative might be to put this in another crate, maybe webpki-root-certs? Might make sense if we assume the use case will remain relatively niche (which not be true if most platform-verifier users pull this in?) -- I'm guessing the added maintenance overhead would be minimal.

djc
djc reviewed Aug 6, 2024
View reviewed changes
webpki-roots/Cargo.toml Outdated Show resolved Hide resolved
@ctz
Copy link
Member

ctz commented Aug 6, 2024

I quite like the idea of a separate crate; naturally in this repo and workspace. I think it would also make sense to have its versions match webpki-roots.

@cpu
Copy link
Member Author

cpu commented Aug 6, 2024

I quite like the idea of a separate crate; naturally in this repo and workspace.

That sounds OK to me. Any votes on the name? webpki-roots-full? webpki-roots-certs?

@djc
Copy link
Member

djc commented Aug 6, 2024

I suggested webpki-root-certs in my previous comment, which seems nice. The double plural in roots-certs seems a little awkward?

@cpu
tests: use values() for tls_roots_map iter
1c43714 
It's more idiomatic to use `values()` on a map when the desire is to
iterate just the values vs iterating the map and discarding each key
from the iterated tuple.
@cpu cpu force-pushed the cpu-offer-ta-certs branch from f6b2b0a to 9674120 Compare August 6, 2024 14:30
@cpu
Copy link
Member Author

cpu commented Aug 6, 2024

Pushed an update with a rework around a separate webpki-root-certs crate.

@cpu cpu changed the title Add opt-in root_certs feature Add webpki-root-certs crate Aug 6, 2024
djc
djc reviewed Aug 6, 2024
View reviewed changes
webpki-root-certs/LICENSE-MIT Outdated Show resolved Hide resolved
webpki-root-certs/tests/codegen.rs Show resolved Hide resolved
webpki-root-certs/src/lib.rs Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@cpu
Cargo: update pki-types 1 -> 1.8
82b05a5 
This adds a `const`-friendly `CertificateDer` constructor we will use
for a new opt-in `root_certs` feature.
@cpu cpu force-pushed the cpu-offer-ta-certs branch from 9674120 to a21a912 Compare August 6, 2024 14:46
@cpu cpu marked this pull request as ready for review August 6, 2024 14:48
@cpu cpu force-pushed the cpu-offer-ta-certs branch from a21a912 to cb4647a Compare August 6, 2024 14:50
djc
djc approved these changes Aug 7, 2024
View reviewed changes
webpki-root-certs/tests/codegen.rs Outdated Show resolved Hide resolved
@cpu
webpki-root-certs: add initial crate, code generation
dd7b312 
This commit adds a new crate, `webpki-root-certs`, to the project
workspace. Compared to `webpki-roots`, this crate contains the full
self-signed DER X.509 certificate of each trust anchor in
a `TLS_SERVER_ROOT_CERTS` slice.

This is done in a separate crate from `webpki-roots` because the X.509
representation is quite large compared to the `webpki`-specific
`TrustAnchor` type. However, in some circumstances (e.g. interfacing
with non-webpki consumers like platform verifiers) the full self-signed
certificates are required. Users with this requirement can depend on
this crate in addition to/or in place of `webpki-roots`.

Care is taken to push regular users of `rustls` towards the pre-existing
crate.
@cpu cpu force-pushed the cpu-offer-ta-certs branch from cb4647a to 131a0d4 Compare August 7, 2024 13:55
cpu added 4 commits August 7, 2024 09:57
@cpu
webpki-roots: use explicit lifetimes
7edf39a
@cpu
ci: enforce consistent formatting
a22edc2
@cpu
docs: update workspace README
e6bd685 
* Add webpki-root-certs and describe why you should probably prefer
  webpki-roots
* Removes the regenerating sources information - this is covered by each
  individual crate's README. The Warning is left since this is valuable
  top-level context to remember for each crate.
@cpu
project: use symlinks for license files
6bcc0ec
@cpu cpu force-pushed the cpu-offer-ta-certs branch from 131a0d4 to 6bcc0ec Compare August 7, 2024 13:57
@cpu cpu requested a review from ctz August 7, 2024 14:01
ctz
ctz approved these changes Aug 7, 2024
View reviewed changes
Copy link
Member

@ctz ctz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@cpu cpu merged commit ec9d1fa into rustls:main Aug 7, 2024
1 check passed
@cpu cpu deleted the cpu-offer-ta-certs branch August 7, 2024 14:18
@complexspaces complexspaces mentioned this pull request Aug 20, 2024
Open
@decathorpe decathorpe mentioned this pull request Sep 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

@ctz ctz ctz approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cpu @djc @ctz