http-api-client: preconfigured webpki roots on Android
The default rustls platform verifier needs the app JNI context, which a standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android per Nym's own troubleshooting docs.
Generated
+1
@@ -7020,6 +7020,7 @@ dependencies = [
|
||||
"tracing-subscriber",
|
||||
"url",
|
||||
"wasmtimer",
|
||||
"webpki-roots 0.26.11",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
||||
@@ -38,7 +38,10 @@ itertools = { workspace = true }
|
||||
inventory = { workspace = true }
|
||||
fastrand = { workspace = true }
|
||||
tokio = { workspace = true, features = ["rt", "macros", "time"] }
|
||||
rustls = { workspace=true }
|
||||
rustls = { workspace = true, features = ["aws_lc_rs"] }
|
||||
# Android: preconfigured webpki roots replace the JNI-bound platform verifier
|
||||
# (see registry.rs); a standalone sidecar process can't init the platform store.
|
||||
webpki-roots = { workspace = true }
|
||||
# used for decoding text responses (they were already implicitly included)
|
||||
bytes = { workspace = true }
|
||||
encoding_rs = { workspace = true }
|
||||
|
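Review bot: `webpki-roots = { workspace = true }` is declared for every target, although the only use the commit adds sits under `#[cfg(target_os = "android")]` in registry.rs; declaring it as `[target.'cfg(target_os = "android")'.dependencies]` keeps the bundled root set out of desktop and Windows builds, which the comment says keep the platform verifier. The same question applies to the `aws_lc_rs` feature now enabled on `rustls`: if it is only needed for the Android provider in registry.rs, it can be target-scoped too, but if the workspace relies on it elsewhere (not visible here) it should stay. The comment "(see registry.rs)" would be easier to follow if it named the function, e.g. `# (see default_builder in registry.rs)`.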
||||
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
|
||||
}
|
||||
}
|
||||
|
||||
// On Android the default rustls verifier (rustls-platform-verifier) reaches
|
||||
// the system trust store through JNI and must be initialized with the app's
|
||||
// Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
|
||||
// sidecar) has no such context, so the verifier panics
|
||||
// ("Expect rustls-platform-verifier to be initialized") the moment it makes
|
||||
// its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
|
||||
// pin preconfigured webpki roots instead so HTTPS verifies without the
|
||||
// platform store. Desktop/Windows keep the default verifier.
|
||||
#[cfg(target_os = "android")]
|
||||
{
|
||||
let mut roots = rustls::RootCertStore::empty();
|
||||
roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
|
||||
let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
|
||||
rustls::crypto::aws_lc_rs::default_provider(),
|
||||
))
|
||||
.with_safe_default_protocol_versions()
|
||||
.expect("aws-lc-rs provides the safe default protocol versions")
|
||||
.with_root_certificates(roots)
|
||||
.with_no_client_auth();
|
||||
b = b.use_preconfigured_tls(tls);
|
||||
}
|
||||
|
||||
b
|
||||
}
|
||||
|
||||
|
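Review bot: Once `b = b.use_preconfigured_tls(tls);` runs, any TLS settings applied to the builder earlier in default_builder (which starts outside this hunk) are, as far as I recall from reqwest's documentation, ignored in favour of the preconfigured config, so anything the Android path needs (extra roots, minimum protocol version) has to be set on `tls` itself rather than on `b`. The roots are also fixed at build time: changes to the Mozilla store reach the sidecar only through a `webpki-roots` bump, which the comment should say so the dependency is kept current, e.g. `// Roots are frozen at build time; bump webpki-roots to pick up store changes.`. The `.expect(...)` on `with_safe_default_protocol_versions()` is reasonable since the provider is the one rustls ships with, but the message should state that invariant rather than describe the provider.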
||||