http-api-client: preconfigured webpki roots on Android

The default rustls platform verifier needs the app JNI context, which a
standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics
on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android
per Nym's own troubleshooting docs.
This commit is contained in:
2ro
2026-06-13 19:57:24 -04:00
parent b6eb391e85
commit f6ed17d949
3 changed files with 27 additions and 1 deletions
Generated
+1
@@ -7020,6 +7020,7 @@ dependencies = [
"tracing-subscriber",
"url",
"wasmtimer",
"webpki-roots 0.26.11",
]
[[package]]
+4 -1
@@ -38,7 +38,10 @@ itertools = { workspace = true }
inventory = { workspace = true }
fastrand = { workspace = true }
tokio = { workspace = true, features = ["rt", "macros", "time"] }
rustls = { workspace=true }
rustls = { workspace = true, features = ["aws_lc_rs"] }
# Android: preconfigured webpki roots replace the JNI-bound platform verifier
# (see registry.rs); a standalone sidecar process can't init the platform store.
webpki-roots = { workspace = true }
# used for decoding text responses (they were already implicitly included)
bytes = { workspace = true }
encoding_rs = { workspace = true }
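Review bot: The new `webpki-roots` dependency and the `aws_lc_rs` feature on `rustls` are enabled for every target, although the only consumer shown in this commit is the `#[cfg(target_os = "android")]` block in registry.rs, so desktop builds carry an extra crate and crypto provider they never use. Unless another target already relies on `aws_lc_rs`, a `[target.'cfg(target_os = "android")'.dependencies]` table for `webpki-roots` (and the feature-bearing `rustls` line) keeps the Android-only trust bundle out of the other builds. The existing two-line comment is good; I would extend it with `# this bundle is the whole trust store on Android, so keep the crate current` since a stale root set can no longer be refreshed by the OS.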
+22
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
}
}
// On Android the default rustls verifier (rustls-platform-verifier) reaches
// the system trust store through JNI and must be initialized with the app's
// Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
// sidecar) has no such context, so the verifier panics
// ("Expect rustls-platform-verifier to be initialized") the moment it makes
// its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
// pin preconfigured webpki roots instead so HTTPS verifies without the
// platform store. Desktop/Windows keep the default verifier.
#[cfg(target_os = "android")]
{
let mut roots = rustls::RootCertStore::empty();
roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
rustls::crypto::aws_lc_rs::default_provider(),
))
.with_safe_default_protocol_versions()
.expect("aws-lc-rs provides the safe default protocol versions")
.with_root_certificates(roots)
.with_no_client_auth();
b = b.use_preconfigured_tls(tls);
}
b
}
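Review bot: The comment above the `#[cfg(target_os = "android")]` block explains why the platform verifier is bypassed but not what trust is given up, and that belongs next to `use_preconfigured_tls`: with a pinned `RootCertStore` the client no longer honours CAs the user or an MDM profile installed on the device (and keeps trusting roots the platform may have since distrusted), and the root set is frozen at whatever `webpki-roots` version the lockfile resolves to, so refreshing it is now a dependency bump rather than an OS update. I would add `// NOTE: trust is the webpki-roots bundle only — user/MDM-installed CAs are ignored and the set only changes with a crate bump.` above the `rustls::RootCertStore::empty()` line. If I read the reqwest docs right, a preconfigured config also takes precedence over the builder's own TLS options, so any `add_root_certificate`/`tls_built_in_root_certs` settings applied to `b` earlier in `default_builder` are silently discarded on Android; worth a sentence in the same comment if that holds. `default_builder` begins before this hunk, so I could not confirm that `b` is declared `mut` or which TLS options precede this block.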