From f6ed17d949cc19fee0fb51db3cb65771fd510d5b Mon Sep 17 00:00:00 2001 From: 2ro <17595647+2ro@users.noreply.github.com> Date: Sat, 13 Jun 2026 19:57:24 -0400 Subject: [PATCH] http-api-client: preconfigured webpki roots on Android MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default rustls platform verifier needs the app JNI context, which a standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android per Nym's own troubleshooting docs. --- Cargo.lock | 1 + common/http-api-client/Cargo.toml | 5 ++++- common/http-api-client/src/registry.rs | 22 ++++++++++++++++++++++ 3 files changed, 27 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index ba1fb92319..cdeddfc727 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -7020,6 +7020,7 @@ dependencies = [ "tracing-subscriber", "url", "wasmtimer", + "webpki-roots 0.26.11", ] [[package]] diff --git a/common/http-api-client/Cargo.toml b/common/http-api-client/Cargo.toml index 6c28d77128..3f577c5d91 100644 --- a/common/http-api-client/Cargo.toml +++ b/common/http-api-client/Cargo.toml @@ -38,7 +38,10 @@ itertools = { workspace = true } inventory = { workspace = true } fastrand = { workspace = true } tokio = { workspace = true, features = ["rt", "macros", "time"] } -rustls = { workspace=true } +rustls = { workspace = true, features = ["aws_lc_rs"] } +# Android: preconfigured webpki roots replace the JNI-bound platform verifier +# (see registry.rs); a standalone sidecar process can't init the platform store. +webpki-roots = { workspace = true } # used for decoding text responses (they were already implicitly included) bytes = { workspace = true } encoding_rs = { workspace = true } diff --git a/common/http-api-client/src/registry.rs b/common/http-api-client/src/registry.rs index 4e09570dd9..03cb945063 100644 --- a/common/http-api-client/src/registry.rs +++ b/common/http-api-client/src/registry.rs @@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder { } } + // On Android the default rustls verifier (rustls-platform-verifier) reaches + // the system trust store through JNI and must be initialized with the app's + // Java context. A standalone client process (e.g. Goblin's bundled SOCKS5 + // sidecar) has no such context, so the verifier panics + // ("Expect rustls-platform-verifier to be initialized") the moment it makes + // its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs, + // pin preconfigured webpki roots instead so HTTPS verifies without the + // platform store. Desktop/Windows keep the default verifier. + #[cfg(target_os = "android")] + { + let mut roots = rustls::RootCertStore::empty(); + roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned()); + let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new( + rustls::crypto::aws_lc_rs::default_provider(), + )) + .with_safe_default_protocol_versions() + .expect("aws-lc-rs provides the safe default protocol versions") + .with_root_certificates(roots) + .with_no_client_auth(); + b = b.use_preconfigured_tls(tls); + } + b }