http-api-client: preconfigured webpki roots on Android
The default rustls platform verifier needs the app JNI context, which a standalone client process (Goblin's bundled SOCKS5 sidecar) lacks — it panics on the first nym-api HTTPS call. Pin webpki_roots::TLS_SERVER_ROOTS on Android per Nym's own troubleshooting docs.
Generated
+1
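--- a/Cargo.lock
+++ b/Cargo.lock
@@ -7020,6 +7020,7 @@ dependencies = [
 "tracing-subscriber",
 "url",
 "wasmtimer",
+"webpki-roots 0.26.11",
 ]
 
 [[package]]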
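--- a/Cargo.toml
+++ b/Cargo.toml
@@ -38,7 +38,10 @@ itertools = { workspace = true }
 inventory = { workspace = true }
 fastrand = { workspace = true }
 tokio = { workspace = true, features = ["rt", "macros", "time"] }
-rustls = { workspace=true }
+rustls = { workspace = true, features = ["aws_lc_rs"] }
+# Android: preconfigured webpki roots replace the JNI-bound platform verifier
+# (see registry.rs); a standalone sidecar process can't init the platform store.
+webpki-roots = { workspace = true }
 # used for decoding text responses (they were already implicitly included)
 bytes = { workspace = true }
 encoding_rs = { workspace = true }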
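Review bot: `webpki-roots` is added as an unconditional dependency even though, per the comment on the same lines, its only consumer is the `#[cfg(target_os = "android")]` block in registry.rs, so every desktop and Windows build now links and audits a root bundle it never uses. Declaring it under `[target.'cfg(target_os = "android")'.dependencies]` instead, `webpki-roots = { workspace = true }`, keeps the dependency scoped to the one target that needs it and stops the bundled CA set from becoming part of the supply chain of builds that still use the platform verifier. Whether the `aws_lc_rs` feature on `rustls` likewise belongs only on Android depends on the workspace definition of `rustls`, which is not visible here.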
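--- a/registry.rs
+++ b/registry.rs
@@ -66,6 +66,28 @@ pub fn default_builder() -> ReqwestClientBuilder {
 }
 }
 
+// On Android the default rustls verifier (rustls-platform-verifier) reaches
+// the system trust store through JNI and must be initialized with the app's
+// Java context. A standalone client process (e.g. Goblin's bundled SOCKS5
+// sidecar) has no such context, so the verifier panics
+// ("Expect rustls-platform-verifier to be initialized") the moment it makes
+// its first HTTPS call to the nym-api. Per Nym's own troubleshooting docs,
+// pin preconfigured webpki roots instead so HTTPS verifies without the
+// platform store. Desktop/Windows keep the default verifier.
+#[cfg(target_os = "android")]
+{
+let mut roots = rustls::RootCertStore::empty();
+roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+let tls = rustls::ClientConfig::builder_with_provider(std::sync::Arc::new(
+rustls::crypto::aws_lc_rs::default_provider(),
+))
+.with_safe_default_protocol_versions()
+.expect("aws-lc-rs provides the safe default protocol versions")
+.with_root_certificates(roots)
+.with_no_client_auth();
+b = b.use_preconfigured_tls(tls);
+}
+
 b
 }
 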
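Review bot: The trust anchors installed by `roots.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned())` are frozen at build time — they are whatever the pinned crate shipped (the lockfile in this commit pins `webpki-roots 0.26.11`), so CA additions and, more importantly, distrust events that Android would otherwise deliver through system updates never reach the sidecar until the crate is bumped and the app rebuilt, and the long comment above the block does not say so. A line such as `// NOTE: roots are baked in at build time — keep webpki-roots current so CA distrust events reach this process.` next to the `extend` call would make that maintenance obligation explicit. The `b = b.use_preconfigured_tls(tls)` call also deserves a one-line note that it only takes effect when the `rustls` this crate links is the same version reqwest was built against; if they diverge, reqwest (at least in the versions I am familiar with) rejects the config when the client is built rather than at compile time, which is an easy trap for the next `rustls` bump. The enclosing `default_builder` starts before the hunk; its final `b` / `}` are inside it.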