Merge pull request #615 from ranger-ross/better-ca-support

Added support for Cargo `http.cainfo`
mozilla · Sep 12, 2024 · c4ec9a7 · c4ec9a7
2 parents a7632da + e495a72
commit c4ec9a7
Show file tree

Hide file tree

Showing 7 changed files with 366 additions and 64 deletions.
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -56,7 +56,7 @@ jobs:
       - uses: actions/checkout@v2
       - uses: actions-rs/toolchain@v1
         with:
-          toolchain: 1.65.0
+          toolchain: 1.70.0
           override: true
       - name: Run cargo check
         run: |

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -7,7 +7,7 @@ license = "Apache-2.0/MIT"
 repository = "https://github.com/mozilla/cargo-vet"
 homepage = "https://mozilla.github.io/cargo-vet/"
 description = "Supply-chain security for Rust"
-rust-version = "1.65"
+rust-version = "1.70"
 exclude = [
   "book/*",
   "src/snapshots/*",
@@ -51,6 +51,7 @@ thiserror = "1.0.31"
 url = "2.2.2"
 toml = "0.5.9"
 open = "3.0.2"
+cargo-config2 = "0.1.27"
 
 [target.'cfg(windows)'.dependencies.winapi]
 version = "0.3"

diff --git a/src/network.rs b/src/network.rs
@@ -137,9 +137,19 @@ impl Network {
             // TODO: make this configurable on the CLI or something
             let timeout = Duration::from_secs(DEFAULT_TIMEOUT_SECS);
             // TODO: make this configurable on the CLI or something
-            let client = Client::builder()
-                .user_agent(USER_AGENT)
-                .timeout(timeout)
+            let mut client_builder = Client::builder().user_agent(USER_AGENT).timeout(timeout);
+            if let Ok(cargo_config) = cargo_config2::Config::load() {
+                // Add the cargo `http.cainfo` to the reqwest client if it is set
+                if let Some(cainfo) = cargo_config.http.cainfo {
+                    match Network::parse_ca_file(&cainfo) {
+                        Ok(cert) => client_builder = client_builder.add_root_certificate(cert),
+                        Err(e) => println!(
+                            "failed to load certificate from Cargo http.cainfo `{}`, attempting to download without it. Error: {e:?}", cainfo
+                       ),
+                    }
+                }
+            }
+            let client = client_builder
                 .build()
                 .expect("Couldn't construct HTTP Client?");
             Some(Self {
@@ -152,6 +162,10 @@ impl Network {
         }
     }
 
+    fn parse_ca_file(path: &str) -> Result<reqwest::Certificate, Box<dyn std::error::Error>> {
+        Ok(reqwest::Certificate::from_pem(&std::fs::read(path)?)?)
+    }
+
     /// Download a file and persist it to disk
     pub async fn download_and_persist(
         &self,

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
@@ -19,6 +19,15 @@ pointers. Some `debug_assert!`s document and check these invariants as well
 (though there could be more).
 """
 
+[[audits.cargo-config2]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+version = "0.1.27"
+notes = """
+Contains no unsafe code and does not appear to abuse any powerful capabilities
+such as filesystem access.
+"""
+
 [[audits.cargo_metadata]]
 who = "Nika Layzell <nika@thelayzells.com>"
 criteria = "safe-to-deploy"
@@ -72,3 +81,57 @@ notes = """
 Algorithm crate implemented entirely in safe rust. Does no platform-specific
 logic, only implementing diffing and string manipulation algorithms.
 """
+
+[[trusted.hashbrown]]
+criteria = "safe-to-deploy"
+user-id = 2915 # Amanieu d'Antras (Amanieu)
+start = "2019-04-02"
+end = "2025-09-12"
+
+[[trusted.indexmap]]
+criteria = "safe-to-deploy"
+user-id = 539 # Josh Stone (cuviper)
+start = "2020-01-15"
+end = "2025-09-12"
+
+[[trusted.serde]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-09-12"
+
+[[trusted.serde_derive]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-09-12"
+
+[[trusted.serde_spanned]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2023-01-20"
+end = "2025-09-12"
+
+[[trusted.syn]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-09-12"
+
+[[trusted.toml_datetime]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2022-10-21"
+end = "2025-09-12"
+
+[[trusted.toml_edit]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2021-09-13"
+end = "2025-09-12"
+
+[[trusted.winnow]]
+criteria = "safe-to-deploy"
+user-id = 6743 # Ed Page (epage)
+start = "2023-02-22"
+end = "2025-09-12"