From c994b1caea19b5d7a4e8c0784cfa937127d54462 Mon Sep 17 00:00:00 2001
From: Sean Pianka
Date: Mon, 21 Nov 2022 21:28:41 -0500
Subject: [PATCH] feat: add support for webpki (alt. to native-certs)

hyper-rustls pulls in [rustls-native-certs](https://github.com/rustls/rustls-native-certs) by default and has a feature flag for swapping it out with webpki. This PR adds two alternative feature-flags for tokio-based selections that will enable webpki in hyper-rustls.

Signed-off-by: Sean Pianka
---
 Cargo.toml | 57 +++++++++++++++++++++++++++++++++-------
 src/client/base/tokio.rs | 22 ++++++++++++----
 src/client/mod.rs | 20 +++++++++++---
 src/lib.rs | 10 ++++---
 4 files changed, 88 insertions(+), 21 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 21e9038a8..f4119c968 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -66,21 +66,58 @@ events = []
 async = ["futures-util"]
 blocking = []
-runtime-tokio-hyper = ["tokio", "hyper-client", "hyper-tls", "async"]
-runtime-tokio-hyper-rustls = ["tokio", "hyper-client", "hyper-rustls", "async"]
-runtime-blocking = ["tokio", "tokio/rt", "hyper-client", "hyper-tls", "blocking"]
+runtime-tokio-hyper = [
+ "tokio",
+ "hyper-client",
+ "hyper-tls",
+ "async",
+]
+runtime-tokio-hyper-rustls = [
+ "tokio",
+ "hyper-client",
+ "hyper-rustls",
+ "hyper-rustls-native",
+ "async",
+]
+runtime-tokio-hyper-rustls-webpki = [
+ "tokio",
+ "hyper-client",
+ "hyper-rustls-webpki",
+ "async",
+]
+runtime-blocking = [
+ "tokio",
+ "tokio/rt",
+ "hyper-client",
+ "hyper-tls",
+ "blocking",
+]
 runtime-blocking-rustls = [
- "tokio",
- "tokio/rt",
- "hyper-client",
- "hyper-rustls",
- "blocking",
+ "tokio",
+ "tokio/rt",
+ "hyper-client",
+ "hyper-rustls-native",
+ "blocking",
+]
+runtime-blocking-rustls-webpki = [
+ "tokio",
+ "tokio/rt",
+ "hyper-client",
+ "hyper-rustls-webpki",
+ "blocking",
+]
+runtime-async-std-surf = [
+ "async-std",
+ "surf",
+ "async",
 ]
-runtime-async-std-surf = ["async-std", "surf", "async"]
 # we need the compat crate if using hyper
 hyper-client = ["hyper", "http-types/hyperium_http"]
+hyper-rustls-native = ["hyper-rustls", "hyper-rustls/native-tokio"]
+hyper-rustls-webpki = ["hyper-rustls", "hyper-rustls/webpki-tokio"]
+
 [dependencies]
 async-std = {version = "1.8,<1.11", optional = true}
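Review bot: `runtime-tokio-hyper-rustls` lists both `"hyper-rustls"` and `"hyper-rustls-native"`, while the other three rustls runtimes list only the helper feature; `hyper-rustls-native` already enables `hyper-rustls`, so the extra entry is redundant and can be dropped for consistency. The two helper features at the end of the hunk also need a comment on what each means for certificate trust, because the choice is otherwise invisible to a downstream user: the native variant reads the operating system's trust store at run time, while the webpki variant uses the root set compiled in from webpki-roots, so a CA added or distrusted on the host is not reflected until the dependency is updated and the binary rebuilt. Suggested comment above `hyper-rustls-webpki`: `# webpki: trust anchors are compiled in; the OS certificate store is not consulted`.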
@@ -89,7 +126,7 @@ thiserror = "1.0.24"
 http-types = { version = "2.12.0", default-features = false }
 hyper = { version = "0.14", default-features = false, features = ["http1", "http2", "client", "tcp"], optional = true }
 hyper-tls = { version = "0.5", optional = true }
-hyper-rustls = { version = "0.22", optional = true }
+hyper-rustls = { version = "0.23", default-features = false, features = ["http1", "http2", "tls12", "logging"], optional = true }
 serde = {version = ">=1.0.79", features = ["derive"] } # we use `serde(other)` which was introduced in 1.0.79
 serde_json = "1.0"
 serde_qs = "0.10.1"
diff --git a/src/client/base/tokio.rs b/src/client/base/tokio.rs
index 67bfa7c3e..9664154be 100644
--- a/src/client/base/tokio.rs
+++ b/src/client/base/tokio.rs
@@ -10,23 +10,35 @@ use tokio::time::sleep;
 use crate::client::request_strategy::{Outcome, RequestStrategy};
 use crate::error::{ErrorResponse, StripeError};
-#[cfg(feature = "hyper-rustls")]
+#[cfg(feature = "hyper-rustls-native")]
 mod connector {
 use hyper::client::{connect::dns::GaiResolver, HttpConnector};
 pub use hyper_rustls::HttpsConnector;
+ use hyper_rustls::HttpsConnectorBuilder;
 pub fn create() -> HttpsConnector> {
- HttpsConnector::with_native_roots()
+ HttpsConnectorBuilder::new()
+ .with_native_roots()
+ .https_only()
+ .enable_http1()
+ .enable_http2()
+ .build()
 }
 }
-#[cfg(feature = "hyper-tls")]
+#[cfg(feature = "hyper-rustls-webpki")]
 mod connector {
 use hyper::client::{connect::dns::GaiResolver, HttpConnector};
- pub use hyper_tls::HttpsConnector;
+ pub use hyper_rustls::HttpsConnector;
+ use hyper_rustls::HttpsConnectorBuilder;
 pub fn create() -> HttpsConnector> {
- HttpsConnector::new()
+ HttpsConnectorBuilder::new()
+ .with_webpki_roots()
+ .https_only()
+ .enable_http1()
+ .enable_http2()
+ .build()
 }
 }
diff --git a/src/client/mod.rs b/src/client/mod.rs
index 82581e7e2..89228a48a 100644
--- a/src/client/mod.rs
+++ b/src/client/mod.rs
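Review bot: In the `src/client/base/tokio.rs` hunk the second `mod connector` was the `hyper-tls` one (`pub use hyper_tls::HttpsConnector;`, `HttpsConnector::new()`), and the new side re-gates it on `hyper-rustls-webpki` instead of adding a third module, so no `connector` is left in this hunk for `runtime-tokio-hyper` and `runtime-blocking`, which still enable `hyper-tls` in Cargo.toml. Unless another `connector` is defined in the part of the file outside the hunk, those two features no longer compile. The webpki module should be added alongside the existing one, with the original `#[cfg(feature = "hyper-tls")]` block kept exactly as it was. The two rustls modules are also identical apart from the `.with_native_roots()` / `.with_webpki_roots()` call, so a short comment on each stating where its trust roots come from would help the next reader tell them apart.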
@@ -5,25 +5,39 @@ mod base {
 #[cfg(any(
 feature = "runtime-tokio-hyper",
 feature = "runtime-tokio-hyper-rustls",
+ feature = "runtime-tokio-hyper-rustls-webpki",
 feature = "runtime-blocking",
 feature = "runtime-blocking-rustls",
+ feature = "runtime-blocking-rustls-webpki",
 ))]
 pub mod tokio;
 #[cfg(feature = "runtime-async-std-surf")]
 pub mod async_std;
- #[cfg(any(feature = "runtime-blocking", feature = "runtime-blocking-rustls"))]
+ #[cfg(any(
+ feature = "runtime-blocking",
+ feature = "runtime-blocking-rustls",
+ feature = "runtime-blocking-rustls-webpki"
+ ))]
 pub mod tokio_blocking;
 }
-#[cfg(any(feature = "runtime-blocking", feature = "runtime-blocking-rustls"))]
+#[cfg(any(
+ feature = "runtime-blocking",
+ feature = "runtime-blocking-rustls",
+ feature = "runtime-blocking-rustls-webpki"
+))]
 pub(crate) mod config {
 pub(crate) use super::base::tokio_blocking::{err, ok};
 pub use super::base::tokio_blocking::{Response, TokioBlockingClient as BaseClient};
 }
-#[cfg(any(feature = "runtime-tokio-hyper", feature = "runtime-tokio-hyper-rustls"))]
+#[cfg(any(
+ feature = "runtime-tokio-hyper",
+ feature = "runtime-tokio-hyper-rustls",
+ feature = "runtime-tokio-hyper-rustls-webpki"
+))]
 pub(crate) mod config {
 pub(crate) use super::base::tokio::{err, ok};
 pub use super::base::tokio::{Response, TokioClient as BaseClient};
diff --git a/src/lib.rs b/src/lib.rs
index ab9d766df..b6cc91f5c 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -44,17 +44,21 @@
 #[cfg(not(any(
 feature = "runtime-tokio-hyper",
 feature = "runtime-tokio-hyper-rustls",
+ feature = "runtime-tokio-hyper-rustls-webpki",
 feature = "runtime-blocking",
 feature = "runtime-blocking-rustls",
+ feature = "runtime-blocking-rustls-webpki",
 feature = "runtime-async-std-surf",
 )))]
 compile_error!(
 r"one of the following runtime features must be enabled: [
- 'runtime-tokio-hyper',
+ 'runtime-tokio-hyper',
 'runtime-tokio-hyper-rustls',
- 'runtime-blocking',
- 'runtime-blocking-rustls',
+ 'runtime-tokio-hyper-rustls-webpki',
+ 'runtime-blocking',
+ 'runtime-blocking-rustls',
+ 'runtime-blocking-rustls-webpki',
 'runtime-async-std-surf'
 ]"
 );
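Review bot: Nothing in this guard rejects two TLS back ends being enabled together, and the commit adds a new pair that conflicts: with both `hyper-rustls-native` and `hyper-rustls-webpki` on, `src/client/base/tokio.rs` defines `mod connector` twice and the build fails with a duplicate-definition error that does not name the cause. Cargo unifies features across the dependency graph, so a downstream crate can hit this without requesting both itself. A second guard next to this one would make the conflict explicit and leave no doubt about which trust-root source a build uses: `#[cfg(all(feature = "hyper-rustls-native", feature = "hyper-rustls-webpki"))] compile_error!("enable only one of the native-roots and webpki rustls features");`.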