
Android and iOS support #3

Open
quininer opened this issue Nov 13, 2019 · 17 comments

Comments

@quininer
Member

I think we can look at how chromium is implemented.

https://github.com/chromium/chromium/blob/master/net/cert/cert_verify_proc_android.cc
https://github.com/chromium/chromium/blob/master/net/cert/cert_verify_proc_ios.cc

@buraktabn

Any updates on this?

@djc
Member

djc commented Jun 13, 2022

Nope -- but if you're willing to contribute I'm happy to provide any guidance you need.

@buraktabn

TBH, I was planning on it because of paritytech/subxt#563. However, using webpki seems to work on Android.

@cpu
Member

cpu commented Mar 31, 2023

Android and iOS are both supported by https://github.com/rustls/rustls-platform-verifier

Is there user demand for a native-certs solution or should we suggest users consider using the platform verifier instead? That crate isn't quite ready for primetime but I also suspect we can get it ready sooner than we could add support for those platforms here.

@djc
Member

djc commented Apr 3, 2023

iOS support might be as easy as enabling the security-framework path for ios in addition to macos, I think?

But in general, the rustls-platform-verifier is probably a better alternative for most use cases.

@djc
Member

djc commented Jan 24, 2024

rustls-platform-verifier has been released and is probably a better option in most cases.

@stormshield-gt

reqwest already supports rustls-native-certs but not rustls-platform-verifier (seanmonstar/reqwest#2286 (comment)), blocked by rustls/rustls-platform-verifier#58.
rustls/rustls-platform-verifier#58 seems harder to resolve than this current issue, am I right?

Do you think it would be reasonable to work on this issue first, enabling the usage of reqwest with rustls on Android by loading the cert store? I mean, if you are open to contributions.
I know right now it's possible to embed a store with rustls-webpki-roots, but it does not fit our needs.

@djc
Member

djc commented Aug 18, 2024

Happy to review a PR for this but want to caution that if this needs too much complexity we might want to avoid it in favor of improving the platform verifier crate instead.

If you want to contribute, maybe you can contribute there?

@stormshield-gt

stormshield-gt commented Aug 20, 2024

Yes, hopefully I have some bandwidth to contribute here. Do you have any guidance on how things should be done? Maybe we can talk about it on the rustls discord server if you want?

@djc
Member

djc commented Aug 20, 2024

@stormshield-gt happy to discuss on Discord.

@ctz
Member

ctz commented Aug 20, 2024

I would suggest, first, that this issue is asking for almost entirely unrelated things.

iOS: AFAIK this is not possible -- the macOS APIs we use aren't available on iOS. But I'm not an iOS expert, and could well be wrong. The linked code in the OP is not doing the job that is required here; it is using the system verifier rather than extracting the trusted certs.

Android: ditto, the linked code above is not what is needed for this crate. However, I am pretty sure there will be a way via the android keystore service & AndroidCAStore; the question is really whether that can be reasonably accessed from pure rust, or whether it needs a java<->JNI<->rust bridge. If it requires a java component (with the build and packaging complexities), I think it probably doesn't have a good home in this crate (since it cannot conform to the unified API we want). I don't know the answers here, but the starting point would be to make (or find) a rust crate that allows keystore access.

@djc
Member

djc commented Aug 20, 2024

As soon as we get to that level of complexity, it seems like we'd almost certainly be better off relying on the context/build infra/testing we already have in place in the rustls-platform-verifier repo.

@stormshield-gt

Thanks a lot for the guidance. By checking things on my side, I reached the same conclusion. It seems like everybody agrees that it would be better to look into supporting extra roots inside rustls-platform-verifier to unlock the reqwest integration. I will put some effort in that direction.

@ctz
Member

ctz commented Aug 20, 2024

On the android side I just came across this in golang: https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L26-L30

@stormshield-gt

For iOS, they used to embed the cert store statically and then switched to using the platform verifier (golang/go@b74f2ef). That seems to confirm there is no API for loading the store on this platform.

@cpu
Member

cpu commented Aug 26, 2024

> On the android side I just came across this in golang: https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L26-L30

This seems like it could be reasonably adapted to this crate, but I echo @djc's concerns that when you start to consider test coverage for Android it would ratchet up the complexity of this repo's CI more than I think is deserved.

Given there's no good solution for iOS I suspect most users invested in a "native" experience that includes mobile platforms will want to use rustls-platform-verifier anyway since only supporting Android is probably of limited utility. I'm inclined to say we should call this a WONTFIX for this repo and continue to try and invest in the platform verifier crate. Thoughts?
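As an added illustration of what "adapting the Go loader to this crate" would amount to (this is example code written for this thread, not code from rustls-native-certs or from Go), the following stdlib-only Rust scans a list of candidate directories, reads each regular file, extracts every `-----BEGIN CERTIFICATE-----` block and returns the DER bytes, the same shape of result the crate hands to a rustls root store. The `/system/etc/security/cacerts` path is an assumption mirroring the Go source linked above; the PEM and base64 decoding is hand-rolled here so the example runs without rustls-pemfile, and `load_root_dirs`, `pem_to_der` and `base64_decode` are names chosen for this example only.

```rust
use std::fs;
use std::path::Path;

/// Directories to scan for PEM root certificates. The Android path is the
/// well-known system CA directory (assumption: taken from the Go loader the
/// thread links; check it against your target Android version).
pub const ANDROID_CERT_DIRS: &[&str] = &["/system/etc/security/cacerts"];

/// Map one standard-alphabet base64 character to its 6-bit value.
fn b64_val(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Decode base64 text (whitespace ignored, '=' padding terminates the data).
/// Returns None on any character outside the standard alphabet.
pub fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for &c in s.as_bytes() {
        if c.is_ascii_whitespace() {
            continue;
        }
        if c == b'=' {
            break;
        }
        acc = (acc << 6) | b64_val(c)?;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1; // keep only the not-yet-emitted low bits
        }
    }
    Some(out)
}

/// Extract every CERTIFICATE block from PEM text and return each one as DER.
/// Text outside the markers (Android files carry a human-readable dump
/// after the PEM block) is ignored, as is any block that fails to decode.
pub fn pem_to_der(pem: &str) -> Vec<Vec<u8>> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
    const END: &str = "-----END CERTIFICATE-----";
    let mut ders = Vec::new();
    let mut rest = pem;
    while let Some(start) = rest.find(BEGIN) {
        let body_start = start + BEGIN.len();
        let end_rel = match rest[body_start..].find(END) {
            Some(i) => i,
            None => break, // unterminated block: stop scanning this file
        };
        if let Some(der) = base64_decode(&rest[body_start..body_start + end_rel]) {
            if !der.is_empty() {
                ders.push(der);
            }
        }
        rest = &rest[body_start + end_rel + END.len()..];
    }
    ders
}

/// Read every regular file (symlinks followed) in each directory that
/// exists and collect the DER certificates found. Missing directories and
/// unreadable files are skipped, matching the lenient Go behaviour.
pub fn load_root_dirs(dirs: &[&Path]) -> Vec<Vec<u8>> {
    let mut roots = Vec::new();
    for dir in dirs {
        let entries = match fs::read_dir(dir) {
            Ok(e) => e,
            Err(_) => continue,
        };
        for entry in entries.flatten() {
            let path = entry.path();
            if !path.is_file() {
                continue;
            }
            if let Ok(text) = fs::read_to_string(&path) {
                roots.extend(pem_to_der(&text));
            }
        }
    }
    roots
}

fn main() {
    let dirs: Vec<&Path> = ANDROID_CERT_DIRS.iter().map(|d| Path::new(d)).collect();
    let roots = load_root_dirs(&dirs);
    println!("loaded {} DER root certificates", roots.len());
}
```

Run on a device or emulator it reports how many roots the system directory holds; the per-file leniency is deliberate, since a single malformed file in the store should not empty the trust anchors for the whole process. Nothing here validates the certificates themselves, which is the job of the verifier the roots are handed to.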

@djc
Member

djc commented Aug 26, 2024

(There was some follow-up in rustls/rustls-platform-verifier#58 (comment).)

6 participants