From 32173dc7f6521bad8f26b055b6a86d807348f151 Mon Sep 17 00:00:00 2001
From: Josh Triplett
Date: Mon, 24 May 2021 07:35:05 -0700
Subject: [PATCH] feat(transport): Add a tls-webpki-roots feature to add trust roots from webpki-roots (#660)

---
 tonic/Cargo.toml | 5 ++++-
 tonic/src/lib.rs | 2 ++
 tonic/src/transport/service/connector.rs | 6 +++---
 tonic/src/transport/service/tls.rs | 7 +++++++
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
index f078d5dbd..989b8f8c0 100644
--- a/tonic/Cargo.toml
+++ b/tonic/Cargo.toml
@@ -35,7 +35,9 @@ transport = [
 "tokio/time",
 ]
 tls = ["transport", "tokio-rustls"]
-tls-roots = ["tls", "rustls-native-certs"]
+tls-roots-common = ["tls"]
+tls-roots = ["tls-roots-common", "rustls-native-certs"]
+tls-webpki-roots = ["tls-roots-common", "webpki-roots"]
 prost = ["prost1", "prost-derive"]
 
 # [[bench]]
@@ -76,6 +78,7 @@ tracing-futures = { version = "0.2", optional = true }
 # rustls
 tokio-rustls = { version = "0.22", optional = true }
 rustls-native-certs = { version = "0.5", optional = true }
+webpki-roots = { version = "0.21.1", optional = true }
 
 [dev-dependencies]
 tokio = { version = "1.0", features = ["rt", "macros"] }
diff --git a/tonic/src/lib.rs b/tonic/src/lib.rs
index 815c0b1a9..4d91643c1 100644
--- a/tonic/src/lib.rs
+++ b/tonic/src/lib.rs
@@ -25,6 +25,8 @@
 //! - `tls-roots`: Adds system trust roots to `rustls`-based gRPC clients using the
 //! `rustls-native-certs` crate. Not enabled by default. `tls` must be enabled to use
 //! `tls-roots`.
+//! - `tls-webpki-roots`: Add the standard trust roots from the `webpki-roots` crate to
+//! `rustls`-based gRPC clients. Not enabled by default.
 //! - `prost`: Enables the [`prost`] based gRPC [`Codec`] implementation.
 //!
 //! # Structure
diff --git a/tonic/src/transport/service/connector.rs b/tonic/src/transport/service/connector.rs
index 5dd0e2702..c4d216b83 100644
--- a/tonic/src/transport/service/connector.rs
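Review bot: `tls-roots-common` is declared as an ordinary public feature, so nothing stops a consumer from enabling it on its own, without `tls-roots` or `tls-webpki-roots`. In that configuration the `#[cfg(feature = "tls-roots-common")]` gates this commit places on `tls_or_default` and on `call` in connector.rs (both hunks there) select the default-connector path, yet as far as the patch shows no trust anchors get added, so every https connection without an explicit CA would presumably fail verification against an empty root store — it fails closed, but it is hard to diagnose. Mark the feature as an implementation detail right where it is defined: `# Internal: implied by tls-roots and tls-webpki-roots; do not enable directly.` and keep it out of the documented feature list in lib.rs.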
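Review bot: The new bullet calls the roots "standard" but does not say where they live, which is the property a user choosing between `tls-roots` and `tls-webpki-roots` needs: the tls.rs hunk adds the crate's static `webpki_roots::TLS_SERVER_ROOTS`, so these anchors are compiled into the binary and only change when the dependency is bumped, whereas the native store follows OS updates. It also reads `Add` where the surrounding bullets use `Adds`. Suggested text for the two added lines: `//! - tls-webpki-roots: Adds the trust roots bundled in the webpki-roots crate (a compile-time snapshot of the Mozilla root program, refreshed only when that dependency is updated) to rustls-based gRPC clients. Not enabled by default.` with the crate and feature names in code spans as the neighbouring bullets do.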
+++ b/tonic/src/transport/service/connector.rs
@@ -37,7 +37,7 @@ impl Connector {
 Self { inner, tls }
 }
 
- #[cfg(feature = "tls-roots")]
+ #[cfg(feature = "tls-roots-common")]
 fn tls_or_default(&self, scheme: Option<&str>, host: Option<&str>) -> Option {
 use tokio_rustls::webpki::DNSNameRef;
 
@@ -74,10 +74,10 @@ where
 }
 
 fn call(&mut self, uri: Uri) -> Self::Future {
- #[cfg(all(feature = "tls", not(feature = "tls-roots")))]
+ #[cfg(all(feature = "tls", not(feature = "tls-roots-common")))]
 let tls = self.tls.clone();
 
- #[cfg(feature = "tls-roots")]
+ #[cfg(feature = "tls-roots-common")]
 let tls = self.tls_or_default(uri.scheme_str(), uri.host());
 
 let connect = self.inner.make_connection(uri);
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
index dd3a6965d..1d78df25a 100644
--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -64,6 +64,13 @@ impl TlsConnector {
 };
 }
 
+ #[cfg(feature = "tls-webpki-roots")]
+ {
+ config
+ .root_store
+ .add_server_trust_anchors(&webpki_roots::TLS_SERVER_ROOTS);
+ }
+
 if let Some(cert) = ca_cert {
 let mut buf = std::io::Cursor::new(&cert.pem[..]);
 config.root_store.add_pem_file(&mut buf).unwrap();
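Review bot: The new `#[cfg(feature = "tls-webpki-roots")]` block is not conditioned on `tls-roots` being absent, so a build with both features trusts the union of whatever the block closing just above it loaded (presumably the native store) and the bundled `webpki-roots` anchors, and the `ca_cert` appended in the context lines below extends that set rather than replacing it. That is a defensible default, but it is a trust-boundary decision that should be stated where it is made; I would add above the block: `// Bundled webpki anchors are added on top of any native roots and any explicit ca_cert; the store is a union, never a replacement.` The enclosing constructor starts outside the hunk, so I cannot tell whether a caller pinning a private CA can obtain an empty root store under these features — worth confirming and documenting alongside the feature docs.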