From 056d125cb2633efd9025188a70ecd1e38da8c1ad Mon Sep 17 00:00:00 2001 From: Roderick van Domburg Date: Wed, 13 Aug 2025 19:05:52 +0200 Subject: [PATCH] refactor: move from native to webpki certs on all platforms --- Cargo.lock | 153 ++-------------------------------------- core/Cargo.toml | 23 +----- core/src/http_client.rs | 7 -- oauth/Cargo.toml | 7 +- 4 files changed, 11 insertions(+), 179 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 21bd10f4..cf103a10 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -369,16 +369,6 @@ dependencies = [ "libc", ] -[[package]] -name = "core-foundation" -version = "0.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b2a6cd9ae233e7f62ba4e9353e81a88df7fc8a5987b8d445b4d90c879bd156f6" -dependencies = [ - "core-foundation-sys", - "libc", -] - [[package]] name = "core-foundation-sys" version = "0.8.7" @@ -745,21 +735,6 @@ version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared", -] - -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "form_urlencoded" version = "1.2.1" @@ -1316,7 +1291,6 @@ dependencies = [ "hyper-rustls 0.26.0", "hyper-util", "pin-project-lite", - "rustls-native-certs 0.7.3", "tokio", "tokio-rustls 0.25.0", "tower-service", @@ -1336,7 +1310,7 @@ dependencies = [ "hyper-util", "log", "rustls 0.22.4", - "rustls-native-certs 0.7.3", + "rustls-native-certs", "rustls-pki-types", "tokio", "tokio-rustls 0.25.0", 
@@ -1355,7 +1329,6 @@ dependencies = [ "hyper-util", "log", "rustls 0.23.31", - "rustls-native-certs 0.8.1", "rustls-pki-types", "tokio", "tokio-rustls 0.26.2", @@ -1363,22 +1336,6 @@ dependencies = [ "webpki-roots 1.0.2", ] -[[package]] -name = "hyper-tls" -version = "0.6.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70206fc6890eaca9fde8a0bf71caa2ddfc9fe045ac9e5c70df101a7dbde866e0" -dependencies = [ - "bytes", - "http-body-util", - "hyper", - "hyper-util", - "native-tls", - "tokio", - "tokio-native-tls", - "tower-service", -] - [[package]] name = "hyper-util" version = "0.1.16" @@ -2152,23 +2109,6 @@ dependencies = [ "serde", ] -[[package]] -name = "native-tls" -version = "0.2.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87de3442987e9dbec73158d5c715e7ad9072fda936bb03d19d7fa10e00520f0e" -dependencies = [ - "libc", - "log", - "openssl", - "openssl-probe", - "openssl-sys", - "schannel", - "security-framework 2.11.1", - "security-framework-sys", - "tempfile", -] - [[package]] name = "ndk" version = "0.9.0" 
@@ -2485,50 +2425,12 @@ dependencies = [ "pathdiff", ] -[[package]] -name = "openssl" -version = "0.10.73" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8" -dependencies = [ - "bitflags 2.9.1", - "cfg-if", - "foreign-types", - "libc", - "once_cell", - "openssl-macros", - "openssl-sys", -] - -[[package]] -name = "openssl-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - [[package]] name = "openssl-probe" version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" -[[package]] -name = "openssl-sys" -version = "0.9.109" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571" -dependencies = [ - "cc", - "libc", - "pkg-config", - "vcpkg", -] - [[package]] name = "option-operations" version = "0.5.0" @@ -3012,7 +2914,6 @@ checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb" dependencies = [ "base64", "bytes", - "encoding_rs", "futures-channel", "futures-core", "futures-util", @@ -3022,12 +2923,9 @@ dependencies = [ "http-body-util", "hyper", "hyper-rustls 0.27.7", - "hyper-tls", "hyper-util", "js-sys", "log", - "mime", - "native-tls", "percent-encoding", "pin-project-lite", "quinn", @@ -3038,7 +2936,6 @@ dependencies = [ "serde_urlencoded", "sync_wrapper", "tokio", - "tokio-native-tls", "tokio-rustls 0.26.2", "tower", "tower-http", 
@@ -3172,19 +3069,7 @@ dependencies = [ "rustls-pemfile", "rustls-pki-types", "schannel", - "security-framework 2.11.1", -] - -[[package]] -name = "rustls-native-certs" -version = "0.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3" -dependencies = [ - "openssl-probe", - "rustls-pki-types", - "schannel", - "security-framework 3.3.0", + "security-framework", ] [[package]] @@ -3294,20 +3179,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02" dependencies = [ "bitflags 2.9.1", - "core-foundation 0.9.4", - "core-foundation-sys", - "libc", - "security-framework-sys", -] - -[[package]] -name = "security-framework" -version = "3.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80fb1d92c5028aa318b4b8bd7302a5bfcf48be96a37fc6fc790f806b0004ee0c" -dependencies = [ - "bitflags 2.9.1", - "core-foundation 0.10.1", + "core-foundation", "core-foundation-sys", "libc", "security-framework-sys", @@ -3676,7 +3548,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c879d448e9d986b661742763247d3693ed13609438cf3d006f51f5368a5ba6b" dependencies = [ "bitflags 2.9.1", - "core-foundation 0.9.4", + "core-foundation", "system-configuration-sys", ] @@ -3862,16 +3734,6 @@ dependencies = [ "syn", ] -[[package]] -name = "tokio-native-tls" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" -dependencies = [ - "native-tls", - "tokio", -] - [[package]] name = "tokio-rustls" version = "0.25.0" @@ -3913,7 +3775,6 @@ dependencies = [ "futures-util", "log", "rustls 0.23.31", - "rustls-native-certs 0.8.1", "rustls-pki-types", "tokio", "tokio-rustls 0.26.2", 
@@ -4145,12 +4006,6 @@ dependencies = [ "wasm-bindgen", ] -[[package]] -name = "vcpkg" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" - [[package]] name = "vergen" version = "9.0.6"
diff --git a/core/Cargo.toml b/core/Cargo.toml
index 5df740be..8d2159be 100644
--- a/core/Cargo.toml
+++ b/core/Cargo.toml
@@ -77,29 +77,8 @@ uuid = { version = "1", default-features = false, features = ["v4"] }
 data-encoding = "2.9"
 flate2 = "1.1"
 protobuf-json-mapping = "3.7"
-rustls = { version = "0.23", default-features = false, features = [
- "ring",
-] }
+rustls = { version = "0.23", default-features = false, features = ["ring"] }
-# Eventually, this should use rustls-platform-verifier to unify the platform-specific dependencies
-# but currently, hyper-proxy2 and tokio-tungstenite do not support it.
-[target.'cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))'.dependencies]
-hyper-proxy2 = { version = "0.1", default-features = false, features = [
- "rustls",
-] }
-hyper-rustls = { version = "0.27", default-features = false, features = [
- "ring",
- "http1",
- "logging",
- "tls12",
- "native-tokio",
- "http2",
-] }
-tokio-tungstenite = { version = "0.27", default-features = false, features = [
- "rustls-tls-native-roots",
-] }
-
-[target.'cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))'.dependencies]
 hyper-proxy2 = { version = "0.1", default-features = false, features = [
 "rustls-webpki",
 ] }
diff --git a/core/src/http_client.rs b/core/src/http_client.rs
index 1f0ee6f0..bf461985 100644
--- a/core/src/http_client.rs
+++ b/core/src/http_client.rs
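Review bot: In the core/Cargo.toml hunk the deleted comment block was the only place that recorded why roots differed per platform and that rustls-platform-verifier was the intended end state; after the change nothing in the manifest says that trust anchors are now the set compiled in through webpki-roots. That has operational consequences worth writing down: a CA installed only in the OS store (private PKI, an inspecting proxy) no longer validates, and root removals or distrust decisions reach users only when webpki-roots is bumped and the binary is rebuilt. I would keep a comment above the now-unconditional TLS dependencies, e.g. `# TLS roots: compiled-in webpki-roots on every platform; the OS trust store is not consulted. Keep webpki-roots current and revisit once rustls-platform-verifier is supported downstream.` The same choice is made at the call site in the core/src/http_client.rs hunk (`with_webpki_roots()`) and, as far as the feature name indicates, by `rustls-tls` in the oauth/Cargo.toml hunk, so the comment there should say the same.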
@@ -151,14 +151,7 @@ impl HttpClient {
 Error::internal(format!("unable to install default crypto provider: {e:?}"))
 });
- // On supported platforms, use native roots
- #[cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))]
- let tls = HttpsConnectorBuilder::new().with_native_roots()?;
-
- // Otherwise, use webpki roots
- #[cfg(not(any(target_os = "windows", target_os = "macos", target_os = "linux")))]
 let tls = HttpsConnectorBuilder::new().with_webpki_roots();
-
 let https_connector = tls.https_or_http().enable_http1().enable_http2().build();
 // When not using a proxy a dummy proxy is configured that will not intercept any traffic.
diff --git a/oauth/Cargo.toml b/oauth/Cargo.toml
index 9a469487..dd514b00 100644
--- a/oauth/Cargo.toml
+++ b/oauth/Cargo.toml
@@ -11,7 +11,12 @@ edition = "2021"
 [dependencies]
 log = "0.4"
 oauth2 = { version = "5.0", features = ["reqwest", "reqwest-blocking"] }
-reqwest = { version = "0.12", features = ["blocking"] }
+reqwest = { version = "0.12", default-features = false, features = [
+ "blocking",
+ "http2",
+ "rustls-tls",
+ "system-proxy",
+] }
 open = "5.3"
 thiserror = "2"
 url = "2.5"
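Review bot: The connector on the context line right after the change is still built with `https_or_http()`, so any request made to an `http://` URL is sent without certificate validation at all, whichever root set is configured. Whether a plaintext endpoint is still required cannot be seen from this hunk; if none is, `let https_connector = tls.https_only().enable_http1().enable_http2().build();` would make the validation apply to every request, and if one is, a short comment naming it would explain why the fallback stays. The enclosing function starts and ends outside the hunk.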