Replace rustls-native-certs with rustls-platform-verifier

Cargo.toml

@@ -20,7 +20,7 @@ homepage = "https://github.com/pendulum-project/ntpd-rs"
 readme = "./README.md"
 description = "Full-featured implementation of NTP with NTS support"
 publish = true
-rust-version = "1.70" # MSRV
+rust-version = "1.71" # MSRV
 
 # Because of the async runtime, we really want panics to cause an abort, otherwise
 # the binary can keep on running as a ghost
@@ -39,7 +39,7 @@ serde = { version = "1.0.145", features = ["derive"] }
 serde_json = "1.0"
 rand = "0.8.0"
 arbitrary = { version = "1.0" }
-libc = "0.2.145"
+libc = "0.2.150"
 tokio = "1.32"
 toml = { version = ">=0.6.0,<0.9.0", default-features = false, features = ["parse"] }
 async-trait = "0.1.67"
@@ -51,7 +51,7 @@ pps-time = "0.2.3"
 rustls23 = { package = "rustls", version = "0.23.16", features = ["logging", "std", "tls12"] }
 rustls-pemfile2 = { package = "rustls-pemfile", version = "2.0" }
 rustls-pki-types = "1.10"
-rustls-native-certs7 = { package = "rustls-native-certs", version = "0.7" }
+rustls-platform-verifier = "0.5.0"
 tokio-rustls = { version = "0.26.0", features = ["logging", "tls12"] } # testing only
 
 # crypto

clippy.toml

@@ -1 +1 @@
-msrv = "1.70"
+msrv = "1.71"

ntp-proto/Cargo.toml

@@ -29,7 +29,7 @@ serde.workspace = true
 rustls23.workspace = true
 rustls-pki-types.workspace = true
 rustls-pemfile2.workspace = true
-rustls-native-certs7.workspace = true
+rustls-platform-verifier.workspace = true
 arbitrary = { workspace = true, optional = true }
 aead.workspace = true
 aes-siv.workspace = true

ntp-proto/src/server.rs

@@ -313,13 +313,9 @@ impl<T: std::hash::Hash + Eq> TimestampedCache<T> {
     }
 
     fn index(&self, item: &T) -> usize {
-        use std::hash::{BuildHasher, Hasher};
+        use std::hash::BuildHasher;
 
-        let mut hasher = self.randomstate.build_hasher();
-
-        item.hash(&mut hasher);
-
-        hasher.finish() as usize % self.elements.len()
+        self.randomstate.hash_one(item) as usize % self.elements.len()
     }
 
     fn is_allowed(&mut self, item: T, timestamp: Instant, cutoff: Duration) -> bool {

ntp-proto/src/tls_utils.rs

@@ -86,15 +86,12 @@ mod rustls23_shim {
     pub type Certificate = rustls23::pki_types::CertificateDer<'static>;
     pub type PrivateKey = rustls23::pki_types::PrivateKeyDer<'static>;
 
+    pub use rustls_platform_verifier::Verifier as PlatformVerifier;
+
     pub mod pemfile {
-        pub use rustls_native_certs7::load_native_certs;
         pub use rustls_pemfile2::certs;
         pub use rustls_pemfile2::pkcs8_private_keys;
         pub use rustls_pemfile2::private_key;
-
-        pub fn rootstore_ref_shim(cert: &super::Certificate) -> super::Certificate {
-            cert.clone()
-        }
     }
 
     pub trait CloneKeyShim {}

ntp-proto/test-keys/end.fullchain.pem

@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIDsDCCApigAwIBAgIUeLa0dWVwCQr2akxP7Zrw3RDLAF8wDQYJKoZIhvcNAQEL
+MIIDmjCCAoKgAwIBAgIUP9+8F53FXFa+q2SSww8v1zNEPiIwDQYJKoZIhvcNAQEL
 BQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0y
-MzAxMjAwOTQ3MzhaGA80NzYwMTIxNzA5NDczOFowWTELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAsZmqWOnowHpN+nsLk0gqvsmZWPuwMBrnJrlDihyUmMXmf28CDXJL
-/aYDC/3a4EKIAz0uUnH6tCTK6jbmJhouGKnRpo9nS3ee3n0AENgPzcCaBgAoNYMM
-IT7en4a8olRviwKrMCX91fIorbuaUb0VFQ7BgfJhEvXVJinXcxkdTZJ4fztGE5Cy
-iqDGuJ1+EEABmDBrWCOr/gpF5HpAl9m6vbdhEWg3UvM02PAcBAn3z0Eno7O11vEK
-WDjZu6XWRLznY+cFEI0LvF8gLfilC15QgJdtb4+bh5jJsLHCCobBgARBdk50yhbj
-eQBwDOVMm2OJl5/BUl2OYbD/nK9dSUbT6wIDAQABo3AwbjAfBgNVHSMEGDAWgBR3
-Va6VsK3920NVj7trkQittchtpTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNV
-HREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFGWx6Z2EPXqL6pb+65eD/Dl4do/l
-MA0GCSqGSIb3DQEBCwUAA4IBAQCUEyM1M6EfDOkv9MHL3q1U72JvrKFx6lPDMTWd
-n/tWTILyQejETXWLmCxhle4JwIC+EQfAS6o/EFumgGvKp2xKuM4lS0ccaIBCCkjf
-bKkB5WxLppHPznxpv33f1DcU4WRNewBDra3FqJSGYGVjuHAPu4dZbPmU2bqhA22g
-0tdwFZyDC3b32CY40m8gbR7VvcymMufyOeLWImR6GVCm5N6SUVpYEPbL2PFHkvnq
-Z6SALFAeH/Um/uPsWemBPfxMXjq5dDKWaaigiC4wxdfpPqAfORrYbRWcCOoYQv2U
-9BO4LkL8OYBtG0IFuWU9eKpchFZgXbDjeoHFqBHz40yQ2yhk
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0y
+NTAyMjcwODUzMTJaFw0yNjAyMjcwODUzMTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgxtQa9J3GQI88kxGA
+fhkMUz9u9fyPPFOf81Sm+TCgUebhkCk28YeJfEam7iMSo1LqgKBhr4IuqTh6MyIS
+oBcg+4gfy776iHMTncu2x8wGapOUMgopOJVohBiogiJ4m5qBAlI+IT5oCiQddfnF
+HSXR3kfX/8h5hvAfuXoF5rnBRBh+QdId1Pfnsum7XV2PSLAUb8Naz8C+MWD2+6t1
+PxAszvHKL6hrQzLJyy4K/fn5clFNdFcJRtGoWO0XSmt2aok/fhavnyA8cUgWR+C2
+uu6zmuBs6aZ5KJV70Vyggn0e08die2ZgAQs+yfJcg0sB90Tym3mBPg4gHBQ2aYaH
+UgW1AgMBAAGjcDBuMB8GA1UdIwQYMBaAFHdVrpWwrf3bQ1WPu2uRCK21yG2lMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgUgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNV
+HQ4EFgQUg82rmpQGdA7S1aC74TCtI3eE7HEwDQYJKoZIhvcNAQELBQADggEBAGlA
+t6sTGUOHyQw1RUpDsRBwzkN0/as4Hgtu/mIAM177G/Ep+cB5KCAnTjmndEZnkugk
+QVZtO46+u9+LCGqHt61RbeiaIKiLpmIEATqzkciVVjNMbulTfTMMK3mowDKBzkqe
+Ygt1dn1NYfBwViKmUnIQzZyRJw0us/9W1f1SB4ABs4vxnl5NPO2a/feUPTna4FbG
+jk2czinbdXBjhF2kl9GDIfPWyt/C3qFwySGKK5r0xQaP22bF4dbGm1IYY1Uu0T7z
+ma0z/EXHO0E88PWZ14HCFa3AtraBltlmihfmTiDJMrrL5k4IP1gcmbbAgz2ZBmTi
+ECx4XlIQFTs/bxgWqA8=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDkTCCAnmgAwIBAgIUSJ4RLbU532cpXBrIPM0dgLjFoRowDQYJKoZIhvcNAQEL

ntp-proto/test-keys/end.key

@@ -1,28 +1,28 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCxmapY6ejAek36
-ewuTSCq+yZlY+7AwGucmuUOKHJSYxeZ/bwINckv9pgML/drgQogDPS5Scfq0JMrq
-NuYmGi4YqdGmj2dLd57efQAQ2A/NwJoGACg1gwwhPt6fhryiVG+LAqswJf3V8iit
-u5pRvRUVDsGB8mES9dUmKddzGR1Nknh/O0YTkLKKoMa4nX4QQAGYMGtYI6v+CkXk
-ekCX2bq9t2ERaDdS8zTY8BwECffPQSejs7XW8QpYONm7pdZEvOdj5wUQjQu8XyAt
-+KULXlCAl21vj5uHmMmwscIKhsGABEF2TnTKFuN5AHAM5UybY4mXn8FSXY5hsP+c
-r11JRtPrAgMBAAECggEASD/QKe22bx8SO/T0h40TPpw60xVI3rkDEiDKFhR8aw4P
-MAZT2m6F9YEkuisicJsAQ/kOsCGIMOLK3a9Jv3RlDkl/bXfnOK9IJRDLBw8ulrBk
-uE42DVbrh1bRMCqa8JrS6cVDKQo7kl66J7srE1eNjQx8skWNMi5p8OWSrVMpNZXT
-1jGXFHpHkZz4i5TSeovSKMPRHEpXB3QQRIV7izysxtyQiBgHyCgmxwva5vjRZGQN
-BZyZzDcxpRTVR8B8JvUoxKpNSFatPD2+d0JT/g8a26uLymJbwI+K6bDzTY900xR6
-ufH0pcw0nCgryAHp1Zt8+1hC43nblnnOxJwAJ6ad0QKBgQDgCCvcrlNO5AxsgkmT
-CRaSSIoaUF8+QZIhXXUL6wsdGKba5vND8Rjzdow4Ewy4vO/KGH7vvj9sv1mtV2bu
-kkHk5y6uA2FjUnbGHBxnHzv/mbNa3+q8sYFVF/QqTektqRXdLo98ButOZhTQX6I5
-6EIWHvLDeOlgczDcNPBJ5ZdziQKBgQDK8Vt3goNSCqWTsb+4OFS+KsS6Ncakxu9E
-rdWM2m8TSx5z71Jzp3Lj28rVmPrI5bFhwLFxWcHfipRP+xE1uo2Ga8CqXy6UuvVp
-1hbvzltwecAPeEzPD5hs7pWK7DmKLL3iUnl537CREP4UVwKCrHkt4xLZCaiTv5wn
-m2D36WVK0wKBgQCO0Ua8+TjMmx68cdZbcLi96pZ3rfL5qi1xLbX3MhC0rMl51S8R
-ifphAprjCGncvz2SNUl+pmaied2+XnCU+BIfzaz5a9hCzAhBxRvqNYQ3LpGjBgoL
-3pDXYVzbNy3GWPtCNHNuGq8ZHIR6Te0KQ2EV3wbdzA/i16w3RVxFj6KcGQKBgQCG
-7PjW+Bq/DP0QuPiyTiFpXZ31/5LWMr0ZeEmmoAOBXEwe4Fp9MjMccyDj6hWyQ6Qv
-TaGrrvVK3iPFGTNT+XfmivVJUIbzs2k+uGv/e78nhIrAvkay07ePlQAvoOaQizaj
-phnFgYcuq5GBjGfK4UifzXzWd6lwsc/sNU2/BZmmqQKBgQCD2PevU6thArwydWc3
-ALP+1VvS37n6XOp1ywqECNhUI2rJ8ShbIlF/kbB9ylPnei14cnn4oP04HP9ZFXkR
-yx+OWiTAepvQUFjIXDst+CIUVmeFhE5RcHpOyHioDA6eQ88fzE6sTOC0SvZFF04u
-+O3oaJs+4jqY2DpsCuqYZjBEug==
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCgxtQa9J3GQI88
+kxGAfhkMUz9u9fyPPFOf81Sm+TCgUebhkCk28YeJfEam7iMSo1LqgKBhr4IuqTh6
+MyISoBcg+4gfy776iHMTncu2x8wGapOUMgopOJVohBiogiJ4m5qBAlI+IT5oCiQd
+dfnFHSXR3kfX/8h5hvAfuXoF5rnBRBh+QdId1Pfnsum7XV2PSLAUb8Naz8C+MWD2
++6t1PxAszvHKL6hrQzLJyy4K/fn5clFNdFcJRtGoWO0XSmt2aok/fhavnyA8cUgW
+R+C2uu6zmuBs6aZ5KJV70Vyggn0e08die2ZgAQs+yfJcg0sB90Tym3mBPg4gHBQ2
+aYaHUgW1AgMBAAECggEACcjf+r39ZiXiscCPlZ7W/mmImEOvObZlrnvcIIdU3sTt
+RLgF0hqz8XmXQSyIBOfcsXnfiOJqDVXuIn2/KpwEnFTCjZDUUCICwuRdFAQn1hIh
+Zij/dk/DxAcaCxNUbrullQljoPVb+2/2j7Zw236xIQsimzItbLv6HCwpEXffwTO/
+eadGWRQPwX8So6bPkBgkc6jQk/RrmmwOya/9aM54se4buldGRORRjFBSlWG7RbZ9
+6CjxE/VJ2d2NEt15hfiWqtdwRd/lNMHmqJTmsF4R8zTpABTdUh/ti61rG9Qkkg+H
+3qq22JIik2ro3mCDWQ5CuUeyGjpVT/1AG1aHTMGYhwKBgQDaGDsZ4LVF82gnpIoX
+beg9AeQW3utiJTi/Sfsx6N3JwGTEruuMmeHJVFy8cyQXzs8or7CYZS+KZaJtv+z3
+2WgGwX00zUMCFM5PdexvC+9Cmh/cBhRRa9UyrcCZsrtlos7rO6LfV+1bPXSEgsWx
++BC2ZoBQg3RHw8CJdYET21zTLwKBgQC8uFOtRctmPrFhabDTPwRPRSuKzUc1wROC
+6mibpLasKYwONHVUxV9UbgbCnO79g0JcVtm2bomabxIXuIFWglV9z6vlCo+GQJj2
+u+uubsQ02+eKOhr6jXRFBD1RuTn9Dzg+gHlfgfbsZkPKxXdE66Fxuc+GtKdu/CQU
+lYrsFy9MWwKBgFLureKsQSJFadDRT7WTFKHGS06rHATpNIgBAOU8sMHcSDVGcsm3
+ZlVhoBYFDq+C8+F71YJNz+MnvLlRJzIkWNtgzlS6zQVIlh8/L1YWyref1gebxDQl
+9h9cVQXdIkeGvnpS5h9Z1yc/2kPdWoHPW8OQfLChHCGB/YAHz7qWStj/AoGBAKIy
+MgisAcKgg0db1RPaB1Qx+NhU0a0Lgj90Q+/xQub41lynDWiMMgCYh8rfoi/UjkZa
+hsdafX1zlLM6aj71yZBV2kECMJSMFGuK22aR4KQlk/yjL+jDhniCykjgz0wFtqtR
+M/+37YcD5aPyzy027wyVTB1USssCfegLFtkOnCIdAoGBAIZi6Hm1C/D9shV8t572
+0qLsh51pIjQJ8n6Wirs+cO/khMTJNtn/2coJBnwKC5cNMV0Dm/m9B4fRs/pN8Vp2
+DJODmX9ZIcM0Bi8YcCevuPw7Q97ePW8AHqHAQ5lxL9mpkbBfqjqqcFGidN2KAg9Z
+6turOEUzqj1zLXBq+g3qCT2o
 -----END PRIVATE KEY-----

ntp-proto/test-keys/end.pem

@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDsDCCApigAwIBAgIUeLa0dWVwCQr2akxP7Zrw3RDLAF8wDQYJKoZIhvcNAQEL
+MIIDmjCCAoKgAwIBAgIUP9+8F53FXFa+q2SSww8v1zNEPiIwDQYJKoZIhvcNAQEL
 BQAwVzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
-GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAgFw0y
-MzAxMjAwOTQ3MzhaGA80NzYwMTIxNzA5NDczOFowWTELMAkGA1UEBhMCQVUxEzAR
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
-IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
-MIIBCgKCAQEAsZmqWOnowHpN+nsLk0gqvsmZWPuwMBrnJrlDihyUmMXmf28CDXJL
-/aYDC/3a4EKIAz0uUnH6tCTK6jbmJhouGKnRpo9nS3ee3n0AENgPzcCaBgAoNYMM
-IT7en4a8olRviwKrMCX91fIorbuaUb0VFQ7BgfJhEvXVJinXcxkdTZJ4fztGE5Cy
-iqDGuJ1+EEABmDBrWCOr/gpF5HpAl9m6vbdhEWg3UvM02PAcBAn3z0Eno7O11vEK
-WDjZu6XWRLznY+cFEI0LvF8gLfilC15QgJdtb4+bh5jJsLHCCobBgARBdk50yhbj
-eQBwDOVMm2OJl5/BUl2OYbD/nK9dSUbT6wIDAQABo3AwbjAfBgNVHSMEGDAWgBR3
-Va6VsK3920NVj7trkQittchtpTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNV
-HREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFGWx6Z2EPXqL6pb+65eD/Dl4do/l
-MA0GCSqGSIb3DQEBCwUAA4IBAQCUEyM1M6EfDOkv9MHL3q1U72JvrKFx6lPDMTWd
-n/tWTILyQejETXWLmCxhle4JwIC+EQfAS6o/EFumgGvKp2xKuM4lS0ccaIBCCkjf
-bKkB5WxLppHPznxpv33f1DcU4WRNewBDra3FqJSGYGVjuHAPu4dZbPmU2bqhA22g
-0tdwFZyDC3b32CY40m8gbR7VvcymMufyOeLWImR6GVCm5N6SUVpYEPbL2PFHkvnq
-Z6SALFAeH/Um/uPsWemBPfxMXjq5dDKWaaigiC4wxdfpPqAfORrYbRWcCOoYQv2U
-9BO4LkL8OYBtG0IFuWU9eKpchFZgXbDjeoHFqBHz40yQ2yhk
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEQMA4GA1UEAwwHVGVzdCBDQTAeFw0y
+NTAyMjcwODUzMTJaFw0yNjAyMjcwODUzMTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYD
+VQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBM
+dGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgxtQa9J3GQI88kxGA
+fhkMUz9u9fyPPFOf81Sm+TCgUebhkCk28YeJfEam7iMSo1LqgKBhr4IuqTh6MyIS
+oBcg+4gfy776iHMTncu2x8wGapOUMgopOJVohBiogiJ4m5qBAlI+IT5oCiQddfnF
+HSXR3kfX/8h5hvAfuXoF5rnBRBh+QdId1Pfnsum7XV2PSLAUb8Naz8C+MWD2+6t1
+PxAszvHKL6hrQzLJyy4K/fn5clFNdFcJRtGoWO0XSmt2aok/fhavnyA8cUgWR+C2
+uu6zmuBs6aZ5KJV70Vyggn0e08die2ZgAQs+yfJcg0sB90Tym3mBPg4gHBQ2aYaH
+UgW1AgMBAAGjcDBuMB8GA1UdIwQYMBaAFHdVrpWwrf3bQ1WPu2uRCK21yG2lMAkG
+A1UdEwQCMAAwCwYDVR0PBAQDAgUgMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAdBgNV
+HQ4EFgQUg82rmpQGdA7S1aC74TCtI3eE7HEwDQYJKoZIhvcNAQELBQADggEBAGlA
+t6sTGUOHyQw1RUpDsRBwzkN0/as4Hgtu/mIAM177G/Ep+cB5KCAnTjmndEZnkugk
+QVZtO46+u9+LCGqHt61RbeiaIKiLpmIEATqzkciVVjNMbulTfTMMK3mowDKBzkqe
+Ygt1dn1NYfBwViKmUnIQzZyRJw0us/9W1f1SB4ABs4vxnl5NPO2a/feUPTna4FbG
+jk2czinbdXBjhF2kl9GDIfPWyt/C3qFwySGKK5r0xQaP22bF4dbGm1IYY1Uu0T7z
+ma0z/EXHO0E88PWZ14HCFa3AtraBltlmihfmTiDJMrrL5k4IP1gcmbbAgz2ZBmTi
+ECx4XlIQFTs/bxgWqA8=
 -----END CERTIFICATE-----

ntp-proto/test-keys/gen-cert.sh

@@ -37,7 +37,7 @@ DNS.1 = $NAME
 EOF
 
 # generate the signed certificate with the provided CA
-openssl x509 -req -in "$NAME".csr -CA "$CA".pem -CAkey "$CA".key -CAcreateserial -out "$NAME".pem -days 1825 -sha256 -extfile "$NAME".ext
+openssl x509 -req -in "$NAME".csr -CA "$CA".pem -CAkey "$CA".key -CAcreateserial -out "$NAME".pem -days 365 -sha256 -extfile "$NAME".ext
 
 # generate the full certificate chain version
 cat "$NAME".pem "$CA".pem > "$NAME".chain.pem

ntpd/src/daemon/keyexchange.rs

@@ -26,29 +26,15 @@ use super::exitcode;
 async fn build_client_config(
     extra_certificates: &[Certificate],
 ) -> Result<tls_utils::ClientConfig, KeyExchangeError> {
-    let mut roots = tokio::task::spawn_blocking(move || {
-        let mut roots = tls_utils::RootCertStore::empty();
-        for cert in tls_utils::pemfile::load_native_certs()? {
-            roots
-                .add(tls_utils::pemfile::rootstore_ref_shim(&cert))
-                .map_err(KeyExchangeError::Certificate)?;
-        }
-        Ok::<_, KeyExchangeError>(roots)
-    })
-    .await
-    .expect("Unexpected error while loading root certificates")?;
-
-    for cert in extra_certificates {
-        roots
-            .add(tls_utils::pemfile::rootstore_ref_shim(cert))
-            .map_err(KeyExchangeError::Certificate)?;
-    }
-
-    Ok(
-        tls_utils::client_config_builder_with_protocol_versions(&[&TLS13])
-            .with_root_certificates(roots)
-            .with_no_client_auth(),
-    )
+    let builder = tls_utils::client_config_builder_with_protocol_versions(&[&TLS13]);
+    let provider = builder.crypto_provider().clone();
+    let verifier =
+        tls_utils::PlatformVerifier::new_with_extra_roots(extra_certificates.iter().cloned())?
+            .with_provider(provider);
+    Ok(builder
+        .dangerous()
+        .with_custom_certificate_verifier(Arc::new(verifier))
+        .with_no_client_auth())
 }
 
 pub(crate) async fn key_exchange_client(

nts-pool-ke/Cargo.toml

@@ -11,7 +11,7 @@ publish.workspace = true
 rust-version.workspace = true
 
 [package.metadata.cargo-udeps.ignore]
-normal = [ "ntp-proto", "rustls-native-certs7", "rustls-pemfile2", "rustls23", "serde", "tokio-rustls", "toml", "tracing", "tracing-subscriber" ]
+normal = [ "ntp-proto", "rustls-platform-verifier", "rustls-pemfile2", "rustls23", "serde", "tokio-rustls", "toml", "tracing", "tracing-subscriber" ]
 
 [dependencies]
 tokio = { workspace = true, features = ["rt-multi-thread", "io-util", "fs", "net", "macros", "time" ] }
@@ -20,7 +20,7 @@ tracing.workspace = true
 tracing-subscriber = { version = "0.3.0", default-features = false, features = ["std", "fmt", "ansi"] }
 rustls23.workspace = true
 rustls-pemfile2.workspace = true
-rustls-native-certs7.workspace = true
+rustls-platform-verifier.workspace = true
 serde.workspace = true
 ntp-proto = { workspace = true }
 tokio-rustls.workspace = true

nts-pool-ke/src/lib.rs

@@ -1,7 +1,6 @@
 #[cfg(feature = "unstable_nts-pool")]
 mod condcompile {
     extern crate rustls23 as rustls;
-    extern crate rustls_native_certs7 as rustls_native_certs;
     extern crate rustls_pemfile2 as rustls_pemfile;
 
     mod cli;
@@ -22,6 +21,7 @@ mod condcompile {
         pki_types::{CertificateDer, ServerName},
         version::TLS13,
     };
+    use rustls_platform_verifier::Verifier;
     use tokio::{
         io::{AsyncReadExt, AsyncWriteExt},
         net::{TcpListener, ToSocketAddrs},
@@ -458,19 +458,14 @@ mod condcompile {
         certificate_chain: Vec<rustls::pki_types::CertificateDer<'static>>,
         private_key: rustls::pki_types::PrivateKeyDer<'static>,
     ) -> Result<tokio_rustls::TlsConnector, KeyExchangeError> {
-        let mut roots = rustls::RootCertStore::empty();
-        for cert in rustls_native_certs::load_native_certs()? {
-            roots.add(cert).map_err(KeyExchangeError::Certificate)?;
-        }
-
-        for cert in extra_certificates {
-            roots
-                .add(cert.clone())
-                .map_err(KeyExchangeError::Certificate)?;
-        }
-
-        let config = rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13])
-            .with_root_certificates(roots)
+        let builder = rustls::ClientConfig::builder_with_protocol_versions(&[&TLS13]);
+        let provider = builder.crypto_provider().clone();
+        let verifier = Verifier::new_with_extra_roots(extra_certificates.iter().cloned())?
+            .with_provider(provider);
+
+        let config = builder
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(verifier))
             .with_client_auth_cert(certificate_chain, private_key)
             .unwrap();