Add support for reading custom cert paths (#104)

* Add support to env variables REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE * Fix failing cargo fmt and clippy * Fix deny --------- Co-authored-by: Jake Shadle <[email protected]>
Jake-Shadle · Nov 7, 2023 · eee7f11 · eee7f11
1 parent 93cc35e
commit eee7f11
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 115 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,7 +16,7 @@ default = ["rustls-tls"]
 rustls-tls = ["ureq/tls"]
 # If this feature is enabled we instead use the native TLS implementation for the
 # target platform
-native-tls = ["ureq/native-tls", "native-tls-crate/vendored"]
+native-tls = ["ureq/native-tls", "native-tls-crate/vendored", "rustls-pemfile", "rustls"]
 
 [dependencies]
 # Easy errors
@@ -47,6 +47,9 @@ regex = "1.0"
 ureq = { version = "2.4", default-features = false, features = ["gzip"] }
 memchr = "2.6"
 native-tls-crate = { package = "native-tls", version = "0.2", optional = true }
+# CA Cert for HTTP requests
+rustls = { version = "0.21.8", optional = true }
+rustls-pemfile = { version = "1.0.3", optional = true }
 # SHA-256 verification
 sha2 = "0.10"
 # Deserialization

diff --git a/deny.toml b/deny.toml
@@ -43,8 +43,6 @@ skip = [
   { name = "regex-syntax", version = "=0.6.29" },
   # ditto :(
   { name = "regex-automata", version = "=0.1.10" },
-  # ureq
-  { name = "rustls-webpki", version = "=0.100.2" },
 ]
 skip-tree = [
   # clap -> terminal_size

diff --git a/src/ctx.rs b/src/ctx.rs
@@ -27,11 +27,24 @@ pub struct Ctx {
 impl Ctx {
     fn http_client(read_timeout: Option<Duration>) -> Result<ureq::Agent, Error> {
         let mut builder = ureq::builder();
-
         #[cfg(feature = "native-tls")]
         {
+            use std::env;
+            use std::fs::File;
+            use std::io::BufReader;
             use std::sync::Arc;
-            builder = builder.tls_connector(Arc::new(native_tls_crate::TlsConnector::new()?));
+
+            let mut tls_builder = native_tls_crate::TlsConnector::builder();
+            if let Some(custom_ca) =
+                env::var_os("REQUESTS_CA_BUNDLE").or_else(|| env::var_os("CURL_CA_BUNDLE"))
+            {
+                let mut reader = BufReader::new(File::open(custom_ca)?);
+                for cert in rustls_pemfile::certs(&mut reader)? {
+                    tls_builder
+                        .add_root_certificate(native_tls_crate::Certificate::from_pem(&cert)?);
+                }
+            }
+            builder = builder.tls_connector(Arc::new(tls_builder.build()?));
         }
 
         // Allow user to specify timeout values in the case of bad/slow proxies