From 8bb4e10881730576bbb82e54ede1ebf5931194c3 Mon Sep 17 00:00:00 2001
From: Matt Mastracci
Date: Fri, 25 Aug 2023 15:40:25 -0600
Subject: fix(ext/tls): upgrade webpki version (#20285)

This removes a webpki version that was showing up as vulnerable to https://github.com/briansmith/webpki/issues/69. Needed to upgrade `reqwest` as part of this.
---
 ext/tls/Cargo.toml | 6 +++---
 ext/tls/lib.rs | 12 ++++++------
 2 files changed, 9 insertions(+), 9 deletions(-)
(limited to 'ext')

diff --git a/ext/tls/Cargo.toml b/ext/tls/Cargo.toml
index 4dfc045f6..a06af68ac 100644
--- a/ext/tls/Cargo.toml
+++ b/ext/tls/Cargo.toml
@@ -17,8 +17,8 @@ path = "lib.rs"
 deno_core.workspace = true
 once_cell.workspace = true
 rustls = { workspace = true, features = ["dangerous_configuration"] }
-rustls-native-certs = "0.6.2"
+rustls-native-certs.workspace = true
 rustls-pemfile.workspace = true
+rustls-webpki.workspace = true
 serde.workspace = true
-webpki = "0.22"
-webpki-roots = "0.22"
+webpki-roots.workspace = true
diff --git a/ext/tls/lib.rs b/ext/tls/lib.rs
index dded1b385..78ad243c1 100644
--- a/ext/tls/lib.rs
+++ b/ext/tls/lib.rs
@@ -145,15 +145,15 @@ pub struct BasicAuth {
 pub fn create_default_root_cert_store() -> RootCertStore {
 let mut root_cert_store = RootCertStore::empty();
 // TODO(@justinmchase): Consider also loading the system keychain here
- root_cert_store.add_server_trust_anchors(
- webpki_roots::TLS_SERVER_ROOTS.0.iter().map(|ta| {
+ root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(
+ |ta| {
 rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
 ta.subject,
 ta.spki,
 ta.name_constraints,
 )
- }),
- );
+ },
+ ));
 root_cert_store
 }
 
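Review bot: Dropping the direct `webpki = "0.22"` line in this hunk does not by itself show that the crate is gone from the build, because the view is limited to `ext` and neither the workspace manifest nor Cargo.lock is visible here. The commit message says `reqwest` had to be upgraded as part of the fix, so the old crate was presumably also reachable transitively. I would confirm with `cargo tree -i webpki` that nothing resolves it any more, and consider a cargo-deny `[bans]` entry for `webpki` so it cannot come back through a later dependency update.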
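Review bot: `create_default_root_cert_store` has no doc comment saying which roots it trusts, and that is the security-relevant fact about this function. From the visible lines the store is filled only from `webpki_roots::TLS_SERVER_ROOTS`, and the TODO confirms the system keychain is not loaded, so root additions and distrust decisions reach users only when the `webpki-roots` version in the workspace is updated. I would add `/// Returns a root store holding only the trust anchors compiled in from webpki-roots; the OS trust store is not consulted, so the set changes only when that crate is updated.` above the function.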
@@ -187,7 +187,7 @@ pub fn create_client_config( let client = if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key { client_config - .with_single_cert(cert_chain, private_key) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate") } else { client_config.with_no_client_auth() @@ -223,7 +223,7 @@ pub fn create_client_config( let client = if let Some((cert_chain, private_key)) = maybe_cert_chain_and_key { client_config - .with_single_cert(cert_chain, private_key) + .with_client_auth_cert(cert_chain, private_key) .expect("invalid client key or certificate") } else { client_config.with_no_client_auth() -- cgit v1.2.3
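Review bot: The `.expect("invalid client key or certificate")` that follows the renamed `with_client_auth_cert` call still panics when rustls rejects the supplied chain or key, and those values are presumably caller-provided; the same pattern is in the hunk at line 223. If `create_client_config` returns a `Result` (its signature and the rest of its body are outside both hunks), the failure should be propagated instead, for example `.with_client_auth_cert(cert_chain, private_key)?` with the error converted to the function's error type. As written, a malformed certificate or key aborts the process rather than surfacing as an error the embedder can handle and log.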