account: support default client w/ custom root

Author: cpu

Cargo.toml

@@ -15,7 +15,7 @@ categories = ["web-programming", "api-bindings"]
 default = ["aws-lc-rs", "hyper-rustls"]
 aws-lc-rs = ["dep:aws-lc-rs", "hyper-rustls?/aws-lc-rs", "rcgen/aws_lc_rs"]
 fips = ["aws-lc-rs", "aws-lc-rs?/fips"]
-hyper-rustls = ["dep:hyper", "dep:hyper-rustls", "dep:hyper-util"]
+hyper-rustls = ["dep:hyper", "dep:hyper-rustls", "dep:hyper-util", "dep:rustls"]
 rcgen = ["dep:rcgen"]
 ring = ["dep:ring", "hyper-rustls?/ring", "rcgen/ring"]
 time = ["dep:time"]
@@ -35,6 +35,7 @@ hyper-rustls = { version = "0.27.7", default-features = false, features = ["http
 hyper-util = { version = "0.1.5", features = ["client", "client-legacy", "http1", "http2", "tokio"], optional = true }
 rcgen = { version = "0.14", default-features = false, features = ["pem"], optional = true }
 ring = { version = "0.17", features = ["std"], optional = true }
+rustls = { version = "0.23", default-features = false, optional = true }
 rustls-pki-types = "1.1.0"
 serde = { version = "1.0.104", features = ["derive"] }
 serde_json = "1.0.78"

src/account.rs

@@ -1,3 +1,5 @@
+#[cfg(feature = "hyper-rustls")]
+use std::path::Path;
 use std::sync::Arc;
 #[cfg(feature = "time")]
 use std::time::{Duration, SystemTime};
@@ -6,6 +8,12 @@ use base64::prelude::{BASE64_URL_SAFE_NO_PAD, Engine};
 use http::header::LOCATION;
 #[cfg(feature = "time")]
 use http::{Method, Request};
+#[cfg(feature = "hyper-rustls")]
+use rustls::RootCertStore;
+#[cfg(feature = "hyper-rustls")]
+use rustls_pki_types::CertificateDer;
+#[cfg(feature = "hyper-rustls")]
+use rustls_pki_types::pem::PemObject;
 use rustls_pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
 use serde::de::DeserializeOwned;
 use serde::{Deserialize, Serialize};
@@ -48,6 +56,26 @@ impl Account {
         })
     }
 
+    /// Create an account builder with an HTTP client configured using a custom root CA
+    ///
+    /// This is useful if your ACME server uses a testing PKI and not a certificate
+    /// chain issued by a publicly trusted CA.
+    #[cfg(feature = "hyper-rustls")]
+    pub fn builder_with_root(pem_path: impl AsRef<Path>) -> Result<AccountBuilder, Error> {
+        let root_der = match CertificateDer::from_pem_file(pem_path) {
+            Ok(root_der) => root_der,
+            Err(err) => return Err(Error::Other(err.into())),
+        };
+
+        let mut roots = RootCertStore::empty();
+        match roots.add(root_der) {
+            Ok(()) => Ok(AccountBuilder {
+                http: Box::new(DefaultClient::with_roots(roots)?),
+            }),
+            Err(err) => Err(Error::Other(err.into())),
+        }
+    }
+
     /// Create an account builder with the given HTTP client
     pub fn builder_with_http(http: Box<dyn HttpClient>) -> AccountBuilder {
         AccountBuilder { http }

src/lib.rs

@@ -23,6 +23,10 @@ use httpdate::HttpDate;
 #[cfg(feature = "hyper-rustls")]
 use hyper::body::Incoming;
 #[cfg(feature = "hyper-rustls")]
+use hyper_rustls::HttpsConnectorBuilder;
+#[cfg(feature = "hyper-rustls")]
+use hyper_rustls::builderstates::WantsSchemes;
+#[cfg(feature = "hyper-rustls")]
 use hyper_util::client::legacy::Client as HyperClient;
 #[cfg(feature = "hyper-rustls")]
 use hyper_util::client::legacy::connect::{Connect, HttpConnector};
@@ -195,18 +199,29 @@ struct DefaultClient(HyperClient<hyper_rustls::HttpsConnector<HttpConnector>, Bo
 #[cfg(feature = "hyper-rustls")]
 impl DefaultClient {
     fn try_new() -> Result<Self, Error> {
-        Ok(Self(
-            HyperClient::builder(TokioExecutor::new()).build(
-                hyper_rustls::HttpsConnectorBuilder::new()
-                    .try_with_platform_verifier()
-                    .map_err(|e| Error::Other(Box::new(e)))?
-                    .https_only()
-                    .enable_http1()
-                    .enable_http2()
-                    .build(),
+        Ok(Self::new(
+            hyper_rustls::HttpsConnectorBuilder::new()
+                .try_with_platform_verifier()
+                .map_err(|e| Error::Other(Box::new(e)))?,
+        ))
+    }
+
+    fn with_roots(roots: rustls::RootCertStore) -> Result<Self, Error> {
+        Ok(Self::new(
+            hyper_rustls::HttpsConnectorBuilder::new().with_tls_config(
+                rustls::ClientConfig::builder()
+                    .with_root_certificates(roots)
+                    .with_no_client_auth(),
             ),
         ))
     }
+
+    fn new(builder: HttpsConnectorBuilder<WantsSchemes>) -> Self {
+        Self(
+            HyperClient::builder(TokioExecutor::new())
+                .build(builder.https_only().enable_http1().enable_http2().build()),
+        )
+    }
 }
 
 #[cfg(feature = "hyper-rustls")]