provide with_platform_verifier_and_extra_roots extension function

conradludgate · conradludgate · commit 0bd0573b2927 · 2026-01-02T19:12:24.000Z
diff --git a/rustls-platform-verifier/src/lib.rs b/rustls-platform-verifier/src/lib.rs
@@ -58,6 +58,26 @@ pub trait BuilderVerifierExt {
     fn with_platform_verifier(
         self,
     ) -> Result<ConfigBuilder<ClientConfig, WantsClientCert>, rustls::Error>;
+
+    /// Configures the `ClientConfig` with the platform verifier
+    /// and the extra root certificates to trust.
+    ///
+    /// ```rust
+    /// use rustls::ClientConfig;
+    /// use rustls_platform_verifier::BuilderVerifierExt;
+    ///
+    /// let roots = vec![/* ... */];
+    ///
+    /// let config = ClientConfig::builder()
+    ///     .with_platform_verifier_and_extra_roots(roots)
+    ///     .unwrap()
+    ///     .with_no_client_auth();
+    /// ```
+    #[cfg(not(target_os = "android"))]
+    fn with_platform_verifier_and_extra_roots(
+        self,
+        roots: impl IntoIterator<Item = rustls::pki_types::CertificateDer<'static>>,
+    ) -> Result<ConfigBuilder<ClientConfig, WantsClientCert>, rustls::Error>;
 }
 
 impl BuilderVerifierExt for ConfigBuilder<ClientConfig, WantsVerifier> {
@@ -69,6 +89,17 @@ impl BuilderVerifierExt for ConfigBuilder<ClientConfig, WantsVerifier> {
             .dangerous()
             .with_custom_certificate_verifier(Arc::new(verifier)))
     }
+
+    #[cfg(not(target_os = "android"))]
+    fn with_platform_verifier_and_extra_roots(
+        self,
+        roots: impl IntoIterator<Item = rustls::pki_types::CertificateDer<'static>>,
+    ) -> Result<ConfigBuilder<ClientConfig, WantsClientCert>, rustls::Error> {
+        let verifier = Verifier::new_with_extra_roots(roots, self.crypto_provider().clone())?;
+        Ok(self
+            .dangerous()
+            .with_custom_certificate_verifier(Arc::new(verifier)))
+    }
 }
 
 /// Extension trait to help build a [`ClientConfig`] with the platform verifier.
@@ -78,9 +109,25 @@ pub trait ConfigVerifierExt {
     /// ```rust
     /// use rustls::ClientConfig;
     /// use rustls_platform_verifier::ConfigVerifierExt;
-    /// let config = ClientConfig::with_platform_verifier();
+    /// let config = ClientConfig::with_platform_verifier().unwrap();
     /// ```
     fn with_platform_verifier() -> Result<ClientConfig, rustls::Error>;
+
+    /// Build a [`ClientConfig`] with the platform verifier, the default `CryptoProvider`,
+    /// and the extra root certificates to trust.
+    ///
+    /// ```rust
+    /// use rustls::ClientConfig;
+    /// use rustls_platform_verifier::ConfigVerifierExt;
+    ///
+    /// let roots = vec![/* ... */];
+    ///
+    /// let config = ClientConfig::with_platform_verifier_and_extra_roots(roots).unwrap();
+    /// ```
+    #[cfg(not(target_os = "android"))]
+    fn with_platform_verifier_and_extra_roots(
+        roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
+    ) -> Result<ClientConfig, rustls::Error>;
 }
 
 impl ConfigVerifierExt for ClientConfig {
@@ -89,4 +136,13 @@ impl ConfigVerifierExt for ClientConfig {
             .with_platform_verifier()?
             .with_no_client_auth())
     }
+
+    #[cfg(not(target_os = "android"))]
+    fn with_platform_verifier_and_extra_roots(
+        roots: impl IntoIterator<Item = pki_types::CertificateDer<'static>>,
+    ) -> Result<ClientConfig, rustls::Error> {
+        Ok(ClientConfig::builder()
+            .with_platform_verifier_and_extra_roots(roots)?
+            .with_no_client_auth())
+    }
 }
