polyfill with_native_roots in hyper_legacy to avoid RUSTSEC-2025-0134 (#4441)

arielb1 · web-flow · commit 8a939c7b0de5 · 2025-12-08T19:55:28.000+02:00
diff --git a/.changelog/1765121185.md b/.changelog/1765121185.md
@@ -0,0 +1,14 @@
+---
+applies_to:
+- client
+- aws-sdk-rust
+authors:
+- arielb1
+references:
+- aws-sdk-rust#1390
+breaking: false
+new_feature: false
+bug_fix: true
+---
+In `legacy-rustls-ring`, polyfill `with_native_roots` to use `rustls_native_certs 0.8` to avoid
+RUSTSEC-2025-0134.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -88,7 +88,7 @@ jobs:
         # These correspond to scripts in tools/ci-scripts that will be run in the Docker build image
         test:
         - action: check-aws-sdk-adhoc-tests
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-client-codegen-integration-tests
           runner: smithy_ubuntu-latest_8-core
         - action: check-client-codegen-unit-tests
@@ -101,31 +101,31 @@ jobs:
         - action: check-sdk-codegen-unit-tests
           runner: smithy_ubuntu-latest_8-core
         - action: check-fuzzgen
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-server-codegen-integration-tests
           runner: smithy_ubuntu-latest_8-core
         - action: check-server-codegen-integration-tests-python
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-server-codegen-unit-tests
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-server-codegen-unit-tests-python
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-serde-codegen-unit-tests
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-server-e2e-test
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-server-python-e2e-test
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-style-and-lints
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-book
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-tools
           runner: smithy_ubuntu-latest_8-core
         - action: check-deterministic-codegen
           runner: smithy_ubuntu-latest_8-core
         - action: check-codegen-version
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
     steps:
     - uses: GitHubSecurityLab/actions-permissions/monitor@v1
     - uses: actions/checkout@v4
@@ -177,19 +177,19 @@ jobs:
         - action: check-aws-config
           runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-canary
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-cargo-deny
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-only-aws-sdk-services
           runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-smoketest-docs-clippy-udeps
           runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-smoketest-unit-tests
           runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-standalone-integration-tests
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
         - action: check-aws-sdk-benchmarks
-          runner: ubuntu-latest
+          runner: smithy_ubuntu-latest_8-core
     steps:
     - uses: GitHubSecurityLab/actions-permissions/monitor@v1
     - uses: actions/checkout@v4
diff --git a/aws/rust-runtime/Cargo.lock b/aws/rust-runtime/Cargo.lock
diff --git a/aws/rust-runtime/aws-types/Cargo.toml b/aws/rust-runtime/aws-types/Cargo.toml
@@ -22,7 +22,7 @@ tracing = "0.1.40"
 # cargo does not support optional test dependencies, so to completely disable rustls
 # we need to add the webpki-roots feature here.
 # https://github.com/rust-lang/cargo/issues/1596
-hyper-rustls = { version = "0.24", optional = true, features = ["rustls-native-certs", "http2", "webpki-roots"] }
+hyper-rustls = { version = "0.24.2", optional = true, default-features = false, features = ["http2", "webpki-roots"] }
 
 [dev-dependencies]
 http = "0.2.4"
diff --git a/codegen-server-test/integration-tests/Cargo.lock b/codegen-server-test/integration-tests/Cargo.lock
diff --git a/rust-runtime/aws-smithy-http-client/Cargo.toml b/rust-runtime/aws-smithy-http-client/Cargo.toml
@@ -65,7 +65,7 @@ legacy-test-util = [
     "aws-smithy-types/http-body-0-4-x",
 ]
 
-legacy-rustls-ring = ["dep:legacy-hyper-rustls", "dep:legacy-rustls", "hyper-014"]
+legacy-rustls-ring = ["dep:legacy-hyper-rustls", "dep:legacy-rustls", "dep:rustls-native-certs", "hyper-014"]
 
 rustls-ring = ["dep:rustls", "rustls?/ring", "dep:hyper-rustls", "dep:tokio-rustls", "default-client"]
 rustls-aws-lc = ["dep:rustls", "rustls?/aws_lc_rs", "rustls?/prefer-post-quantum", "dep:hyper-rustls", "dep:tokio-rustls", "default-client"]
@@ -103,7 +103,7 @@ rustls-native-certs = { version = "0.8.1", optional = true }
 http-02x = { package = "http", version = "0.2.9", optional = true}
 http-body-04x = { package = "http-body", version = "0.4.5" , optional = true}
 hyper-0-14 = { package = "hyper", version = "0.14.26", default-features = false, features = ["client", "http1", "http2", "tcp", "stream"], optional = true }
-legacy-hyper-rustls = { package = "hyper-rustls", version = "0.24", features = ["rustls-native-certs", "http2"], optional = true }
+legacy-hyper-rustls = { package = "hyper-rustls", version = "0.24.2", default-features = false, features = ["http1", "tls12", "logging", "acceptor", "tokio-runtime", "http2"], optional = true }
 legacy-rustls = { package = "rustls", version = "0.21.8", optional = true }
 h2-0-3 = { package = "h2", version = "0.3.24", optional = true }
 # end legacy stack deps
diff --git a/rust-runtime/aws-smithy-http-client/src/hyper_legacy.rs b/rust-runtime/aws-smithy-http-client/src/hyper_legacy.rs
@@ -49,10 +49,43 @@ mod default_connector {
     > = LazyLock::new(default_tls);
 
     fn default_tls() -> hyper_rustls::HttpsConnector<hyper_0_14::client::HttpConnector> {
-        use hyper_rustls::ConfigBuilderExt;
+        use legacy_rustls::client::WantsTransparencyPolicyOrClientCert;
+        use legacy_rustls::{ClientConfig, ConfigBuilder, WantsVerifier};
+        use rustls_native_certs;
+        // polyfill with_native_roots from https://docs.rs/hyper-rustls/0.24.2/src/hyper_rustls/config.rs.html#22-70
+        // to use the new rustls_native_certs, since rustls_native_certs 0.6 depends on rustls-pemfile which is deprecated
+        fn with_native_roots(
+            this: ConfigBuilder<ClientConfig, WantsVerifier>,
+        ) -> ConfigBuilder<ClientConfig, WantsTransparencyPolicyOrClientCert> {
+            let mut roots = rustls::RootCertStore::empty();
+            let mut valid_count = 0;
+            let mut invalid_count = 0;
+
+            for cert in
+                rustls_native_certs::load_native_certs().expect("could not load platform certs")
+            {
+                let cert = rustls::Certificate(cert.to_vec());
+                match roots.add(&cert) {
+                    Ok(_) => valid_count += 1,
+                    Err(err) => {
+                        tracing::trace!("invalid cert der {:?}", cert.0);
+                        tracing::debug!("certificate parsing failed: {:?}", err);
+                        invalid_count += 1
+                    }
+                }
+            }
+            tracing::debug!(
+                "with_native_roots processed {} valid and {} invalid certs",
+                valid_count,
+                invalid_count
+            );
+            assert!(!roots.is_empty(), "no CA certificates found");
+
+            this.with_root_certificates(roots)
+        }
         hyper_rustls::HttpsConnectorBuilder::new()
                .with_tls_config(
-                rustls::ClientConfig::builder()
+                with_native_roots(rustls::ClientConfig::builder()
                     .with_cipher_suites(&[
                         // TLS1.3 suites
                         rustls::cipher_suite::TLS13_AES_256_GCM_SHA384,
@@ -66,8 +99,7 @@ mod default_connector {
                     ])
                     .with_safe_default_kx_groups()
                     .with_safe_default_protocol_versions()
-                    .expect("Error with the TLS configuration. Please file a bug report under https://github.com/smithy-lang/smithy-rs/issues.")
-                    .with_native_roots()
+                    .expect("Error with the TLS configuration. Please file a bug report under https://github.com/smithy-lang/smithy-rs/issues."))
                     .with_no_client_auth()
             )
             .https_or_http()
diff --git a/rust-runtime/aws-smithy-http-server-python/Cargo.toml b/rust-runtime/aws-smithy-http-server-python/Cargo.toml
@@ -49,7 +49,7 @@ tower-test = "0.4"
 tokio-test = "0.4"
 pyo3-asyncio = { version = "0.20.0", features = ["testing", "attributes", "tokio-runtime", "unstable-streams"] }
 rcgen = "0.10.0"
-hyper-rustls = { version = "0.24", features = ["http2"] }
+hyper-rustls = { version = "0.24.2", features = ["http2"] }
 
 # PyO3 Asyncio tests cannot use Cargo's default testing harness because `asyncio`
 # wants to control the main thread. So we need to use testing harness provided by `pyo3_asyncio`
