From a9b1e5293c0e9c8bf92899e03e4da622684e4b0e Mon Sep 17 00:00:00 2001
From: Luke Parker <lukeparker5132@gmail.com>
Date: Thu, 18 Sep 2025 18:15:24 -0400
Subject: [PATCH] Support `webpki-roots` as a fallback in `simple-request`

---
 Cargo.lock                | 12 +++++++++++-
 common/request/Cargo.toml |  1 +
 common/request/src/lib.rs | 26 ++++++++++++++++----------
 3 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 7ca9d2cb..3c7e4985 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4317,6 +4317,7 @@ dependencies = [
  "tokio",
  "tokio-rustls",
  "tower-service",
+ "webpki-roots 1.0.2",
 ]
 
 [[package]]
@@ -5622,7 +5623,7 @@ dependencies = [
  "soketto 0.8.1",
  "thiserror 1.0.69",
  "url",
- "webpki-roots",
+ "webpki-roots 0.25.4",
 ]
 
 [[package]]
@@ -13396,6 +13397,15 @@ version = "0.25.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
 
+[[package]]
+name = "webpki-roots"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "which"
 version = "4.4.2"
diff --git a/common/request/Cargo.toml b/common/request/Cargo.toml
index 7ed74def..75c7d67a 100644
--- a/common/request/Cargo.toml
+++ b/common/request/Cargo.toml
@@ -31,5 +31,6 @@ base64ct = { version = "1", features = ["alloc"], optional = true }
 
 [features]
 tls = ["hyper-rustls"]
+webpki-roots = ["tls", "hyper-rustls/webpki-roots"]
 basic-auth = ["zeroize", "base64ct"]
 default = ["tls"]
diff --git a/common/request/src/lib.rs b/common/request/src/lib.rs
index 4feffd7d..63350a1c 100644
--- a/common/request/src/lib.rs
+++ b/common/request/src/lib.rs
@@ -52,24 +52,30 @@ pub struct Client {
 }
 
 impl Client {
+  #[allow(clippy::unnecessary_wraps)]
   fn connector() -> Result<Connector, Error> {
     let mut res = HttpConnector::new();
     res.set_keepalive(Some(core::time::Duration::from_secs(60)));
     res.set_nodelay(true);
     res.set_reuse_address(true);
+
     #[cfg(feature = "tls")]
     res.enforce_http(false);
     #[cfg(feature = "tls")]
-    let res = HttpsConnectorBuilder::new()
-      .with_native_roots()
-      .map_err(|e| {
-        Error::ConnectionError(
-          format!("couldn't load system's SSL root certificates: {e:?}").into(),
-        )
-      })?
-      .https_or_http()
-      .enable_http1()
-      .wrap_connector(res);
+    let https = HttpsConnectorBuilder::new().with_native_roots();
+    #[cfg(all(feature = "tls", not(feature = "webpki-roots")))]
+    let https = https.map_err(|e| {
+      Error::ConnectionError(
+        format!("couldn't load system's SSL root certificates and webpki-roots unavilable: {e:?}")
+          .into(),
+      )
+    })?;
+    // Fallback to `webpki-roots` if present
+    #[cfg(all(feature = "tls", feature = "webpki-roots"))]
+    let https = https.unwrap_or(HttpsConnectorBuilder::new().with_webpki_roots());
+    #[cfg(feature = "tls")]
+    let res = https.https_or_http().enable_http1().wrap_connector(res);
+
     Ok(res)
   }