Codex Handbook
utils/rustls-provider/src/lib.rs 39 lines
use std::sync::Once;const REQUIRED_SIGNATURE_SCHEME: rustls::SignatureScheme =    rustls::SignatureScheme::ECDSA_NISTP521_SHA512;/// Ensures a process-wide rustls crypto provider is installed.////// rustls cannot auto-select a provider when both `ring` and `aws-lc-rs`/// features are enabled in the dependency graph.pub fn ensure_rustls_crypto_provider() {    static RUSTLS_PROVIDER_INIT: Once = Once::new();    RUSTLS_PROVIDER_INIT.call_once(|| {        // aws-lc-rs supports a broader WebPKI signature set than ring, including        // ECDSA P-521/SHA-512 certs used by some enterprise TLS proxies.        if rustls::crypto::aws_lc_rs::default_provider()            .install_default()            .is_err()        {            // Preserve the previous best-effort behavior for embedded hosts that            // install a process-global provider before Codex can install one.            return;        }        let Some(provider) = rustls::crypto::CryptoProvider::get_default() else {            panic!("aws-lc-rs rustls crypto provider should be installed");        };        assert!(            provider_supports_required_signature_scheme(provider),            "installed rustls crypto provider must support {REQUIRED_SIGNATURE_SCHEME:?}"        );    });}fn provider_supports_required_signature_scheme(provider: &rustls::crypto::CryptoProvider) -> bool {    provider        .signature_verification_algorithms        .supported_schemes()        .contains(&REQUIRED_SIGNATURE_SCHEME)}