incorporating feedback from code review

- separate webpki-roots crate into its own subdirectory
- change pki-types dependency from `0.2.2` to `=0.2.2`
- set rustls-webpki dependency version to `=0.102.0-alpha.7`
- move pki-types to a workplace dependency
- add top-level README.md
- add Rustdoc comment to `webpki_ccadb::fetch_ccadb_roots`

Cargo.toml

@@ -1,15 +1,8 @@
-[package]
-name = "webpki-roots"
-version = { workspace = true }
-edition = { workspace = true }
-readme = { workspace = true }
-license = { workspace = true }
-homepage = { workspace = true }
-repository = { workspace = true }
-description = "Mozilla's CA root certificates for use with webpki"
-
 [workspace]
-members = [ "webpki-ccadb" ]
+members = [ 
+    "webpki-ccadb",
+    "webpki-roots",
+    ]
 
 [workspace.package]
 version = "0.26.0-alpha.2"
@@ -21,20 +14,7 @@ repository = "https://github.com/rustls/webpki-roots"
 
 [workspace.dependencies]
 hex = "0.4.3"
-webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.8", features = ["alloc"] }
+pki-types = { package = "rustls-pki-types", version = "=0.2.2", default-features = false }
+webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.7", features = ["alloc"] }
 x509-parser = "0.15.1"
-yasna = "0.5.2"
-
-[dependencies]
-pki-types = { package = "rustls-pki-types", version = "0.2.2", default-features = false }
-
-[dev-dependencies]
-hex = { workspace = true }
-percent-encoding = "2.3"
-rcgen = "0.11.1"
-ring = "0.17.0"
-tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
-webpki = { workspace = true }
-webpki-ccadb = { path = "webpki-ccadb" }
-x509-parser = { workspace = true }
-yasna = { workspace = true }
+yasna = "0.5.2"

README.md

@@ -1,20 +1,13 @@
-# webpki-roots
-This is a crate containing Mozilla's root certificates for use with
+This workspace contains the crates webpki-roots and webpki-ccadb.
+
+The webpki-roots crate contains Mozilla's root certificates for use with
 the [webpki](https://github.com/rustls/webpki) or
 [rustls](https://github.com/rustls/rustls) crates.
 
-This crate is inspired by [certifi.io](https://certifi.io/en/latest/) and
-uses the data provided by the [Common CA Database (CCADB)](https://www.ccadb.org/).
-
-[![webpki-roots](https://github.com/rustls/webpki-roots/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/rustls/webpki-roots/actions/workflows/build.yml)
-[![Crate](https://img.shields.io/crates/v/webpki-roots.svg)](https://crates.io/crates/webpki-roots)
+The webpki-ccadb crate populates the root certificates for the webpki-roots crate
+using the data provided by the [Common CA Database (CCADB)](https://www.ccadb.org/).
+Inspired by [certifi.io](https://certifi.io/en/latest/).
 
 # License
 The underlying data is MPL-licensed, and `src/lib.rs`
-is therefore a derived work.
-
-# Regenerating sources
-Sources are generated in an integration test, in `tests/codegen.rs`. The test
-will fail if the sources are out of date relative to upstream, and update
-`src/lib.rs` if so. The code is generated in deterministic order so changes
-to the source should only result from upstream changes.
+is therefore a derived work.

webpki-ccadb/Cargo.toml

@@ -13,7 +13,7 @@ chrono = { version = "0.4.26", default-features = false, features = ["clock"] }
 csv = "1.2.2"
 hex = { workspace = true }
 num-bigint = "0.4.3"
-pki-types = { package = "rustls-pki-types", version = "0.2.3", default-features = false }
+pki-types = { workspace = true }
 reqwest = { version = "0.11", features = ["rustls-tls-manual-roots"] }
 rustls-pemfile = "=2.0.0-alpha.2"
 serde = { version = "1.0.183", features = ["derive"] }

webpki-ccadb/src/lib.rs

@@ -6,6 +6,10 @@ use num_bigint::BigUint;
 use pki_types::CertificateDer;
 use serde::Deserialize;
 
+// Fetch root certificate data from the CCADB server.
+//
+// Returns an ordered BTreeMap of the root certificates, keyed by the SHA256 fingerprint of the
+// certificate. Panics if there are any duplicate fingerprints.
 pub async fn fetch_ccadb_roots() -> BTreeMap<String, CertificateMetadata> {
     // Configure a Reqwest client that only trusts the CA certificate expected to be the
     // root of trust for the CCADB server.

webpki-roots/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "webpki-roots"
+version = { workspace = true }
+edition = { workspace = true }
+readme = { workspace = true }
+license = { workspace = true }
+homepage = { workspace = true }
+repository = { workspace = true }
+description = "Mozilla's CA root certificates for use with webpki"
+
+[dependencies]
+pki-types = { workspace = true }
+
+[dev-dependencies]
+hex = { workspace = true }
+percent-encoding = "2.3"
+rcgen = "0.11.1"
+ring = "0.17.0"
+tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
+webpki = { workspace = true }
+webpki-ccadb = { path = "../webpki-ccadb" }
+x509-parser = { workspace = true }
+yasna = { workspace = true }

webpki-roots/README.md

@@ -0,0 +1,20 @@
+# webpki-roots
+This is a crate containing Mozilla's root certificates for use with
+the [webpki](https://github.com/rustls/webpki) or
+[rustls](https://github.com/rustls/rustls) crates.
+
+This crate is inspired by [certifi.io](https://certifi.io/en/latest/) and
+uses the data provided by the [Common CA Database (CCADB)](https://www.ccadb.org/).
+
+[![webpki-roots](https://github.com/rustls/webpki-roots/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/rustls/webpki-roots/actions/workflows/build.yml)
+[![Crate](https://img.shields.io/crates/v/webpki-roots.svg)](https://crates.io/crates/webpki-roots)
+
+# License
+The underlying data is MPL-licensed, and `src/lib.rs`
+is therefore a derived work.
+
+# Regenerating sources
+Sources are generated in an integration test, in `tests/codegen.rs`. The test
+will fail if the sources are out of date relative to upstream, and update
+`src/lib.rs` if so. The code is generated in deterministic order so changes
+to the source should only result from upstream changes.