Account for "additional constraints" in the macOS (and Windows) certificate stores

[briansmith]

From https://twitter.com/BasileBailey/status/1494801237694300161:

Just because a root certificate is in the built-in iOS/macOS trust store doesn't mean that it is trusted. Apple applies additional constraints via configuration updates to maintain a high-level of security. See https://support.apple.com/HT212865 for more detail.

It seems like this might be hinting that the approach taken by rustls-native-certs (and other libraries) is not valid/safe. This is something we already know from previous discussions.

I'm not sure what could reasonably be done other than deprecating this crate on macOS (and Windows) and replacing it with custom verification logic that uses the OS-provided APIs. I have done this at $work and we are open to open sourcing it.

[Ralith]

It sounds pretty clear that invoking OS verification APIs is the correct path forwards; I'd love to have a crate that does that to recommend for use with quinn.

[complexspaces]

Hopefully should have something to share this summer, stay tuned 😄.

[cpu]

PTAL at https://github.com/rustls/rustls-platform-verifier :-)