chore: replace rustls-pemfile with rustls-pki-types

Cargo.toml

@@ -88,11 +88,11 @@ http3 = ["rustls-tls-manual-roots", "dep:h3", "dep:h3-quinn", "dep:quinn", "dep:
 # Don't rely on these whatsoever. They may disappear at any time.
 
 # Enables common types used for TLS. Useless on its own.
-__tls = ["dep:rustls-pemfile", "tokio/io-util"]
+__tls = ["dep:rustls-pki-types", "tokio/io-util"]
 
 # Enables common rustls code.
 # Equivalent to rustls-tls-manual-roots but shorter :)
-__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls", "dep:rustls-pemfile", "dep:rustls-pki-types"]
+__rustls = ["dep:hyper-rustls", "dep:tokio-rustls", "dep:rustls", "__tls"]
 __rustls-ring = ["hyper-rustls?/ring", "tokio-rustls?/ring", "rustls?/ring", "quinn?/ring"]
 
 [dependencies]
@@ -131,7 +131,7 @@ pin-project-lite = "0.2.11"
 ipnet = "2.3"
 
 # Optional deps...
-rustls-pemfile = { version = "2", optional = true }
+rustls-pki-types = { version = "1.9.0", features = ["std"], optional = true }
 
 ## default-tls
 hyper-tls = { version = "0.6", optional = true }
@@ -141,7 +141,6 @@ tokio-native-tls = { version = "0.3.0", optional = true }
 # rustls-tls
 hyper-rustls = { version = "0.27.0", default-features = false, optional = true, features = ["http1", "tls12"] }
 rustls = { version = "0.23.4", optional = true, default-features = false, features = ["std", "tls12"] }
-rustls-pki-types = { version = "1.1.0", features = ["alloc"] ,optional = true }
 tokio-rustls = { version = "0.26", optional = true, default-features = false, features = ["tls12"] }
 webpki-roots = { version = "0.26.0", optional = true }
 rustls-native-certs = { version = "0.8.0", optional = true }

src/tls.rs

@@ -51,6 +51,7 @@ use rustls::{
     server::ParsedCertificate, DigitallySignedStruct, Error as TLSError, RootCertStore,
     SignatureScheme,
 };
+use rustls_pki_types::pem::PemObject;
 #[cfg(feature = "__rustls")]
 use rustls_pki_types::{ServerName, UnixTime};
 use std::{
@@ -228,7 +229,7 @@ impl Certificate {
     }
 
     fn read_pem_certs(reader: &mut impl BufRead) -> crate::Result<Vec<Vec<u8>>> {
-        rustls_pemfile::certs(reader)
+        rustls_pki_types::CertificateDer::pem_reader_iter(reader)
             .map(|result| match result {
                 Ok(cert) => Ok(cert.as_ref().to_vec()),
                 Err(_) => Err(crate::error::builder("invalid certificate encoding")),
@@ -339,30 +340,31 @@ impl Identity {
     /// This requires the `rustls-tls(-...)` Cargo feature enabled.
     #[cfg(feature = "__rustls")]
     pub fn from_pem(buf: &[u8]) -> crate::Result<Identity> {
-        use rustls_pemfile::Item;
+        use rustls_pki_types::{pem::SectionKind, PrivateKeyDer};
         use std::io::Cursor;
 
         let (key, certs) = {
             let mut pem = Cursor::new(buf);
             let mut sk = Vec::<rustls_pki_types::PrivateKeyDer>::new();
             let mut certs = Vec::<rustls_pki_types::CertificateDer>::new();
 
-            for result in rustls_pemfile::read_all(&mut pem) {
-                match result {
-                    Ok(Item::X509Certificate(cert)) => certs.push(cert),
-                    Ok(Item::Pkcs1Key(key)) => sk.push(key.into()),
-                    Ok(Item::Pkcs8Key(key)) => sk.push(key.into()),
-                    Ok(Item::Sec1Key(key)) => sk.push(key.into()),
-                    Ok(_) => {
+            while let Some((kind, data)) =
+                rustls_pki_types::pem::from_buf(&mut pem).map_err(|_| {
+                    crate::error::builder(TLSError::General(String::from(
+                        "Invalid identity PEM file",
+                    )))
+                })?
+            {
+                match kind {
+                    SectionKind::Certificate => certs.push(data.into()),
+                    SectionKind::PrivateKey => sk.push(PrivateKeyDer::Pkcs8(data.into())),
+                    SectionKind::RsaPrivateKey => sk.push(PrivateKeyDer::Pkcs1(data.into())),
+                    SectionKind::EcPrivateKey => sk.push(PrivateKeyDer::Sec1(data.into())),
+                    _ => {
                         return Err(crate::error::builder(TLSError::General(String::from(
                             "No valid certificate was found",
                         ))))
                     }
-                    Err(_) => {
-                        return Err(crate::error::builder(TLSError::General(String::from(
-                            "Invalid identity PEM file",
-                        ))))
-                    }
                 }
             }
 
@@ -469,9 +471,7 @@ impl CertificateRevocationList {
     /// This requires the `rustls-tls(-...)` Cargo feature enabled.
     #[cfg(feature = "__rustls")]
     pub fn from_pem_bundle(pem_bundle: &[u8]) -> crate::Result<Vec<CertificateRevocationList>> {
-        let mut reader = BufReader::new(pem_bundle);
-
-        rustls_pemfile::crls(&mut reader)
+        rustls_pki_types::CertificateRevocationListDer::pem_slice_iter(pem_bundle)
             .map(|result| match result {
                 Ok(crl) => Ok(CertificateRevocationList { inner: crl }),
                 Err(_) => Err(crate::error::builder("invalid crl encoding")),