chore: replace rustls-pemfile with rustls-pki-types

seanmonstar · Feb 7, 2025 · b9e43a5 · b9e43a5
1 parent 1cbf029
commit b9e43a5
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 12 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,7 +40,6 @@ tokio-tungstenite = { version = "0.21", optional = true }
 percent-encoding = "2.1"
 pin-project = "1.0"
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
-rustls-pemfile = { version = "2.0", optional = true }
 
 [dev-dependencies]
 pretty_env_logger = "0.5"
@@ -56,7 +55,7 @@ listenfd = "1.0"
 default = ["multipart", "websocket"]
 multipart = ["multer"]
 websocket = ["tokio-tungstenite"]
-tls = ["tokio-rustls", "rustls-pemfile"]
+tls = ["tokio-rustls"]
 
 # Enable compression-related filters
 compression = ["compression-brotli", "compression-gzip"]

diff --git a/src/tls.rs b/src/tls.rs
@@ -12,6 +12,7 @@ use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use futures_util::ready;
 use hyper::server::accept::Accept;
 use hyper::server::conn::{AddrIncoming, AddrStream};
+use tokio_rustls::rustls::pki_types::{self, pem::PemObject};
 use tokio_rustls::rustls::server::WebPkiClientVerifier;
 use tokio_rustls::rustls::{Error as TlsError, RootCertStore, ServerConfig};
 
@@ -173,7 +174,7 @@ impl TlsConfigBuilder {
 
     pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
         let mut cert_rdr = BufReader::new(self.cert);
-        let cert = rustls_pemfile::certs(&mut cert_rdr)
+        let cert = pki_types::CertificateDer::pem_reader_iter(&mut cert_rdr)
             .collect::<Result<Vec<_>, _>>()
             .map_err(|_e| TlsConfigError::CertParseError)?;
 
@@ -188,15 +189,19 @@ impl TlsConfigBuilder {
 
         let mut key_opt = None;
         let mut key_cur = std::io::Cursor::new(key_vec);
-        for item in rustls_pemfile::read_all(&mut key_cur)
-            .collect::<Result<Vec<_>, _>>()
+        while let Some((kind, pem)) = pki_types::pem::from_buf(&mut key_cur)
             .map_err(|_e| TlsConfigError::InvalidIdentityPem)?
         {
-            match item {
-                rustls_pemfile::Item::Pkcs1Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Pkcs8Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Sec1Key(k) => key_opt = Some(k.into()),
-                _ => return Err(TlsConfigError::UnknownPrivateKeyFormat),
+            use pki_types::pem::SectionKind;
+
+            if let (
+                SectionKind::PrivateKey | SectionKind::RsaPrivateKey | SectionKind::EcPrivateKey,
+                key @ Some(_),
+            ) = (kind, pki_types::PrivateKeyDer::from_pem(kind, pem))
+            {
+                key_opt = key;
+            } else {
+                return Err(TlsConfigError::UnknownPrivateKeyFormat);
             }
         }
         let key = match key_opt {
@@ -209,9 +214,12 @@ impl TlsConfigBuilder {
         ) -> Result<RootCertStore, TlsConfigError> {
             let trust_anchors = {
                 let mut reader = BufReader::new(trust_anchor);
-                rustls_pemfile::certs(&mut reader)
+                pki_types::CertificateDer::pem_reader_iter(&mut reader)
                     .collect::<Result<Vec<_>, _>>()
-                    .map_err(TlsConfigError::Io)?
+                    .map_err(|e| match e {
+                        pki_types::pem::Error::Io(e) => TlsConfigError::Io(e),
+                        _ => TlsConfigError::CertParseError,
+                    })?
             };
 
             let mut store = RootCertStore::empty();