chore(deps): update pem

Update `pem` to the latest version. That caused some API changes

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

Cargo.toml

@@ -87,7 +87,7 @@ openidconnect = { version = "2.3", default-features = false, features = [
 p256 = "0.13.2"
 p384 = "0.13"
 webbrowser = "0.8.4"
-pem = "1.0.2"
+pem = "2.0"
 picky = { version = "7.0.0-rc.5", default-features = false, features = [
   "x509",
   "ec",

examples/cosign/verify/main.rs

@@ -349,7 +349,7 @@ fn parse_cert_bundle(bundle_path: &str) -> Result<Vec<sigstore::registry::Certif
         .iter()
         .map(|pem| sigstore::registry::Certificate {
             encoding: sigstore::registry::CertificateEncoding::Der,
-            data: pem.contents.clone(),
+            data: pem.contents().to_vec(),
         })
         .collect())
 }

examples/fulcio/cert/main.rs

@@ -21,7 +21,7 @@ async fn main() {
 
         let pems = pem::parse_many(cert.as_ref()).expect("parse pem failed");
         for pem in &pems {
-            let cert = Certificate::from_der(&pem.contents).expect("parse certificate from der");
+            let cert = Certificate::from_der(pem.contents()).expect("parse certificate from der");
 
             let (_, san) = cert
                 .tbs_certificate

src/cosign/mod.rs

@@ -161,7 +161,7 @@ pub trait CosignCapabilities {
     fn verify_blob(cert: &str, signature: &str, blob: &[u8]) -> Result<()> {
         let cert = BASE64_STD_ENGINE.decode(cert)?;
         let pem = pem::parse(cert)?;
-        let cert = Certificate::from_der(&pem.contents).map_err(|e| {
+        let cert = Certificate::from_der(pem.contents()).map_err(|e| {
             SigstoreError::PKCS8SpkiError(format!("parse der into cert failed: {e}"))
         })?;
         let spki = cert.tbs_certificate.subject_public_key_info;

src/cosign/verification_constraint/certificate_verifier.rs

@@ -35,7 +35,7 @@ impl CertificateVerifier {
         cert_chain: Option<&[crate::registry::Certificate]>,
     ) -> Result<Self> {
         let pem = pem::parse(cert_bytes)?;
-        Self::from_der(&pem.contents, require_rekor_bundle, cert_chain)
+        Self::from_der(pem.contents(), require_rekor_bundle, cert_chain)
     }
 
     /// Create a new instance of `CertificateVerifier` using the DER encoded

src/crypto/certificate.rs

@@ -135,7 +135,7 @@ mod tests {
         let issued_cert = generate_certificate(Some(&ca_data), CertGenerationOptions::default())?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
         assert!(verify_key_usages(&cert).is_ok());
 
         Ok(())
@@ -154,7 +154,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         let err = verify_key_usages(&cert).expect_err("Was supposed to return an error");
         let found = match err {
@@ -179,7 +179,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         let err = verify_key_usages(&cert).expect_err("Was supposed to return an error");
         let found = match err {
@@ -205,7 +205,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         let error = verify_has_san(&cert).expect_err("Didn't get an error");
         let found = match error {
@@ -224,7 +224,7 @@ mod tests {
         let issued_cert = generate_certificate(Some(&ca_data), CertGenerationOptions::default())?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         assert!(verify_validity(&cert).is_ok());
 
@@ -245,7 +245,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         let err = verify_validity(&cert).expect_err("Was expecting an error");
         let found = match err {
@@ -273,7 +273,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         assert!(verify_expiration(&cert, integrated_time.timestamp(),).is_ok());
 
@@ -296,7 +296,7 @@ mod tests {
         )?;
         let issued_cert_pem = issued_cert.cert.to_pem().unwrap();
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = x509_cert::Certificate::from_der(&pem.contents)?;
+        let cert = x509_cert::Certificate::from_der(pem.contents())?;
 
         let err = verify_expiration(&cert, integrated_time.timestamp())
             .expect_err("Was expecting an error");

src/crypto/signing_key/ecdsa/ec.rs

@@ -144,9 +144,9 @@ where
     /// [`SIGSTORE_PRIVATE_KEY_PEM_LABEL`].
     pub fn from_encrypted_pem(private_key: &[u8], password: &[u8]) -> Result<Self> {
         let key = pem::parse(private_key)?;
-        match &key.tag[..] {
+        match key.tag() {
             COSIGN_PRIVATE_KEY_PEM_LABEL | SIGSTORE_PRIVATE_KEY_PEM_LABEL => {
-                let der = kdf::decrypt(&key.contents, password)?;
+                let der = kdf::decrypt(key.contents(), password)?;
                 let pkcs8 = pkcs8::PrivateKeyInfo::try_from(&der[..]).map_err(|e| {
                     SigstoreError::PKCS8Error(format!("Read PrivateKeyInfo failed: {e}"))
                 })?;
@@ -249,14 +249,11 @@ where
     fn private_key_to_encrypted_pem(&self, password: &[u8]) -> Result<Zeroizing<String>> {
         let der = self.private_key_to_der()?;
         let pem = match password.len() {
-            0 => pem::Pem {
-                tag: PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: der.to_vec(),
-            },
-            _ => pem::Pem {
-                tag: SIGSTORE_PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: kdf::encrypt(&der, password)?,
-            },
+            0 => pem::Pem::new(PRIVATE_KEY_PEM_LABEL, der.to_vec()),
+            _ => pem::Pem::new(
+                SIGSTORE_PRIVATE_KEY_PEM_LABEL,
+                kdf::encrypt(&der, password)?,
+            ),
         };
         let pem = pem::encode(&pem);
         Ok(zeroize::Zeroizing::new(pem))

src/crypto/signing_key/ed25519.rs

@@ -107,9 +107,9 @@ impl Ed25519Keys {
     /// [`SIGSTORE_PRIVATE_KEY_PEM_LABEL`].
     pub fn from_encrypted_pem(encrypted_pem: &[u8], password: &[u8]) -> Result<Self> {
         let key = pem::parse(encrypted_pem)?;
-        match &key.tag[..] {
+        match key.tag() {
             COSIGN_PRIVATE_KEY_PEM_LABEL | SIGSTORE_PRIVATE_KEY_PEM_LABEL => {
-                let der = kdf::decrypt(&key.contents, password)?;
+                let der = kdf::decrypt(key.contents(), password)?;
                 let pkcs8 =
                     ed25519_dalek::pkcs8::PrivateKeyInfo::try_from(&der[..]).map_err(|e| {
                         SigstoreError::PKCS8Error(format!("Read PrivateKeyInfo failed: {e}"))
@@ -209,14 +209,11 @@ impl KeyPair for Ed25519Keys {
     fn private_key_to_encrypted_pem(&self, password: &[u8]) -> Result<zeroize::Zeroizing<String>> {
         let der = self.private_key_to_der()?;
         let pem = match password.len() {
-            0 => pem::Pem {
-                tag: PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: der.to_vec(),
-            },
-            _ => pem::Pem {
-                tag: SIGSTORE_PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: kdf::encrypt(&der, password)?,
-            },
+            0 => pem::Pem::new(PRIVATE_KEY_PEM_LABEL, der.to_vec()),
+            _ => pem::Pem::new(
+                SIGSTORE_PRIVATE_KEY_PEM_LABEL,
+                kdf::encrypt(&der, password)?,
+            ),
         };
         let pem = pem::encode(&pem);
         Ok(zeroize::Zeroizing::new(pem))

src/crypto/signing_key/rsa/keypair.rs

@@ -90,9 +90,9 @@ impl RSAKeys {
     /// [`SIGSTORE_PRIVATE_KEY_PEM_LABEL`].
     pub fn from_encrypted_pem(encrypted_pem: &[u8], password: &[u8]) -> Result<Self> {
         let key = pem::parse(encrypted_pem)?;
-        match &key.tag[..] {
+        match key.tag() {
             COSIGN_PRIVATE_KEY_PEM_LABEL | SIGSTORE_PRIVATE_KEY_PEM_LABEL => {
-                let der = kdf::decrypt(&key.contents, password)?;
+                let der = kdf::decrypt(key.contents(), password)?;
                 let pkcs8 = pkcs8::PrivateKeyInfo::try_from(&der[..]).map_err(|e| {
                     SigstoreError::PKCS8Error(format!("Read PrivateKeyInfo failed: {e}"))
                 })?;
@@ -234,14 +234,11 @@ impl KeyPair for RSAKeys {
     fn private_key_to_encrypted_pem(&self, password: &[u8]) -> Result<zeroize::Zeroizing<String>> {
         let der = self.private_key_to_der()?;
         let pem = match password.len() {
-            0 => pem::Pem {
-                tag: PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: der.to_vec(),
-            },
-            _ => pem::Pem {
-                tag: SIGSTORE_PRIVATE_KEY_PEM_LABEL.to_string(),
-                contents: kdf::encrypt(&der, password)?,
-            },
+            0 => pem::Pem::new(PRIVATE_KEY_PEM_LABEL, der.to_vec()),
+            _ => pem::Pem::new(
+                SIGSTORE_PRIVATE_KEY_PEM_LABEL,
+                kdf::encrypt(&der, password)?,
+            ),
         };
         let pem = pem::encode(&pem);
         Ok(zeroize::Zeroizing::new(pem))

src/crypto/verification_key.rs

@@ -232,7 +232,7 @@ impl CosignVerificationKey {
     /// from the DER-encoded bytes.
     pub fn from_pem(pem_data: &[u8], signing_scheme: &SigningScheme) -> Result<Self> {
         let key_pem = pem::parse(pem_data)?;
-        Self::from_der(key_pem.contents.as_slice(), signing_scheme)
+        Self::from_der(key_pem.contents(), signing_scheme)
     }
 
     /// Builds a [`CosignVerificationKey`] from PEM-encoded public key data. This function will
@@ -243,7 +243,7 @@ impl CosignVerificationKey {
     /// * `Ed25519 public key`: `Ed25519`
     pub fn try_from_pem(pem_data: &[u8]) -> Result<Self> {
         let key_pem = pem::parse(pem_data)?;
-        Self::try_from_der(key_pem.contents.as_slice())
+        Self::try_from_der(key_pem.contents())
     }
 
     /// Builds a `CosignVerificationKey` from [`SigStoreSigner`]. The methods will derive
@@ -451,7 +451,7 @@ DwIDAQAB
         let issued_cert = generate_certificate(Some(&ca_data), issued_cert_generation_options)?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = Certificate::from_der(&pem.contents)?;
+        let cert = Certificate::from_der(pem.contents())?;
         let spki = cert.tbs_certificate.subject_public_key_info;
 
         let cosign_verification_key =
@@ -478,7 +478,7 @@ DwIDAQAB
         let issued_cert = generate_certificate(Some(&ca_data), issued_cert_generation_options)?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = Certificate::from_der(&pem.contents)?;
+        let cert = Certificate::from_der(pem.contents())?;
         let spki = cert.tbs_certificate.subject_public_key_info;
 
         let cosign_verification_key =
@@ -505,7 +505,7 @@ DwIDAQAB
         let issued_cert = generate_certificate(Some(&ca_data), issued_cert_generation_options)?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = Certificate::from_der(&pem.contents)?;
+        let cert = Certificate::from_der(pem.contents())?;
         let spki = cert.tbs_certificate.subject_public_key_info;
 
         let cosign_verification_key =
@@ -532,7 +532,7 @@ DwIDAQAB
         let issued_cert = generate_certificate(Some(&ca_data), issued_cert_generation_options)?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = Certificate::from_der(&pem.contents)?;
+        let cert = Certificate::from_der(pem.contents())?;
         let spki = cert.tbs_certificate.subject_public_key_info;
 
         let cosign_verification_key =
@@ -560,7 +560,7 @@ DwIDAQAB
         let issued_cert = generate_certificate(Some(&ca_data), issued_cert_generation_options)?;
         let issued_cert_pem = issued_cert.cert.to_pem()?;
         let pem = pem::parse(issued_cert_pem)?;
-        let cert = Certificate::from_der(&pem.contents)?;
+        let cert = Certificate::from_der(pem.contents())?;
         let spki = cert.tbs_certificate.subject_public_key_info;
 
         let err = CosignVerificationKey::try_from(&spki);