chore: replace rustls-pemfile with rustls-pki-types

seanmonstar · Feb 4, 2025 · c804341 · c804341
1 parent 1cbf029
commit c804341
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 25 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,7 +40,6 @@ tokio-tungstenite = { version = "0.21", optional = true }
 percent-encoding = "2.1"
 pin-project = "1.0"
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
-rustls-pemfile = { version = "2.0", optional = true }
 
 [dev-dependencies]
 pretty_env_logger = "0.5"
@@ -56,7 +55,7 @@ listenfd = "1.0"
 default = ["multipart", "websocket"]
 multipart = ["multer"]
 websocket = ["tokio-tungstenite"]
-tls = ["tokio-rustls", "rustls-pemfile"]
+tls = ["tokio-rustls"]
 
 # Enable compression-related filters
 compression = ["compression-brotli", "compression-gzip"]

diff --git a/src/tls.rs b/src/tls.rs
@@ -12,6 +12,7 @@ use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use futures_util::ready;
 use hyper::server::accept::Accept;
 use hyper::server::conn::{AddrIncoming, AddrStream};
+use tokio_rustls::rustls::pki_types::{self, pem::PemObject};
 use tokio_rustls::rustls::server::WebPkiClientVerifier;
 use tokio_rustls::rustls::{Error as TlsError, RootCertStore, ServerConfig};
 
@@ -27,8 +28,6 @@ pub(crate) enum TlsConfigError {
     InvalidIdentityPem,
     /// Identity PEM is missing a private key such as RSA, ECC or PKCS8
     MissingPrivateKey,
-    /// Unknown private key format
-    UnknownPrivateKeyFormat,
     /// An error from an empty key
     EmptyKey,
     /// An error from an invalid key
@@ -40,7 +39,6 @@ impl fmt::Display for TlsConfigError {
         match self {
             TlsConfigError::Io(err) => err.fmt(f),
             TlsConfigError::CertParseError => write!(f, "certificate parse error"),
-            TlsConfigError::UnknownPrivateKeyFormat => write!(f, "unknown private key format"),
             TlsConfigError::MissingPrivateKey => write!(
                 f,
                 "Identity PEM is missing a private key such as RSA, ECC or PKCS8"
@@ -173,7 +171,7 @@ impl TlsConfigBuilder {
 
     pub(crate) fn build(mut self) -> Result<ServerConfig, TlsConfigError> {
         let mut cert_rdr = BufReader::new(self.cert);
-        let cert = rustls_pemfile::certs(&mut cert_rdr)
+        let cert = pki_types::CertificateDer::pem_reader_iter(&mut cert_rdr)
             .collect::<Result<Vec<_>, _>>()
             .map_err(|_e| TlsConfigError::CertParseError)?;
 
@@ -186,32 +184,23 @@ impl TlsConfigBuilder {
             return Err(TlsConfigError::EmptyKey);
         }
 
-        let mut key_opt = None;
-        let mut key_cur = std::io::Cursor::new(key_vec);
-        for item in rustls_pemfile::read_all(&mut key_cur)
-            .collect::<Result<Vec<_>, _>>()
-            .map_err(|_e| TlsConfigError::InvalidIdentityPem)?
-        {
-            match item {
-                rustls_pemfile::Item::Pkcs1Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Pkcs8Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Sec1Key(k) => key_opt = Some(k.into()),
-                _ => return Err(TlsConfigError::UnknownPrivateKeyFormat),
-            }
-        }
-        let key = match key_opt {
-            Some(v) => v,
-            _ => return Err(TlsConfigError::MissingPrivateKey),
-        };
+        let key = pki_types::PrivateKeyDer::from_pem_slice(&key_vec).map_err(|e| match e {
+            pki_types::pem::Error::Io(e) => TlsConfigError::Io(e),
+            pki_types::pem::Error::NoItemsFound => TlsConfigError::MissingPrivateKey,
+            _ => TlsConfigError::InvalidIdentityPem,
+        })?;
 
         fn read_trust_anchor(
             trust_anchor: Box<dyn Read + Send + Sync>,
         ) -> Result<RootCertStore, TlsConfigError> {
             let trust_anchors = {
                 let mut reader = BufReader::new(trust_anchor);
-                rustls_pemfile::certs(&mut reader)
+                pki_types::CertificateDer::pem_reader_iter(&mut reader)
                     .collect::<Result<Vec<_>, _>>()
-                    .map_err(TlsConfigError::Io)?
+                    .map_err(|e| match e {
+                        pki_types::pem::Error::Io(e) => TlsConfigError::Io(e),
+                        _ => TlsConfigError::CertParseError,
+                    })?
             };
 
             let mut store = RootCertStore::empty();