diff --git a/Cargo.toml b/Cargo.toml
index fda2c1ac..35b036ad 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,7 +40,6 @@ tokio-tungstenite = { version = "0.21", optional = true }
 percent-encoding = "2.1"
 pin-project = "1.0"
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
-rustls-pemfile = { version = "2.0", optional = true }
 
 [dev-dependencies]
 pretty_env_logger = "0.5"
@@ -56,7 +55,7 @@ listenfd = "1.0"
 default = ["multipart", "websocket"]
 multipart = ["multer"]
 websocket = ["tokio-tungstenite"]
-tls = ["tokio-rustls", "rustls-pemfile"]
+tls = ["tokio-rustls"]
 
 # Enable compression-related filters
 compression = ["compression-brotli", "compression-gzip"]
diff --git a/src/tls.rs b/src/tls.rs
index aa743875..9fc5b349 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -12,6 +12,7 @@ use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use futures_util::ready;
 use hyper::server::accept::Accept;
 use hyper::server::conn::{AddrIncoming, AddrStream};
+use tokio_rustls::rustls::pki_types::{self, pem::PemObject};
 use tokio_rustls::rustls::server::WebPkiClientVerifier;
 use tokio_rustls::rustls::{Error as TlsError, RootCertStore, ServerConfig};
 
@@ -27,8 +28,6 @@ pub(crate) enum TlsConfigError {
     InvalidIdentityPem,
     /// Identity PEM is missing a private key such as RSA, ECC or PKCS8
     MissingPrivateKey,
-    /// Unknown private key format
-    UnknownPrivateKeyFormat,
     /// An error from an empty key
     EmptyKey,
     /// An error from an invalid key
@@ -40,7 +39,6 @@ impl fmt::Display for TlsConfigError {
         match self {
             TlsConfigError::Io(err) => err.fmt(f),
             TlsConfigError::CertParseError => write!(f, "certificate parse error"),
-            TlsConfigError::UnknownPrivateKeyFormat => write!(f, "unknown private key format"),
             TlsConfigError::MissingPrivateKey => write!(
                 f,
                 "Identity PEM is missing a private key such as RSA, ECC or PKCS8"
@@ -173,7 +171,7 @@ impl TlsConfigBuilder {
     pub(crate) fn build(mut self) -> Result {
         let mut cert_rdr = BufReader::new(self.cert);
-        let cert = rustls_pemfile::certs(&mut cert_rdr)
+        let cert = pki_types::CertificateDer::pem_reader_iter(&mut cert_rdr)
             .collect::, _>>()
             .map_err(|_e| TlsConfigError::CertParseError)?;
 
@@ -186,32 +184,23 @@ impl TlsConfigBuilder {
             return Err(TlsConfigError::EmptyKey);
         }
 
-        let mut key_opt = None;
-        let mut key_cur = std::io::Cursor::new(key_vec);
-        for item in rustls_pemfile::read_all(&mut key_cur)
-            .collect::, _>>()
-            .map_err(|_e| TlsConfigError::InvalidIdentityPem)?
-        {
-            match item {
-                rustls_pemfile::Item::Pkcs1Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Pkcs8Key(k) => key_opt = Some(k.into()),
-                rustls_pemfile::Item::Sec1Key(k) => key_opt = Some(k.into()),
-                _ => return Err(TlsConfigError::UnknownPrivateKeyFormat),
-            }
-        }
-        let key = match key_opt {
-            Some(v) => v,
-            _ => return Err(TlsConfigError::MissingPrivateKey),
-        };
+        let key = pki_types::PrivateKeyDer::from_pem_slice(&key_vec).map_err(|e| match e {
+            pki_types::pem::Error::Io(e) => TlsConfigError::Io(e),
+            pki_types::pem::Error::NoItemsFound => TlsConfigError::MissingPrivateKey,
+            _ => TlsConfigError::InvalidIdentityPem,
+        })?;
 
         fn read_trust_anchor(
             trust_anchor: Box,
         ) -> Result {
             let trust_anchors = {
                 let mut reader = BufReader::new(trust_anchor);
-                rustls_pemfile::certs(&mut reader)
+                pki_types::CertificateDer::pem_reader_iter(&mut reader)
                     .collect::, _>>()
-                    .map_err(TlsConfigError::Io)?
+                    .map_err(|e| match e {
+                        pki_types::pem::Error::Io(e) => TlsConfigError::Io(e),
+                        _ => TlsConfigError::CertParseError,
+                    })?
             };
 
             let mut store = RootCertStore::empty();
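Review bot: The certificate parse at `let cert = pki_types::CertificateDer::pem_reader_iter(&mut cert_rdr)` still folds every error, including a read failure on `self.cert`, into `TlsConfigError::CertParseError`, while `read_trust_anchor` in the following hunk now separates `pki_types::pem::Error::Io` from parse failures. An operator whose cert file is unreadable (permissions, truncated mount) gets "certificate parse error" and will go looking at the wrong thing. The same three-arm mapping used for the trust anchors fits here: `.map_err(|e| match e { pki_types::pem::Error::Io(e) => TlsConfigError::Io(e), _ => TlsConfigError::CertParseError })?;`. The body of `build` continues past this hunk.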
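Review bot: Replacing the item loop with `pki_types::PrivateKeyDer::from_pem_slice(&key_vec)` drops the explicit unknown-format path: the removed loop returned `UnknownPrivateKeyFormat` for any PEM section that was not a PKCS#1, PKCS#8 or SEC1 key, whereas the new mapping only has `NoItemsFound` → `MissingPrivateKey` and a catch-all → `InvalidIdentityPem`. If `from_pem_slice` skips section types it does not recognise (as I believe it does), a key file holding only an `ENCRYPTED PRIVATE KEY` block, or a certificate supplied by mistake, now reports "Identity PEM is missing a private key such as RSA, ECC or PKCS8", which misdirects whoever is debugging the deployment. At minimum the `MissingPrivateKey` doc comment should say so, e.g. `/// Identity PEM holds no PKCS#1, PKCS#8 or SEC1 private key; encrypted or otherwise unrecognised key blocks also end up here`. Also note that `from_pem_slice` takes the first matching key section while the old loop kept the last one, which only matters for a PEM containing several keys. `build` starts before this hunk and continues past it, and `read_trust_anchor` is nested inside it.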