From 9b65574885c35e2cda34b7c19df1ab98d0abe87f Mon Sep 17 00:00:00 2001
From: Devon Hudson
Date: Tue, 9 Dec 2025 12:37:56 -0700
Subject: [PATCH] Remove rustls-pemfile dependency
---
 Cargo.lock | 11 -----------
 Cargo.toml | 4 ----
 crates/config/Cargo.toml | 1 -
 crates/config/src/sections/http.rs | 10 ++++------
 crates/listener/Cargo.toml | 1 -
 crates/listener/examples/demo/main.rs | 22 ++++++++++------------
 6 files changed, 14 insertions(+), 35 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 6e9d36327..127f1411c 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3222,7 +3222,6 @@ dependencies = [
 "pem-rfc7468",
 "rand 0.8.5",
 "rand_chacha 0.3.1",
- "rustls-pemfile",
 "rustls-pki-types",
 "schemars 0.9.0",
 "serde",
@@ -3516,7 +3515,6 @@ dependencies = [
 "hyper-util",
 "mas-context",
 "pin-project-lite",
- "rustls-pemfile",
 "socket2",
 "thiserror 2.0.17",
 "tokio",
@@ -5133,15 +5131,6 @@ dependencies = [
 "security-framework",
 ]
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.13.0"
diff --git a/Cargo.toml b/Cargo.toml
index b49f4546e..856667eed 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -523,10 +523,6 @@ version = "0.16.0"
 [workspace.dependencies.rustls]
 version = "0.23.35"
-# PEM parsing for rustls
-[workspace.dependencies.rustls-pemfile]
-version = "2.2.0"
-
 # PKI types for rustls
 [workspace.dependencies.rustls-pki-types]
 version = "1.13.0"
diff --git a/crates/config/Cargo.toml b/crates/config/Cargo.toml
index c6eb76d7c..4882647a6 100644
--- a/crates/config/Cargo.toml
+++ b/crates/config/Cargo.toml
@@ -30,7 +30,6 @@ lettre.workspace = true
 pem-rfc7468.workspace = true
 rand_chacha.workspace = true
 rand.workspace = true
-rustls-pemfile.workspace = true
 rustls-pki-types.workspace = true
 schemars.workspace = true
 serde_json.workspace = true
diff --git a/crates/config/src/sections/http.rs b/crates/config/src/sections/http.rs
index c01b8eb0d..880e4e069 100644
--- a/crates/config/src/sections/http.rs
+++ b/crates/config/src/sections/http.rs
@@ -6,13 +6,13 @@
 #![allow(deprecated)]
-use std::{borrow::Cow, io::Cursor};
+use std::borrow::Cow;
 use anyhow::bail;
 use camino::Utf8PathBuf;
 use ipnetwork::IpNetwork;
 use mas_keystore::PrivateKey;
-use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use url::Url;
@@ -238,10 +238,8 @@ impl TlsConfig {
 (None, Some(path)) => Cow::Owned(std::fs::read_to_string(path)?),
 };
- let mut certificate_chain_reader = Cursor::new(certificate_chain_pem.as_bytes());
- let certificate_chain: Result, _> =
- rustls_pemfile::certs(&mut certificate_chain_reader).collect();
- let certificate_chain = certificate_chain?;
+ let certificate_chain = CertificateDer::pem_slice_iter(certificate_chain_pem.as_bytes())
+ .collect::, _>>()?;
 if certificate_chain.is_empty() {
 bail!("TLS certificate chain is empty (or invalid)")
diff --git a/crates/listener/Cargo.toml b/crates/listener/Cargo.toml
index 5171e86b4..56f50154e 100644
--- a/crates/listener/Cargo.toml
+++ b/crates/listener/Cargo.toml
@@ -36,7 +36,6 @@ mas-context.workspace = true
 [dev-dependencies]
 anyhow.workspace = true
-rustls-pemfile.workspace = true
 tokio-test.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
diff --git a/crates/listener/examples/demo/main.rs b/crates/listener/examples/demo/main.rs
index 2a0462309..f418831d6 100644
--- a/crates/listener/examples/demo/main.rs
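Review bot: The new `pem_slice_iter` call on the added lines yields only `CERTIFICATE` sections and, as far as I recall of the `PemObject` iterator, silently skips PEM blocks of any other kind, so a file containing just a private key parses cleanly and is rejected only by the `is_empty()` check that follows; that coupling deserves a comment above the `collect`, e.g. `// Non-certificate PEM sections are skipped by the iterator; the emptiness check below is what rejects input with no CERTIFICATE blocks.` The `?` on the collected `pem::Error` also propagates without saying whether the PEM came from the inline value or from the file read a few lines up, which `.context(...)` via `anyhow::Context` (not among the imports visible in the first hunk) would fix. The enclosing `TlsConfig` method starts and ends outside this hunk.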
+++ b/crates/listener/examples/demo/main.rs
@@ -6,7 +6,6 @@ use std::{
 convert::Infallible,
- io::BufReader,
 net::{Ipv4Addr, TcpListener},
 sync::Arc,
 time::Duration,
@@ -15,7 +14,11 @@ use std::{
 use anyhow::Context;
 use hyper::{Request, Response};
 use mas_listener::{ConnectionInfo, server::Server};
-use tokio_rustls::rustls::{RootCertStore, ServerConfig, server::WebPkiClientVerifier};
+use tokio_rustls::rustls::{
+ RootCertStore, ServerConfig,
+ pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer, pem::PemObject},
+ server::WebPkiClientVerifier,
+};
 use tokio_util::sync::CancellationToken;
 use tower::service_fn;
@@ -77,23 +80,18 @@ async fn main() -> Result<(), anyhow::Error> {
 }
 fn load_tls_config() -> Result, anyhow::Error> {
- let mut ca_cert_reader = BufReader::new(CA_CERT_PEM);
- let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
+ let ca_cert = CertificateDer::pem_slice_iter(CA_CERT_PEM)
 .collect::, _>>()
 .context("Invalid CA certificate")?;
 let mut ca_cert_store = RootCertStore::empty();
 ca_cert_store.add_parsable_certificates(ca_cert);
- let mut server_cert_reader = BufReader::new(SERVER_CERT_PEM);
- let server_cert: Vec<_> = rustls_pemfile::certs(&mut server_cert_reader)
+ let server_cert: Vec<_> = CertificateDer::pem_slice_iter(SERVER_CERT_PEM)
 .collect::, _>>()
 .context("Invalid server certificate")?;
- let mut server_key_reader = BufReader::new(SERVER_KEY_PEM);
- let server_key = rustls_pemfile::rsa_private_keys(&mut server_key_reader)
- .next()
- .context("No RSA private key found")?
- .context("Invalid server TLS keys")?;
+ let server_key =
+ PrivatePkcs1KeyDer::from_pem_slice(SERVER_KEY_PEM).context("Invalid server TLS keys")?;
 let client_cert_verifier = WebPkiClientVerifier::builder(Arc::new(ca_cert_store))
 .allow_unauthenticated()
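Review bot: `PrivatePkcs1KeyDer::from_pem_slice(SERVER_KEY_PEM)` binds the example to an `RSA PRIVATE KEY` section, which is why the final hunk must wrap the value as `PrivateKeyDer::Pkcs1(server_key)` and the import hunk adds `PrivatePkcs1KeyDer`. `PrivateKeyDer` implements `PemObject` itself and accepts PKCS#1, PKCS#8 and SEC1 sections, so `let server_key = PrivateKeyDer::from_pem_slice(SERVER_KEY_PEM).context("Invalid server TLS keys")?;` here and `.with_single_cert(server_cert, server_key)?;` in the final hunk would drop the extra type and keep working if the embedded key is ever regenerated as PKCS#8. The old code also reported "no RSA key found" separately from a parse failure; the single `context` now covers both, which is acceptable for an example but worth a short comment. `load_tls_config` continues past this hunk into the last one.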
@@ -101,7 +99,7 @@ fn load_tls_config() -> Result, anyhow::Error> {
 let mut config = ServerConfig::builder()
 .with_client_cert_verifier(client_cert_verifier)
- .with_single_cert(server_cert, server_key.into())?;
+ .with_single_cert(server_cert, PrivateKeyDer::Pkcs1(server_key))?;
 config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
 Ok(Arc::new(config))