refactor: replace rustls-pemfile with rustls-pki-types (#1050)

2025-02-22 08:59:14 +01:00
parent 4a4a96d805
commit cfa29743a8
3 changed files with 15 additions and 24 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1218,7 +1218,6 @@ dependencies = [
 "rsa",
 "rustls",
 "rustls-native-certs",
- "rustls-pemfile",
 "rustls-pki-types",
 "serde",
 "serde_json",
@@ -1868,15 +1867,6 @@ dependencies = [
 "security-framework 3.0.1",
 ]

-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.10.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,9 +49,8 @@ percent-encoding = { version = "2.3", optional = true }
 ## tls
 native-tls = { version = "0.2.9", optional = true } # feature
 rustls = { version = "0.23.5", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
-rustls-pemfile = { version = "2", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
-rustls-pki-types = { version = "1.7", optional = true }
+rustls-pki-types = { version = "1.10", optional = true }
 webpki-roots = { version = "0.26", optional = true }
 boring = { version = "4", optional = true }

@@ -111,7 +110,7 @@ smtp-transport = ["dep:base64", "dep:nom", "dep:socket2", "dep:url", "dep:percen

 pool = ["dep:futures-util"]

-rustls-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pemfile", "dep:rustls-pki-types"]
+rustls-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pki-types"]

 boring-tls = ["dep:boring"]

--- a/src/transport/smtp/client/tls.rs
+++ b/src/transport/smtp/client/tls.rs
@@ -1,6 +1,6 @@
 use std::fmt::{self, Debug};
 #[cfg(feature = "rustls-tls")]
-use std::{io, sync::Arc};
+use std::sync::Arc;

 #[cfg(feature = "boring-tls")]
 use boring::{
@@ -15,7 +15,7 @@ use rustls::{
    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
    crypto::WebPkiSupportedAlgorithms,
    crypto::{verify_tls12_signature, verify_tls13_signature},
-    pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+    pki_types::{self, pem::PemObject, CertificateDer, PrivateKeyDer, ServerName, UnixTime},
    server::ParsedCertificate,
    ClientConfig, DigitallySignedStruct, Error as TlsError, RootCertStore, SignatureScheme,
 };
@@ -585,11 +585,8 @@ impl Certificate {

        #[cfg(feature = "rustls-tls")]
        let rustls_cert = {
-            use std::io::Cursor;
-
-            let mut pem = Cursor::new(pem);
-            rustls_pemfile::certs(&mut pem)
-                .collect::<io::Result<Vec<_>>>()
+            CertificateDer::pem_slice_iter(pem)
+                .collect::<Result<Vec<_>, rustls_pki_types::pem::Error>>()
                .map_err(|_| error::tls("invalid certificates"))?
        };

@@ -661,11 +658,16 @@ impl Identity {
    #[cfg(feature = "rustls-tls")]
    fn from_pem_rustls_tls(
        pem: &[u8],
-        mut key: &[u8],
+        key: &[u8],
    ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), Error> {
-        let key = rustls_pemfile::private_key(&mut key)
-            .map_err(error::tls)?
-            .ok_or_else(|| error::tls("no private key found"))?;
+        let key = match PrivateKeyDer::from_pem_slice(key) {
+            Ok(key) => key,
+            Err(pki_types::pem::Error::NoItemsFound) => {
+                return Err(error::tls("no private key found"))
+            }
+            Err(err) => return Err(error::tls(err)),
+        };
+
        Ok((vec![pem.to_owned().into()], key))
    }