From cfa29743a8e64ef7dc93e32fc9553ee46e67c836 Mon Sep 17 00:00:00 2001
From: Paolo Barbolini
Date: Sat, 22 Feb 2025 08:59:14 +0100
Subject: [PATCH] refactor: replace `rustls-pemfile` with `rustls-pki-types` (#1050)
---
 Cargo.lock | 10 ----------
 Cargo.toml | 5 ++---
 src/transport/smtp/client/tls.rs | 24 +++++++++++++-----------
 3 files changed, 15 insertions(+), 24 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a520345..139309b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1218,7 +1218,6 @@ dependencies = [
 "rsa",
 "rustls",
 "rustls-native-certs",
- "rustls-pemfile",
 "rustls-pki-types",
 "serde",
 "serde_json",
@@ -1868,15 +1867,6 @@ dependencies = [
 "security-framework 3.0.1",
 ]
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.10.0"
diff --git a/Cargo.toml b/Cargo.toml
index 91df067..94895e8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,9 +49,8 @@ percent-encoding = { version = "2.3", optional = true }
 ## tls
 native-tls = { version = "0.2.9", optional = true } # feature
 rustls = { version = "0.23.5", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
-rustls-pemfile = { version = "2", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
-rustls-pki-types = { version = "1.7", optional = true }
+rustls-pki-types = { version = "1.10", optional = true }
 webpki-roots = { version = "0.26", optional = true }
 boring = { version = "4", optional = true }
@@ -111,7 +110,7 @@ smtp-transport = ["dep:base64", "dep:nom", "dep:socket2", "dep:url", "dep:percen
 pool = ["dep:futures-util"]
-rustls-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pemfile", "dep:rustls-pki-types"]
+rustls-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pki-types"]
 boring-tls = ["dep:boring"]
diff --git a/src/transport/smtp/client/tls.rs b/src/transport/smtp/client/tls.rs
index 215a917..a2f9e76 100644
--- a/src/transport/smtp/client/tls.rs
+++ b/src/transport/smtp/client/tls.rs
@@ -1,6 +1,6 @@
 use std::fmt::{self, Debug};
 #[cfg(feature = "rustls-tls")]
-use std::{io, sync::Arc};
+use std::sync::Arc;
 #[cfg(feature = "boring-tls")]
 use boring::{
@@ -15,7 +15,7 @@ use rustls::{
 client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
 crypto::WebPkiSupportedAlgorithms,
 crypto::{verify_tls12_signature, verify_tls13_signature},
- pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+ pki_types::{self, pem::PemObject, CertificateDer, PrivateKeyDer, ServerName, UnixTime},
 server::ParsedCertificate,
 ClientConfig, DigitallySignedStruct, Error as TlsError, RootCertStore, SignatureScheme,
 };
@@ -585,11 +585,8 @@ impl Certificate {
 #[cfg(feature = "rustls-tls")]
 let rustls_cert = {
- use std::io::Cursor;
-
- let mut pem = Cursor::new(pem);
- rustls_pemfile::certs(&mut pem)
- .collect::>>()
+ CertificateDer::pem_slice_iter(pem)
+ .collect::, rustls_pki_types::pem::Error>>()
 .map_err(|_| error::tls("invalid certificates"))?
 };
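Review bot: In the `impl Certificate` hunk of src/transport/smtp/client/tls.rs the collect turbofish names its error type through the crate path `rustls_pki_types::pem::Error`, while the import hunk above brings `pki_types` in from `rustls` and the `Identity` hunk matches on `pki_types::pem::Error::NoItemsFound`. Settling on one path avoids relying on both the re-export and the direct crate name in the same file; because the following `map_err(|_| …)` discards the error anyway, `.collect::<Result<Vec<_>, _>>()` would let inference pick the type. The generic arguments on the collect line look truncated in this rendering, so confirm against the file. The enclosing function starts and ends outside the hunk.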
@@ -661,11 +658,16 @@ impl Identity {
 #[cfg(feature = "rustls-tls")]
 fn from_pem_rustls_tls(
 pem: &[u8],
- mut key: &[u8],
+ key: &[u8],
 ) -> Result<(Vec>, PrivateKeyDer<'static>), Error> {
- let key = rustls_pemfile::private_key(&mut key)
- .map_err(error::tls)?
- .ok_or_else(|| error::tls("no private key found"))?;
+ let key = match PrivateKeyDer::from_pem_slice(key) {
+ Ok(key) => key,
+ Err(pki_types::pem::Error::NoItemsFound) => {
+ return Err(error::tls("no private key found"))
+ }
+ Err(err) => return Err(error::tls(err)),
+ };
+
 Ok((vec![pem.to_owned().into()], key))
 }
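Review bot: The unchanged line `Ok((vec![pem.to_owned().into()], key))` in `from_pem_rustls_tls` still appears to wrap the raw `pem` bytes as a single certificate value without PEM decoding, even though the key beside it is now parsed with `PrivateKeyDer::from_pem_slice`. If `pem` is PEM text, as the function name suggests, the client certificate handed to rustls would not be DER and a chain with intermediates would collapse into one entry, which would only surface when a server requests client authentication. Decoding it the way the `Certificate` hunk does would address this: `let certs = CertificateDer::pem_slice_iter(pem).collect::<Result<Vec<_>, _>>().map_err(error::tls)?;` followed by `Ok((certs, key))`. Rejecting an empty `certs` at the same point would make a file with no certificate block fail here rather than during the handshake.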