fix: Replace rustls-pemfile with rustls-pki-types

chantra · chantra · commit 23eb3a2e904b · 2025-12-05T21:07:24.000-08:00
Summary: rustls-pemfile is now unmaintained and the recommendation is to migrate to rustls-pki-types. RUSTSEC advisory https://rustsec.org/advisories/RUSTSEC-2025-0134 Test Plan: ``` cargo test --features tls-rustls-no-provider ``` and ``` cargo test --features tls-rustls ``` Fixes #177
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,5 +1,8 @@
 [package]
-authors = ["Programatik <programatik29@gmail.com>", "Adi Salimgereev <adisalimgereev@gmail.com>"]
+authors = [
+    "Programatik <programatik29@gmail.com>",
+    "Adi Salimgereev <adisalimgereev@gmail.com>",
+]
 categories = ["asynchronous", "network-programming", "web-programming"]
 description = "High level server designed to be used with axum framework."
 edition = "2021"
@@ -15,8 +18,22 @@ rust-version = "1.82"
 [features]
 default = []
 tls-rustls = ["tls-rustls-no-provider", "rustls/aws-lc-rs"]
-tls-rustls-no-provider = ["arc-swap", "rustls", "rustls-pemfile", "tokio/fs", "tokio/time", "tokio-rustls", "rustls-pki-types", "dep:pin-project-lite"]
-tls-openssl = ["arc-swap", "openssl", "openssl-sys", "tokio-openssl", "dep:pin-project-lite"]
+tls-rustls-no-provider = [
+    "arc-swap",
+    "rustls",
+    "tokio/fs",
+    "tokio/time",
+    "tokio-rustls",
+    "rustls-pki-types",
+    "dep:pin-project-lite",
+]
+tls-openssl = [
+    "arc-swap",
+    "openssl",
+    "openssl-sys",
+    "tokio-openssl",
+    "dep:pin-project-lite",
+]
 
 [dependencies]
 bytes = "1"
@@ -27,14 +44,17 @@ http-body = "1.0"
 hyper = { version = "1.4", features = ["http1", "http2", "server"] }
 tokio = { version = "1", features = ["macros", "net", "sync"] }
 tower-service = "0.3"
-hyper-util = { version = "0.1.18", features = ["server-auto", "service", "tokio"] }
+hyper-util = { version = "0.1.18", features = [
+    "server-auto",
+    "service",
+    "tokio",
+] }
 
 # optional dependencies
 ## rustls
 arc-swap = { version = "1", optional = true }
 rustls = { version = "0.23", default-features = false, optional = true }
-rustls-pki-types = { version = "1.7", optional = true }
-rustls-pemfile = { version = "2.2", optional = true }
+rustls-pki-types = { version = "1.9", features = ["std"], optional = true }
 tokio-rustls = { version = "0.26", default-features = false, optional = true }
 
 ## openssl
diff --git a/src/tls_rustls/mod.rs b/src/tls_rustls/mod.rs
@@ -34,7 +34,7 @@ use crate::{
 };
 use arc_swap::ArcSwap;
 use rustls::ServerConfig;
-use rustls_pemfile::Item;
+use rustls_pki_types::pem::PemObject;
 use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 use std::time::Duration;
 use std::{fmt, io, net::SocketAddr, path::Path, sync::Arc};
@@ -295,32 +295,17 @@ fn config_from_der(cert: Vec<Vec<u8>>, key: Vec<u8>) -> io::Result<ServerConfig>
 }
 
 fn config_from_pem(cert: Vec<u8>, key: Vec<u8>) -> io::Result<ServerConfig> {
-    let cert = rustls_pemfile::certs(&mut cert.as_ref())
-        .map(|it| it.map(|it| it.to_vec()))
-        .collect::<Result<Vec<_>, _>>()?;
+    let cert: Vec<CertificateDer> = CertificateDer::pem_slice_iter(&cert)
+        .collect::<Result<Vec<_>, _>>()
+        .map_err(|_| io_other("failed to parse certificate"))?;
 
-    let mut key_result = Err(io_other("The private key file contained no keys"));
+    let mut key_result: Result<PrivateKeyDer, io::Error> =
+        Err(io_other("The private key file contained no keys"));
 
     // Check the entire PEM file for the key in case it is not first section
-    for item in rustls_pemfile::read_all(&mut key.as_ref()) {
-        let key = item.and_then(|i| match i {
-            Item::Sec1Key(key) => Ok(key.secret_sec1_der().to_vec()),
-            Item::Pkcs1Key(key) => Ok(key.secret_pkcs1_der().to_vec()),
-            Item::Pkcs8Key(key) => Ok(key.secret_pkcs8_der().to_vec()),
-            Item::X509Certificate(_) => {
-                Err(io_other("Unsupported private key format 'X509Certificate'"))
-            }
-            Item::Crl(_) => Err(io_other(
-                "Unsupported private key format 'CertificateRevocationList'",
-            )),
-            Item::Csr(_) => Err(io_other(
-                "Unsupported private key format 'CertificateSigningRequest'",
-            )),
-            Item::SubjectPublicKeyInfo(_) => Err(io_other(
-                "Unsupported private key format 'SubjectPublicKeyInfo'",
-            )),
-            _ => Err(io_other("Unrecognized private key format")),
-        });
+    for item in rustls_pki_types::pem::PemObject::pem_slice_iter(&key) {
+        let key: Result<PrivateKeyDer, io::Error> =
+            item.map_err(|_| io_other("failed to parse PEM"));
 
         match key_result {
             // if we already got a key, then...
@@ -339,7 +324,11 @@ fn config_from_pem(cert: Vec<u8>, key: Vec<u8>) -> io::Result<ServerConfig> {
         }
     }
 
-    config_from_der(cert, key_result?)
+    let key = key_result?;
+    let cert_der: Vec<Vec<u8>> = cert.into_iter().map(|c| c.to_vec()).collect();
+    let key_der = key.secret_der().to_vec();
+
+    config_from_der(cert_der, key_der)
 }
 
 async fn config_from_pem_file(
@@ -357,20 +346,12 @@ async fn config_from_pem_chain_file(
     chain: impl AsRef<Path>,
 ) -> io::Result<ServerConfig> {
     let cert = fs_err::tokio::read(cert.as_ref()).await?;
-    let cert = rustls_pemfile::certs(&mut cert.as_ref())
-        .map(|it| it.map(|it| CertificateDer::from(it.to_vec())))
-        .collect::<Result<Vec<_>, _>>()?;
+    let cert = CertificateDer::pem_slice_iter(&cert)
+        .collect::<Result<Vec<_>, _>>()
+        .map_err(|_| io_other("failed to parse certificate"))?;
     let key = fs_err::tokio::read(chain.as_ref()).await?;
-    let key_cert: PrivateKeyDer = match rustls_pemfile::read_one(&mut key.as_ref())?
-        .ok_or_else(|| io_other("could not parse pem file"))?
-    {
-        Item::Pkcs8Key(key) => Ok(key.into()),
-        Item::Sec1Key(key) => Ok(key.into()),
-        Item::Pkcs1Key(key) => Ok(key.into()),
-        x => Err(io_other(format!(
-            "invalid certificate format, received: {x:?}"
-        ))),
-    }?;
+    let key_cert: PrivateKeyDer =
+        PrivateKeyDer::from_pem_slice(&key).map_err(|_| io_other("could not parse pem file"))?;
 
     ServerConfig::builder()
         .with_no_client_auth()
