chore(tls): Use rustls-pki-types crate pem api

hyperium · Oct 4, 2024 · c3af5d1 · c3af5d1
1 parent 045008c
commit c3af5d1
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 17 deletions.
diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
@@ -28,7 +28,7 @@ gzip = ["dep:flate2"]
 zstd = ["dep:zstd"]
 default = ["transport", "codegen", "prost"]
 prost = ["dep:prost"]
-tls = ["dep:rustls-pemfile", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "tokio?/macros"]
+tls = ["dep:rustls-pki-types", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "tokio?/macros"]
 tls-roots = ["tls-native-roots"] # Deprecated. Please use `tls-native-roots` instead.
 tls-native-roots = ["tls", "channel", "dep:rustls-native-certs"]
 tls-webpki-roots = ["tls", "channel", "dep:webpki-roots"]
@@ -88,7 +88,7 @@ tower = {version = "0.4.7", default-features = false, optional = true}
 axum = {version = "0.7", default-features = false, optional = true}
 
 # rustls
-rustls-pemfile = { version = "2.0", optional = true }
+rustls-pki-types = { version = "1.9", features = ["std"], optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
 webpki-roots = { version = "0.26", optional = true }

diff --git a/tonic/src/request.rs b/tonic/src/request.rs
@@ -4,13 +4,13 @@ use crate::transport::server::TcpConnectInfo;
 #[cfg(all(feature = "server", feature = "tls"))]
 use crate::transport::server::TlsConnectInfo;
 use http::Extensions;
+#[cfg(all(feature = "server", feature = "tls"))]
+use rustls_pki_types::CertificateDer;
 #[cfg(feature = "server")]
 use std::net::SocketAddr;
 #[cfg(all(feature = "server", feature = "tls"))]
 use std::sync::Arc;
 use std::time::Duration;
-#[cfg(all(feature = "server", feature = "tls"))]
-use tokio_rustls::rustls::pki_types::CertificateDer;
 use tokio_stream::Stream;
 
 /// A gRPC request and metadata from an RPC call.

diff --git a/tonic/src/transport/channel/service/tls.rs b/tonic/src/transport/channel/service/tls.rs
@@ -2,12 +2,10 @@ use std::fmt;
 use std::sync::Arc;
 
 use hyper_util::rt::TokioIo;
+use rustls_pki_types::{ServerName, TrustAnchor};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::{
-    rustls::{
-        pki_types::{ServerName, TrustAnchor},
-        ClientConfig, RootCertStore,
-    },
+    rustls::{ClientConfig, RootCertStore},
     TlsConnector as RustlsConnector,
 };
 

diff --git a/tonic/src/transport/channel/tls.rs b/tonic/src/transport/channel/tls.rs
@@ -4,7 +4,7 @@ use crate::transport::{
     Error,
 };
 use http::Uri;
-use tokio_rustls::rustls::pki_types::TrustAnchor;
+use rustls_pki_types::TrustAnchor;
 
 /// Configures TLS settings for endpoints.
 #[derive(Debug, Clone, Default)]

diff --git a/tonic/src/transport/mod.rs b/tonic/src/transport/mod.rs
@@ -113,7 +113,7 @@ pub use crate::status::TimeoutExpired;
 pub use self::tls::Certificate;
 pub use hyper::{body::Body, Uri};
 #[cfg(feature = "tls")]
-pub use tokio_rustls::rustls::pki_types::CertificateDer;
+pub use rustls_pki_types::CertificateDer;
 
 #[cfg(all(feature = "channel", feature = "tls"))]
 pub use self::channel::ClientTlsConfig;

diff --git a/tonic/src/transport/server/conn.rs b/tonic/src/transport/server/conn.rs
@@ -2,9 +2,9 @@ use std::net::SocketAddr;
 use tokio::net::TcpStream;
 
 #[cfg(feature = "tls")]
-use std::sync::Arc;
+use rustls_pki_types::CertificateDer;
 #[cfg(feature = "tls")]
-use tokio_rustls::rustls::pki_types::CertificateDer;
+use std::sync::Arc;
 #[cfg(feature = "tls")]
 use tokio_rustls::server::TlsStream;
 

diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
@@ -1,6 +1,6 @@
 use std::{fmt, io::Cursor};
 
-use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls_pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 
 use crate::transport::{Certificate, Identity};
 
@@ -38,7 +38,7 @@ impl std::error::Error for TlsError {}
 pub(crate) fn convert_certificate_to_pki_types(
     certificate: &Certificate,
 ) -> Result<Vec<CertificateDer<'static>>, TlsError> {
-    rustls_pemfile::certs(&mut Cursor::new(certificate))
+    CertificateDer::pem_reader_iter(&mut Cursor::new(certificate))
         .collect::<Result<Vec<_>, _>>()
         .map_err(|_| TlsError::CertificateParseError)
 }
@@ -47,8 +47,7 @@ pub(crate) fn convert_identity_to_pki_types(
     identity: &Identity,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), TlsError> {
     let cert = convert_certificate_to_pki_types(&identity.cert)?;
-    let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&identity.key)) else {
-        return Err(TlsError::PrivateKeyParseError);
-    };
+    let key = PrivateKeyDer::from_pem_reader(&mut Cursor::new(&identity.key))
+        .map_err(|_| TlsError::PrivateKeyParseError)?;
     Ok((cert, key))
 }