Use newer rustls-pki-types PEM parser API

Author: djc

Cargo.lock

@@ -39,7 +39,6 @@ rcgen = "0.14"
 ring = "0.17"
 rustc-hash = "2"
 rustls = { version = "0.23.5", default-features = false, features = ["std"] }
-rustls-pemfile = "2"
 rustls-platform-verifier = "0.6"
 rustls-pki-types = "1.7"
 serde = { version = "1.0", features = ["derive"] }

Cargo.toml

@@ -34,7 +34,6 @@ quinn = { path = "../quinn" }
 quinn-proto = { path = "../quinn-proto" }
 rcgen = { workspace = true }
 rustls = { workspace = true }
-rustls-pemfile = { workspace = true }
 serde = { workspace = true, optional = true  }
 serde_json = { workspace = true, optional = true }
 socket2 = { workspace = true }

perf/Cargo.toml

@@ -1,10 +1,10 @@
-use std::{fs, net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
+use std::{net::SocketAddr, path::PathBuf, sync::Arc, time::Duration};
 
 use anyhow::{Context, Result};
 use bytes::Bytes;
 use clap::Parser;
 use quinn::{TokioRuntime, crypto::rustls::QuicServerConfig};
-use rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use tracing::{debug, error, info};
 
 use crate::{CommonOpt, PERF_CIPHER_SUITES, noprotection::NoProtectionServerConfig};
@@ -28,20 +28,17 @@ pub struct Opt {
 
 pub async fn run(opt: Opt) -> Result<()> {
     let (key, cert) = match (&opt.key, &opt.cert) {
-        (Some(key), Some(cert)) => {
-            let key = fs::read(key).context("reading key")?;
-            let cert = fs::read(cert).expect("reading cert");
-            (
-                PrivatePkcs8KeyDer::from(key),
-                rustls_pemfile::certs(&mut cert.as_ref())
-                    .collect::<Result<_, _>>()
-                    .context("parsing cert")?,
-            )
-        }
+        (Some(key), Some(cert)) => (
+            PrivateKeyDer::from_pem_file(key).context("reading private key")?,
+            CertificateDer::pem_file_iter(cert)
+                .context("reading certificate chain file")?
+                .collect::<Result<_, _>>()
+                .context("reading certificate chain")?,
+        ),
         _ => {
             let cert = rcgen::generate_simple_self_signed(vec!["localhost".into()]).unwrap();
             (
-                PrivatePkcs8KeyDer::from(cert.signing_key.serialize_der()),
+                PrivatePkcs8KeyDer::from(cert.signing_key.serialize_der()).into(),
                 vec![CertificateDer::from(cert.cert)],
             )
         }
@@ -57,7 +54,7 @@ pub async fn run(opt: Opt) -> Result<()> {
         .with_protocol_versions(&[&rustls::version::TLS13])
         .unwrap()
         .with_no_client_auth()
-        .with_single_cert(cert, key.into())
+        .with_single_cert(cert, key)
         .unwrap();
     crypto.alpn_protocols = vec![b"perf".to_vec()];
 

perf/src/server.rs

@@ -80,7 +80,6 @@ bencher = { workspace = true }
 directories-next = { workspace = true }
 rand = { workspace = true }
 rcgen = { workspace = true }
-rustls-pemfile = { workspace = true }
 clap = { workspace = true }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread", "time", "macros"] }
 tracing-subscriber = { workspace = true }

quinn/Cargo.toml

@@ -13,7 +13,7 @@ use std::{
 use anyhow::{Context, Result, anyhow, bail};
 use clap::Parser;
 use proto::crypto::rustls::QuicServerConfig;
-use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use tracing::{error, info, info_span};
 use tracing_futures::Instrument as _;
 
@@ -69,19 +69,22 @@ fn main() {
 #[tokio::main]
 async fn run(options: Opt) -> Result<()> {
     let (certs, key) = if let (Some(key_path), Some(cert_path)) = (&options.key, &options.cert) {
-        let key = fs::read(key_path).context("failed to read private key")?;
         let key = if key_path.extension().is_some_and(|x| x == "der") {
-            PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key))
+            PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(
+                fs::read(key_path).context("failed to read private key file")?,
+            ))
         } else {
-            rustls_pemfile::private_key(&mut &*key)
-                .context("malformed PKCS #1 private key")?
-                .ok_or_else(|| anyhow::Error::msg("no private keys found"))?
+            PrivateKeyDer::from_pem_file(key_path)
+                .context("failed to read PEM from private key file")?
         };
-        let cert_chain = fs::read(cert_path).context("failed to read certificate chain")?;
+
         let cert_chain = if cert_path.extension().is_some_and(|x| x == "der") {
-            vec![CertificateDer::from(cert_chain)]
+            vec![CertificateDer::from(
+                fs::read(cert_path).context("failed to read certificate chain file")?,
+            )]
         } else {
-            rustls_pemfile::certs(&mut &*cert_chain)
+            CertificateDer::pem_file_iter(cert_path)
+                .context("failed to read PEM from certificate chain file")?
                 .collect::<Result<_, _>>()
                 .context("invalid PEM-encoded certificate")?
         };