chore: replace rustls-pemfile with rustls-pki-types (#3725)

2025-12-29 21:00:54 +00:00 · 2025-02-06 06:48:19 +09:00 · 2025-02-06 06:48:19 +09:00 · 3a20a92a3f
commit 3a20a92a3f
parent f42561b8d7
3 changed files with 13 additions and 25 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -3143,15 +3143,6 @@ dependencies = [
 "security-framework 3.2.0",
 ]

-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.10.1"
@ -3591,7 +3582,7 @@ dependencies = [
 "rust_decimal",
 "rustls",
 "rustls-native-certs",
- "rustls-pemfile",
+ "rustls-pki-types",
 "serde",
 "serde_json",
 "sha2",
--- a/sqlx-core/Cargo.toml
+++ b/sqlx-core/Cargo.toml
@ -25,7 +25,7 @@ _tls-native-tls = ["native-tls"]
 _tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs", "webpki-roots"]
 _tls-rustls-ring-webpki = ["_tls-rustls", "rustls/ring", "webpki-roots"]
 _tls-rustls-ring-native-roots = ["_tls-rustls", "rustls/ring", "rustls-native-certs"]
-_tls-rustls = ["rustls", "rustls-pemfile"]
+_tls-rustls = ["rustls"]
 _tls-none = []

 # support offline/decoupled building (enables serialization of `Describe`)
@ -39,8 +39,7 @@ tokio = { workspace = true, optional = true }
 # TLS
 native-tls = { version = "0.2.10", optional = true }

-rustls = { version = "0.23.11", default-features = false, features = ["std", "tls12"], optional = true }
-rustls-pemfile = { version = "2", optional = true }
+rustls = { version = "0.23.15", default-features = false, features = ["std", "tls12"], optional = true }
 webpki-roots = { version = "0.26", optional = true }
 rustls-native-certs = { version = "0.8.0", optional = true }

--- a/sqlx-core/src/net/tls/tls_rustls.rs
+++ b/sqlx-core/src/net/tls/tls_rustls.rs
@ -1,5 +1,5 @@
 use futures_util::future;
-use std::io::{self, BufReader, Cursor, Read, Write};
+use std::io::{self, Read, Write};
 use std::sync::Arc;
 use std::task::{Context, Poll};

@ -9,7 +9,10 @@ use rustls::{
        WebPkiServerVerifier,
    },
    crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
-    pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+    pki_types::{
+        pem::{self, PemObject},
+        CertificateDer, PrivateKeyDer, ServerName, UnixTime,
+    },
    CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore,
 };

@ -141,9 +144,8 @@ where

        if let Some(ca) = tls_config.root_cert_path {
            let data = ca.data().await?;
-            let mut cursor = Cursor::new(data);

-            for result in rustls_pemfile::certs(&mut cursor) {
+            for result in CertificateDer::pem_slice_iter(&data) {
                let Ok(cert) = result else {
                    return Err(Error::Tls(format!("Invalid certificate {ca}").into()));
                };
@ -196,19 +198,15 @@ where
 }

 fn certs_from_pem(pem: Vec<u8>) -> Result<Vec<CertificateDer<'static>>, Error> {
-    let cur = Cursor::new(pem);
-    let mut reader = BufReader::new(cur);
-    rustls_pemfile::certs(&mut reader)
+    CertificateDer::pem_slice_iter(&pem)
        .map(|result| result.map_err(|err| Error::Tls(err.into())))
        .collect()
 }

 fn private_key_from_pem(pem: Vec<u8>) -> Result<PrivateKeyDer<'static>, Error> {
-    let cur = Cursor::new(pem);
-    let mut reader = BufReader::new(cur);
-    match rustls_pemfile::private_key(&mut reader) {
-        Ok(Some(key)) => Ok(key),
-        Ok(None) => Err(Error::Configuration("no keys found pem file".into())),
+    match PrivateKeyDer::from_pem_slice(&pem) {
+        Ok(key) => Ok(key),
+        Err(pem::Error::NoItemsFound) => Err(Error::Configuration("no keys found pem file".into())),
        Err(e) => Err(Error::Configuration(e.to_string().into())),
    }
 }