chore: replace rustls-pemfile with rustls-pki-types (#3725)

launchbadge · Feb 5, 2025 · 3a20a92 · 3a20a92
1 parent f42561b
commit 3a20a92
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 25 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/sqlx-core/Cargo.toml b/sqlx-core/Cargo.toml
@@ -25,7 +25,7 @@ _tls-native-tls = ["native-tls"]
 _tls-rustls-aws-lc-rs = ["_tls-rustls", "rustls/aws-lc-rs", "webpki-roots"]
 _tls-rustls-ring-webpki = ["_tls-rustls", "rustls/ring", "webpki-roots"]
 _tls-rustls-ring-native-roots = ["_tls-rustls", "rustls/ring", "rustls-native-certs"]
-_tls-rustls = ["rustls", "rustls-pemfile"]
+_tls-rustls = ["rustls"]
 _tls-none = []
 
 # support offline/decoupled building (enables serialization of `Describe`)
@@ -39,8 +39,7 @@ tokio = { workspace = true, optional = true }
 # TLS
 native-tls = { version = "0.2.10", optional = true }
 
-rustls = { version = "0.23.11", default-features = false, features = ["std", "tls12"], optional = true }
-rustls-pemfile = { version = "2", optional = true }
+rustls = { version = "0.23.15", default-features = false, features = ["std", "tls12"], optional = true }
 webpki-roots = { version = "0.26", optional = true }
 rustls-native-certs = { version = "0.8.0", optional = true }
 

diff --git a/sqlx-core/src/net/tls/tls_rustls.rs b/sqlx-core/src/net/tls/tls_rustls.rs
@@ -1,5 +1,5 @@
 use futures_util::future;
-use std::io::{self, BufReader, Cursor, Read, Write};
+use std::io::{self, Read, Write};
 use std::sync::Arc;
 use std::task::{Context, Poll};
 
@@ -9,7 +9,10 @@ use rustls::{
         WebPkiServerVerifier,
     },
     crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
-    pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
+    pki_types::{
+        pem::{self, PemObject},
+        CertificateDer, PrivateKeyDer, ServerName, UnixTime,
+    },
     CertificateError, ClientConfig, ClientConnection, Error as TlsError, RootCertStore,
 };
 
@@ -141,9 +144,8 @@ where
 
         if let Some(ca) = tls_config.root_cert_path {
             let data = ca.data().await?;
-            let mut cursor = Cursor::new(data);
 
-            for result in rustls_pemfile::certs(&mut cursor) {
+            for result in CertificateDer::pem_slice_iter(&data) {
                 let Ok(cert) = result else {
                     return Err(Error::Tls(format!("Invalid certificate {ca}").into()));
                 };
@@ -196,19 +198,15 @@ where
 }
 
 fn certs_from_pem(pem: Vec<u8>) -> Result<Vec<CertificateDer<'static>>, Error> {
-    let cur = Cursor::new(pem);
-    let mut reader = BufReader::new(cur);
-    rustls_pemfile::certs(&mut reader)
+    CertificateDer::pem_slice_iter(&pem)
         .map(|result| result.map_err(|err| Error::Tls(err.into())))
         .collect()
 }
 
 fn private_key_from_pem(pem: Vec<u8>) -> Result<PrivateKeyDer<'static>, Error> {
-    let cur = Cursor::new(pem);
-    let mut reader = BufReader::new(cur);
-    match rustls_pemfile::private_key(&mut reader) {
-        Ok(Some(key)) => Ok(key),
-        Ok(None) => Err(Error::Configuration("no keys found pem file".into())),
+    match PrivateKeyDer::from_pem_slice(&pem) {
+        Ok(key) => Ok(key),
+        Err(pem::Error::NoItemsFound) => Err(Error::Configuration("no keys found pem file".into())),
         Err(e) => Err(Error::Configuration(e.to_string().into())),
     }
 }