Remove rustls-pemfile dependency (#5339)

sandhose · web-flow · commit 7f65f21b4b30 · 2025-12-16T13:27:30.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -525,10 +525,6 @@ version = "0.16.0"
 [workspace.dependencies.rustls]
 version = "0.23.35"
 
-# PEM parsing for rustls
-[workspace.dependencies.rustls-pemfile]
-version = "2.2.0"
-
 # PKI types for rustls
 [workspace.dependencies.rustls-pki-types]
 version = "1.13.0"
diff --git a/crates/config/Cargo.toml b/crates/config/Cargo.toml
@@ -30,7 +30,6 @@ lettre.workspace = true
 pem-rfc7468.workspace = true
 rand_chacha.workspace = true
 rand.workspace = true
-rustls-pemfile.workspace = true
 rustls-pki-types.workspace = true
 schemars.workspace = true
 serde_json.workspace = true
diff --git a/crates/config/src/sections/http.rs b/crates/config/src/sections/http.rs
@@ -6,13 +6,13 @@
 
 #![allow(deprecated)]
 
-use std::{borrow::Cow, io::Cursor};
+use std::borrow::Cow;
 
 use anyhow::bail;
 use camino::Utf8PathBuf;
 use ipnetwork::IpNetwork;
 use mas_keystore::PrivateKey;
-use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
+use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use url::Url;
@@ -238,10 +238,8 @@ impl TlsConfig {
             (None, Some(path)) => Cow::Owned(std::fs::read_to_string(path)?),
         };
 
-        let mut certificate_chain_reader = Cursor::new(certificate_chain_pem.as_bytes());
-        let certificate_chain: Result<Vec<_>, _> =
-            rustls_pemfile::certs(&mut certificate_chain_reader).collect();
-        let certificate_chain = certificate_chain?;
+        let certificate_chain = CertificateDer::pem_slice_iter(certificate_chain_pem.as_bytes())
+            .collect::<Result<Vec<_>, _>>()?;
 
         if certificate_chain.is_empty() {
             bail!("TLS certificate chain is empty (or invalid)")
diff --git a/crates/listener/Cargo.toml b/crates/listener/Cargo.toml
@@ -36,7 +36,6 @@ mas-context.workspace = true
 
 [dev-dependencies]
 anyhow.workspace = true
-rustls-pemfile.workspace = true
 tokio-test.workspace = true
 tokio.workspace = true
 tracing-subscriber.workspace = true
diff --git a/crates/listener/examples/demo/main.rs b/crates/listener/examples/demo/main.rs
@@ -6,7 +6,6 @@
 
 use std::{
     convert::Infallible,
-    io::BufReader,
     net::{Ipv4Addr, TcpListener},
     sync::Arc,
     time::Duration,
@@ -15,7 +14,11 @@ use std::{
 use anyhow::Context;
 use hyper::{Request, Response};
 use mas_listener::{ConnectionInfo, server::Server};
-use tokio_rustls::rustls::{RootCertStore, ServerConfig, server::WebPkiClientVerifier};
+use tokio_rustls::rustls::{
+    RootCertStore, ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs1KeyDer, pem::PemObject},
+    server::WebPkiClientVerifier,
+};
 use tokio_util::sync::CancellationToken;
 use tower::service_fn;
 
@@ -77,31 +80,26 @@ async fn main() -> Result<(), anyhow::Error> {
 }
 
 fn load_tls_config() -> Result<Arc<ServerConfig>, anyhow::Error> {
-    let mut ca_cert_reader = BufReader::new(CA_CERT_PEM);
-    let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
+    let ca_cert = CertificateDer::pem_slice_iter(CA_CERT_PEM)
         .collect::<Result<Vec<_>, _>>()
         .context("Invalid CA certificate")?;
     let mut ca_cert_store = RootCertStore::empty();
     ca_cert_store.add_parsable_certificates(ca_cert);
 
-    let mut server_cert_reader = BufReader::new(SERVER_CERT_PEM);
-    let server_cert: Vec<_> = rustls_pemfile::certs(&mut server_cert_reader)
+    let server_cert: Vec<_> = CertificateDer::pem_slice_iter(SERVER_CERT_PEM)
         .collect::<Result<Vec<_>, _>>()
         .context("Invalid server certificate")?;
 
-    let mut server_key_reader = BufReader::new(SERVER_KEY_PEM);
-    let server_key = rustls_pemfile::rsa_private_keys(&mut server_key_reader)
-        .next()
-        .context("No RSA private key found")?
-        .context("Invalid server TLS keys")?;
+    let server_key =
+        PrivatePkcs1KeyDer::from_pem_slice(SERVER_KEY_PEM).context("Invalid server TLS keys")?;
 
     let client_cert_verifier = WebPkiClientVerifier::builder(Arc::new(ca_cert_store))
         .allow_unauthenticated()
         .build()?;
 
     let mut config = ServerConfig::builder()
         .with_client_cert_verifier(client_cert_verifier)
-        .with_single_cert(server_cert, server_key.into())?;
+        .with_single_cert(server_cert, PrivateKeyDer::Pkcs1(server_key))?;
     config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
 
     Ok(Arc::new(config))
diff --git a/deny.toml b/deny.toml
@@ -19,9 +19,6 @@ ignore = [
     # RSA key extraction "Marvin Attack". This is only relevant when using
     # PKCS#1 v1.5 encryption, which we don't
     "RUSTSEC-2023-0071",
-    # This is a newly unmaintained package that we can allow temporarily.
-    # Remove ASAP once https://github.com/element-hq/matrix-authentication-service/issues/5337 is fixed.
-    "RUSTSEC-2025-0134",
 ]
 
 [licenses]

Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,6 @@ ignore = [`
`19`	`19`	`# RSA key extraction "Marvin Attack". This is only relevant when using`
`20`	`20`	`# PKCS#1 v1.5 encryption, which we don't`
`21`	`21`	`"RUSTSEC-2023-0071",`
`22`		`- # This is a newly unmaintained package that we can allow temporarily.`
`23`		`- # Remove ASAP once https://github.com/element-hq/matrix-authentication-service/issues/5337 is fixed.`
`24`		`- "RUSTSEC-2025-0134",`
`25`	`22`	`]`
`26`	`23`
`27`	`24`	`[licenses]`