From 41f99b0ddd41fa3c588cb412bfdbec4186356391 Mon Sep 17 00:00:00 2001 From: Yuki Okushi Date: Fri, 12 Dec 2025 08:11:24 +0900 Subject: [PATCH] fix(*): replace rustls-pemfile (#3855) --- Cargo.lock | 19 +++++-------------- actix-http/Cargo.toml | 2 +- actix-http/examples/tls_rustls.rs | 21 +++++---------------- actix-http/examples/ws.rs | 23 +++++------------------ actix-http/tests/test_rustls.rs | 21 +++++---------------- actix-web/Cargo.toml | 2 +- actix-web/tests/test_server.rs | 18 ++++-------------- awc/Cargo.toml | 2 +- awc/tests/test_rustls_client.rs | 30 ++++++++---------------------- 9 files changed, 35 insertions(+), 103 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a180b4be1..837a43552 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -113,7 +113,7 @@ dependencies = [ "rcgen", "regex", "rustls 0.23.35", - "rustls-pemfile", + "rustls-pki-types", "rustversion", "serde", "serde_json", @@ -388,7 +388,7 @@ dependencies = [ "regex", "regex-lite", "rustls 0.23.35", - "rustls-pemfile", + "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", @@ -649,7 +649,7 @@ dependencies = [ "rustls 0.21.12", "rustls 0.22.4", "rustls 0.23.35", - "rustls-pemfile", + "rustls-pki-types", "serde", "serde_json", "serde_urlencoded", @@ -2531,20 +2531,11 @@ dependencies = [ "security-framework", ] -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "rustls-pki-types" -version = "1.13.0" +version = "1.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "94182ad936a0c91c324cd46c6511b9510ed16af436d7b5bab34beab0afd55f7a" +checksum = "708c0f9d5f54ba0272468c1d306a52c495b31fa155e91bc25371e6df7996908c" dependencies = [ "zeroize", ] diff --git a/actix-http/Cargo.toml b/actix-http/Cargo.toml index 9f41e627f..59a763736 100644 
--- a/actix-http/Cargo.toml +++ b/actix-http/Cargo.toml @@ -149,7 +149,7 @@ memchr = "2.4" once_cell = "1.21" rcgen = "0.13" regex = "1.3" -rustls-pemfile = "2" +rustls-pki-types = "1.13.1" rustversion = "1" serde = { version = "1", features = ["derive"] } serde_json = "1.0" diff --git a/actix-http/examples/tls_rustls.rs b/actix-http/examples/tls_rustls.rs index 17303c556..a1db91b12 100644 --- a/actix-http/examples/tls_rustls.rs +++ b/actix-http/examples/tls_rustls.rs @@ -45,25 +45,14 @@ async fn main() -> io::Result<()> { fn rustls_config() -> rustls::ServerConfig { let rcgen::CertifiedKey { cert, key_pair } = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); - let cert_file = cert.pem(); - let key_file = key_pair.serialize_pem(); - - let cert_file = &mut io::BufReader::new(cert_file.as_bytes()); - let key_file = &mut io::BufReader::new(key_file.as_bytes()); - - let cert_chain = rustls_pemfile::certs(cert_file) - .collect::, _>>() - .unwrap(); - let mut keys = rustls_pemfile::pkcs8_private_keys(key_file) - .collect::, _>>() - .unwrap(); + let cert_chain = vec![cert.der().clone()]; + let key_der = rustls_pki_types::PrivateKeyDer::Pkcs8( + rustls_pki_types::PrivatePkcs8KeyDer::from(key_pair.serialize_der()), + ); let mut config = rustls::ServerConfig::builder() .with_no_client_auth() - .with_single_cert( - cert_chain, - rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)), - ) + .with_single_cert(cert_chain, key_der) .unwrap(); const H1_ALPN: &[u8] = b"http/1.1"; diff --git a/actix-http/examples/ws.rs b/actix-http/examples/ws.rs index af83e4c3d..9750a1a2a 100644 --- a/actix-http/examples/ws.rs +++ b/actix-http/examples/ws.rs 
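Review bot: The new dev-dependency `rustls-pki-types = "1.13.1"` duplicates types that rustls already re-exports as `rustls::pki_types`, the path the removed code in this commit used (`rustls::pki_types::PrivateKeyDer::Pkcs8`). Importing `PrivateKeyDer` and `PrivatePkcs8KeyDer` through that re-export would let this line be dropped instead of swapped. That leaves one fewer direct dependency to audit, and no separate version requirement that could drift from the one rustls resolves. If the direct entry stays, add a short comment saying why `1.13.1` is the minimum, because the visible hunks do not show what needs that release. The same line is added in actix-web/Cargo.toml and awc/Cargo.toml.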
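Review bot: In `rustls_config`, `PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der()))` labels the key bytes as PKCS#8 with nothing checking the encoding, whereas the removed `pkcs8_private_keys` call only yielded keys it had parsed as that format. rcgen documents `serialize_der()` as PKCS#8, so the label holds today, but the assumption is now implicit. A mismatch would presumably surface only as a panic from the `.unwrap()` on `with_single_cert`. State it above the line, e.g. `// rcgen's serialize_der() emits PKCS#8 DER, so the Pkcs8 variant matches the bytes`. The same construction appears in `tls_config` in examples/ws.rs, tests/test_rustls.rs, actix-web/tests/test_server.rs and awc/tests/test_rustls_client.rs; the function body continues past the end of this hunk.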
@@ -82,29 +82,16 @@ impl Stream for Heartbeat { } fn tls_config() -> rustls::ServerConfig { - use std::io::BufReader; - - use rustls_pemfile::{certs, pkcs8_private_keys}; - let rcgen::CertifiedKey { cert, key_pair } = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); - let cert_file = cert.pem(); - let key_file = key_pair.serialize_pem(); - - let cert_file = &mut BufReader::new(cert_file.as_bytes()); - let key_file = &mut BufReader::new(key_file.as_bytes()); - - let cert_chain = certs(cert_file).collect::, _>>().unwrap(); - let mut keys = pkcs8_private_keys(key_file) - .collect::, _>>() - .unwrap(); + let cert_chain = vec![cert.der().clone()]; + let key_der = rustls_pki_types::PrivateKeyDer::Pkcs8( + rustls_pki_types::PrivatePkcs8KeyDer::from(key_pair.serialize_der()), + ); let mut config = rustls::ServerConfig::builder() .with_no_client_auth() - .with_single_cert( - cert_chain, - rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)), - ) + .with_single_cert(cert_chain, key_der) .unwrap(); config.alpn_protocols.push(b"http/1.1".to_vec()); diff --git a/actix-http/tests/test_rustls.rs b/actix-http/tests/test_rustls.rs index 43e47c0a4..29e559666 100644 --- a/actix-http/tests/test_rustls.rs +++ b/actix-http/tests/test_rustls.rs @@ -4,7 +4,7 @@ extern crate tls_rustls_023 as rustls; use std::{ convert::Infallible, - io::{self, BufReader, Write}, + io::{self, Write}, net::{SocketAddr, TcpStream as StdTcpStream}, sync::Arc, task::Poll, @@ -27,7 +27,7 @@ use derive_more::{Display, Error}; use futures_core::{ready, Stream}; use futures_util::stream::once; use rustls::{pki_types::ServerName, ServerConfig as RustlsServerConfig}; -use rustls_pemfile::{certs, pkcs8_private_keys}; +use rustls_pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}; async fn load_body(stream: S) -> Result where 
@@ -54,23 +54,12 @@ where fn tls_config() -> RustlsServerConfig { let rcgen::CertifiedKey { cert, key_pair } = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); - let cert_file = cert.pem(); - let key_file = key_pair.serialize_pem(); - - let cert_file = &mut BufReader::new(cert_file.as_bytes()); - let key_file = &mut BufReader::new(key_file.as_bytes()); - - let cert_chain = certs(cert_file).collect::, _>>().unwrap(); - let mut keys = pkcs8_private_keys(key_file) - .collect::, _>>() - .unwrap(); + let cert_chain = vec![cert.der().clone()]; + let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der())); let mut config = RustlsServerConfig::builder() .with_no_client_auth() - .with_single_cert( - cert_chain, - rustls::pki_types::PrivateKeyDer::Pkcs8(keys.remove(0)), - ) + .with_single_cert(cert_chain, key_der) .unwrap(); config.alpn_protocols.push(HTTP1_1_ALPN_PROTOCOL.to_vec()); diff --git a/actix-web/Cargo.toml b/actix-web/Cargo.toml index cc02f197c..085e89371 100644 --- a/actix-web/Cargo.toml +++ b/actix-web/Cargo.toml @@ -179,7 +179,7 @@ flate2 = "1.0.13" futures-util = { version = "0.3.17", default-features = false, features = ["std"] } rand = "0.9" rcgen = "0.13" -rustls-pemfile = "2" +rustls-pki-types = "1.13.1" serde = { version = "1", features = ["derive"] } static_assertions = "1" tls-openssl = { package = "openssl", version = "0.10.55" } diff --git a/actix-web/tests/test_server.rs b/actix-web/tests/test_server.rs index f13aa3cfd..343b7f104 100644 --- a/actix-web/tests/test_server.rs +++ b/actix-web/tests/test_server.rs 
@@ -688,30 +688,20 @@ async fn test_brotli_encoding_large_openssl() { #[cfg(feature = "rustls-0_23")] mod plus_rustls { - use std::io::BufReader; - use rustls::{pki_types::PrivateKeyDer, ServerConfig as RustlsServerConfig}; - use rustls_pemfile::{certs, pkcs8_private_keys}; + use rustls_pki_types::PrivatePkcs8KeyDer; use super::*; fn tls_config() -> RustlsServerConfig { let rcgen::CertifiedKey { cert, key_pair } = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); - let cert_file = cert.pem(); - let key_file = key_pair.serialize_pem(); - - let cert_file = &mut BufReader::new(cert_file.as_bytes()); - let key_file = &mut BufReader::new(key_file.as_bytes()); - - let cert_chain = certs(cert_file).collect::, _>>().unwrap(); - let mut keys = pkcs8_private_keys(key_file) - .collect::, _>>() - .unwrap(); + let cert_chain = vec![cert.der().clone()]; + let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der())); RustlsServerConfig::builder() .with_no_client_auth() - .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0))) + .with_single_cert(cert_chain, key_der) .unwrap() } diff --git a/awc/Cargo.toml b/awc/Cargo.toml index 05b0f4d7b..5386b7994 100644 --- a/awc/Cargo.toml +++ b/awc/Cargo.toml @@ -149,7 +149,7 @@ flate2 = "1.0.13" futures-util = { version = "0.3.17", default-features = false } static_assertions = "1.1" rcgen = "0.13" -rustls-pemfile = "2" +rustls-pki-types = "1.13.1" tokio = { version = "1.38.2", features = ["rt-multi-thread", "macros"] } zstd = "0.13" tls-rustls-0_23 = { package = "rustls", version = "0.23" } # add rustls 0.23 with default features to make aws_lc_rs work in tests diff --git a/awc/tests/test_rustls_client.rs b/awc/tests/test_rustls_client.rs index 7e832f67d..9ce6bd31f 100644 --- a/awc/tests/test_rustls_client.rs +++ b/awc/tests/test_rustls_client.rs 
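Review bot: The `plus_rustls` module now takes `PrivateKeyDer` from `rustls::pki_types` and `PrivatePkcs8KeyDer` from the separate `rustls_pki_types` crate, so a single expression mixes two import paths for what is presumably the same underlying crate. Taking both from the re-export keeps the key types tied to the rustls version under test: `use rustls::{pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}, ServerConfig as RustlsServerConfig};`. awc/tests/test_rustls_client.rs has the same split, with `ServerName` from `rustls::pki_types` and the other three types from `rustls_pki_types`. The module continues past the end of the hunk.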
@@ -2,12 +2,9 @@ extern crate tls_rustls_0_23 as rustls; -use std::{ - io::BufReader, - sync::{ - atomic::{AtomicUsize, Ordering}, - Arc, - }, +use std::sync::{ + atomic::{AtomicUsize, Ordering}, + Arc, }; use actix_http::HttpService; @@ -16,29 +13,18 @@ use actix_service::{fn_service, map_config, ServiceFactoryExt}; use actix_tls::connect::rustls_0_23::webpki_roots_cert_store; use actix_utils::future::ok; use actix_web::{dev::AppConfig, http::Version, web, App, HttpResponse}; -use rustls::{ - pki_types::{CertificateDer, PrivateKeyDer, ServerName}, - ClientConfig, ServerConfig, -}; -use rustls_pemfile::{certs, pkcs8_private_keys}; +use rustls::{pki_types::ServerName, ClientConfig, ServerConfig}; +use rustls_pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}; fn tls_config() -> ServerConfig { let rcgen::CertifiedKey { cert, key_pair } = rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap(); - let cert_file = cert.pem(); - let key_file = key_pair.serialize_pem(); - - let cert_file = &mut BufReader::new(cert_file.as_bytes()); - let key_file = &mut BufReader::new(key_file.as_bytes()); - - let cert_chain = certs(cert_file).collect::, _>>().unwrap(); - let mut keys = pkcs8_private_keys(key_file) - .collect::, _>>() - .unwrap(); + let cert_chain = vec![cert.der().clone()]; + let key_der = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialize_der())); ServerConfig::builder() .with_no_client_auth() - .with_single_cert(cert_chain, PrivateKeyDer::Pkcs8(keys.remove(0))) + .with_single_cert(cert_chain, key_der) .unwrap() }