fix(tls): migrate from rustls-pemfile to rustls-pki-types#437
fix(tls): migrate from rustls-pemfile to rustls-pki-types#437
rustls-pemfile to rustls-pki-types#437Conversation
|
(cc: @unleashed, who may be a good reviewer for this) |
| @@ -1,4 +1,5 @@ | |||
| use super::*; | |||
| use rustls_pki_types::{pem::PemObject, PrivatePkcs1KeyDer, PrivatePkcs8KeyDer}; | |||
There was a problem hiding this comment.
minor nit:
| use rustls_pki_types::{pem::PemObject, PrivatePkcs1KeyDer, PrivatePkcs8KeyDer}; | |
| use rustls_pki_types::{pem::PemObject as _, PrivatePkcs1KeyDer, PrivatePkcs8KeyDer}; |
| rustls_pemfile::certs(&mut pem.as_slice()).collect() | ||
| CertificateDer::pem_slice_iter(pem.as_slice()) | ||
| .collect::<Result<Vec<_>, _>>() | ||
| .map_err(std::io::Error::other) |
There was a problem hiding this comment.
Took me a while to figure this out following the code and requirements on the error type generated by the iterator, but yes, this will require the std feature flag in the new crate.
There was a problem hiding this comment.
I was wondering why we now need to call map_err() here, so I went check for changes in the error types, before and after.
After a few indirections I found out that rustls-pemfile ultimately maps to either returning directly an std::io::Error as a result of file operations, or a newly crafted io::Error type with InvalidData kind and a lossy string out of the byte buffer (presumably with PEM data), see https://docs.rs/rustls-pemfile/2.2.0/src/rustls_pemfile/pemfile.rs.html#123-145. With the new crate and this mapping we'll end up with an io::Error type with an other/custom kind that prints out PEM data buffers directly, see https://docs.rs/rustls-pki-types/latest/src/rustls_pki_types/pem.rs.html#498-513.
Consumers won't be able to match on the kind directly (it's always the same kind now), although they will still be able to downcast the inner error at the cost of depending on rustls-pki-types. The display implementation prints out bytes directly instead of a string, which I'm not sure is an improvement.
Not sure this matters much in practice, but it changes the semantics of error handling code. I think if we want to keep the same semantics we could adapt the code in rustls-pemfile converting to an io::Error.
`rustls-pemfile` is unmaintained and has been archived since Aug 2025 (see https://rustsec.org/advisories/RUSTSEC-2025-0134), leading to RUSTSEC audit errors downstream. `rustls-pemfile` at this point is thin wrappers around the parsing logic in `rustls-pki-types`, so this does a direct translation to those APIs.
Co-Authored-By: Alejandro Martinez Ruiz <alex@flawedcode.org> Signed-off-by: katelyn martin <kate@buoyant.io>
cratelyn
force-pushed
the
kate/rustls-pemfile-migrate
branch
from
3386f7c to
852bbea
Compare
|
rebased on main to pick up ci fixes in #444, no changes to the commits here... |
3 participants
rustls-pemfileis unmaintained and has been archived since Aug 2025(see https://rustsec.org/advisories/RUSTSEC-2025-0134), leading to
RUSTSEC audit errors downstream.
rustls-pemfileat this point is thin wrappers around the parsing logicin
rustls-pki-types, so this does a direct translation to those APIs.