Remove rustls-pemfile usage

Author: rnijveld

Cargo.lock

@@ -49,8 +49,6 @@ pps-time = "0.2.3"
 
 # TLS
 rustls23 = { package = "rustls", version = "0.23.16", features = ["logging", "std", "tls12"] }
-rustls-pemfile2 = { package = "rustls-pemfile", version = "2.0" }
-rustls-pki-types = "1.10"
 rustls-platform-verifier = "0.5.0"
 tokio-rustls = { version = "0.26.0", features = ["logging", "tls12"] } # testing only
 

Cargo.toml

@@ -27,8 +27,6 @@ rand.workspace = true
 tracing.workspace = true
 serde.workspace = true
 rustls23.workspace = true
-rustls-pki-types.workspace = true
-rustls-pemfile2.workspace = true
 rustls-platform-verifier.workspace = true
 arbitrary = { workspace = true, optional = true }
 aead.workspace = true

ntp-proto/Cargo.toml

@@ -89,9 +89,41 @@ mod rustls23_shim {
     pub use rustls_platform_verifier::Verifier as PlatformVerifier;
 
     pub mod pemfile {
-        pub use rustls_pemfile2::certs;
-        pub use rustls_pemfile2::pkcs8_private_keys;
-        pub use rustls_pemfile2::private_key;
+        use rustls23::pki_types::{
+            pem::PemObject, CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer,
+        };
+
+        pub fn certs(
+            rd: &mut dyn std::io::BufRead,
+        ) -> impl Iterator<Item = Result<CertificateDer<'static>, std::io::Error>> + '_ {
+            CertificateDer::pem_reader_iter(rd).map(|item| {
+                item.map_err(|err| match err {
+                    rustls23::pki_types::pem::Error::Io(error) => error,
+                    _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+                })
+            })
+        }
+
+        pub fn private_key(
+            rd: &mut dyn std::io::BufRead,
+        ) -> Result<PrivateKeyDer<'static>, std::io::Error> {
+            PrivateKeyDer::from_pem_reader(rd).map_err(|err| match err {
+                rustls23::pki_types::pem::Error::Io(error) => error,
+                _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+            })
+        }
+
+        pub fn pkcs8_private_keys(
+            rd: &mut dyn std::io::BufRead,
+        ) -> impl Iterator<Item = Result<PrivatePkcs8KeyDer<'static>, std::io::Error>> + '_
+        {
+            PrivatePkcs8KeyDer::pem_reader_iter(rd).map(|item| {
+                item.map_err(|err| match err {
+                    rustls23::pki_types::pem::Error::Io(error) => error,
+                    _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+                })
+            })
+        }
     }
 
     pub trait CloneKeyShim {}

ntp-proto/src/tls_utils.rs

@@ -137,8 +137,7 @@ async fn run_nts_ke(
     }
 
     let private_key =
-        ntp_proto::tls_utils::pemfile::private_key(&mut std::io::BufReader::new(private_key_file))?
-            .ok_or(io_error("could not parse private key"))?;
+        ntp_proto::tls_utils::pemfile::private_key(&mut std::io::BufReader::new(private_key_file))?;
 
     key_exchange_server(keyset, nts_ke_config, cert_chain, pool_certs, private_key).await
 }
@@ -630,33 +629,23 @@ mod tests {
     #[test]
     fn parse_private_keys() {
         let input = include_bytes!("../../test-keys/end.key");
-        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice())
-            .unwrap()
-            .unwrap();
+        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice()).unwrap();
 
         let input = include_bytes!("../../test-keys/testca.key");
-        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice())
-            .unwrap()
-            .unwrap();
+        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice()).unwrap();
 
         // openssl does no longer seem to want to generate this format
         // so we use https://github.com/rustls/pemfile/blob/main/tests/data/rsa1024.pkcs1.pem
         let input = include_bytes!("../../test-keys/rsa_key.pem");
-        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice())
-            .unwrap()
-            .unwrap();
+        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice()).unwrap();
 
         // openssl ecparam -name prime256v1 -genkey -noout -out ec_key.pem
         let input = include_bytes!("../../test-keys/ec_key.pem");
-        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice())
-            .unwrap()
-            .unwrap();
+        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice()).unwrap();
 
         // openssl genpkey -algorithm EC -out pkcs8_key.pem -pkeyopt ec_paramgen_curve:prime256v1
         let input = include_bytes!("../../test-keys/pkcs8_key.pem");
-        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice())
-            .unwrap()
-            .unwrap();
+        let _ = ntp_proto::tls_utils::pemfile::private_key(&mut input.as_slice()).unwrap();
     }
 
     #[tokio::test]
@@ -958,9 +947,8 @@ mod tests {
                 certificates_from_bufread(BufReader::new(Cursor::new(cc))).unwrap();
 
             let pk = include_bytes!("../../test-keys/end.key");
-            let private_key = ntp_proto::tls_utils::pemfile::private_key(&mut pk.as_slice())
-                .unwrap()
-                .unwrap();
+            let private_key =
+                ntp_proto::tls_utils::pemfile::private_key(&mut pk.as_slice()).unwrap();
 
             let config = build_server_config(certificate_chain, private_key).unwrap();
 
@@ -993,9 +981,7 @@ mod tests {
         let certificate_chain = certificates_from_bufread(BufReader::new(Cursor::new(cc)))?;
 
         let pk = include_bytes!("../../test-keys/end.key");
-        let private_key = ntp_proto::tls_utils::pemfile::private_key(&mut pk.as_slice())
-            .unwrap()
-            .unwrap();
+        let private_key = ntp_proto::tls_utils::pemfile::private_key(&mut pk.as_slice()).unwrap();
 
         let config = build_server_config(certificate_chain, private_key).unwrap();
         let pool_certs = Arc::<[_]>::from(vec![]);

ntpd/src/daemon/keyexchange.rs

@@ -19,7 +19,6 @@ toml.workspace = true
 tracing.workspace = true
 tracing-subscriber = { version = "0.3.0", default-features = false, features = ["std", "fmt", "ansi"] }
 rustls23.workspace = true
-rustls-pemfile2.workspace = true
 rustls-platform-verifier.workspace = true
 serde.workspace = true
 ntp-proto = { workspace = true }

nts-pool-ke/Cargo.toml

@@ -1,7 +1,6 @@
 #[cfg(feature = "unstable_nts-pool")]
 mod condcompile {
     extern crate rustls23 as rustls;
-    extern crate rustls_pemfile2 as rustls_pemfile;
 
     mod cli;
     mod config;
@@ -21,6 +20,7 @@ mod condcompile {
         pki_types::{CertificateDer, ServerName},
         version::TLS13,
     };
+    use rustls23::pki_types::pem::PemObject;
     use rustls_platform_verifier::Verifier;
     use tokio::{
         io::{AsyncReadExt, AsyncWriteExt},
@@ -153,16 +153,36 @@ mod condcompile {
             })?;
 
         let certificate_authority: Arc<[rustls::pki_types::CertificateDer]> =
-            rustls_pemfile::certs(&mut std::io::BufReader::new(certificate_authority_file))
-                .collect::<std::io::Result<Arc<[rustls::pki_types::CertificateDer]>>>()?;
+            rustls::pki_types::CertificateDer::pem_reader_iter(&mut std::io::BufReader::new(
+                certificate_authority_file,
+            ))
+            .map(|item| {
+                item.map_err(|err| match err {
+                    rustls::pki_types::pem::Error::Io(error) => error,
+                    _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+                })
+            })
+            .collect::<std::io::Result<Arc<[rustls::pki_types::CertificateDer]>>>()?;
 
         let certificate_chain: Vec<rustls::pki_types::CertificateDer> =
-            rustls_pemfile::certs(&mut std::io::BufReader::new(certificate_chain_file))
-                .collect::<std::io::Result<Vec<rustls::pki_types::CertificateDer>>>()?;
-
-        let private_key =
-            rustls_pemfile::private_key(&mut std::io::BufReader::new(private_key_file))?
-                .ok_or(io_error("could not parse private key"))?;
+            rustls::pki_types::CertificateDer::pem_reader_iter(&mut std::io::BufReader::new(
+                certificate_chain_file,
+            ))
+            .map(|item| {
+                item.map_err(|err| match err {
+                    rustls::pki_types::pem::Error::Io(error) => error,
+                    _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+                })
+            })
+            .collect::<std::io::Result<Vec<rustls::pki_types::CertificateDer>>>()?;
+
+        let private_key = rustls::pki_types::PrivateKeyDer::from_pem_reader(
+            &mut std::io::BufReader::new(private_key_file),
+        )
+        .map_err(|err| match err {
+            rustls::pki_types::pem::Error::Io(error) => error,
+            _ => std::io::Error::new(std::io::ErrorKind::InvalidInput, err.to_string()),
+        })?;
 
         pool_key_exchange_server(
             nts_pool_ke_config.listen,