authorJoe Birr-Pixton <jpixton@gmail.com>2024-09-30 12:26:01 +0100
committerJoe Birr-Pixton <jpixton@gmail.com>2024-10-01 17:09:38 +0000
commitce10e59bb5add6b6856ed7462f82cc8bd6d9f59e (patch)
tree03356490b874e566dc942438f1dcd0828cc114e6
parent5a04f5e4b491129550196cd8bc1b8119c646e661 (diff)
examples: use pki-types pem decoder
-rw-r--r--Cargo.lock1
-rw-r--r--examples/Cargo.toml3
-rw-r--r--examples/src/bin/ech-client.rs9
-rw-r--r--examples/src/bin/simple_0rtt_client.rs11
-rw-r--r--examples/src/bin/simple_0rtt_server.rs15
-rw-r--r--examples/src/bin/simpleserver.rs16
-rw-r--r--examples/src/bin/tlsclient-mio.rs34
-rw-r--r--examples/src/bin/tlsserver-mio.rs33
-rw-r--r--examples/src/bin/unbuffered-server.rs25
9 files changed, 52 insertions, 95 deletions
diff --git a/Cargo.lock b/Cargo.lock
index 6dcb4c54..ea71eb8d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2179,7 +2179,6 @@ dependencies = [
"mio 0.8.11",
"rcgen",
"rustls 0.23.13",
- "rustls-pemfile",
"rustls-pki-types",
"serde",
"serde_derive",
diff --git a/examples/Cargo.toml b/examples/Cargo.toml
index b7fa4e67..7286c419 100644
--- a/examples/Cargo.toml
+++ b/examples/Cargo.toml
@@ -13,10 +13,9 @@ env_logger = "0.10" # 0.11 requires 1.71 MSRV even as a dev-dep (due to manifest
hickory-resolver = { version = "0.25.0-alpha.1", features = ["dns-over-https-rustls", "webpki-roots"] }
log = { version = "0.4.4" }
mio = { version = "0.8", features = ["net", "os-poll"] }
-pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
+pki-types = { package = "rustls-pki-types", version = "1.9", features = ["std"] }
rcgen = { version = "0.13", features = ["pem", "aws_lc_rs"], default-features = false }
rustls = { path = "../rustls", features = [ "logging" ]}
-rustls-pemfile = "2"
serde = "1.0"
serde_derive = "1.0"
tokio = { version = "1.34.0", features = ["io-util", "macros", "net", "rt"]}
diff --git a/examples/src/bin/ech-client.rs b/examples/src/bin/ech-client.rs
index dc9d2d7e..e0524a10 100644
--- a/examples/src/bin/ech-client.rs
+++ b/examples/src/bin/ech-client.rs
@@ -35,7 +35,8 @@ use rustls::client::{EchConfig, EchGreaseConfig, EchStatus};
use rustls::crypto::aws_lc_rs;
use rustls::crypto::aws_lc_rs::hpke::ALL_SUPPORTED_SUITES;
use rustls::crypto::hpke::Hpke;
-use rustls::pki_types::ServerName;
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, ServerName};
use rustls::RootCertStore;
fn main() {
@@ -78,10 +79,10 @@ fn main() {
let root_store = match args.cafile {
Some(file) => {
let mut root_store = RootCertStore::empty();
- let certfile = fs::File::open(file).expect("Cannot open CA file");
- let mut reader = BufReader::new(certfile);
root_store.add_parsable_certificates(
- rustls_pemfile::certs(&mut reader).map(|result| result.unwrap()),
+ CertificateDer::pem_file_iter(file)
+ .expect("Cannot open CA file")
+ .map(|result| result.unwrap()),
);
root_store
}
diff --git a/examples/src/bin/simple_0rtt_client.rs b/examples/src/bin/simple_0rtt_client.rs
index 57d1f8c4..0872e4a2 100644
--- a/examples/src/bin/simple_0rtt_client.rs
+++ b/examples/src/bin/simple_0rtt_client.rs
@@ -9,13 +9,14 @@
//! Note that `unwrap()` is used to deal with networking errors; this is not something
//! that is sensible outside of example code.
+use std::env;
use std::io::{BufRead, BufReader, Write};
use std::net::TcpStream;
use std::str::FromStr;
use std::sync::Arc;
-use std::{env, fs};
-use rustls::pki_types::ServerName;
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, ServerName};
use rustls::RootCertStore;
fn start_connection(config: &Arc<rustls::ClientConfig>, domain_name: &str, port: u16) {
@@ -82,10 +83,10 @@ fn main() {
let mut root_store = RootCertStore::empty();
if let Some(cafile) = args.next() {
- let certfile = fs::File::open(cafile).expect("Cannot open CA file");
- let mut reader = BufReader::new(certfile);
root_store.add_parsable_certificates(
- rustls_pemfile::certs(&mut reader).map(|result| result.unwrap()),
+ CertificateDer::pem_file_iter(cafile)
+ .expect("Cannot open CA file")
+ .map(|result| result.unwrap()),
);
} else {
root_store.extend(
diff --git a/examples/src/bin/simple_0rtt_server.rs b/examples/src/bin/simple_0rtt_server.rs
index 1d606d74..1256c57f 100644
--- a/examples/src/bin/simple_0rtt_server.rs
+++ b/examples/src/bin/simple_0rtt_server.rs
@@ -13,12 +13,14 @@
//! that is sensible outside of example code.
use std::error::Error as StdError;
-use std::fs::File;
-use std::io::{BufReader, Read, Write};
+use std::io::{Read, Write};
use std::net::TcpListener;
use std::sync::Arc;
use std::{env, io};
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+
fn main() -> Result<(), Box<dyn StdError>> {
let mut args = env::args();
args.next();
@@ -29,11 +31,12 @@ fn main() -> Result<(), Box<dyn StdError>> {
.next()
.expect("missing private key file argument");
- let certs = rustls_pemfile::certs(&mut BufReader::new(&mut File::open(cert_file)?))
- .collect::<Result<Vec<_>, _>>()?;
+ let certs = CertificateDer::pem_file_iter(cert_file)
+ .expect("cannot open certificate file")
+ .map(|cert| cert.unwrap())
+ .collect::<Vec<_>>();
let private_key =
- rustls_pemfile::private_key(&mut BufReader::new(&mut File::open(private_key_file)?))?
- .unwrap();
+ PrivateKeyDer::from_pem_file(private_key_file).expect("cannot open private key file");
let mut config = rustls::ServerConfig::builder()
.with_no_client_auth()
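Review bot: The new `let certs = ...` and `let private_key = ...` statements replace the `?` propagation of the removed lines with `.expect(...)` and `.map(|cert| cert.unwrap())`, although `main` still returns `Result<(), Box<dyn StdError>>`, so a missing or malformed PEM file now panics instead of surfacing through the function's error path. Assuming `pki_types::pem::Error` implements `std::error::Error` (not verifiable from this diff; the `std` feature is enabled in examples/Cargo.toml), the original handling can be kept as `let certs = CertificateDer::pem_file_iter(cert_file)?.collect::<Result<Vec<_>, _>>()?;` and `let private_key = PrivateKeyDer::from_pem_file(private_key_file)?;`. The corresponding hunk in examples/src/bin/simpleserver.rs has the same issue with bare `.unwrap()` inside a `main` with the same return type. `main`'s body continues outside the hunk.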
diff --git a/examples/src/bin/simpleserver.rs b/examples/src/bin/simpleserver.rs
index 3a8130b1..f3fa54a1 100644
--- a/examples/src/bin/simpleserver.rs
+++ b/examples/src/bin/simpleserver.rs
@@ -9,11 +9,13 @@
use std::env;
use std::error::Error as StdError;
-use std::fs::File;
-use std::io::{BufReader, Read, Write};
+use std::io::{Read, Write};
use std::net::TcpListener;
use std::sync::Arc;
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+
fn main() -> Result<(), Box<dyn StdError>> {
let mut args = env::args();
args.next();
@@ -24,11 +26,11 @@ fn main() -> Result<(), Box<dyn StdError>> {
.next()
.expect("missing private key file argument");
- let certs = rustls_pemfile::certs(&mut BufReader::new(&mut File::open(cert_file)?))
- .collect::<Result<Vec<_>, _>>()?;
- let private_key =
- rustls_pemfile::private_key(&mut BufReader::new(&mut File::open(private_key_file)?))?
- .unwrap();
+ let certs = CertificateDer::pem_file_iter(cert_file)
+ .unwrap()
+ .map(|cert| cert.unwrap())
+ .collect();
+ let private_key = PrivateKeyDer::from_pem_file(private_key_file).unwrap();
let config = rustls::ServerConfig::builder()
.with_no_client_auth()
.with_single_cert(certs, private_key)?;
diff --git a/examples/src/bin/tlsclient-mio.rs b/examples/src/bin/tlsclient-mio.rs
index 55325073..4f727da2 100644
--- a/examples/src/bin/tlsclient-mio.rs
+++ b/examples/src/bin/tlsclient-mio.rs
@@ -19,14 +19,15 @@
//!
//! [mio]: https://docs.rs/mio/latest/mio/
-use std::io::{self, BufReader, Read, Write};
+use std::io::{self, Read, Write};
use std::net::ToSocketAddrs;
use std::sync::Arc;
-use std::{fs, process, str};
+use std::{process, str};
use clap::Parser;
use mio::net::TcpStream;
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
+use rustls::pki_types::pem::PemObject;
use rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName};
use rustls::RootCertStore;
@@ -317,31 +318,14 @@ fn lookup_versions(versions: &[String]) -> Vec<&'static rustls::SupportedProtoco
}
fn load_certs(filename: &str) -> Vec<CertificateDer<'static>> {
- let certfile = fs::File::open(filename).expect("cannot open certificate file");
- let mut reader = BufReader::new(certfile);
- rustls_pemfile::certs(&mut reader)
+ CertificateDer::pem_file_iter(filename)
+ .expect("cannot open certificate file")
.map(|result| result.unwrap())
.collect()
}
fn load_private_key(filename: &str) -> PrivateKeyDer<'static> {
- let keyfile = fs::File::open(filename).expect("cannot open private key file");
- let mut reader = BufReader::new(keyfile);
-
- loop {
- match rustls_pemfile::read_one(&mut reader).expect("cannot parse private key .pem file") {
- Some(rustls_pemfile::Item::Pkcs1Key(key)) => return key.into(),
- Some(rustls_pemfile::Item::Pkcs8Key(key)) => return key.into(),
- Some(rustls_pemfile::Item::Sec1Key(key)) => return key.into(),
- None => break,
- _ => {}
- }
- }
-
- panic!(
- "no keys found in {:?} (encrypted keys not supported)",
- filename
- );
+ PrivateKeyDer::from_pem_file(filename).expect("cannot read private key file")
}
mod danger {
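Review bot: The `.expect("cannot read private key file")` in `load_private_key` now covers both open and parse failures but no longer names the file, whereas the removed `panic!` included `filename` in its message, which matters when a client is configured with several certificate and key paths. A one-liner keeps the context: `PrivateKeyDer::from_pem_file(filename).unwrap_or_else(|err| panic!("cannot read private key file {filename:?}: {err}"))`. The removed message also documented that encrypted keys are unsupported; whether that limitation still holds for the pki-types decoder is not visible from this diff and should be checked before dropping the note. The same applies to `load_private_key` in examples/src/bin/tlsserver-mio.rs.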
@@ -412,10 +396,10 @@ fn make_config(args: &Args) -> Arc<rustls::ClientConfig> {
let mut root_store = RootCertStore::empty();
if let Some(cafile) = args.cafile.as_ref() {
- let certfile = fs::File::open(cafile).expect("Cannot open CA file");
- let mut reader = BufReader::new(certfile);
root_store.add_parsable_certificates(
- rustls_pemfile::certs(&mut reader).map(|result| result.unwrap()),
+ CertificateDer::pem_file_iter(cafile)
+ .expect("Cannot open CA file")
+ .map(|result| result.unwrap()),
);
} else {
root_store.extend(
diff --git a/examples/src/bin/tlsserver-mio.rs b/examples/src/bin/tlsserver-mio.rs
index ba5f46f5..4358ae2e 100644
--- a/examples/src/bin/tlsserver-mio.rs
+++ b/examples/src/bin/tlsserver-mio.rs
@@ -20,7 +20,7 @@
//! [mio]: https://docs.rs/mio/latest/mio/
use std::collections::HashMap;
-use std::io::{self, BufReader, Read, Write};
+use std::io::{self, Read, Write};
use std::path::{Path, PathBuf};
use std::sync::Arc;
use std::{fs, net};
@@ -29,6 +29,7 @@ use clap::{Parser, Subcommand};
use log::{debug, error};
use mio::net::{TcpListener, TcpStream};
use rustls::crypto::{aws_lc_rs as provider, CryptoProvider};
+use rustls::pki_types::pem::PemObject;
use rustls::pki_types::{CertificateDer, CertificateRevocationListDer, PrivateKeyDer};
use rustls::server::WebPkiClientVerifier;
use rustls::RootCertStore;
@@ -520,31 +521,14 @@ fn lookup_versions(versions: &[String]) -> Vec<&'static rustls::SupportedProtoco
}
fn load_certs(filename: &Path) -> Vec<CertificateDer<'static>> {
- let certfile = fs::File::open(filename).expect("cannot open certificate file");
- let mut reader = BufReader::new(certfile);
- rustls_pemfile::certs(&mut reader)
+ CertificateDer::pem_file_iter(filename)
+ .expect("cannot open certificate file")
.map(|result| result.unwrap())
.collect()
}
fn load_private_key(filename: &Path) -> PrivateKeyDer<'static> {
- let keyfile = fs::File::open(filename).expect("cannot open private key file");
- let mut reader = BufReader::new(keyfile);
-
- loop {
- match rustls_pemfile::read_one(&mut reader).expect("cannot parse private key .pem file") {
- Some(rustls_pemfile::Item::Pkcs1Key(key)) => return key.into(),
- Some(rustls_pemfile::Item::Pkcs8Key(key)) => return key.into(),
- Some(rustls_pemfile::Item::Sec1Key(key)) => return key.into(),
- None => break,
- _ => {}
- }
- }
-
- panic!(
- "no keys found in {:?} (encrypted keys not supported)",
- filename
- );
+ PrivateKeyDer::from_pem_file(filename).expect("cannot read private key file")
}
fn load_ocsp(filename: Option<&Path>) -> Vec<u8> {
@@ -565,12 +549,7 @@ fn load_crls(
) -> Vec<CertificateRevocationListDer<'static>> {
filenames
.map(|filename| {
- let mut der = Vec::new();
- fs::File::open(filename)
- .expect("cannot open CRL file")
- .read_to_end(&mut der)
- .unwrap();
- CertificateRevocationListDer::from(der)
+ CertificateRevocationListDer::from_pem_file(filename).expect("cannot read CRL file")
})
.collect()
}
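Review bot: `load_crls` changes the on-disk format it accepts: the removed lines read each CRL file as raw bytes and wrapped them as DER via `CertificateRevocationListDer::from(der)`, while `from_pem_file` now requires PEM, so a DER-encoded CRL that worked before is rejected with `cannot read CRL file`. That is a behaviour change for whichever option feeds `filenames` (its definition and the help text are outside the hunk), and the commit message only describes switching decoders. If PEM-only is intended, the option's documentation and any DER-encoded fixtures should be updated in the same change; otherwise the loader needs a DER fallback. `load_crls`'s signature begins above the hunk.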
diff --git a/examples/src/bin/unbuffered-server.rs b/examples/src/bin/unbuffered-server.rs
index b5a35d8b..8e0fe339 100644
--- a/examples/src/bin/unbuffered-server.rs
+++ b/examples/src/bin/unbuffered-server.rs
@@ -3,12 +3,12 @@
use std::env;
use std::error::Error;
-use std::fs::File;
-use std::io::{self, BufReader, Read, Write};
+use std::io::{self, Read, Write};
use std::net::{TcpListener, TcpStream};
use std::path::Path;
use std::sync::Arc;
+use pki_types::pem::PemObject;
use pki_types::{CertificateDer, PrivateKeyDer};
use rustls::server::UnbufferedServerConnection;
use rustls::unbuffered::{
@@ -16,7 +16,6 @@ use rustls::unbuffered::{
UnbufferedStatus,
};
use rustls::ServerConfig;
-use rustls_pemfile::Item;
fn main() -> Result<(), Box<dyn Error>> {
let mut args = env::args();
@@ -248,24 +247,14 @@ fn send_tls(
}
fn load_certs(path: impl AsRef<Path>) -> Result<Vec<CertificateDer<'static>>, io::Error> {
- let mut reader = BufReader::new(File::open(path)?);
- rustls_pemfile::certs(&mut reader).collect()
+ Ok(CertificateDer::pem_file_iter(path)
+ .expect("cannot open certificate file")
+ .map(|cert| cert.unwrap())
+ .collect())
}
fn load_private_key(path: impl AsRef<Path>) -> Result<PrivateKeyDer<'static>, io::Error> {
- let mut reader = BufReader::new(File::open(&path)?);
-
- loop {
- match rustls_pemfile::read_one(&mut reader)? {
- Some(Item::Pkcs1Key(key)) => return Ok(key.into()),
- Some(Item::Pkcs8Key(key)) => return Ok(key.into()),
- Some(Item::Sec1Key(key)) => return Ok(key.into()),
- None => break,
- _ => continue,
- }
- }
-
- panic!("no keys found in {}", path.as_ref().display())
+ Ok(PrivateKeyDer::from_pem_file(path).expect("cannot open private key file"))
}
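Review bot: `load_certs` and `load_private_key` keep their `Result<_, io::Error>` return types but can no longer return `Err`: the `?` on `File::open` and `read_one` used by the removed lines is replaced with `.expect(...)`/`.unwrap()` and the value wrapped in `Ok`, so the callers' error path (presumably `?` in `main`, whose `Result` return is visible at the top of the file) is dead and a bad file panics. Mapping the PEM error into `io::Error` preserves both signatures and the `?` flow; this assumes `pki_types::pem::Error` implements `std::error::Error + Send + Sync`, which cannot be confirmed from this diff.
```rust
fn load_certs(path: impl AsRef<Path>) -> Result<Vec<CertificateDer<'static>>, io::Error> {
    CertificateDer::pem_file_iter(path)
        .map_err(|err| io::Error::new(io::ErrorKind::InvalidData, err))?
        .map(|cert| cert.map_err(|err| io::Error::new(io::ErrorKind::InvalidData, err)))
        .collect()
}

fn load_private_key(path: impl AsRef<Path>) -> Result<PrivateKeyDer<'static>, io::Error> {
    PrivateKeyDer::from_pem_file(path).map_err(|err| io::Error::new(io::ErrorKind::InvalidData, err))
}
```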
const KB: usize = 1024;