actix · robjtede · Apr 4, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -112,7 +112,6 @@ rand = "0.9"
 redis = { version = "0.27" }
 reqwest = { version = "0.12", features = ["json", "stream"] }
 rustls = "0.23"
-rustls-pemfile = "2"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 time = "0.3"

diff --git a/https-tls/acme-letsencrypt/Cargo.toml b/https-tls/acme-letsencrypt/Cargo.toml
@@ -12,5 +12,4 @@ env_logger.workspace = true
 eyre.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["fs"] }
diff --git a/https-tls/acme-letsencrypt/src/main.rs b/https-tls/acme-letsencrypt/src/main.rs
@@ -4,7 +4,7 @@ use acme::{Certificate, Directory, DirectoryUrl, create_p256_key};
 use actix_files::Files;
 use actix_web::{App, HttpRequest, HttpServer, Responder, rt, web};
 use eyre::eyre;
-use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer};
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
 use tokio::fs;
 
 const CHALLENGE_DIR: &str = "./acme-challenges";
@@ -188,10 +188,9 @@ fn load_rustls_config(cert: Certificate) -> eyre::Result<rustls::ServerConfig> {
     let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.private_key_der()?));
 
     // convert ACME-obtained certificate chain
-    let cert_chain =
-        rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes()))
-            .collect::<Result<Vec<_>, _>>()
-            .unwrap();
+    let cert_chain = CertificateDer::pem_slice_iter(cert.certificate().as_bytes())
+        .flatten()
+        .collect();
 
     Ok(config.with_single_cert(cert_chain, private_key)?)
 }
diff --git a/https-tls/cert-watch/Cargo.toml b/https-tls/cert-watch/Cargo.toml
@@ -11,5 +11,4 @@ eyre.workspace = true
 log.workspace = true
 notify = "6"
 rustls.workspace = true
-rustls-pemfile.workspace = true
 tokio = { workspace = true, features = ["time", "rt", "macros"] }
diff --git a/https-tls/cert-watch/src/main.rs b/https-tls/cert-watch/src/main.rs
@@ -1,12 +1,14 @@
-use std::{fs::File, io::BufReader, path::Path};
+use std::path::Path;
 
 use actix_web::{
     App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
 use notify::{Event, RecursiveMode, Watcher as _};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+    ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 use tokio::sync::mpsc;
 
 #[derive(Debug)]
@@ -27,6 +29,11 @@ async fn main() -> eyre::Result<()> {
     color_eyre::install()?;
     env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));
 
+    // Load default provider, to be done once for the process
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .unwrap();
+
     // signal channel used to notify main event loop of cert/key file changes
     let (reload_tx, mut reload_rx) = mpsc::channel(1);
 
@@ -100,29 +107,16 @@ async fn main() -> eyre::Result<()> {
 }
 
 fn load_rustls_config() -> eyre::Result<rustls::ServerConfig> {
-    rustls::crypto::aws_lc_rs::default_provider()
-        .install_default()
-        .unwrap();
-
-    // init server config builder with safe defaults
-    let config = ServerConfig::builder().with_no_client_auth();
-
     // load TLS key/cert files
-    let cert_file = &mut BufReader::new(File::open("cert.pem")?);
-    let key_file = &mut BufReader::new(File::open("key.pem")?);
-
-    // convert files to key/cert objects
-    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::<Result<Vec<_>, _>>()
-        .unwrap();
+    let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+        .unwrap()
+        .flatten()
+        .collect();
 
-    // exit if no keys could be parsed
-    if keys.is_empty() {
-        eprintln!("Could not locate PKCS 8 private keys.");
-        std::process::exit(1);
-    }
+    let key_der =
+        PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
 
-    Ok(config.with_single_cert(cert_chain, keys.remove(0))?)
+    Ok(ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key_der)?)
 }
diff --git a/https-tls/rustls-client-cert/Cargo.toml b/https-tls/rustls-client-cert/Cargo.toml
@@ -9,4 +9,3 @@ actix-web = { workspace = true, features = ["rustls-0_23"] }
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/https-tls/rustls-client-cert/src/main.rs b/https-tls/rustls-client-cert/src/main.rs
@@ -1,7 +1,7 @@
 //! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates
 //! pass them to a handler through connection-local data.
 
-use std::{any::Any, fs::File, io::BufReader, net::SocketAddr, sync::Arc};
+use std::{any::Any, net::SocketAddr, sync::Arc};
 
 use actix_tls::accept::rustls_0_23::TlsStream;
 use actix_web::{
@@ -10,10 +10,9 @@ use actix_web::{
 use log::info;
 use rustls::{
     RootCertStore, ServerConfig,
-    pki_types::{CertificateDer, PrivateKeyDer},
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
     server::WebPkiClientVerifier,
 };
-use rustls_pemfile::{certs, pkcs8_private_keys};
 
 const CA_CERT: &str = "certs/rootCA.pem";
 const SERVER_CERT: &str = "certs/server-cert.pem";
@@ -80,29 +79,27 @@ async fn main() -> std::io::Result<()> {
     let mut cert_store = RootCertStore::empty();
 
     // import CA cert
-    let ca_cert = &mut BufReader::new(File::open(CA_CERT)?);
-    let ca_cert = certs(ca_cert).collect::<Result<Vec<_>, _>>().unwrap();
-
-    for cert in ca_cert {
-        cert_store.add(cert).expect("root CA not added to store");
-    }
+    CertificateDer::pem_file_iter(CA_CERT)
+        .unwrap()
+        .flatten()
+        .for_each(|der| cert_store.add(der).unwrap());
 
     // set up client authentication requirements
     let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store))
         .build()
         .unwrap();
-    let config = ServerConfig::builder().with_client_cert_verifier(client_auth);
 
     // import server cert and key
-    let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?);
-    let key_file = &mut BufReader::new(File::open(SERVER_KEY)?);
-
-    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::<Result<Vec<_>, _>>()
+    let key_der = PrivateKeyDer::from_pem_file(SERVER_KEY).unwrap();
+    let cert_chain = CertificateDer::pem_file_iter(SERVER_CERT)
+        .unwrap()
+        .flatten()
+        .collect();
+
+    let config = ServerConfig::builder()
+        .with_client_cert_verifier(client_auth)
+        .with_single_cert(cert_chain, key_der)
         .unwrap();
-    let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
 
     log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");
 

diff --git a/https-tls/rustls/Cargo.toml b/https-tls/rustls/Cargo.toml
@@ -10,4 +10,3 @@ actix-files.workspace = true
 env_logger.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/https-tls/rustls/src/main.rs b/https-tls/rustls/src/main.rs
@@ -1,12 +1,12 @@
-use std::{fs::File, io::BufReader};
-
 use actix_files::Files;
 use actix_web::{
     App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
 };
 use log::debug;
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+    ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 
 /// simple handle
 async fn index(req: HttpRequest) -> HttpResponse {
@@ -46,25 +46,17 @@ fn load_rustls_config() -> rustls::ServerConfig {
         .install_default()
         .unwrap();
 
-    // init server config builder with safe defaults
-    let config = ServerConfig::builder().with_no_client_auth();
-
     // load TLS key/cert files
-    let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
-    let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
-
-    // convert files to key/cert objects
-    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::<Result<Vec<_>, _>>()
-        .unwrap();
-
-    // exit if no keys could be parsed
-    if keys.is_empty() {
-        eprintln!("Could not locate PKCS 8 private keys.");
-        std::process::exit(1);
-    }
-
-    config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
+    let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+        .unwrap()
+        .flatten()
+        .collect();
+
+    let key_der =
+        PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
+
+    ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key_der)
+        .unwrap()
 }
diff --git a/middleware/http-to-https/Cargo.toml b/middleware/http-to-https/Cargo.toml
@@ -9,4 +9,3 @@ env_logger.workspace = true
 futures-util.workspace = true
 log.workspace = true
 rustls.workspace = true
-rustls-pemfile.workspace = true
diff --git a/middleware/http-to-https/src/main.rs b/middleware/http-to-https/src/main.rs
@@ -1,9 +1,9 @@
-use std::{fs::File, io::BufReader};
-
 use actix_web::{App, HttpResponse, HttpServer, dev::Service, get, http};
 use futures_util::future::{self, Either, FutureExt};
-use rustls::{ServerConfig, pki_types::PrivateKeyDer};
-use rustls_pemfile::{certs, pkcs8_private_keys};
+use rustls::{
+    ServerConfig,
+    pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 
 #[get("/")]
 async fn index() -> String {
@@ -18,18 +18,17 @@ async fn main() -> std::io::Result<()> {
         .install_default()
         .unwrap();
 
-    let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
-    let key_file = &mut BufReader::new(File::open("key.pem").unwrap());
+    let cert_chain = CertificateDer::pem_file_iter("cert.pem")
+        .unwrap()
+        .flatten()
+        .collect();
 
-    let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap();
-    let mut keys = pkcs8_private_keys(key_file)
-        .map(|key| key.map(PrivateKeyDer::Pkcs8))
-        .collect::<Result<Vec<_>, _>>()
-        .unwrap();
+    let key_der =
+        PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
 
     let config = ServerConfig::builder()
         .with_no_client_auth()
-        .with_single_cert(cert_chain, keys.remove(0))
+        .with_single_cert(cert_chain, key_der)
         .unwrap();
 
     log::info!(