rustls · cpu · Mar 4, 2025 · Mar 4, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,5 +14,4 @@ env_logger = "0.10"
 log = "0.4"
 openssl-probe = "0.1"
 openssl-sys = "0.9"
-rustls = "0.23"
-rustls-pemfile = "2"
+rustls = "0.23.14"
diff --git a/src/entry.rs b/src/entry.rs
@@ -14,7 +14,8 @@ use openssl_sys::{
     OPENSSL_malloc, TLSEXT_NAMETYPE_host_name, BIGNUM, EVP_CIPHER_CTX, EVP_PKEY, HMAC_CTX,
     OPENSSL_NPN_NEGOTIATED, OPENSSL_NPN_NO_OVERLAP, X509, X509_STORE, X509_STORE_CTX,
 };
-use rustls::pki_types::{CertificateDer, PrivatePkcs8KeyDer};
+use rustls::pki_types::pem::PemObject;
+use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
 
 use crate::bio::{Bio, BIO, BIO_METHOD};
 use crate::callbacks::SslCallbackContext;
@@ -462,12 +463,12 @@ pub(crate) fn use_cert_chain_file(file_name: &str) -> Result<Vec<CertificateDer<
     };
 
     let mut chain = Vec::new();
-    for cert in rustls_pemfile::certs(&mut file_reader) {
+    for cert in CertificateDer::pem_reader_iter(&mut file_reader) {
         let cert = match cert {
             Ok(cert) => cert,
             Err(err) => {
                 log::trace!("Failed to parse {file_name:?}: {err:?}");
-                return Err(Error::from_io(err));
+                return Err(Error::from_pem(err));
             }
         };
 
@@ -507,15 +508,11 @@ pub(crate) fn use_private_key_file(file_name: &str, file_type: c_int) -> Result<
                 Err(err) => return Err(Error::from_io(err)),
             };
 
-            match rustls_pemfile::private_key(&mut file_reader) {
-                Ok(Some(key)) => key,
-                Ok(None) => {
-                    log::trace!("No keys found in {file_name:?}");
-                    return Err(Error::bad_data("pem file"));
-                }
+            match PrivateKeyDer::from_pem_reader(&mut file_reader) {
+                Ok(key) => key,
                 Err(err) => {
                     log::trace!("Failed to read {file_name:?}: {err:?}");
-                    return Err(Error::from_io(err));
+                    return Err(Error::from_pem(err));
                 }
             }
         }

diff --git a/src/error.rs b/src/error.rs
@@ -3,6 +3,7 @@ use core::ptr;
 use std::ffi::CString;
 
 use openssl_sys::{ERR_new, ERR_set_error, ERR_RFLAGS_OFFSET, ERR_RFLAG_FATAL};
+use rustls::pki_types::pem;
 use rustls::AlertDescription;
 
 // See openssl/err.h for the source of these magic numbers.
@@ -100,6 +101,14 @@ impl Error {
         }
     }
 
+    pub fn from_pem(err: pem::Error) -> Self {
+        Self {
+            lib: Lib::User,
+            reason: Reason::OperationFailed,
+            string: Some(err.to_string()),
+        }
+    }
+
     pub fn from_io(err: std::io::Error) -> Self {
         match err.kind() {
             std::io::ErrorKind::WouldBlock => Self {

diff --git a/src/evp_pkey.rs b/src/evp_pkey.rs
@@ -329,11 +329,13 @@ mod tests {
     use super::*;
     use std::io::Cursor;
 
+    use rustls::pki_types::pem::PemObject;
+    use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+
     #[test]
     fn supports_rsaencryption_keys() {
         let der =
-            rustls_pemfile::private_key(&mut &include_bytes!("../test-ca/rsa/server.key")[..])
-                .unwrap()
+            PrivateKeyDer::from_pem_reader(&mut &include_bytes!("../test-ca/rsa/server.key")[..])
                 .unwrap();
         let key = EvpPkey::new_from_der_bytes(der).unwrap();
         println!("{key:?}");
@@ -391,15 +393,10 @@ mod tests {
             let key_der = std::fs::read(key_path).unwrap();
             let cert_der = std::fs::read(cert_path).unwrap();
 
-            let key_der = rustls_pemfile::private_key(&mut Cursor::new(key_der))
-                .unwrap()
-                .unwrap();
+            let key_der = PrivateKeyDer::from_pem_reader(&mut Cursor::new(&key_der)).unwrap();
             let key = EvpPkey::new_from_der_bytes(key_der).unwrap();
 
-            let cert_der = rustls_pemfile::certs(&mut Cursor::new(cert_der))
-                .next()
-                .unwrap()
-                .unwrap();
+            let cert_der = CertificateDer::from_pem_reader(&mut Cursor::new(cert_der)).unwrap();
             let parsed_cert = rustls::server::ParsedCertificate::try_from(&cert_der).unwrap();
 
             let cert_spki = parsed_cert.subject_public_key_info();

diff --git a/src/x509.rs b/src/x509.rs
@@ -8,6 +8,7 @@ use openssl_sys::{
     OPENSSL_sk_push, OPENSSL_sk_value, X509_STORE_free, X509_STORE_new, X509_free, OPENSSL_STACK,
     X509, X509_STORE,
 };
+use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::CertificateDer;
 
 use crate::error::Error;
@@ -273,12 +274,12 @@ pub(crate) fn load_certs<'a>(
             Err(err) => return Err(Error::from_io(err).raise()),
         };
 
-        for cert in rustls_pemfile::certs(&mut file_reader) {
+        for cert in CertificateDer::pem_reader_iter(&mut file_reader) {
             match cert {
                 Ok(cert) => certs.push(cert),
                 Err(err) => {
                     log::trace!("Failed to parse {file_name:?}: {err:?}");
-                    return Err(Error::from_io(err).raise());
+                    return Err(Error::from_pem(err).raise());
                 }
             };
         }