update rustls-pemfile to 2.0

poem/Cargo.toml

@@ -99,7 +99,7 @@ sync_wrapper = { version = "0.1.2", features = ["futures"] }
 multer = { version = "3.0.0", features = ["tokio"], optional = true }
 tokio-tungstenite = { version = "0.21.0", optional = true }
 tokio-rustls = { workspace = true, optional = true }
-rustls-pemfile = { version = "1.0.0", optional = true }
+rustls-pemfile = { version = "2.0.0", optional = true }
 async-compression = { version = "0.4.0", optional = true, features = [
     "tokio",
     "gzip",

poem/src/listener/acme/listener.rs

@@ -109,11 +109,14 @@ impl<T: Listener> Listener for AutoCertListener<T> {
         .await?;
 
         let (cache_certs, cert_key) = {
-            let mut certs = None;
+            let mut certs: Option<Vec<_>> = None;
             let mut key = None;
 
             if let Some(cache_cert) = &self.auto_cert.cache_cert {
-                match rustls_pemfile::certs(&mut cache_cert.as_slice()) {
+                match rustls_pemfile::certs(&mut cache_cert.as_slice())
+                    .collect::<Result<_, _>>()
+                    .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))
+                {
                     Ok(c) => certs = Some(c),
                     Err(err) => {
                         tracing::warn!("failed to parse cached tls certificates: {}", err)
@@ -122,7 +125,9 @@ impl<T: Listener> Listener for AutoCertListener<T> {
             }
 
             if let Some(cache_key) = &self.auto_cert.cache_key {
-                match rustls_pemfile::pkcs8_private_keys(&mut cache_key.as_slice()) {
+                match rustls_pemfile::pkcs8_private_keys(&mut cache_key.as_slice())
+                    .collect::<Result<Vec<_>, _>>()
+                {
                     Ok(k) => key = k.into_iter().next(),
                     Err(err) => {
                         tracing::warn!("failed to parse cached private key: {}", err)
@@ -157,7 +162,7 @@ impl<T: Listener> Listener for AutoCertListener<T> {
             );
             *cert_resolver.cert.write() = Some(Arc::new(CertifiedKey::new(
                 certs,
-                any_ecdsa_type(&PrivateKeyDer::Pkcs8(key.into())).unwrap(),
+                any_ecdsa_type(&PrivateKeyDer::Pkcs8(key)).unwrap(),
             )));
         }
 
@@ -403,10 +408,8 @@ pub async fn issue_cert<T: AsRef<str>>(
         .await?;
     let pkey_pem = cert.serialize_private_key_pem();
     let cert_chain = rustls_pemfile::certs(&mut acme_cert_pem.as_slice())
-        .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))?
-        .into_iter()
-        .map(CertificateDer::from)
-        .collect();
+        .collect::<Result<_, _>>()
+        .map_err(|err| IoError::new(ErrorKind::Other, format!("invalid pem: {err}")))?;
     let cert_key = CertifiedKey::new(cert_chain, pk);
 
     tracing::debug!("certificate obtained");

poem/src/listener/rustls.rs

@@ -10,7 +10,6 @@ use tokio::io::{Error as IoError, ErrorKind, Result as IoResult};
 use tokio_rustls::{
     rustls::{
         crypto::ring::sign::any_supported_type,
-        pki_types::{CertificateDer, PrivateKeyDer},
         server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier},
         sign::CertifiedKey,
         RootCertStore, ServerConfig,
@@ -71,26 +70,21 @@ impl RustlsCertificate {
 impl RustlsCertificate {
     fn create_certificate_key(&self) -> IoResult<CertifiedKey> {
         let cert = rustls_pemfile::certs(&mut self.cert.as_slice())
-            .map(|mut certs| certs.drain(..).map(CertificateDer::from).collect())
+            .collect::<Result<_, _>>()
             .map_err(|_| IoError::new(ErrorKind::Other, "failed to parse tls certificates"))?;
 
-        let priv_key = {
-            loop {
-                let key = match rustls_pemfile::read_one(&mut self.key.as_slice())? {
-                    Some(Item::RSAKey(key)) => key,
-                    Some(Item::PKCS8Key(key)) => key,
-                    Some(Item::ECKey(key)) => key,
-                    None => {
-                        return Err(IoError::new(
-                            ErrorKind::Other,
-                            "failed to parse tls private keys",
-                        ))
-                    }
-                    _ => continue,
-                };
-                if !key.is_empty() {
-                    break PrivateKeyDer::Pkcs8(key.into());
+        let priv_key = loop {
+            match rustls_pemfile::read_one(&mut self.key.as_slice())? {
+                Some(Item::Pkcs1Key(key)) => break key.into(),
+                Some(Item::Pkcs8Key(key)) => break key.into(),
+                Some(Item::Sec1Key(key)) => break key.into(),
+                None => {
+                    return Err(IoError::new(
+                        ErrorKind::Other,
+                        "failed to parse tls private keys",
+                    ))
                 }
+                _ => continue,
             }
         };
 
@@ -269,10 +263,11 @@ impl RustlsConfig {
 
 fn read_trust_anchor(mut trust_anchor: &[u8]) -> IoResult<RootCertStore> {
     let mut store = RootCertStore::empty();
-    let ders = rustls_pemfile::certs(&mut trust_anchor)?;
+    let ders = rustls_pemfile::certs(&mut trust_anchor);
     for der in ders {
+        let der = der.map_err(|err| IoError::new(ErrorKind::Other, err.to_string()))?;
         store
-            .add(CertificateDer::from(der))
+            .add(der)
             .map_err(|err| IoError::new(ErrorKind::Other, err.to_string()))?;
     }
     Ok(store)

poem/src/listener/unix.rs

@@ -46,7 +46,7 @@ impl<T> UnixListener<T> {
     /// Provides owner to be set on actual bind
     pub fn with_owner(self, uid: Option<u32>, gid: Option<u32>) -> Self {
         Self {
-            owner: Some((uid.map(|v| Uid::from_raw(v)), gid.map(|v| Gid::from_raw(v)))),
+            owner: Some((uid.map(Uid::from_raw), gid.map(Gid::from_raw))),
             ..self
         }
     }
@@ -61,7 +61,7 @@ impl<T: AsRef<Path> + Send + Clone> Listener for UnixListener<T> {
             (Some(permissions), Some((uid, gid))) => {
                 let listener = TokioUnixListener::bind(self.path.clone())?;
                 set_permissions(self.path.clone(), permissions)?;
-                chown(self.path.as_ref().as_os_str().into(), uid, gid)?;
+                chown(self.path.as_ref().as_os_str(), uid, gid)?;
                 listener
             }
             (Some(permissions), None) => {
@@ -71,7 +71,7 @@ impl<T: AsRef<Path> + Send + Clone> Listener for UnixListener<T> {
             }
             (None, Some((uid, gid))) => {
                 let listener = TokioUnixListener::bind(self.path.clone())?;
-                chown(self.path.as_ref().as_os_str().into(), uid, gid)?;
+                chown(self.path.as_ref().as_os_str(), uid, gid)?;
                 listener
             }
             (None, None) => TokioUnixListener::bind(self.path)?,