chore: migrate from rustls-pemfile to rustls-pki-types (#4487)

cratelyn · web-flow · commit a8e58d6769a2 · 2026-04-13T19:33:25.000+02:00
see rustls/pemfile#61, and [RUSTSEC-2025-0134](https://rustsec.org/advisories/RUSTSEC-2025-0134). see also, olix0r/kubert#432. this branch updates the place where we invoke `rustls_pemfile::certs` inside of `linkerd-meshtls` and `linkerd-app-integration`. see <https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93> for a link to the original `certs()` function being replaced here: ```rust // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93 pub fn certs( rd: &mut dyn io::BufRead, ) -> impl Iterator<Item = Result<CertificateDer<'static>, io::Error>> + '_ { iter::from_fn(move || read_one(rd).transpose()).filter_map(|item| match item { Ok(Item::X509Certificate(cert)) => Some(Ok(cert)), Err(err) => Some(Err(err)), _ => None, }) } // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/pemfile.rs.html /// Extract and decode the next PEM section from `rd`. /// /// - Ok(None) is returned if there is no PEM section read from `rd`. /// - Underlying IO errors produce a `Err(...)` /// - Otherwise each decoded section is returned with a `Ok(Some(Item::...))` /// /// You can use this function to build an iterator, for example: /// `for item in iter::from_fn(|| read_one(rd).transpose()) { ... }` #[cfg(feature = "std")] pub fn read_one(rd: &mut dyn io::BufRead) -> Result<Option<Item>, io::Error> { Item::from_buf(rd).map_err(|err| match err { pem::Error::Io(io) => io, other => Error::from(other).into(), }) } ``` in `rustls_pki_types`, we do this using the `PemObject` trait. this provides facilities to read PEM files through various interfaces, but `pem_slice_iter()` feels like the most natural fit here. this takes an in-memory `&'a [u8]` byte slice representing the contents of a PEM file, and returns an iterator yielding `CertificateDer` deserialized certificates. that closely follows the same interface that `certs()` (above) presented us. <https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html#method.pem_slice_iter> --- * refactor: `rustls-pemfile` is a workspace dependency Signed-off-by: katelyn martin <kate@buoyant.io> * refactor: replace `rustls-pemfile` with `rustls-pki-types` NB: code is not update here, only package manifests. Signed-off-by: katelyn martin <kate@buoyant.io> * chore(meshtls): update `rustls_pemfile::certs` call this commit updates the place where we invoke `rustls_pemfile::certs` inside of `linkerd-meshtls`. see <https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93> for a link to the original `certs()` function being replaced here: ```rust // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/lib.rs.html#85-93 pub fn certs( rd: &mut dyn io::BufRead, ) -> impl Iterator<Item = Result<CertificateDer<'static>, io::Error>> + '_ { iter::from_fn(move || read_one(rd).transpose()).filter_map(|item| match item { Ok(Item::X509Certificate(cert)) => Some(Ok(cert)), Err(err) => Some(Err(err)), _ => None, }) } // https://docs.rs/rustls-pemfile/latest/src/rustls_pemfile/pemfile.rs.html /// Extract and decode the next PEM section from `rd`. /// /// - Ok(None) is returned if there is no PEM section read from `rd`. /// - Underlying IO errors produce a `Err(...)` /// - Otherwise each decoded section is returned with a `Ok(Some(Item::...))` /// /// You can use this function to build an iterator, for example: /// `for item in iter::from_fn(|| read_one(rd).transpose()) { ... }` #[cfg(feature = "std")] pub fn read_one(rd: &mut dyn io::BufRead) -> Result<Option<Item>, io::Error> { Item::from_buf(rd).map_err(|err| match err { pem::Error::Io(io) => io, other => Error::from(other).into(), }) } ``` in `rustls_pki_types`, we do this using the `PemObject` trait. this provides facilities to read PEM files through various interfaces, but `pem_slice_iter()` feels like the most natural fit here. this takes an in-memory `&'a [u8]` byte slice representing the contents of a PEM file, and returns an iterator yielding `CertificateDer` deserialized certificates. that closely follows the same interface that `certs()` (above) presented us. <https://docs.rs/rustls-pki-types/latest/rustls_pki_types/pem/trait.PemObject.html#method.pem_slice_iter> Signed-off-by: katelyn martin <kate@buoyant.io> * chore(app/integration): update `rustls_pemfile::certs` calls as with the previous commit, we update calls to `rustls_pemfile::certs`. Signed-off-by: katelyn martin <kate@buoyant.io> * refactor: use `AsRef<[u8]>` for byte slices this polishes some type signatures. `CertificateDer::pem_slice_iter` accepts a slice of bytes. we must, for various reasons such as dealing with our `TestEnv` system, sometimes hold our PEM data in the form of a UTF-8 string. this commit uses `AsRef` to coerce types to a slice of bytes rather than presenting these parameters as `&str` string slices, which is needlessly specific. Signed-off-by: katelyn martin <kate@buoyant.io> * refactor: `rustls-webpki` is a workspace dependency this crate is related to rustls-pki-types, and the feature flags we set on rustls-webpki affects which flags are enabled on rustls-pki-types. defining both as workspace dependencies should help make this relationship slightly more discoverable. Signed-off-by: katelyn martin <kate@buoyant.io> * nit(app/integration): add `rustls-pki-typess/std` flag strictly speaking, we need this feature flag. it's enabled for us already as part of `linkerd-meshtls`'s dependency on the `rustls-webpki/alloc` flag, which `linkerd-app-integration` in turns depends on. that said, it's nice to be extra clear that we depend upon the `std` flag should that change in the future. Signed-off-by: katelyn martin <kate@buoyant.io> --------- Signed-off-by: katelyn martin <kate@buoyant.io>
diff --git a/Cargo.lock b/Cargo.lock
@@ -1512,7 +1512,7 @@ dependencies = [
  "maplit",
  "parking_lot",
  "regex",
- "rustls-pemfile",
+ "rustls-pki-types",
  "serde_json",
  "socket2 0.6.2",
  "tokio",
@@ -1980,7 +1980,7 @@ dependencies = [
  "linkerd-tls-test-util",
  "linkerd-tracing",
  "rcgen",
- "rustls-pemfile",
+ "rustls-pki-types",
  "rustls-webpki",
  "thiserror",
  "tokio",
@@ -3498,15 +3498,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
diff --git a/Cargo.toml b/Cargo.toml
@@ -110,6 +110,8 @@ prometheus-client = { version = "0.23" }
 prost = { version = "0.14" }
 prost-build = { version = "0.14", default-features = false }
 prost-types = { version = "0.14" }
+rustls-pki-types = { version = "1.14" }
+rustls-webpki = { version = "0.103.11", default-features = false }
 tokio-rustls = { version = "0.26", default-features = false, features = [
     "logging",
 ] }
diff --git a/linkerd/app/integration/Cargo.toml b/linkerd/app/integration/Cargo.toml
@@ -35,7 +35,7 @@ linkerd-tracing = { path = "../../tracing" }
 maplit = "1"
 parking_lot = "0.12"
 regex = "1"
-rustls-pemfile = "2.2"
+rustls-pki-types = { workspace = true, features = ["std"] }
 socket2 = "0.6"
 tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
 tokio-rustls = { workspace = true }
diff --git a/linkerd/app/integration/src/identity.rs b/linkerd/app/integration/src/identity.rs
@@ -41,13 +41,13 @@ struct Certificates {
 }
 
 impl Certificates {
-    pub fn load<P>(p: P) -> Result<Certificates, io::Error>
+    pub fn load<P>(p: P) -> Result<Certificates, crate::Error>
     where
         P: AsRef<Path>,
     {
-        let f = fs::File::open(p)?;
-        let mut r = io::BufReader::new(f);
-        let mut certs = rustls_pemfile::certs(&mut r);
+        use rustls_pki_types::{pem::PemObject as _, CertificateDer};
+
+        let mut certs = CertificateDer::pem_file_iter(p)?;
         let leaf = certs
             .next()
             .expect("no leaf cert in pemfile")
@@ -94,13 +94,14 @@ impl Identity {
     }
 
     fn configs(
-        trust_anchors: &str,
+        trust_anchors: impl AsRef<[u8]>,
         certs: &Certificates,
         key: rustls::pki_types::PrivateKeyDer<'static>,
     ) -> (Arc<rustls::ClientConfig>, Arc<rustls::ServerConfig>) {
-        use std::io::Cursor;
+        use rustls_pki_types::{pem::PemObject as _, CertificateDer};
+
         let mut roots = rustls::RootCertStore::empty();
-        let trust_anchors = rustls_pemfile::certs(&mut Cursor::new(trust_anchors))
+        let trust_anchors = CertificateDer::pem_slice_iter(trust_anchors.as_ref())
             .collect::<Result<Vec<_>, _>>()
             .expect("error parsing pemfile");
         let (added, skipped) = roots.add_parsable_certificates(trust_anchors);
diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml
@@ -12,8 +12,8 @@ test-util = ["linkerd-tls-test-util"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
-rustls-pemfile = "2.2"
-rustls-webpki = { version = "0.103.11", default-features = false, features = ["std", "aws-lc-rs"] }
+rustls-pki-types = { workspace = true, features = ["alloc"] }
+rustls-webpki = { workspace = true, features = ["std", "aws-lc-rs"] }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "rt", "sync"] }
 tokio-rustls = { workspace = true, features = ["aws-lc-rs"] }
@@ -37,4 +37,4 @@ rcgen = { version = "0.14.7", default-features = false, features = ["crypto", "p
 linkerd-conditional = { path = "../conditional" }
 linkerd-proxy-transport = { path = "../proxy/transport" }
 linkerd-tls-test-util = { path = "../tls/test-util" }
-linkerd-tracing = { path = "../tracing", features = ["ansi"] }
+linkerd-tracing = { path = "../tracing", features = ["ansi"] }
diff --git a/linkerd/meshtls/src/creds.rs b/linkerd/meshtls/src/creds.rs
@@ -6,10 +6,11 @@ pub use self::{receiver::Receiver, store::Store};
 use linkerd_dns_name as dns;
 use linkerd_error::Result;
 use linkerd_identity as id;
+use rustls_pki_types::{pem::PemObject as _, CertificateDer};
 use std::sync::Arc;
 use thiserror::Error;
 use tokio::sync::watch;
-use tokio_rustls::rustls::{self};
+use tokio_rustls::rustls;
 use tracing::warn;
 
 #[derive(Debug, Error)]
@@ -19,22 +20,22 @@ pub struct InvalidTrustRoots(());
 pub fn watch(
     local_id: id::Id,
     server_name: dns::Name,
-    roots_pem: &str,
+    roots_pem: impl AsRef<[u8]>,
 ) -> Result<(Store, Receiver)> {
     let mut roots = rustls::RootCertStore::empty();
-    let certs = match rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem))
-        .collect::<Result<Vec<_>, _>>()
-    {
-        Err(error) => {
-            warn!(%error, "invalid trust anchors file");
-            return Err(error.into());
-        }
-        Ok(certs) if certs.is_empty() => {
-            warn!("no valid certs in trust anchors file");
-            return Err("no trust roots in PEM file".into());
-        }
-        Ok(certs) => certs,
-    };
+
+    let certs =
+        match CertificateDer::pem_slice_iter(roots_pem.as_ref()).collect::<Result<Vec<_>, _>>() {
+            Err(error) => {
+                warn!(%error, "invalid trust anchors file");
+                return Err(error.into());
+            }
+            Ok(certs) if certs.is_empty() => {
+                warn!("no valid certs in trust anchors file");
+                return Err("no trust roots in PEM file".into());
+            }
+            Ok(certs) => certs,
+        };
 
     let (added, skipped) = roots.add_parsable_certificates(certs);
     if skipped != 0 {
