chore(tls): Use rustls-pki-types crate pem api

examples/Cargo.toml

@@ -276,7 +276,7 @@ tower = ["dep:hyper", "dep:hyper-util", "dep:tower", "tower?/timeout", "dep:http
 json-codec = ["dep:serde", "dep:serde_json", "dep:bytes"]
 compression = ["tonic/gzip"]
 tls = ["tonic/tls"]
-tls-rustls = ["dep:http", "dep:hyper", "dep:hyper-util", "dep:hyper-rustls", "dep:tower", "tower-http/util", "tower-http/add-extension", "dep:rustls-pemfile", "dep:tokio-rustls", "dep:pin-project", "dep:http-body-util"]
+tls-rustls = ["dep:http", "dep:hyper", "dep:hyper-util", "dep:hyper-rustls", "dep:tower", "tower-http/util", "tower-http/add-extension", "dep:rustls-pki-types", "dep:tokio-rustls", "dep:pin-project", "dep:http-body-util"]
 dynamic-load-balance = ["dep:tower"]
 timeout = ["tokio/time", "dep:tower", "tower?/timeout"]
 tls-client-auth = ["tonic/tls"]
@@ -317,7 +317,7 @@ bytes = { version = "1", optional = true }
 h2 = { version = "0.4", optional = true }
 tokio-rustls = { version = "0.26", optional = true, features = ["ring", "tls12"], default-features = false }
 hyper-rustls = { version = "0.27.0", features = ["http2", "ring", "tls12"], optional = true, default-features = false }
-rustls-pemfile = { version = "2.0.0", optional = true }
+rustls-pki-types = { version = "1.10", optional = true }
 tower-http = { version = "0.5", optional = true }
 pin-project = { version = "1.0.11", optional = true }
 

examples/src/tls_rustls/client.rs

@@ -8,6 +8,7 @@ pub mod pb {
 use hyper::Uri;
 use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor};
 use pb::{echo_client::EchoClient, EchoRequest};
+use rustls_pki_types::{pem::PemObject, CertificateDer};
 use tokio_rustls::rustls::{ClientConfig, RootCertStore};
 
 #[tokio::main]
@@ -18,7 +19,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     let mut roots = RootCertStore::empty();
 
     let mut buf = std::io::BufReader::new(&fd);
-    let certs = rustls_pemfile::certs(&mut buf).collect::<Result<Vec<_>, _>>()?;
+    let certs = CertificateDer::pem_reader_iter(&mut buf).collect::<Result<Vec<_>, _>>()?;
     roots.add_parsable_certificates(certs.into_iter());
 
     let tls = ClientConfig::builder()

examples/src/tls_rustls/server.rs

@@ -8,12 +8,10 @@ use hyper_util::{
     service::TowerToHyperService,
 };
 use pb::{EchoRequest, EchoResponse};
+use rustls_pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 use std::sync::Arc;
 use tokio::net::TcpListener;
-use tokio_rustls::{
-    rustls::{pki_types::CertificateDer, ServerConfig},
-    TlsAcceptor,
-};
+use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
 use tonic::{body::boxed, service::Routes, Request, Response, Status};
 use tower::ServiceExt;
 use tower_http::ServiceBuilderExt;
@@ -24,12 +22,12 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     let certs = {
         let fd = std::fs::File::open(data_dir.join("tls/server.pem"))?;
         let mut buf = std::io::BufReader::new(&fd);
-        rustls_pemfile::certs(&mut buf).collect::<Result<Vec<_>, _>>()?
+        CertificateDer::pem_reader_iter(&mut buf).collect::<Result<Vec<_>, _>>()?
     };
     let key = {
         let fd = std::fs::File::open(data_dir.join("tls/server.key"))?;
         let mut buf = std::io::BufReader::new(&fd);
-        rustls_pemfile::private_key(&mut buf)?.unwrap()
+        PrivateKeyDer::from_pem_reader(&mut buf)?
     };
 
     let mut tls = ServerConfig::builder()

examples/src/tracing/server.rs

@@ -21,7 +21,7 @@ impl Greeter for MyGreeter {
     ) -> Result<Response<HelloReply>, Status> {
         tracing::info!("received request");
 
-        let reply = hello_world::HelloReply {
+        let reply = HelloReply {
             message: format!("Hello {}!", request.into_inner().name),
         };
 

tonic/Cargo.toml

@@ -28,7 +28,7 @@ gzip = ["dep:flate2"]
 zstd = ["dep:zstd"]
 default = ["transport", "codegen", "prost"]
 prost = ["dep:prost"]
-tls = ["dep:rustls-pemfile", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "tokio?/macros"]
+tls = ["dep:rustls-pki-types", "dep:tokio-rustls", "dep:tokio", "tokio?/rt", "tokio?/macros"]
 tls-roots = ["tls-native-roots"] # Deprecated. Please use `tls-native-roots` instead.
 tls-native-roots = ["tls", "channel", "dep:rustls-native-certs"]
 tls-webpki-roots = ["tls", "channel", "dep:webpki-roots"]
@@ -88,7 +88,7 @@ tower = {version = "0.4.7", default-features = false, optional = true}
 axum = {version = "0.7", default-features = false, optional = true}
 
 # rustls
-rustls-pemfile = { version = "2.0", optional = true }
+rustls-pki-types = { version = "1.9", features = ["std"], optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
 tokio-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
 webpki-roots = { version = "0.26", optional = true }

tonic/src/request.rs

@@ -4,13 +4,13 @@ use crate::transport::server::TcpConnectInfo;
 #[cfg(all(feature = "server", feature = "tls"))]
 use crate::transport::server::TlsConnectInfo;
 use http::Extensions;
+#[cfg(all(feature = "server", feature = "tls"))]
+use rustls_pki_types::CertificateDer;
 #[cfg(feature = "server")]
 use std::net::SocketAddr;
 #[cfg(all(feature = "server", feature = "tls"))]
 use std::sync::Arc;
 use std::time::Duration;
-#[cfg(all(feature = "server", feature = "tls"))]
-use tokio_rustls::rustls::pki_types::CertificateDer;
 use tokio_stream::Stream;
 
 /// A gRPC request and metadata from an RPC call.

tonic/src/transport/channel/service/tls.rs

@@ -2,12 +2,10 @@ use std::fmt;
 use std::sync::Arc;
 
 use hyper_util::rt::TokioIo;
+use rustls_pki_types::{ServerName, TrustAnchor};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::{
-    rustls::{
-        pki_types::{ServerName, TrustAnchor},
-        ClientConfig, RootCertStore,
-    },
+    rustls::{ClientConfig, RootCertStore},
     TlsConnector as RustlsConnector,
 };
 

tonic/src/transport/channel/tls.rs

@@ -4,7 +4,7 @@ use crate::transport::{
     Error,
 };
 use http::Uri;
-use tokio_rustls::rustls::pki_types::TrustAnchor;
+use rustls_pki_types::TrustAnchor;
 
 /// Configures TLS settings for endpoints.
 #[derive(Debug, Clone, Default)]

tonic/src/transport/mod.rs

@@ -113,7 +113,7 @@ pub use crate::status::TimeoutExpired;
 pub use self::tls::Certificate;
 pub use hyper::{body::Body, Uri};
 #[cfg(feature = "tls")]
-pub use tokio_rustls::rustls::pki_types::CertificateDer;
+pub use rustls_pki_types::CertificateDer;
 
 #[cfg(all(feature = "channel", feature = "tls"))]
 pub use self::channel::ClientTlsConfig;

tonic/src/transport/server/conn.rs

@@ -2,9 +2,9 @@ use std::net::SocketAddr;
 use tokio::net::TcpStream;
 
 #[cfg(feature = "tls")]
-use std::sync::Arc;
+use rustls_pki_types::CertificateDer;
 #[cfg(feature = "tls")]
-use tokio_rustls::rustls::pki_types::CertificateDer;
+use std::sync::Arc;
 #[cfg(feature = "tls")]
 use tokio_rustls::server::TlsStream;
 

tonic/src/transport/service/tls.rs

@@ -1,6 +1,6 @@
 use std::{fmt, io::Cursor};
 
-use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls_pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 
 use crate::transport::{Certificate, Identity};
 
@@ -38,7 +38,7 @@ impl std::error::Error for TlsError {}
 pub(crate) fn convert_certificate_to_pki_types(
     certificate: &Certificate,
 ) -> Result<Vec<CertificateDer<'static>>, TlsError> {
-    rustls_pemfile::certs(&mut Cursor::new(certificate))
+    CertificateDer::pem_reader_iter(&mut Cursor::new(certificate))
         .collect::<Result<Vec<_>, _>>()
         .map_err(|_| TlsError::CertificateParseError)
 }
@@ -47,8 +47,7 @@ pub(crate) fn convert_identity_to_pki_types(
     identity: &Identity,
 ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), TlsError> {
     let cert = convert_certificate_to_pki_types(&identity.cert)?;
-    let Ok(Some(key)) = rustls_pemfile::private_key(&mut Cursor::new(&identity.key)) else {
-        return Err(TlsError::PrivateKeyParseError);
-    };
+    let key = PrivateKeyDer::from_pem_reader(&mut Cursor::new(&identity.key))
+        .map_err(|_| TlsError::PrivateKeyParseError)?;
     Ok((cert, key))
 }