
Commit 97644c4

authored
chore: Switch to rustls-pki-types to resolve RUSTSEC-2025-0134 (#796)
1 parent b57b926 commit 97644c4


5 files changed

+12
-36
lines changed


Cargo.lock

Lines changed: 1 addition & 10 deletions

Cargo.nix

Lines changed: 2 additions & 21 deletions

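--- a/Cargo.toml
+++ b/Cargo.toml
@@ -31,7 +31,7 @@ moka = { version = "0.12", features = ["future"] }
 native-tls = "0.2.12"
 pin-project = "1.1"
 reqwest = { version = "0.12", features = ["json"] }
-rustls-pemfile = "2.1"
+rustls-pki-types = "1.13"
 semver = "1.0"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"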
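Review bot: The new `rustls-pki-types = "1.13"` entry does not enable the crate's `std` feature, although, as far as I recall, `PemObject::pem_reader_iter` (which `tls.rs` starts calling in this commit) is only compiled when `std` is on. If so, the build presumably passes only because another crate in the dependency graph enables that feature, and it can break when the tree changes. Declaring it explicitly, `rustls-pki-types = { version = "1.13", features = ["std"] }`, makes the requirement visible. Alternatively `CertificateDer::pem_slice_iter` works on a byte slice and, to my knowledge, needs no extra feature.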

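--- a/rust/user-info-fetcher/Cargo.toml
+++ b/rust/user-info-fetcher/Cargo.toml
@@ -24,7 +24,7 @@ moka.workspace = true
 native-tls.workspace = true
 pin-project.workspace = true
 reqwest.workspace = true
-rustls-pemfile.workspace = true
+rustls-pki-types.workspace = true
 semver.workspace = true
 serde.workspace = true
 serde_json.workspace = true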

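--- a/rust/user-info-fetcher/src/utils/tls.rs
+++ b/rust/user-info-fetcher/src/utils/tls.rs
@@ -1,5 +1,6 @@
 use std::{io::Cursor, path::Path};
 
+use rustls_pki_types::{CertificateDer, pem::PemObject};
 use snafu::{ResultExt as _, Snafu};
 use stackable_operator::commons::tls_verification::TlsClientDetails;
 use tokio::{fs::File, io::AsyncReadExt};
@@ -13,7 +14,9 @@ pub enum Error {
 ParseCaBundleReqwest { source: reqwest::Error },
 
 #[snafu(display("failed to split ca certificate bundle"))]
-SplitCaBundle { source: std::io::Error },
+SplitCaBundle {
+source: rustls_pki_types::pem::Error,
+},
 
 #[snafu(display("failed to parse ca certificate (via native_tls)"))]
 ParseCaCertNativeTls { source: native_tls::Error },
@@ -58,11 +61,12 @@ pub async fn configure_native_tls(
 } else if let Some(tls_ca_cert_mount_path) = tls.tls_ca_cert_mount_path() {
 builder.disable_built_in_roots(true);
 // native-tls doesn't support parsing CA *bundles*, so split them using rustls first
-for ca_cert in rustls_pemfile::certs(&mut Cursor::new(
+let mut pem_bytes = Cursor::new(
 read_file(&tls_ca_cert_mount_path)
 .await
 .context(ReadCaBundleSnafu)?,
-)) {
+);
+for ca_cert in CertificateDer::pem_reader_iter(&mut pem_bytes) {
 builder.add_root_certificate(
 native_tls::Certificate::from_der(&ca_cert.context(SplitCaBundleSnafu)?)
 .context(ParseCaCertNativeTlsSnafu)?,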
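Review bot: A CA bundle with no `CERTIFICATE` section makes the `for ca_cert in CertificateDer::pem_reader_iter(&mut pem_bytes)` loop run zero times, because the iterator, as far as I can tell, skips other PEM sections and yields nothing for an empty file. Since `builder.disable_built_in_roots(true)` has already been called, the client is then built with no trust anchors at all. That fails closed, but only later, as an opaque handshake error on every connection rather than a configuration error naming the mounted file. Counting the certificates added in the loop and returning a dedicated error when the count is zero would surface it here, with a comment such as `// an empty bundle would leave the client with no trust anchors`. `configure_native_tls` starts before and continues past this hunk, so a later check may exist that is not visible here.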
