RSCBC-265: Replace rustls-pemfile with rustls-pki-types

Author: chvck

sdk/couchbase/Cargo.toml

@@ -20,7 +20,7 @@ futures = "0.3.32"
 hdrhistogram = "7.5"
 http = "1.4"
 lazy_static = "1.5"
-rustls-pemfile = { version = "2.2", optional = true }
+rustls-pki-types = { version = "1.14", optional = true }
 serde = "1.0"
 serde_json = { version = "1.0", features = ["preserve_order"] }
 uuid = { version = "1.22", features = ["v4"] }
@@ -48,7 +48,7 @@ tracing-subscriber = { version = "0.3.22", features = ["env-filter"] }
 [features]
 default = ["default-tls"]
 default-tls = ["rustls-tls"]
-rustls-tls = ["dep:tokio-rustls", "couchbase-core/rustls-tls", "dep:rustls-pemfile"]
+rustls-tls = ["dep:tokio-rustls", "couchbase-core/rustls-tls", "dep:rustls-pki-types"]
 native-tls = ["dep:tokio-native-tls", "couchbase-core/native-tls"]
 # Note that we do not use feature flags to indicate API stability level.
 # Instead, unstable features are marked with comments indicating uncommitted or volatile stability levels.

sdk/couchbase/src/authenticator.rs

@@ -158,15 +158,16 @@ impl From<Authenticator> for couchbase_core::authenticator::Authenticator {
 /// ```rust,no_run
 /// use couchbase::authenticator::CertificateAuthenticator;
 /// use std::fs;
+/// use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 ///
 /// // Load PEM-encoded certificate chain and private key from disk.
 /// let cert_pem = fs::read("client.crt").expect("read cert");
 /// let key_pem = fs::read("client.key").expect("read key");
 ///
-/// let certs: Vec<_> = rustls_pemfile::certs(&mut &cert_pem[..])
+/// let certs: Vec<_> = CertificateDer::pem_reader_iter(&mut &cert_pem[..])
 ///     .collect::<Result<_, _>>()
 ///     .expect("parse certs");
-/// let key = rustls_pemfile::private_key(&mut &key_pem[..])
+/// let key = PrivateKeyDer::from_pem(&mut &key_pem[..])
 ///     .expect("parse key")
 ///     .expect("no key found");
 ///

sdk/couchbase/src/options/cluster_options.rs

@@ -26,7 +26,6 @@ use crate::authenticator::Authenticator;
 use crate::capella_ca::CAPELLA_CERT;
 use crate::error;
 use std::fmt::{Debug, Display, Formatter, Result as FmtResult};
-use std::io::Cursor;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
@@ -38,7 +37,6 @@ use tokio_native_tls::native_tls::Identity;
 #[cfg(all(feature = "rustls-tls", not(feature = "native-tls")))]
 use {
     couchbase_core::insecure_certverfier::InsecureCertVerifier,
-    rustls_pemfile::read_all,
     tokio_rustls::rustls::crypto::aws_lc_rs::default_provider,
     tokio_rustls::rustls::pki_types::pem::{PemObject, SectionKind},
     tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer},
@@ -568,16 +566,11 @@ impl TlsOptions {
                 };
 
                 debug!("Adding Capella root CA to trust store");
-                let mut cursor = Cursor::new(CAPELLA_CERT);
-                let certs = rustls_pemfile::certs(&mut cursor)
-                    .map(|item| {
-                        item.map_err(|e| {
-                            error::Error::other_failure(format!("failed to add capella cert: {e}"))
-                        })
-                    })
-                    .collect::<error::Result<Vec<CertificateDer>>>()?;
+                let certs = CertificateDer::from_slice(CAPELLA_CERT.as_bytes());
 
-                store.add_parsable_certificates(certs);
+                store.add(certs).map_err(|e| {
+                    error::Error::other_failure(format!("failed to add capella cert: {e}"))
+                })?;
                 store
             }
         };