use rustls-pki-types pem api (#1690)

Signed-off-by: tottoto <[email protected]>

Author: tottoto

Cargo.toml

@@ -70,7 +70,6 @@ proc-macro2 = "1.0.29"
 quote = "1.0.10"
 rand = "0.9.0"
 rustls = { version = "0.23.16", default-features = false }
-rustls-pemfile = "2.0.0"
 schemars = "0.8.6"
 secrecy = "0.10.2"
 serde = "1.0.130"

kube-client/Cargo.toml

@@ -13,7 +13,7 @@ categories = ["web-programming::http-client", "network-programming", "api-bindin
 
 [features]
 default = ["client"]
-rustls-tls = ["rustls", "rustls-pemfile", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
+rustls-tls = ["rustls", "hyper-rustls", "hyper-http-proxy?/rustls-tls-native-roots"]
 webpki-roots = ["hyper-rustls/webpki-roots"]
 aws-lc-rs = ["rustls?/aws-lc-rs"]
 openssl-tls = ["openssl", "hyper-openssl"]
@@ -57,7 +57,6 @@ futures = { workspace = true, optional = true, features = ["std"] }
 pem = { workspace = true, optional = true }
 openssl = { workspace = true, optional = true }
 rustls = { workspace = true, optional = true }
-rustls-pemfile = { workspace = true, optional = true }
 bytes = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["time", "signal", "sync"], optional = true }
 kube-core = { path = "../kube-core", version = "=0.98.0" }

kube-client/src/client/tls.rs

@@ -14,7 +14,7 @@ pub mod rustls_tls {
     pub enum Error {
         /// Identity PEM is invalid
         #[error("identity PEM is invalid: {0}")]
-        InvalidIdentityPem(#[source] std::io::Error),
+        InvalidIdentityPem(#[source] rustls::pki_types::pem::Error),
 
         /// Identity PEM is missing a private key: the key must be PKCS8 or RSA/PKCS1
         #[error("identity PEM is missing a private key: the key must be PKCS8 or RSA/PKCS1")]
@@ -96,22 +96,19 @@ pub mod rustls_tls {
     }
 
     fn client_auth(data: &[u8]) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), Error> {
-        use rustls_pemfile::Item;
+        use rustls::pki_types::pem::{self, SectionKind};
 
         let mut cert_chain = Vec::new();
         let mut pkcs8_key = None;
         let mut pkcs1_key = None;
         let mut sec1_key = None;
         let mut reader = std::io::Cursor::new(data);
-        for item in rustls_pemfile::read_all(&mut reader)
-            .collect::<Result<Vec<_>, _>>()
-            .map_err(Error::InvalidIdentityPem)?
-        {
-            match item {
-                Item::X509Certificate(cert) => cert_chain.push(cert),
-                Item::Pkcs8Key(key) => pkcs8_key = Some(PrivateKeyDer::Pkcs8(key)),
-                Item::Pkcs1Key(key) => pkcs1_key = Some(PrivateKeyDer::from(key)),
-                Item::Sec1Key(key) => sec1_key = Some(PrivateKeyDer::from(key)),
+        while let Some((kind, der)) = pem::from_buf(&mut reader).map_err(Error::InvalidIdentityPem)? {
+            match kind {
+                SectionKind::Certificate => cert_chain.push(der.into()),
+                SectionKind::PrivateKey => pkcs8_key = Some(PrivateKeyDer::Pkcs8(der.into())),
+                SectionKind::RsaPrivateKey => pkcs1_key = Some(PrivateKeyDer::Pkcs1(der.into())),
+                SectionKind::EcPrivateKey => sec1_key = Some(PrivateKeyDer::Sec1(der.into())),
                 _ => return Err(Error::UnknownPrivateKeyFormat),
             }
         }