From 7a4d7c74029c105929b3869cccef0d8a5ae84a6d Mon Sep 17 00:00:00 2001
From: Jun Kurihara
Date: Wed, 8 Oct 2025 15:55:32 +0900
Subject: [PATCH] rustls_pemfile is deprecated. use rustls-pki-types (rustls::pki_types) instead

---
 Cargo.lock | 1 -
 rpxy-certs/Cargo.toml | 1 -
 rpxy-certs/src/crypto_source.rs | 21 ++++++++++++++-------
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 07a441a..9011dcc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2122,7 +2122,6 @@ dependencies = [
 "derive_builder",
 "hot_reload",
 "rustls",
- "rustls-pemfile",
 "rustls-post-quantum",
 "rustls-webpki",
 "thiserror 2.0.16",
diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml
index 652dbcd..520755a 100644
--- a/rpxy-certs/Cargo.toml
+++ b/rpxy-certs/Cargo.toml
@@ -26,7 +26,6 @@ rustls = { version = "0.23.32", default-features = false, features = [
 "std",
 "aws_lc_rs",
 ] }
-rustls-pemfile = { version = "2.2.0" }
 rustls-webpki = { version = "0.103.6", default-features = false, features = [
 "std",
 "aws-lc-rs",
diff --git a/rpxy-certs/src/crypto_source.rs b/rpxy-certs/src/crypto_source.rs
index 330b8bc..49fe152 100644
--- a/rpxy-certs/src/crypto_source.rs
+++ b/rpxy-certs/src/crypto_source.rs
@@ -1,6 +1,7 @@
 use crate::{certs::SingleServerCertsKeys, error::*, log::*};
 use async_trait::async_trait;
 use derive_builder::Builder;
+use rustls::pki_types::{self, pem::PemObject};
 use std::{
 fs::File,
 io::{self, BufReader, Cursor, Read},
@@ -88,7 +89,7 @@ fn read_certs_and_keys(
 format!("Unable to load the certificates [{}]: {e}", cert_path.display()),
 )
 })?);
- let raw_certs = rustls_pemfile::certs(&mut reader)
+ let raw_certs = pki_types::CertificateDer::pem_reader_iter(&mut reader)
 .collect::, _>>()
 .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?;
 
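Review bot: The `.map_err(|_| …)` after `pem_reader_iter` in the hunk at -88 discards the `pki_types::pem::Error`, so an operator sees only "Unable to parse the certificates" with no file name and no hint whether the PEM framing or the base64 body was at fault; the same pattern is in the hunks at -104, -114 and -139. For the certificate readers I would keep the cause and the path, e.g. `.map_err(|e| io::Error::new(io::ErrorKind::InvalidInput, format!("Unable to parse the certificates [{}]: {e}", cert_path.display())))?;`. At the two private-key sites, first confirm that the error's `Display` text cannot echo bytes from the key file before putting `{e}` into a message that may reach logs. `read_certs_and_keys` starts and ends outside this hunk.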
@@ -104,8 +105,8 @@ fn read_certs_and_keys(
 })?
 .read_to_end(&mut encoded_keys)?;
 let mut reader = Cursor::new(encoded_keys);
- let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
- .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
+ let pkcs8_keys = pki_types::PrivatePkcs8KeyDer::pem_reader_iter(&mut reader)
+ .map(|v| v.map(pki_types::PrivateKeyDer::Pkcs8))
 .collect::, _>>()
 .map_err(|_| {
 io::Error::new(
@@ -114,9 +115,15 @@ fn read_certs_and_keys(
 )
 })?;
 reader.set_position(0);
- let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
- .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
- .collect::, _>>()?;
+ let mut rsa_keys = pki_types::PrivatePkcs1KeyDer::pem_reader_iter(&mut reader)
+ .map(|v| v.map(pki_types::PrivateKeyDer::Pkcs1))
+ .collect::, _>>()
+ .map_err(|_| {
+ io::Error::new(
+ io::ErrorKind::InvalidInput,
+ "Unable to parse the certificates private keys (RSA)",
+ )
+ })?;
 let mut raw_cert_keys = pkcs8_keys;
 raw_cert_keys.append(&mut rsa_keys);
 if raw_cert_keys.is_empty() {
@@ -139,7 +146,7 @@ fn read_certs_and_keys(
 )
 })?;
 let mut reader = BufReader::new(inner);
- rustls_pemfile::certs(&mut reader)
+ pki_types::CertificateDer::pem_reader_iter(&mut reader)
 .collect::, _>>()
 .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))
 })
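Review bot: The key file is still parsed in two passes (PKCS#8 in the hunk at -104, then `reader.set_position(0)` and PKCS#1 in the hunk at -114), and as far as I know each typed `pem_reader_iter` skips PEM sections of any other kind, so a SEC1 `EC PRIVATE KEY` file falls through to the `raw_cert_keys.is_empty()` branch, whose body is outside the hunk. `pki_types::PrivateKeyDer` implements `PemObject` itself and maps PKCS#1, SEC1 and PKCS#8 sections in one pass, so both blocks and the rewind could become `let raw_cert_keys = pki_types::PrivateKeyDer::pem_reader_iter(&mut reader).collect::<Result<Vec<_>, _>>().map_err(…)?;`. That changes the key order from PKCS#8-first to file order and lets SEC1 keys through, so check how the code after this hunk selects and validates a key before adopting it. If the two-pass form stays, a comment such as `// SEC1 ("EC PRIVATE KEY") sections are ignored here; convert such keys to PKCS#8` would record the limitation.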
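Review bot: Nothing in the closure at -139 rejects a client-certificate file that contains no `CERTIFICATE` section: `pem_reader_iter` ends without an error on an empty reader and skips sections of other kinds, so pointing the path at an empty file or a key file yields an empty `Vec` rather than an `Err`. Whether the consumer treats an empty list (presumably the client-authentication trust anchors) as a configuration error is not visible, since the closure's caller is outside the hunk. If it does not, I would bind the parsed result to `certs` and add `if certs.is_empty() { return Err(io::Error::new(io::ErrorKind::InvalidInput, "No client certificates found")); }` before returning it, so a misconfigured client-auth setup fails at load time instead of at handshake time.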