diff --git a/Cargo.lock b/Cargo.lock
index 38f6b538cf..cccf5b430b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5437,7 +5437,6 @@ dependencies = [
 "op-alloy-rpc-types-engine",
 "reqwest",
 "rustls",
- "rustls-pemfile",
 "serde",
 "serde_json",
 "thiserror 2.0.17",
@@ -10111,15 +10110,6 @@ dependencies = [
 "security-framework 3.5.1",
 ]
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
 [[package]]
 name = "rustls-pki-types"
 version = "1.13.0"
diff --git a/Cargo.toml b/Cargo.toml
index 8d21ad4f47..78d141d1cf 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -202,7 +202,6 @@ jsonrpsee = "0.26.0"
 jsonrpsee-types = "0.26.0"
 tokio-util = "0.7.15"
 rustls = { version = "0.23", default-features = false }
-rustls-pemfile = { version = "2.0", default-features = false }
 vergen-git2 = "1.0.7"
 async-trait = "0.1.88"
 tokio-stream = "0.1.17"
diff --git a/crates/node/sources/Cargo.toml b/crates/node/sources/Cargo.toml
index ee1336e471..ad122f922f 100644
--- a/crates/node/sources/Cargo.toml
+++ b/crates/node/sources/Cargo.toml
@@ -45,7 +45,6 @@ url.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 rustls.workspace = true
-rustls-pemfile = { workspace = true, features = ["std"] }
 tokio = { workspace = true, features = ["full"] }
 notify.workspace = true
diff --git a/crates/node/sources/src/signer/remote/cert.rs b/crates/node/sources/src/signer/remote/cert.rs
index 7400fd3dce..06ee259e79 100644
--- a/crates/node/sources/src/signer/remote/cert.rs
+++ b/crates/node/sources/src/signer/remote/cert.rs
@@ -1,9 +1,12 @@
-use std::{io::BufReader, sync::Arc};
+use std::sync::Arc;
 use alloy_rpc_client::{ClientBuilder, RpcClient};
 use alloy_transport_http::Http;
 use notify::{Event, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
-use rustls::{ClientConfig, RootCertStore};
+use rustls::{
+ ClientConfig, RootCertStore,
+ pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
+};
 use thiserror::Error;
 use tokio::sync::RwLock;
@@ -18,15 +21,18 @@ pub struct ClientCert {
 pub key: std::path::PathBuf,
 }
+/// PEM parsing error type alias
+type PemError = rustls::pki_types::pem::Error;
+
 /// Errors that can occur when handling certificates
 #[derive(Debug, Error)]
 pub enum CertificateError {
 /// Invalid CA certificate path
 #[error("Invalid CA certificate path: {0}")]
- InvalidCACertificatePath(std::io::Error),
+ InvalidCACertificatePath(PemError),
 /// Invalid certificate error
 #[error("Invalid CA certificate: {0}")]
- InvalidCACertificate(std::io::Error),
+ InvalidCACertificate(PemError),
 /// Failed to add CA certificate
 #[error("Failed to add CA certificate: {0}")]
 AddCACertificate(rustls::Error),
@@ -35,19 +41,13 @@ pub enum CertificateError {
 ConfigureClientAuth(rustls::Error),
 /// Invalid client certificate path
 #[error("Invalid client certificate path: {0}")]
- InvalidClientCertificatePath(std::io::Error),
+ InvalidClientCertificatePath(PemError),
 /// Invalid client certificate
 #[error("Invalid client certificate: {0}")]
- InvalidClientCertificate(std::io::Error),
- /// Invalid private key path
- #[error("Invalid private key path: {0}")]
- InvalidPrivateKeyPath(std::io::Error),
+ InvalidClientCertificate(PemError),
 /// Invalid private key
 #[error("Invalid private key: {0}")]
- InvalidPrivateKey(std::io::Error),
- /// No private key found while parsing the client certificate
- #[error("No private key found while parsing the client certificate")]
- NoPrivateKey,
+ InvalidPrivateKey(PemError),
 }
 impl RemoteSigner {
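Review bot: The doc comments on the retyped variants in the @@ -18 hunk and the @@ -35 hunk still describe the old split between a path/open failure and a parse failure, but a `pem::Error` from `pem_file_iter` / `from_pem_file` covers both (its `Io` variant for the open failure, the remaining variants for malformed PEM), and `InvalidPrivateKey` now also absorbs the absent-key case that `InvalidPrivateKeyPath` and `NoPrivateKey` used to report separately — as far as I can tell `from_pem_file` yields `NoItemsFound` there. Suggest `/// Private key file could not be opened, parsed, or held no private key` on `InvalidPrivateKey`, and on the two `...CertificatePath` variants something like `/// Opening the certificate file failed (carries the underlying PEM/I/O error)`, so an operator reading the error knows which of the three conditions to look for. Dropping `InvalidPrivateKeyPath` and `NoPrivateKey` from a `pub` enum breaks any downstream `match` on `CertificateError`; if this crate is consumed outside the workspace that deserves a line in the commit message.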
@@ -57,14 +57,13 @@ impl RemoteSigner {
 // Add custom CA certificate if provided
 if let Some(ca_cert_path) = &self.ca_cert {
- let ca_cert_file = std::fs::File::open(ca_cert_path)
- .map_err(CertificateError::InvalidCACertificatePath)?;
- let mut ca_cert_reader = BufReader::new(ca_cert_file);
- let ca_cert = rustls_pemfile::certs(&mut ca_cert_reader)
- .collect::, _>>()
- .map_err(CertificateError::InvalidCACertificate)?;
-
- for cert in ca_cert {
+ let ca_certs: Vec> =
+ CertificateDer::pem_file_iter(ca_cert_path)
+ .map_err(CertificateError::InvalidCACertificatePath)?
+ .collect::, _>>()
+ .map_err(CertificateError::InvalidCACertificate)?;
+
+ for cert in ca_certs {
 root_store.add(cert).map_err(CertificateError::AddCACertificate)?;
 }
 }
@@ -75,22 +74,16 @@ impl RemoteSigner {
 match &self.client_cert {
 None => Ok(tls_config.with_no_client_auth()),
 Some(ClientCert { cert, key }) => {
- let cert_file = std::fs::File::open(cert)
- .map_err(CertificateError::InvalidClientCertificatePath)?;
- let mut cert_reader = BufReader::new(cert_file);
- let certs = rustls_pemfile::certs(&mut cert_reader)
+ let certs: Vec> = CertificateDer::pem_file_iter(cert)
+ .map_err(CertificateError::InvalidClientCertificatePath)?
 .collect::, _>>()
 .map_err(CertificateError::InvalidClientCertificate)?;
- let key_file =
- std::fs::File::open(key).map_err(CertificateError::InvalidPrivateKeyPath)?;
- let mut key_reader = BufReader::new(key_file);
- let key = rustls_pemfile::private_key(&mut key_reader)
- .map_err(CertificateError::InvalidPrivateKey)?
- .ok_or_else(|| CertificateError::NoPrivateKey)?;
+ let private_key = PrivateKeyDer::from_pem_file(key)
+ .map_err(CertificateError::InvalidPrivateKey)?;
 Ok(tls_config
- .with_client_auth_cert(certs, key)
+ .with_client_auth_cert(certs, private_key)
 .map_err(CertificateError::ConfigureClientAuth)?)
 }
 }
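Review bot: The rewritten CA block still accepts a file that contains no certificate sections: as far as I can tell `pem_file_iter` yields nothing for such a file rather than an error (non-certificate sections are skipped, so pointing `ca_cert` at a key file behaves the same), which leaves `ca_certs` empty, the `for` loop a no-op, and the root store without a single trust anchor — the misconfiguration then only surfaces later as an unrelated handshake failure instead of at load time. Suggest failing right after the `collect`: `if ca_certs.is_empty() { return Err(CertificateError::InvalidCACertificate(PemError::NoItemsFound)); }`, which I believe mirrors what `from_pem_file` already reports for an empty key file, so operators get one consistent error for "file present but nothing usable in it". The old `rustls_pemfile` code had the same gap, so this is not a regression, just a missed chance while the block is being rewritten. The enclosing method begins and ends outside this hunk.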
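Review bot: The client-certificate load in this hunk is now the same `pem_file_iter` → `map_err` → `collect` → `map_err` chain as the CA load in the @@ -57 hunk, differing only in which `CertificateError` variants are applied, so the two blocks will drift the next time one of them is touched. A small private helper that takes the two variant constructors as `fn(PemError) -> CertificateError` removes the duplication and gives one place to document the load contract; the sketch below shows the helper and the replacement for the `certs` binding, and the CA site would call it the same way with its own two variants. The enclosing method starts and ends outside this hunk, so the helper would live at module level next to the `PemError` alias.
```rust
/// Reads every certificate section of a PEM file; a failure to open the
/// file becomes `open_err`, a malformed section becomes `parse_err`.
fn load_pem_certs(
    path: impl AsRef<std::path::Path>,
    open_err: fn(PemError) -> CertificateError,
    parse_err: fn(PemError) -> CertificateError,
) -> Result<Vec<CertificateDer<'static>>, CertificateError> {
    CertificateDer::pem_file_iter(path)
        .map_err(open_err)?
        .collect::<Result<Vec<_>, _>>()
        .map_err(parse_err)
}

// … unchanged: match arms up to `Some(ClientCert { cert, key }) => {` …
let certs = load_pem_certs(
    cert,
    CertificateError::InvalidClientCertificatePath,
    CertificateError::InvalidClientCertificate,
)?;
// … unchanged: private_key load and with_client_auth_cert …
```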