From 03590f489c89f38a1debbe5a3a4edba96a6c8eb3 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 14 Jan 2026 11:40:25 +0100 Subject: [PATCH] chore: Switch to rustls-pki-types to resolve RUSTSEC-2025-0134 --- Cargo.lock | 11 +---------- Cargo.nix | 23 ++--------------------- Cargo.toml | 2 +- rust/user-info-fetcher/Cargo.toml | 2 +- rust/user-info-fetcher/src/utils/tls.rs | 10 +++++++--- 5 files changed, 12 insertions(+), 36 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2fc95ca3..c86e2f52 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2466,15 +2466,6 @@ dependencies = [ "security-framework 3.5.1", ] -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", -] - [[package]] name = "rustls-pki-types" version = "1.13.0" @@ -2872,7 +2863,7 @@ dependencies = [ "native-tls", "pin-project", "reqwest", - "rustls-pemfile", + "rustls-pki-types", "semver", "serde", "serde_json", diff --git a/Cargo.nix b/Cargo.nix index c84e424b..183309fa 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -8226,25 +8226,6 @@ rec { ]; }; - "rustls-pemfile" = rec { - crateName = "rustls-pemfile"; - version = "2.2.0"; - edition = "2018"; - sha256 = "0l3f3mrfkgdjrava7ibwzgwc4h3dljw3pdkbsi9rkwz3zvji9qyw"; - libName = "rustls_pemfile"; - dependencies = [ - { - name = "rustls-pki-types"; - packageId = "rustls-pki-types"; - rename = "pki-types"; - } - ]; - features = { - "default" = [ "std" ]; - "std" = [ "pki-types/std" ]; - }; - resolvedDefaultFeatures = [ "default" "std" ]; - }; "rustls-pki-types" = rec { crateName = "rustls-pki-types"; version = "1.13.0"; @@ -9478,8 +9459,8 @@ rec { features = [ "json" ]; } { - name = "rustls-pemfile"; - packageId = "rustls-pemfile"; + name = "rustls-pki-types"; + packageId = "rustls-pki-types"; } { name = "semver"; 
diff --git a/Cargo.toml b/Cargo.toml index 1decf37b..0c71632b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -31,7 +31,7 @@ moka = { version = "0.12", features = ["future"] } native-tls = "0.2.12" pin-project = "1.1" reqwest = { version = "0.12", features = ["json"] } -rustls-pemfile = "2.1" +rustls-pki-types = "1.13" semver = "1.0" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" diff --git a/rust/user-info-fetcher/Cargo.toml b/rust/user-info-fetcher/Cargo.toml index 85ec4895..a8260c66 100644 --- a/rust/user-info-fetcher/Cargo.toml +++ b/rust/user-info-fetcher/Cargo.toml @@ -24,7 +24,7 @@ moka.workspace = true native-tls.workspace = true pin-project.workspace = true reqwest.workspace = true -rustls-pemfile.workspace = true +rustls-pki-types.workspace = true semver.workspace = true serde.workspace = true serde_json.workspace = true diff --git a/rust/user-info-fetcher/src/utils/tls.rs b/rust/user-info-fetcher/src/utils/tls.rs index 95d078f9..07561038 100644 --- a/rust/user-info-fetcher/src/utils/tls.rs +++ b/rust/user-info-fetcher/src/utils/tls.rs @@ -1,5 +1,6 @@ use std::{io::Cursor, path::Path}; +use rustls_pki_types::{CertificateDer, pem::PemObject}; use snafu::{ResultExt as _, Snafu}; use stackable_operator::commons::tls_verification::TlsClientDetails; use tokio::{fs::File, io::AsyncReadExt}; @@ -13,7 +14,9 @@ pub enum Error { ParseCaBundleReqwest { source: reqwest::Error }, #[snafu(display("failed to split ca certificate bundle"))] - SplitCaBundle { source: std::io::Error }, + SplitCaBundle { + source: rustls_pki_types::pem::Error, + }, #[snafu(display("failed to parse ca certificate (via native_tls)"))] ParseCaCertNativeTls { source: native_tls::Error }, 
@@ -58,11 +61,12 @@ pub async fn configure_native_tls(
 } else if let Some(tls_ca_cert_mount_path) = tls.tls_ca_cert_mount_path() {
 builder.disable_built_in_roots(true);
 // native-tls doesn't support parsing CA *bundles*, so split them using rustls first
- for ca_cert in rustls_pemfile::certs(&mut Cursor::new(
+ let mut pem_bytes = Cursor::new(
 read_file(&tls_ca_cert_mount_path)
 .await
 .context(ReadCaBundleSnafu)?,
- )) {
+ );
+ for ca_cert in CertificateDer::pem_reader_iter(&mut pem_bytes) {
 builder.add_root_certificate(
 native_tls::Certificate::from_der(&ca_cert.context(SplitCaBundleSnafu)?)
 .context(ParseCaCertNativeTlsSnafu)?,
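Review bot: The rewritten loop still lets a bundle with no certificates pass silently: `CertificateDer::pem_reader_iter` (like `rustls_pemfile::certs` before it, as far as I can tell) skips non-certificate PEM sections, so after `builder.disable_built_in_roots(true)` an empty or mis-mounted file produces a client with no trust anchors at all, and the failure only surfaces later as an opaque handshake error on every connection. I would collect the iterator first, fail with a dedicated field-less `EmptyCaBundle` variant on `Error` when nothing was parsed, and only then hand the DER blobs to native-tls; this also hoists the `SplitCaBundleSnafu` context out of the loop. While here, `CertificateDer::pem_slice_iter(&bytes)` works on the `Vec<u8>` returned by `read_file` directly, which would let the `Cursor` wrapper and its `std::io::Cursor` import go, and the comment could now read `// native-tls doesn't support parsing CA *bundles*, so split them with rustls-pki-types' PEM parser first`. `configure_native_tls` begins before this hunk and the `else if` and loop bodies close after it.
```rust
// … unchanged: builder.disable_built_in_roots(true); and reading the bundle into pem_bytes …
let ca_certs: Vec<_> = CertificateDer::pem_reader_iter(&mut pem_bytes)
    .collect::<Result<_, _>>()
    .context(SplitCaBundleSnafu)?;
// Built-in roots are already disabled above, so an empty bundle would leave the
// client trusting nothing; fail at configuration time instead of on every handshake.
snafu::ensure!(!ca_certs.is_empty(), EmptyCaBundleSnafu);
for ca_cert in ca_certs {
    builder.add_root_certificate(
        native_tls::Certificate::from_der(&ca_cert).context(ParseCaCertNativeTlsSnafu)?,
```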