From 993194f6c03f379488716180d5746cf86e4ebc4b Mon Sep 17 00:00:00 2001
From: WinterPancake <niedzielski-work@protonmail.com>
Date: Wed, 31 Dec 2025 15:52:41 -0600
Subject: [PATCH 1/5] replaced unmaintained rustls-pemfile with
 rustls-pki-types

---
 Cargo.lock               | 10 ----
 Cargo.toml               |  3 +-
 examples/client.rs       | 99 +++++++++++++++++-----------------------
 src/connector.rs         |  2 +-
 src/connector/builder.rs |  2 +-
 5 files changed, 45 insertions(+), 71 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 4b99f35e..0c672be4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -375,7 +375,6 @@ dependencies = [
  "log",
  "rustls",
  "rustls-native-certs",
- "rustls-pemfile",
  "rustls-pki-types",
  "rustls-platform-verifier",
  "tokio",
@@ -652,15 +651,6 @@ dependencies = [
  "security-framework",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.12.0"
diff --git a/Cargo.toml b/Cargo.toml
index cf10f44c..cb92b474 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,7 +27,7 @@ http = "1"
 hyper = { version = "1", default-features = false }
 hyper-util = { version = "0.1", default-features = false, features = ["client-legacy", "tokio"] }
 log = { version = "0.4.4", optional = true }
-pki-types = { package = "rustls-pki-types", version = "1" }
+rustls-pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
 rustls-native-certs = { version = "0.8", optional = true }
 rustls-platform-verifier = { version = "0.6", optional = true }
 rustls = { version = "0.23", default-features = false }
@@ -41,7 +41,6 @@ cfg-if = "1"
 http-body-util = "0.1"
 hyper-util = { version = "0.1", default-features = false, features = ["server-auto"] }
 rustls = { version = "0.23", default-features = false, features = ["tls12"] }
-rustls-pemfile = "2"
 tokio = { version = "1.0", features = ["io-std", "macros", "net", "rt-multi-thread"] }
 
 [[example]]
diff --git a/examples/client.rs b/examples/client.rs
index 71c68886..fac71be9 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -2,30 +2,24 @@
 //!
 //! First parameter is the mandatory URL to GET.
 //! Second parameter is an optional path to CA store.
+
 use http::Uri;
 use http_body_util::{BodyExt, Empty};
 use hyper::body::Bytes;
 use hyper_rustls::ConfigBuilderExt;
 use hyper_util::{client::legacy::Client, rt::TokioExecutor};
-use rustls::RootCertStore;
+use rustls::{ClientConfig, RootCertStore};
+use rustls::pki_types::{CertificateDer, pem::PemObject};
 
-use std::str::FromStr;
 use std::{env, fs, io};
-
-fn main() {
-    // Send GET request and inspect result, with proper error handling.
-    if let Err(e) = run_client() {
-        eprintln!("FAILED: {e}");
-        std::process::exit(1);
-    }
-}
+use std::str::FromStr;
 
 fn error(err: String) -> io::Error {
     io::Error::new(io::ErrorKind::Other, err)
 }
 
 #[tokio::main]
-async fn run_client() -> io::Result<()> {
+async fn main() -> io::Result<()> {
     // Set a process wide default crypto provider.
     #[cfg(feature = "ring")]
     let _ = rustls::crypto::ring::default_provider().install_default();
@@ -34,39 +28,30 @@ async fn run_client() -> io::Result<()> {
 
     // First parameter is target URL (mandatory).
     let url = match env::args().nth(1) {
-        Some(ref url) => Uri::from_str(url).map_err(|e| error(format!("{e}")))?,
-        None => {
-            println!("Usage: client <url> <ca_store>");
-            return Ok(());
-        }
-    };
-
-    // Second parameter is custom Root-CA store (optional, defaults to native cert store).
-    let mut ca = match env::args().nth(2) {
-        Some(ref path) => {
-            let f =
-                fs::File::open(path).map_err(|e| error(format!("failed to open {path}: {e}")))?;
-            let rd = io::BufReader::new(f);
-            Some(rd)
-        }
-        None => None,
+        Some(u) => Uri::from_str(&u).map_err(|e| error(e.to_string()))?,
+        None => return Ok(()),
     };
 
     // Prepare the TLS client config
-    let tls = match ca {
-        Some(ref mut rd) => {
-            // Read trust roots
-            let certs = rustls_pemfile::certs(rd).collect::<Result<Vec<_>, _>>()?;
+    let tls = match env::args().nth(2) {
+        Some(path) => {
+            let data = fs::read(&path)
+                .map_err(|e| error(format!("failed to open {path}: {e}")))?;
+
             let mut roots = RootCertStore::empty();
-            roots.add_parsable_certificates(certs);
-            // TLS client config using the custom CA store for lookups
-            rustls::ClientConfig::builder()
+            for cert in CertificateDer::pem_slice_iter(&data) {
+                let cert = cert.map_err(|e| error(format!("invalid PEM: {e}")))?;
+                roots.add_parsable_certificates([cert]);
+            }
+
+            ClientConfig::builder()
                 .with_root_certificates(roots)
                 .with_no_client_auth()
         }
         // Default TLS client config with native roots
-        None => rustls::ClientConfig::builder()
-            .with_native_roots()?
+        None => ClientConfig::builder()
+            .with_native_roots()
+            .map_err(|e| error(e.to_string()))?
             .with_no_client_auth(),
     };
     // Prepare the HTTPS connector
@@ -77,29 +62,29 @@ async fn run_client() -> io::Result<()> {
         .build();
 
     // Build the hyper client from the HTTPS connector.
-    let client: Client<_, Empty<Bytes>> = Client::builder(TokioExecutor::new()).build(https);
+    let client: Client<_, Empty<Bytes>> =
+        Client::builder(TokioExecutor::new()).build(https);
 
-    // Prepare a chain of futures which sends a GET request, inspects
-    // the returned headers, collects the whole body and prints it to
-    // stdout.
-    let fut = async move {
-        let res = client
-            .get(url)
-            .await
-            .map_err(|e| error(format!("Could not get: {e:?}")))?;
-        println!("Status:\n{}", res.status());
-        println!("Headers:\n{:#?}", res.headers());
+    // Send the request and print the response.
+    let res = client
+        .get(url)
+        .await
+        .map_err(|e| error(format!("request failed: {e:?}")))?;
 
-        let body = res
-            .into_body()
-            .collect()
-            .await
-            .map_err(|e| error(format!("Could not get body: {e:?}")))?
-            .to_bytes();
-        println!("Body:\n{}", String::from_utf8_lossy(&body));
+    let status = res.status();
+    let headers = res.headers().clone();
 
-        Ok(())
-    };
+    let body = res
+        .into_body()
+        .collect()
+        .await
+        .map_err(|e| error(format!("body error: {e:?}")))?
+        .to_bytes();
+
+    println!("Status:\n{status}");
+    println!("Headers:\n{headers:#?}");
+    println!("Body:\n{}", String::from_utf8_lossy(&body));
 
-    fut.await
+    Ok(())
 }
+
diff --git a/src/connector.rs b/src/connector.rs
index 7fb7addc..8740b622 100644
--- a/src/connector.rs
+++ b/src/connector.rs
@@ -8,7 +8,7 @@ use http::Uri;
 use hyper::rt;
 use hyper_util::client::legacy::connect::Connection;
 use hyper_util::rt::TokioIo;
-use pki_types::ServerName;
+use rustls::pki_types::ServerName;
 use tokio_rustls::TlsConnector;
 use tower_service::Service;
 
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index 417d1303..f1b31ed4 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -16,7 +16,7 @@ use super::{DefaultServerNameResolver, HttpsConnector, ResolveServerName};
     feature = "rustls-platform-verifier"
 ))]
 use crate::config::ConfigBuilderExt;
-use pki_types::ServerName;
+use rustls::pki_types::ServerName;
 
 /// A builder for an [`HttpsConnector`]
 ///

From 2a87d8769f9226d9ad754e9086f4b2afd0a080d9 Mon Sep 17 00:00:00 2001
From: WinterPancake <niedzielski-work@protonmail.com>
Date: Wed, 31 Dec 2025 20:26:05 -0600
Subject: [PATCH 2/5] fmt

---
 examples/client.rs | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/examples/client.rs b/examples/client.rs
index fac71be9..11e2ebd0 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -8,11 +8,11 @@ use http_body_util::{BodyExt, Empty};
 use hyper::body::Bytes;
 use hyper_rustls::ConfigBuilderExt;
 use hyper_util::{client::legacy::Client, rt::TokioExecutor};
+use rustls::pki_types::{pem::PemObject, CertificateDer};
 use rustls::{ClientConfig, RootCertStore};
-use rustls::pki_types::{CertificateDer, pem::PemObject};
 
-use std::{env, fs, io};
 use std::str::FromStr;
+use std::{env, fs, io};
 
 fn error(err: String) -> io::Error {
     io::Error::new(io::ErrorKind::Other, err)
@@ -35,8 +35,7 @@ async fn main() -> io::Result<()> {
     // Prepare the TLS client config
     let tls = match env::args().nth(2) {
         Some(path) => {
-            let data = fs::read(&path)
-                .map_err(|e| error(format!("failed to open {path}: {e}")))?;
+            let data = fs::read(&path).map_err(|e| error(format!("failed to open {path}: {e}")))?;
 
             let mut roots = RootCertStore::empty();
             for cert in CertificateDer::pem_slice_iter(&data) {
@@ -62,8 +61,7 @@ async fn main() -> io::Result<()> {
         .build();
 
     // Build the hyper client from the HTTPS connector.
-    let client: Client<_, Empty<Bytes>> =
-        Client::builder(TokioExecutor::new()).build(https);
+    let client: Client<_, Empty<Bytes>> = Client::builder(TokioExecutor::new()).build(https);
 
     // Send the request and print the response.
     let res = client
@@ -87,4 +85,3 @@ async fn main() -> io::Result<()> {
 
     Ok(())
 }
-

From 481dc4bb7693b1a17bd86893fc0080edb7211ffd Mon Sep 17 00:00:00 2001
From: WinterPancake <niedzielski-work@protonmail.com>
Date: Wed, 31 Dec 2025 21:05:28 -0600
Subject: [PATCH 3/5] Replaced rustls-pemfile usage in examples/server.rs with
 rustls::pki_types{CertificateDer, PrivateKeyDer} helpers

---
 examples/server.rs | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/examples/server.rs b/examples/server.rs
index 6cbcf45e..5f9cf71f 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -15,7 +15,7 @@ use hyper::body::{Bytes, Incoming};
 use hyper::service::service_fn;
 use hyper_util::rt::{TokioExecutor, TokioIo};
 use hyper_util::server::conn::auto::Builder;
-use pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 use rustls::ServerConfig;
 use tokio::net::TcpListener;
 use tokio_rustls::TlsAcceptor;
@@ -114,25 +114,26 @@ async fn echo(req: Request<Incoming>) -> Result<Response<Full<Bytes>>, hyper::Er
     };
     Ok(response)
 }
-
 // Load public certificate from file.
 fn load_certs(filename: &str) -> io::Result<Vec<CertificateDer<'static>>> {
     // Open certificate file.
-    let certfile =
-        fs::File::open(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
-    let mut reader = io::BufReader::new(certfile);
+    let data =
+        fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
 
     // Load and return certificate.
-    rustls_pemfile::certs(&mut reader).collect()
+    CertificateDer::pem_slice_iter(&data)
+        .map(|cert| cert.map_err(|e| error(format!("invalid PEM in {filename}: {e}"))))
+        .collect()
 }
 
 // Load private key from file.
 fn load_private_key(filename: &str) -> io::Result<PrivateKeyDer<'static>> {
     // Open keyfile.
-    let keyfile =
-        fs::File::open(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
-    let mut reader = io::BufReader::new(keyfile);
+    let data =
+        fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
 
     // Load and return a single private key.
-    rustls_pemfile::private_key(&mut reader).map(|key| key.unwrap())
+    PrivateKeyDer::from_pem_slice(&data)
+        .map_err(|e| error(format!("invalid private key in {filename}: {e}")))
 }
+

From fe5d783c204845e604827fd497903eaecaf7ba85 Mon Sep 17 00:00:00 2001
From: WinterPancake <niedzielski-work@protonmail.com>
Date: Wed, 31 Dec 2025 22:55:40 -0600
Subject: [PATCH 4/5] fmt

---
 examples/server.rs | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/examples/server.rs b/examples/server.rs
index 5f9cf71f..972d699d 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -117,8 +117,7 @@ async fn echo(req: Request<Incoming>) -> Result<Response<Full<Bytes>>, hyper::Er
 // Load public certificate from file.
 fn load_certs(filename: &str) -> io::Result<Vec<CertificateDer<'static>>> {
     // Open certificate file.
-    let data =
-        fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
+    let data = fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
 
     // Load and return certificate.
     CertificateDer::pem_slice_iter(&data)
@@ -129,11 +128,9 @@ fn load_certs(filename: &str) -> io::Result<Vec<CertificateDer<'static>>> {
 // Load private key from file.
 fn load_private_key(filename: &str) -> io::Result<PrivateKeyDer<'static>> {
     // Open keyfile.
-    let data =
-        fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
+    let data = fs::read(filename).map_err(|e| error(format!("failed to open {filename}: {e}")))?;
 
     // Load and return a single private key.
     PrivateKeyDer::from_pem_slice(&data)
         .map_err(|e| error(format!("invalid private key in {filename}: {e}")))
 }
-

From f053919a97d2a02ee030b03bf7affd8d62a6a8d9 Mon Sep 17 00:00:00 2001
From: WinterPancake <niedzielski-work@protonmail.com>
Date: Wed, 31 Dec 2025 23:09:59 -0600
Subject: [PATCH 5/5] removed unnecessary alias to dependency rustls-pki-types
 in Cargo.toml and uses

---
 Cargo.toml               | 2 +-
 examples/client.rs       | 2 +-
 examples/server.rs       | 2 +-
 src/connector.rs         | 2 +-
 src/connector/builder.rs | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index cb92b474..cf9972c5 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -27,7 +27,7 @@ http = "1"
 hyper = { version = "1", default-features = false }
 hyper-util = { version = "0.1", default-features = false, features = ["client-legacy", "tokio"] }
 log = { version = "0.4.4", optional = true }
-rustls-pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
+pki-types = { package = "rustls-pki-types", version = "1", features = ["std"] }
 rustls-native-certs = { version = "0.8", optional = true }
 rustls-platform-verifier = { version = "0.6", optional = true }
 rustls = { version = "0.23", default-features = false }
diff --git a/examples/client.rs b/examples/client.rs
index 11e2ebd0..764ed612 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -8,7 +8,7 @@ use http_body_util::{BodyExt, Empty};
 use hyper::body::Bytes;
 use hyper_rustls::ConfigBuilderExt;
 use hyper_util::{client::legacy::Client, rt::TokioExecutor};
-use rustls::pki_types::{pem::PemObject, CertificateDer};
+use pki_types::{pem::PemObject, CertificateDer};
 use rustls::{ClientConfig, RootCertStore};
 
 use std::str::FromStr;
diff --git a/examples/server.rs b/examples/server.rs
index 972d699d..84714d5f 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -15,7 +15,7 @@ use hyper::body::{Bytes, Incoming};
 use hyper::service::service_fn;
 use hyper_util::rt::{TokioExecutor, TokioIo};
 use hyper_util::server::conn::auto::Builder;
-use rustls::pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
+use pki_types::{pem::PemObject, CertificateDer, PrivateKeyDer};
 use rustls::ServerConfig;
 use tokio::net::TcpListener;
 use tokio_rustls::TlsAcceptor;
diff --git a/src/connector.rs b/src/connector.rs
index 8740b622..7fb7addc 100644
--- a/src/connector.rs
+++ b/src/connector.rs
@@ -8,7 +8,7 @@ use http::Uri;
 use hyper::rt;
 use hyper_util::client::legacy::connect::Connection;
 use hyper_util::rt::TokioIo;
-use rustls::pki_types::ServerName;
+use pki_types::ServerName;
 use tokio_rustls::TlsConnector;
 use tower_service::Service;
 
diff --git a/src/connector/builder.rs b/src/connector/builder.rs
index f1b31ed4..417d1303 100644
--- a/src/connector/builder.rs
+++ b/src/connector/builder.rs
@@ -16,7 +16,7 @@ use super::{DefaultServerNameResolver, HttpsConnector, ResolveServerName};
     feature = "rustls-platform-verifier"
 ))]
 use crate::config::ConfigBuilderExt;
-use rustls::pki_types::ServerName;
+use pki_types::ServerName;
 
 /// A builder for an [`HttpsConnector`]
 ///