From 4a0b3a51f6e8db4ed378771878b98883c7cd197b Mon Sep 17 00:00:00 2001 From: divybot Date: Fri, 5 Jun 2026 20:28:43 +0000 Subject: [PATCH] chore(examples): refresh TLS dev dependencies Bumps the TLS example/dev dependency stack to maintained current rustls-family crates: - tokio-rustls 0.24 -> 0.26 - rustls-pemfile 1.0 -> 2.2 (RUSTSEC-2025-0134, 1.x unmaintained) - webpki-roots 0.23 -> 1.0 This drops the old ring 0.16 line that came through webpki-roots 0.23 / rustls-webpki 0.100 and pulls in rustls 0.23 with rustls-pki-types. Migrates the TLS examples to the new APIs: - ServerName now lives in rustls::pki_types - RootCertStore is populated directly from webpki_roots::TLS_SERVER_ROOTS (OwnedTrustAnchor / from_subject_spki_name_constraints removed) - ClientConfig/ServerConfig builders no longer expose with_safe_defaults - rustls_pemfile::{pkcs8_private_keys, certs} now return iterators of Result> / Result> - Certificate/PrivateKey newtypes replaced by CertificateDer and PrivateKeyDer::Pkcs8 Co-Authored-By: Divy Srivastava --- Cargo.lock | 156 ++++++++++++++++++++++++----------------- Cargo.toml | 6 +- examples/tls_client.rs | 25 +++---- examples/tls_server.rs | 18 ++--- 4 files changed, 109 insertions(+), 96 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b109aa9..d6d0801 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -80,6 +80,28 @@ version = "1.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f2032f911046de80f0a198e0901378627c33f59ea0ac00e363d481118bd70a53" +[[package]] +name = "aws-lc-rs" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00" +dependencies = [ + "aws-lc-sys", + "zeroize", +] + +[[package]] +name = "aws-lc-sys" +version = "0.41.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a2f9779ce85b93ab6170dd940ad0169b5766ff848247aff13bb788b832fe3f4" +dependencies = [ + "cc", + "cmake", + "dunce", + "fs_extra", +] + [[package]] name = "axum" version = "0.8.9" @@ -132,12 +154,6 @@ dependencies = [ "tracing", ] -[[package]] -name = "base64" -version = "0.21.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" - [[package]] name = "base64" version = "0.22.1" @@ -190,6 +206,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "556e016178bb5662a08681bbe0f00f8e17631781a4dfc8c45e466e4b185ec27f" dependencies = [ "find-msvc-tools", + "jobserver", + "libc", "shlex", ] @@ -247,6 +265,15 @@ dependencies = [ "os_str_bytes", ] +[[package]] +name = "cmake" +version = "0.1.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c0f78a02292a74a88ac736019ab962ece0bc380e3f977bf72e376c5d78ff0678" +dependencies = [ + "cc", +] + [[package]] name = "cpufeatures" version = "0.2.17" @@ -349,6 +376,12 @@ dependencies = [ "crypto-common", ] +[[package]] +name = "dunce" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813" + [[package]] name = "either" version = "1.16.0" 
@@ -380,7 +413,7 @@ dependencies = [ "async-trait", "axum", "axum-core", - "base64 0.22.1", + "base64", "bytes", "criterion", "http", @@ -415,6 +448,12 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "fs_extra" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42703706b716c37f96a77aea830392ad231f44c9e9a67872fa5548707e11b11c" + [[package]] name = "futures-channel" version = "0.3.32" @@ -635,6 +674,16 @@ version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682" +[[package]] +name = "jobserver" +version = "0.1.34" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9afb3de4395d6b3e67a780b6de64b51c978ecf11cb9a462c66be7d4ca9039d33" +dependencies = [ + "getrandom 0.3.4", + "libc", +] + [[package]] name = "js-sys" version = "0.3.99" @@ -933,21 +982,6 @@ version = "0.8.10" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" -[[package]] -name = "ring" -version = "0.16.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc" -dependencies = [ - "cc", - "libc", - "once_cell", - "spin", - "untrusted 0.7.1", - "web-sys", - "winapi", -] - [[package]] name = "ring" version = "0.17.14" @@ -958,7 +992,7 @@ dependencies = [ "cfg-if", "getrandom 0.2.17", "libc", - "untrusted 0.9.0", + "untrusted", "windows-sys 0.52.0", ] 
@@ -973,43 +1007,47 @@ dependencies = [ [[package]] name = "rustls" -version = "0.21.12" +version = "0.23.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" +checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b" dependencies = [ + "aws-lc-rs", "log", - "ring 0.17.14", - "rustls-webpki 0.101.7", - "sct", + "once_cell", + "rustls-pki-types", + "rustls-webpki", + "subtle", + "zeroize", ] [[package]] name = "rustls-pemfile" -version = "1.0.4" +version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c" +checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" dependencies = [ - "base64 0.21.7", + "rustls-pki-types", ] [[package]] -name = "rustls-webpki" -version = "0.100.3" +name = "rustls-pki-types" +version = "1.14.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f6a5fc258f1c1276dfe3016516945546e2d5383911efc0fc4f1cdc5df3a4ae3" +checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9" dependencies = [ - "ring 0.16.20", - "untrusted 0.7.1", + "zeroize", ] [[package]] name = "rustls-webpki" -version = "0.101.7" +version = "0.103.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" dependencies = [ - "ring 0.17.14", - "untrusted 0.9.0", + "aws-lc-rs", + "ring", + "rustls-pki-types", + "untrusted", ] [[package]] 
@@ -1039,16 +1077,6 @@ version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" -[[package]] -name = "sct" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" -dependencies = [ - "ring 0.17.14", - "untrusted 0.9.0", -] - [[package]] name = "semver" version = "1.0.28" @@ -1186,10 +1214,10 @@ dependencies = [ ] [[package]] -name = "spin" -version = "0.5.2" +name = "subtle" +version = "2.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" [[package]] name = "syn" @@ -1289,9 +1317,9 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.24.1" +version = "0.26.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" +checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61" dependencies = [ "rustls", "tokio", @@ -1417,12 +1445,6 @@ version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" -[[package]] -name = "untrusted" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" - [[package]] name = "untrusted" version = "0.9.0" 
@@ -1532,11 +1554,11 @@ dependencies = [ [[package]] name = "webpki-roots" -version = "0.23.1" +version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b03058f88386e5ff5310d9111d53f48b17d732b401aeb83a8d5190f2ac459338" +checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d" dependencies = [ - "rustls-webpki 0.100.3", + "rustls-pki-types", ] [[package]] @@ -1696,6 +1718,12 @@ dependencies = [ "syn", ] +[[package]] +name = "zeroize" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" + [[package]] name = "zmij" version = "1.0.21" diff --git a/Cargo.toml b/Cargo.toml index c6b2f5a..49b81a6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -77,8 +77,8 @@ with_axum = ["axum-core", "http", "async-trait"] [dev-dependencies] tokio = { version = "1.25.0", features = ["full", "macros"] } -tokio-rustls = "0.24.0" -rustls-pemfile = "1.0" +tokio-rustls = "0.26.0" +rustls-pemfile = "2.2" hyper-util = { version = "0.1.0", features = ["tokio"] } http-body-util = { version = "0.1.0" } hyper = { version = "1", features = ["http1", "server", "client"] } @@ -86,7 +86,7 @@ assert2 = "0.3.4" trybuild = "1.0.80" criterion = "0.4.0" anyhow = "1.0.71" -webpki-roots = "0.23.0" +webpki-roots = "1.0" bytes = "1.4.0" axum = "0.8.1" diff --git a/examples/tls_client.rs b/examples/tls_client.rs index 66bd7db..d9a7d8d 100644 --- a/examples/tls_client.rs +++ b/examples/tls_client.rs @@ -13,8 +13,9 @@ use hyper::upgrade::Upgraded; use hyper::Request; use hyper_util::rt::TokioIo; use tokio::net::TcpStream; +use tokio_rustls::rustls::pki_types::ServerName; use tokio_rustls::rustls::ClientConfig; -use tokio_rustls::rustls::OwnedTrustAnchor; +use tokio_rustls::rustls::RootCertStore; use tokio_rustls::TlsConnector; struct SpawnExecutor; 
@@ -30,20 +31,11 @@ where } fn tls_connector() -> Result { - let mut root_store = tokio_rustls::rustls::RootCertStore::empty(); - - root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.0.iter().map( - |ta| { - OwnedTrustAnchor::from_subject_spki_name_constraints( - ta.subject, - ta.spki, - ta.name_constraints, - ) - }, - )); + let root_store = RootCertStore { + roots: webpki_roots::TLS_SERVER_ROOTS.to_vec(), + }; let config = ClientConfig::builder() - .with_safe_defaults() .with_root_certificates(root_store) .with_no_client_auth(); @@ -56,10 +48,9 @@ async fn connect(domain: &str) -> Result>> { let tcp_stream = TcpStream::connect(&addr).await?; let tls_connector = tls_connector().unwrap(); - let domain = - tokio_rustls::rustls::ServerName::try_from(domain).map_err(|_| { - std::io::Error::new(std::io::ErrorKind::InvalidInput, "invalid dnsname") - })?; + let domain = ServerName::try_from(domain.to_string()).map_err(|_| { + std::io::Error::new(std::io::ErrorKind::InvalidInput, "invalid dnsname") + })?; let tls_stream = tls_connector.connect(domain, tcp_stream).await?; diff --git a/examples/tls_server.rs b/examples/tls_server.rs index 4772ff2..5ffec8e 100644 --- a/examples/tls_server.rs +++ b/examples/tls_server.rs @@ -25,8 +25,7 @@ use hyper::Response; use std::sync::Arc; use tokio::net::TcpListener; use tokio_rustls::rustls; -use tokio_rustls::rustls::Certificate; -use tokio_rustls::rustls::PrivateKey; +use tokio_rustls::rustls::pki_types::PrivateKeyDer; use tokio_rustls::TlsAcceptor; async fn handle_client(fut: upgrade::UpgradeFut) -> Result<()> { 
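Review bot: `ClientConfig::builder()` in `tls_connector` now relies on rustls selecting a process-default crypto provider, and in rustls 0.23 that call panics at runtime when no provider is installed and the enabled crate features do not single one out. The lockfile in this patch appears to resolve rustls with `aws-lc-rs` only, so it should work as committed. The example would be more robust if it installed the provider explicitly once at program start, e.g. `let _ = tokio_rustls::rustls::crypto::aws_lc_rs::default_provider().install_default();`. The same applies to `rustls::ServerConfig::builder()` in the `tls_acceptor` hunk of examples/tls_server.rs. A one-line comment that the builder's built-in protocol defaults replace the removed `with_safe_defaults()` call would also help readers copying the example.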
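Review bot: The `map_err(|_| ...)` around `ServerName::try_from(domain.to_string())` in `connect` discards the parse error and labels every failure "invalid dnsname", although the `pki_types::ServerName` conversion also accepts IP addresses. Passing the source error through keeps the cause visible: `.map_err(|e| std::io::Error::new(std::io::ErrorKind::InvalidInput, e))?`. The `tls_connector().unwrap()` context line just above would presumably also read better as `tls_connector()?`, if the function's error type allows it. `connect` starts and ends outside this hunk.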
@@ -66,18 +65,13 @@ fn tls_acceptor() -> Result { static KEY: &[u8] = include_bytes!("./localhost.key"); static CERT: &[u8] = include_bytes!("./localhost.crt"); - let mut keys: Vec = - rustls_pemfile::pkcs8_private_keys(&mut &*KEY) - .map(|mut certs| certs.drain(..).map(PrivateKey).collect()) - .unwrap(); - let certs = rustls_pemfile::certs(&mut &*CERT) - .map(|mut certs| certs.drain(..).map(Certificate).collect()) - .unwrap(); - dbg!(&certs); + let mut keys = rustls_pemfile::pkcs8_private_keys(&mut &*KEY) + .collect::>>()?; + let certs = + rustls_pemfile::certs(&mut &*CERT).collect::>>()?; let config = rustls::ServerConfig::builder() - .with_safe_defaults() .with_no_client_auth() - .with_single_cert(certs, keys.remove(0))?; + .with_single_cert(certs, PrivateKeyDer::Pkcs8(keys.remove(0)))?; Ok(TlsAcceptor::from(Arc::new(config))) }
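Review bot: `keys.remove(0)` in `tls_acceptor` still panics when `localhost.key` contains no PKCS#8 block (for example an RSA or SEC1 key), even though the parse errors around it are now propagated with `?`. `rustls_pemfile::private_key` reads the first key of any supported format and returns an `Option`, so the empty case can become an ordinary error: `let key = rustls_pemfile::private_key(&mut &*KEY)?.ok_or_else(|| anyhow::anyhow!("no private key in localhost.key"))?;`, followed by `.with_single_cert(certs, key)?`. This assumes the file's `Result` alias is `anyhow::Result`, which the hunk does not show. Since the key is compiled in with `include_bytes!`, a comment such as `// localhost-only test credential; never reuse outside this example` next to `KEY` would be worth adding.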