Direct support for PEM-decoding of this crate's types

.github/workflows/ci.yml

@@ -40,6 +40,10 @@ jobs:
         with:
           toolchain: ${{ matrix.rust }}
 
+      - name: Install valgrind
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y valgrind
+
       - name: cargo test (debug; default features)
         run: cargo test
         env:
@@ -166,3 +170,27 @@ jobs:
           for target in $(cargo fuzz list) ; do
             cargo fuzz run $target -- -max_total_time=10
           done
+
+  valgrind:
+    name: Check side-channels on base64 decoder
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install stable toolchain
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install valgrind
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y valgrind
+
+      - name: Build and run test
+        run: |
+          cargo test --all-features --lib
+          exe=$(cargo test --all-features --no-run --message-format json | \
+                jq --slurp --raw-output '.[] | select(.reason == "compiler-artifact") | select(.target.name == "rustls_pki_types") | select(.profile.test) | .executable')
+          valgrind --error-exitcode=99 --exit-on-first-error=yes $exe
+

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rustls-pki-types"
-version = "1.8.0"
+version = "1.9.0"
 edition = "2021"
 rust-version = "1.60"
 license = "MIT OR Apache-2.0"
@@ -16,6 +16,9 @@ alloc = []
 std = ["alloc"]
 web = ["web-time"]
 
+[target.'cfg(all(target_os = "linux", target_arch = "x86_64"))'.dev-dependencies]
+crabgrind = "=0.1.9" # compatible with valgrind package on GHA ubuntu-latest
+
 [target.'cfg(all(target_family = "wasm", target_os = "unknown"))'.dependencies]
 web-time = { version = "1", optional = true }
 

README.md

@@ -8,7 +8,7 @@ This crate provides types for representing X.509 certificates, keys and other ty
 used in the rustls ecosystem. It is intended to be used by crates that need to work with such X.509
 types, such as [rustls](https://crates.io/crates/rustls),
 [rustls-webpki](https://crates.io/crates/rustls-webpki),
-[rustls-pemfile](https://crates.io/crates/rustls-pemfile), and others.
+and others.
 
 Some of these crates used to define their own trivial wrappers around DER-encoded bytes.
 However, in order to avoid inconvenient dependency edges, these were all disconnected. By
@@ -32,7 +32,7 @@ many tools and protocols use a ASCII-based encoding of DER, called PEM. In addit
 base64-encoded DER, PEM objects are delimited by header and footer lines which indicate the type
 of object contained in the PEM blob.
 
-The [rustls-pemfile](https://docs.rs/rustls-pemfile) crate can be used to parse PEM files.
+This crate's types can be created from both DER and PEM encodings.
 
 ## Creating new certificates and keys
 

fuzz/Cargo.toml

@@ -12,6 +12,7 @@ libfuzzer-sys = "0.4"
 
 [dependencies.rustls-pki-types]
 path = ".."
+features = ["std"]
 
 # Prevent this from interfering with workspaces
 [workspace]
@@ -25,3 +26,9 @@ name = "private_key"
 path = "fuzz_targets/private_key.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "pem"
+path = "fuzz_targets/pem.rs"
+test = false
+doc = false

fuzz/corpus/pem/zen.pem

@@ -0,0 +1 @@
+../../../tests/data/zen.pem

fuzz/fuzz_targets/pem.rs

@@ -0,0 +1,26 @@
+#![no_main]
+
+use std::io::Cursor;
+
+use libfuzzer_sys::fuzz_target;
+
+use rustls_pki_types::pem::PemObject;
+use rustls_pki_types::{CertificateDer, PrivateKeyDer};
+
+fuzz_target!(|data: &[u8]| {
+    // cover the code paths that use std::io
+    for x in CertificateDer::pem_reader_iter(&mut Cursor::new(data)) {
+        match x {
+            Ok(_item) => (),
+            Err(_err) => break,
+        }
+    }
+
+    // cover the code paths that use slices
+    for x in PrivateKeyDer::pem_slice_iter(data) {
+        match x {
+            Ok(_item) => (),
+            Err(_err) => break,
+        }
+    }
+});