Update the tls based dependencies to match the payjoin msrv

benalleng · benalleng · commit 9ef328090c25 · 2025-08-27T14:54:08.000-04:00
This commit updates the tls related dependencies to mathc the new
payjoin msrv to 1.85.0&gt;

All these crates have these changes together as the crates are all
interdependent on each other.

As well there are some significant api changes that come with these new
dep bumps.

payjoin-cli and payjoin-directory both use tokio-rustls which has an
internal rustls module accesible so I removed their direct rustls deps
in hopes that it could prevent some divergent changes in the future.
diff --git a/Cargo-minimal.lock b/Cargo-minimal.lock
diff --git a/Cargo-recent.lock b/Cargo-recent.lock
diff --git a/payjoin-cli/Cargo.toml b/payjoin-cli/Cargo.toml
@@ -21,7 +21,7 @@ path = "src/main.rs"
 [features]
 default = ["v2"]
 native-certs = ["reqwest/rustls-tls-native-roots"]
-_manual-tls = ["rcgen", "reqwest/rustls-tls", "rustls", "hyper-rustls", "payjoin/_manual-tls", "tokio-rustls"]
+_manual-tls = ["rcgen", "reqwest/rustls-tls", "hyper-rustls", "payjoin/_manual-tls", "tokio-rustls"]
 v1 = ["payjoin/v1","hyper", "hyper-util", "http-body-util"]
 v2 = ["payjoin/v2", "payjoin/io"]
 
@@ -35,21 +35,20 @@ env_logger = "0.11.8"
 futures = "0.3.31"
 http-body-util = { version = "0.1.3", optional = true }
 hyper = { version = "1.6.0", features = ["http1", "server"], optional = true }
-hyper-rustls = { version = "0.26", optional = true }
+hyper-rustls = { version = "0.27.7", default-features=false, features = ["ring"], optional = true }
 hyper-util = { version = "0.1.16", optional = true }
 log = "0.4.27"
 payjoin = { version = "0.24.0", default-features = false }
 r2d2 = "0.8.10"
 r2d2_sqlite = "0.22.0"
-rcgen = { version = "0.11.1", optional = true }
-reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
+rcgen = { version = "0.14.3", optional = true }
+reqwest = { version = "0.12.23", default-features = false, features = ["json", "rustls-tls"] }
 rusqlite = { version = "0.29.0", features = ["bundled"] }
-rustls = { version = "0.22.4", optional = true }
 serde_json = "1.0.142"
 serde = { version = "1.0.219", features = ["derive"] }
 sled = "0.34.7"
 tokio = { version = "1.47.1", features = ["full"] }
-tokio-rustls = { version = "0.25", features = ["ring"], default-features = false, optional = true }
+tokio-rustls = { version = "0.26.2", features = ["ring"], default-features = false, optional = true }
 url = { version = "2.5.4", features = ["serde"] }
 dirs = "6.0.0"
 
diff --git a/payjoin-cli/src/app/v1.rs b/payjoin-cli/src/app/v1.rs
@@ -180,8 +180,10 @@ impl App {
 
     #[cfg(feature = "_manual-tls")]
     fn init_tls_acceptor(&self) -> Result<tokio_rustls::TlsAcceptor> {
-        use rustls::pki_types::{CertificateDer, PrivateKeyDer};
-        use rustls::ServerConfig;
+        use std::sync::Arc;
+
+        use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+        use tokio_rustls::rustls::ServerConfig;
         use tokio_rustls::TlsAcceptor;
 
         let key_der = std::fs::read(
diff --git a/payjoin-cli/tests/e2e.rs b/payjoin-cli/tests/e2e.rs
@@ -83,15 +83,12 @@ mod e2e {
 
             let cert = local_cert_key();
             let cert_path = &temp_dir.path().join("localhost.crt");
-            tokio::fs::write(
-                cert_path,
-                cert.serialize_der().expect("must be able to serialize self signed certificate"),
-            )
-            .await
-            .expect("must be able to write self signed certificate");
+            tokio::fs::write(cert_path, cert.cert.der().to_vec())
+                .await
+                .expect("must be able to write self signed certificate");
 
             let key_path = &temp_dir.path().join("localhost.key");
-            tokio::fs::write(key_path, cert.serialize_private_key_der())
+            tokio::fs::write(key_path, cert.signing_key.serialize_der())
                 .await
                 .expect("must be able to write self signed certificate");
 
@@ -450,15 +447,12 @@ mod e2e {
             // Set up certificates for v1 receiver (needs local HTTPS server)
             let cert = local_cert_key();
             let cert_path = &temp_dir.path().join("localhost.crt");
-            tokio::fs::write(
-                cert_path,
-                cert.serialize_der().expect("must be able to serialize self signed certificate"),
-            )
-            .await
-            .expect("must be able to write self signed certificate");
+            tokio::fs::write(cert_path, cert.cert.der().to_vec())
+                .await
+                .expect("must be able to write self signed certificate");
 
             let key_path = &temp_dir.path().join("localhost.key");
-            tokio::fs::write(key_path, cert.serialize_private_key_der())
+            tokio::fs::write(key_path, cert.signing_key.serialize_der())
                 .await
                 .expect("must be able to write self signed certificate");
 
diff --git a/payjoin-directory/Cargo.toml b/payjoin-directory/Cargo.toml
@@ -15,7 +15,7 @@ resolver = "2"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-_manual-tls = ["hyper-rustls", "rustls", "tokio-rustls"]
+_manual-tls = ["hyper-rustls", "tokio-rustls"]
 
 [dependencies]
 anyhow = "1.0.99"
@@ -24,14 +24,13 @@ bhttp = { version = "0.6.1", features = ["http"] }
 futures = "0.3.31"
 http-body-util = "0.1.3"
 hyper = { version = "1.6.0", features = ["http1", "server"] }
-hyper-rustls = { version = "0.26", optional = true }
+hyper-rustls = { version = "0.27.7", default-features=false, features = ["webpki-roots", "http1", "ring"], optional=true }
 hyper-util = { version = "0.1.16", features = ["tokio"] }
 ohttp = { package = "bitcoin-ohttp", version = "0.6.0"}
 payjoin = { version = "0.24.0", features = ["directory"], default-features = false }
 redis = { version = "0.32.5", features = ["aio", "tokio-comp"] }
-rustls = { version = "0.22.4", optional = true }
 tokio = { version = "1.23.31", features = ["full"] }
-tokio-rustls = { version = "0.25", features = ["ring"], default-features = false, optional = true }
+tokio-rustls = { version = "0.26.2", features = ["ring"], default-features = false, optional = true }
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 prometheus = "0.13.4"
diff --git a/payjoin-directory/src/lib.rs b/payjoin-directory/src/lib.rs
@@ -39,8 +39,8 @@ pub type BoxError = Box<dyn std::error::Error + Send + Sync>;
 
 #[cfg(feature = "_manual-tls")]
 fn init_tls_acceptor(cert_key: (Vec<u8>, Vec<u8>)) -> Result<tokio_rustls::TlsAcceptor> {
-    use rustls::pki_types::{CertificateDer, PrivateKeyDer};
-    use rustls::ServerConfig;
+    use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
+    use tokio_rustls::rustls::ServerConfig;
     use tokio_rustls::TlsAcceptor;
     let (cert, key) = cert_key;
     let cert = CertificateDer::from(cert);
diff --git a/payjoin-test-utils/Cargo.toml b/payjoin-test-utils/Cargo.toml
@@ -15,13 +15,13 @@ bitcoind = { version = "0.36.1", features = ["0_21_2"] }
 http = "1.3.1"
 log = "0.4.27"
 ohttp = { package = "bitcoin-ohttp", version = "0.6.0" }
-ohttp-relay = { version = "0.0.10", features = ["_test-util"] }
+ohttp-relay = { version = "0.0.11", features = ["_test-util"] }
 once_cell = "1.21.3"
 payjoin = { version = "0.24.0", features = ["io", "_manual-tls", "_test-utils"] }
 payjoin-directory = { version = "0.0.3", features = ["_manual-tls"] }
-rcgen = "0.11"
-rustls = "0.22"
-reqwest = { version = "0.12", default-features = false, features = ["rustls-tls"] }
+rcgen = "0.14.3"
+rustls = { version = "0.23.31", default-features=false, features = ["ring"] }
+reqwest = { version = "0.12.23", default-features = false, features = ["rustls-tls"] }
 testcontainers-modules = { version = "0.12.1", features = ["redis"]}
 tokio = { version = "1.47.1", features = ["full"] }
 tracing = "0.1.41"
diff --git a/payjoin-test-utils/src/lib.rs b/payjoin-test-utils/src/lib.rs
@@ -61,31 +61,31 @@ impl TestServices {
     pub async fn initialize() -> Result<Self, BoxSendSyncError> {
         // TODO add a UUID, and cleanup guard to delete after on successful run
         let cert = local_cert_key();
-        let cert_der = cert.serialize_der().expect("Failed to serialize cert");
-        let key_der = cert.serialize_private_key_der();
-        let cert_key = (cert_der.clone(), key_der.clone());
+        let cert_der = cert.cert.der().to_vec();
+        let key_der = cert.signing_key.serialize_der();
+        let cert_key = (cert_der.clone(), key_der);
 
         let mut root_store = RootCertStore::empty();
-        root_store.add(CertificateDer::from(cert.serialize_der().unwrap())).unwrap();
+        root_store.add(CertificateDer::from(cert.cert.der().to_vec())).unwrap();
 
         let redis = init_redis().await;
         let db_host = format!("127.0.0.1:{}", redis.0);
-        let directory = init_directory(db_host, cert_key.clone()).await?;
+        let directory = init_directory(db_host, cert_key).await?;
         let gateway_origin =
             ohttp_relay::GatewayUri::from_str(&format!("https://localhost:{}", directory.0))?;
         let ohttp_relay = ohttp_relay::listen_tcp_on_free_port(gateway_origin, root_store).await?;
         let http_agent: Arc<Client> = Arc::new(http_agent(cert_der)?);
 
         Ok(Self {
-            cert,
+            cert: cert.cert,
             redis,
             directory: (directory.0, Some(directory.1)),
             ohttp_relay: (ohttp_relay.0, Some(ohttp_relay.1)),
             http_agent,
         })
     }
 
-    pub fn cert(&self) -> Vec<u8> { self.cert.serialize_der().expect("Failed to serialize cert") }
+    pub fn cert(&self) -> Vec<u8> { self.cert.der().to_vec() }
 
     pub fn directory_url(&self) -> Url {
         Url::parse(&format!("https://localhost:{}", self.directory.0)).expect("invalid URL")
@@ -159,7 +159,7 @@ async fn bind_free_port() -> Result<tokio::net::TcpListener, std::io::Error> {
 }
 
 /// generate or get a DER encoded localhost cert and key.
-pub fn local_cert_key() -> rcgen::Certificate {
+pub fn local_cert_key() -> rcgen::CertifiedKey<rcgen::KeyPair> {
     rcgen::generate_simple_self_signed(vec!["0.0.0.0".to_string(), "localhost".to_string()])
         .expect("Failed to generate cert")
 }
diff --git a/payjoin/Cargo.toml b/payjoin/Cargo.toml
@@ -35,11 +35,11 @@ log = { version = "0.4.27"}
 http = { version = "1.3.1", optional = true }
 bhttp = { version = "0.6.1", optional = true }
 ohttp = { package = "bitcoin-ohttp", version = "0.6.0", optional = true }
-reqwest = { version = "0.12", default-features = false, optional = true }
-rustls = { version = "0.22.4", optional = true }
 serde = { version = "1.0.219", default-features = false, optional = true }
-serde_json = { version = "1.0.142", optional = true }
+reqwest = { version = "0.12.23", default-features = false, optional = true }
+rustls = { version = "0.23.31", optional = true, default-features=false, features = ["ring"] }
 url = { version = "2.5.4", optional = true }
+serde_json = { version = "1.0.142", optional = true }
 
 [dev-dependencies]
 bitcoind = { version = "0.36.1", features = ["0_21_2"] }
