Thanks for working on this! I would propose doing a smaller increment which preserves the use of the pem crate for parsing (but still uses the pki-types for DER-containing types in the public API).

I also think it would be okay to add CertificateSigningRequestDer to pki-types, do you want to submit a PR for that?

What do you think?

Yes sure, let's do this step by step!
I've kept the dependency to the pem crate, and submit a PR to pki_types to add the CertificateSigningRequestDer type (rustls/pki-types#33)

ci / Validate external types appearing in public API (pull_request) Failing after 1m

To fix this task you'll need to update the cargo-check-external-types metadata to add rustls_pki_types to the allow-list:

The intent of pki-types is to be a stable API and so it's also ignored for this task in the other various rustls repos.

To fix this task you'll need to update the cargo-check-external-types metadata to add rustls_pki_types to the allow-list:

I see, thank you for the tip!

We're going to cut a pki-types release with the CSR type: rustls/pki-types#34 If you want to take a Cargo patch and switch this branch over we can probably have that release published before this PR is done with review saving a follow-up for that.

I've used a patch while waiting for the release 👍

I wonder if CeritificateSigningRequest::from_der should take ownership or a reference to CeritificateSigningRequestDer

I've used a patch while waiting for the release 👍

pki-types v1.3.0 is now available.

@est31 Do you think you'll have bandwidth to review this soon? Should we continue to hold merging?

It needs a rebase, right?

I've always felt down when using these special types with crates like ring for example (the rust crypto ecosystem also uses them heavily), because you have to import an additional type to use the API, and maybe even an additional crate. Actually you don't but you need to first look up if there is a from impl, etc. You also need to figure out how to convert it into bytes again in the output. This makes interaction with such APIs way more expensive for developers.

I do sympathize with these concerns, however in this case:

• I think it substantially helps users of different experience levels to be clear about PEM vs DER. Although rcgen already does a great job of making this clear in the function names, I think the type-level distinctions can help.
• It is very easy to convert a &[u8] or Vec<u8> to one of these new types.

(I myself recently got confused and passed DER into an API that expected a Vec<u8> containing PEM. This was an SDK wrapping tonic, which does clearly mark the underlying fields as PEM.)

The main advantage I see in DER specific types would be that it could take care of conversion to PEM, you'd just call a function .pem() on it. But when I look at the rustdocs of PrivatePkcs8KeyDer I don't see any explanation how to convert it to pem, nor is there an easy pem() that returns a string (or another wrapper).

Yes, there is no PEM encoding code in the rustls project. I think we might want to change that going forward, and it would definitely make the case for this stronger.

I myself recently got confused and passed DER into an API that expected a Vec<u8> containing PEM. This was an SDK wrapping tonic, which does clearly mark the underlying fields as PEM.

Fair point, and I personally also had some confusing experiences where one Rust crypto library provided a key in one format and the other library was reading the key in the other format. In these instances, the chosen format has always been underdocumented (it's already over a year ago and I don't remember the exact details any more).

I think we can eventually merge this PR, if it documents the new API well, and by that I mean at each location where the new types are being used.

You are right that it's very easy to convert these types to/from byte buffers but it needs to be documented how, one shouldn't need the docs of the interface crate for that.

I've rebased on the latest main and add some comments as suggested in the review.

Thanks for working on this, I'll just merge this now and might follow up with a PR with some nits.

Nice work @Tudyx 👏