feat(network): switch TLS backend to rustls for PKCS#1 + EC key support

[zkochan]

Closes #499.

Summary

Switches reqwest's TLS backend from native-tls-vendored to rustls. The single observable contract change: pacquet now accepts PKCS#1, PKCS#8, and EC private keys from .npmrc's key= / :key= / :keyfile= entries — the same set Node's tls.createSecureContext exposes to pnpm via undici. Native-tls's Identity::from_pkcs8_pem accepted only -----BEGIN PRIVATE KEY----- (PKCS#8); the doc comment in #490 flagged this as a parity gap.

PKCS#12 (.pfx) stays out of scope — pnpm's .npmrc allow-list doesn't expose a pfx= option so pacquet doesn't either.

What changed

• Cargo.toml: drop native-tls-vendored, add rustls. Reqwest's rustls feature uses aws-lc-rs for crypto and rustls-platform-verifier for OS trust roots — closest behavioral match to native-tls's "consult the platform trust store" default.
• crates/network/src/lib.rs: apply_tls swaps Identity::from_pkcs8_pem(cert, key) for Identity::from_pem over the concatenated cert\nkey PEM buffer. Adds a new looks_like_pem_cert syntactic check before Certificate::from_pem because rustls's from_pem stores the bytes verbatim and validates lazily at Client::build() time — a garbage CA entry would otherwise slip through silently and the install would proceed against an unknown trust root. The existing InvalidCa { index, .. } error contract is preserved.
• crates/network/src/tls.rs: updated doc comments on TlsConfig::key, RegistryTls::key, TlsError::InvalidClientIdentity to describe the new surface and drop the PKCS#8-only caveat.
• deny.toml: allow CDLA-Permissive-2.0 for webpki-root-certs (pulled in by reqwest's rustls feature through rustls-platform-verifier's fallback chain).
• New fixtures: crates/network/tests/fixtures/test-client-pkcs1.{crt,key} (PKCS#1 RSA, self-signed, 100-year expiry). Loaded via include_str!. Regenerable with openssl genrsa -traditional + openssl req -new -x509 per the constant comment.

Reviewer flags

• Cert store behavior changes. rustls-platform-verifier reads the OS trust store on macOS / Windows / Linux, but it's a different syscall path from native-tls's. Corporate CAs that worked under native-tls and don't show up in rustls-platform-verifier's enumeration would now silently fail. Users hitting this should add the CA explicitly via cafile= in .npmrc.
• Performance. CI's integrated-benchmark will run on this PR. Expected impact: comparable on warm installs (TLS handshake is on the cold path, connection pool reuse is unchanged), possibly slightly faster cold-install due to rustls's lighter handshake. If the warm-install path regresses materially we'd consider the preprocessing approach (PKCS#1 → PKCS#8 conversion via the pkcs1 / pkcs8 RustCrypto crates) as a fallback that keeps native-tls.
• Different crypto stack from pnpm. Pnpm runs on Node which uses OpenSSL. Pacquet on rustls means a different TLS implementation than upstream — same observable behavior on the wire, but if pnpm sees a corporate CA issue and rustls rejects something OpenSSL would accept (or vice versa) we'd have a parity edge case. The cardinal rule is about behavior not implementation, so this is acceptable, but worth being aware of.
• License surface. One new allowance (CDLA-Permissive-2.0) for webpki-root-certs. No new advisory surface beyond what reqwest's rustls feature already pulls through aws-lc-rs / rustls / rustls-platform-verifier.

Test plan

• for_installs_with_pkcs1_client_key_builds pins the new PKCS#1-accepted contract
• All existing InvalidCa / InvalidClientIdentity tests still surface their errors with the right index / reason
• cargo nextest run --workspace — 1175 tests pass
• just ready clean
• taplo format --check clean
• RUSTDOCFLAGS=-D warnings cargo doc --no-deps --workspace --document-private-items clean
• just dylint clean
• cargo deny check clean (one new license allowance added in deny.toml)
• CI integrated-benchmark: warm-install perf vs main

References

• Closes feat(network): support PKCS#1 client keys (currently PKCS#8 only) #499
• Builds on feat(config,network,cli): TLS keys + local-address from .npmrc #490 (top-level TLS keys) and feat(config,network,tarball,registry): per-registry TLS overrides #502 (per-registry TLS)

---

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

• Improvements
  • Switched TLS backend to rustls for enhanced cross-platform compatibility.
  • Added stricter validation for CA certificates with clearer error messages when certificates are invalid.
  • Extended support for additional private key formats (PKCS#1, PKCS#8, and EC keys).
  • Improved TLS configuration documentation.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR migrates the network crate from OpenSSL-based native-tls-vendored to rustls TLS backend and refactors client identity handling to accept PKCS#1 and PKCS#8 private keys. The key change replaces separate PKCS#8 identity construction with a concatenated PEM buffer approach, adding early validation of CA certificate armor markers.

Changes

TLS rustls migration and PKCS#1 support

Layer / File(s)	Summary
Dependency and license configuration Cargo.toml, deny.toml	Reqwest switched from native-tls-vendored to rustls feature; CDLA-Permissive-2.0 license added to allowlist.
TLS API documentation updates crates/network/src/tls.rs	TlsConfig and RegistryTls key documentation updated to reflect Identity::from_pem single-buffer semantics and expanded formats (PKCS#1, PKCS#8, EC).
Client identity and CA validation refactoring crates/network/src/lib.rs	Private looks_like_pem_cert helper added for syntactic PEM armor checks; apply_tls refactored to validate CA certificates eagerly and construct client identity via Identity::from_pem using concatenated cert+key buffer.
PKCS#1 support testing and fixtures crates/network/src/tests.rs, crates/network/tests/fixtures/test-client-pkcs1.*	Regression test with PKCS#1 certificate and RSA private key fixtures verifies ThrottledClient::for_installs builds with PKCS#1 client credentials.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• pnpm/pacquet#499: Both address rustls migration and PKCS#1 key support in TLS client identity handling via Identity::from_pem with concatenated cert+key.
• pnpm/pacquet#482: Related to TLS wiring updates in ThrottledClient and reqwest Identity/Certificate handling in the network crate.

Possibly related PRs

• pnpm/pacquet#490: Both PRs refactor the TLS pipeline in ThrottledClient::for_installs and apply_tls, with this PR's identity construction and validation changes building directly on that TLS/client-cert wiring foundation.

Poem

A rabbit hops through TLS paths so bright,
With rustls now steering the cryptographic light,
PKCS#1 keys no longer need to hide,
For concatenated PEM buffers open the door wide. 🐰🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically captures the main change: switching the TLS backend to rustls and gaining PKCS#1 + EC key support, which is the primary purpose of the PR.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering summary, linked issue (#499), detailed changelog, reviewer flags, and test plan. It provides clear context for the changes and follows the repository guidelines.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/pkcs1-rustls

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[coderabbitai]

🧹 Nitpick comments (1)

crates/network/src/tests.rs (1)

519-551: ⚡ Quick win

Add an EC-key regression test to pin the full supported-key contract.

This new hunk validates PKCS#1, but the documented/behavioral surface now includes EC keys too. Add one EC cert+key fixture case so that support is locked by tests, not just docs.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/network/src/tests.rs` around lines 519 - 551, Add a parallel EC-key
fixture and test to lock the documented support for EC client keys: create
constants similar to TEST_CLIENT_PKCS1_CERT and TEST_CLIENT_PKCS1_KEY (e.g.
TEST_CLIENT_EC_CERT and TEST_CLIENT_EC_KEY) that include an EC cert and EC
private key PEM, then add a new #[test] (mirroring
for_installs_with_pkcs1_client_key_builds) which constructs a TlsConfig with
those EC constants and calls
ThrottledClient::for_installs(&ProxyConfig::default(), &tls,
&PerRegistryTls::default()).expect(...) to assert EC keys build successfully;
this pins support for EC keys alongside the existing PKCS#1 test.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@crates/network/src/tests.rs`:
- Around line 519-551: Add a parallel EC-key fixture and test to lock the
documented support for EC client keys: create constants similar to
TEST_CLIENT_PKCS1_CERT and TEST_CLIENT_PKCS1_KEY (e.g. TEST_CLIENT_EC_CERT and
TEST_CLIENT_EC_KEY) that include an EC cert and EC private key PEM, then add a
new #[test] (mirroring for_installs_with_pkcs1_client_key_builds) which
constructs a TlsConfig with those EC constants and calls
ThrottledClient::for_installs(&ProxyConfig::default(), &tls,
&PerRegistryTls::default()).expect(...) to assert EC keys build successfully;
this pins support for EC keys alongside the existing PKCS#1 test.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 367697c6-5bed-4d9f-8a66-a6642d4482ba

📥 Commits

Reviewing files that changed from the base of the PR and between 72fb61b and 57be1ac.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (7)

• Cargo.toml
• crates/network/src/lib.rs
• crates/network/src/tests.rs
• crates/network/src/tls.rs
• crates/network/tests/fixtures/test-client-pkcs1.crt
• crates/network/tests/fixtures/test-client-pkcs1.key
• deny.toml

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: copilot-pull-request-reviewer
• GitHub Check: Dylint
• GitHub Check: Lint and Test (windows-latest)
• GitHub Check: Run benchmark on ubuntu-latest
• GitHub Check: Lint and Test (ubuntu-latest)
• GitHub Check: Doc
• GitHub Check: Run benchmark on ubuntu-latest
• GitHub Check: Code Coverage

🧰 Additional context used

📓 Path-based instructions (1)

**/*.rs

📄 CodeRabbit inference engine (AGENTS.md)

**/*.rs: Preserve existing method chains and pipe-trait chains; do not break them into intermediate let bindings unless there is a concrete justification such as a compilation failure, borrow checker rejection, meaningful performance improvement, or other technical necessity. Refactoring for style alone is not sufficient justification.
Choose owned vs. borrowed parameters to minimize copies; prefer borrowed types (&Path over &PathBuf, &str over &String) when it does not force extra copies.
Prefer Arc::clone(&x) and Rc::clone(&x) over x.clone() for reference-counted types to make the cost visible at the call site.
Do not use star imports inside module bodies. Write use super::{Foo, bar} instead of use super::*; for any glob whose target is a module you control. External-crate preludes (e.g., use rayon::prelude::*;) and root-of-module re-exports (e.g., pub use submodule::*; in lib.rs) are exceptions.
Follow Rust API Guidelines for naming, as documented in https://rust-lang.github.io/api-guidelines/naming.html.
Declare a newtype wrapper for any branded string type being ported from TypeScript pnpm. Do not collapse the brand into a plain String or &str; give the type its own struct so misuse is a type error.
When porting branded string types where upstream TypeScript always validates before construction, validate in the Rust port too. Construct the wrapper only via TryFrom<String> and/or FromStr; do not provide an infallible public constructor that takes an arbitrary string.
For branded string types where upstream TypeScript never validates (used purely for type-safety to prevent confusion between string slots), expose an infallible From<String> and From<&str> constructor in the Rust wrapper.
When upstream TypeScript occasionally constructs a branded type without validation (via bare as assertion), add a from_str_unchecked (or similarly named) constructor on the Rust side. Keep the validating constructor as well; `from_str_u...

Files:

• crates/network/src/tls.rs
• crates/network/src/lib.rs
• crates/network/src/tests.rs

🧠 Learnings (4)

📚 Learning: 2026-05-07T23:19:08.272Z

Learnt from: KSXGitHub
Repo: pnpm/pacquet PR: 401
File: tasks/integrated-benchmark/src/work_env.rs:343-344
Timestamp: 2026-05-07T23:19:08.272Z
Learning: When reviewing Rust code in pnpm/pacquet for deprecated API usage, do not automatically treat `serde_saphyr::to_string` as deprecated. In `serde-saphyr` v0.0.25, `serde_saphyr::to_string` has no `#[deprecated]` attribute (the `#[deprecated]` later in `serde-saphyr-0.0.25/src/lib.rs` applies to a different function). Only flag `serde_saphyr::to_string` as deprecated if the resolved dependency version’s source shows `#[deprecated]` on that specific function.

Applied to files:

• crates/network/src/tls.rs
• crates/network/src/lib.rs
• crates/network/src/tests.rs

📚 Learning: 2026-05-13T22:52:32.579Z

Learnt from: zkochan
Repo: pnpm/pacquet PR: 506
File: crates/package-manager/src/link_bins.rs:238-241
Timestamp: 2026-05-13T22:52:32.579Z
Learning: In Rust code using `matches!` (or `match`) on a borrowed value (e.g., `meta: &PackageMetadata` and a field access like `meta.resolution`), it is safe to use wildcard/OR patterns such as `LockfileResolution::Binary(_) | LockfileResolution::Variations(_)` when the pattern does not bind the inner payload by value. `_` wildcard patterns (and similar discriminant-only patterns) should not move non-`Copy` data; they only test the variant and avoid ownership transfer. Do not flag these patterns as move-out-of-borrow/ownership compile errors. Only patterns that bind the inner value by value (e.g., `LockfileResolution::Binary(b)`) would require ownership and may trigger move errors when matching on data behind a borrow.

Applied to files:

• crates/network/src/tls.rs
• crates/network/src/lib.rs
• crates/network/src/tests.rs

📚 Learning: 2026-05-01T10:01:33.766Z

Learnt from: zkochan
Repo: pnpm/pacquet PR: 349
File: crates/reporter/src/tests.rs:121-121
Timestamp: 2026-05-01T10:01:33.766Z
Learning: In Rust test code, follow the repo’s CODE_STYLE_GUIDE test-logging rule: add logging (e.g., `eprintln!`/`eprintln!(...)`) so that useful diagnostic values are printed when a test fails, unless the assertion is `assert_eq!` (where the differing values are already included). Concretely, if you use assertions like `assert!`, `assert_ne!`, etc., ensure the test logs the relevant actual/expected values (or context) before/around the assertion so failures can be diagnosed without rerunning.

Applied to files:

• crates/network/src/tests.rs

📚 Learning: 2026-05-01T10:01:33.766Z

Learnt from: zkochan
Repo: pnpm/pacquet PR: 349
File: crates/reporter/src/tests.rs:121-121
Timestamp: 2026-05-01T10:01:33.766Z
Learning: In this repo’s Rust tests (run via `cargo nextest`), stdout/stderr from passing tests is captured and is only shown when a test fails. As a result, `eprintln!` (and similar stderr logging) in these tests should generally not be flagged as CI “noise” on the happy path; CI output should only appear for failing tests.

Applied to files:

• crates/network/src/tests.rs

🪛 Betterleaks (1.2.0)

crates/network/tests/fixtures/test-client-pkcs1.key

[high] 1-27: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

crates/network/src/lib.rs

[high] 402-404: Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

(private-key)

🔇 Additional comments (6)

Cargo.toml (1)

65-71: LGTM!

deny.toml (1)

63-63: LGTM!

crates/network/src/tls.rs (1)

51-54: LGTM!

Also applies to: 85-87, 98-102, 156-159

crates/network/src/lib.rs (1)

189-192: LGTM!

Also applies to: 353-366, 373-413

crates/network/tests/fixtures/test-client-pkcs1.key (1)

1-27: LGTM!

crates/network/tests/fixtures/test-client-pkcs1.crt (1)

1-19: LGTM!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.61%. Comparing base (fa41850) to head (57be1ac).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #509      +/-   ##
==========================================
- Coverage   88.74%   88.61%   -0.13%     
==========================================
  Files         124      125       +1     
  Lines       13429    13589     +160     
==========================================
+ Hits        11917    12042     +125     
- Misses       1512     1547      +35     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Micro-Benchmark Results

Linux

group                          main                                   pr
-----                          ----                                   --
tarball/download_dependency    2.15     16.6±0.87ms   260.7 KB/sec    1.00      7.7±0.04ms   561.2 KB/sec

[github-actions]

Integrated-Benchmark Report (Linux)

Scenario: Frozen Lockfile

Command	Mean [s]	Min [s]	Max [s]	Relative
pacquet@HEAD	2.581 ± 0.071	2.485	2.684	1.03 ± 0.04
pacquet@main	2.518 ± 0.054	2.457	2.632	1.00
pnpm	5.995 ± 0.048	5.899	6.079	2.38 ± 0.05

BENCHMARK_REPORT.json

{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 2.5806202082,
      "stddev": 0.07065578774603276,
      "median": 2.5776692602000004,
      "user": 2.5991813,
      "system": 3.62475382,
      "min": 2.4846546132,
      "max": 2.6842233232,
      "times": [
        2.6842233232,
        2.6064455162000004,
        2.6586850652000003,
        2.5868357932,
        2.5685027272000003,
        2.4846546132,
        2.6583040652000003,
        2.5201087302,
        2.4991648122,
        2.5392774362000003
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 2.5175855858,
      "stddev": 0.05373506890081997,
      "median": 2.5025447487,
      "user": 2.5597214999999998,
      "system": 3.6027440200000003,
      "min": 2.4571449462,
      "max": 2.6320824402,
      "times": [
        2.4957729952000003,
        2.6320824402,
        2.4673295862,
        2.4700351282,
        2.4571449462,
        2.5471237702000002,
        2.5010011882,
        2.5040883092,
        2.5655932022,
        2.5356842922
      ]
    },
    {
      "command": "pnpm",
      "mean": 5.994663356,
      "stddev": 0.04788516921613567,
      "median": 5.9948375317,
      "user": 8.8138824,
      "system": 4.44169252,
      "min": 5.8989813402,
      "max": 6.0791939282,
      "times": [
        5.9983694342,
        6.0791939282,
        6.0379419432,
        5.991305629199999,
        5.9741910082,
        6.0128520872,
        6.0117730242,
        5.959244240199999,
        5.9827809252,
        5.8989813402
      ]
    }
  ]
}

Scenario: Frozen Lockfile (Hot Cache)

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
pacquet@HEAD	733.7 ± 33.1	686.5	798.3	1.00
pacquet@main	811.1 ± 84.1	733.4	970.4	1.11 ± 0.12
pnpm	2540.2 ± 83.7	2464.9	2755.0	3.46 ± 0.19

BENCHMARK_REPORT.json

{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 0.733705106,
      "stddev": 0.033090255721194235,
      "median": 0.7336583256,
      "user": 0.35596908,
      "system": 1.5952151,
      "min": 0.6864764236,
      "max": 0.7982619556,
      "times": [
        0.7982619556,
        0.7455641476,
        0.6864764236,
        0.7623704256,
        0.7448435986,
        0.7491618416,
        0.6972934666,
        0.7143031316,
        0.7163030166000001,
        0.7224730526
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 0.8110906594000001,
      "stddev": 0.08407172561111158,
      "median": 0.7807923571000001,
      "user": 0.36850958000000006,
      "system": 1.6070752,
      "min": 0.7334071856000001,
      "max": 0.9704252736000001,
      "times": [
        0.8269118736000001,
        0.7642652966000001,
        0.9704252736000001,
        0.8053658116000001,
        0.7851923696,
        0.7526558196,
        0.9522585546000001,
        0.7440320646,
        0.7763923446000001,
        0.7334071856000001
      ]
    },
    {
      "command": "pnpm",
      "mean": 2.5401923541,
      "stddev": 0.08374228169910679,
      "median": 2.5190563126,
      "user": 3.0961219800000004,
      "system": 2.2138629,
      "min": 2.4649271115999998,
      "max": 2.7549929046,
      "times": [
        2.5422945585999996,
        2.4684011596,
        2.5232573406,
        2.5723930746,
        2.5148552846,
        2.5146487356,
        2.4846814856,
        2.4649271115999998,
        2.5614718856,
        2.7549929046
      ]
    }
  ]
}