§spiffe-rustls
spiffe-rustls integrates rustls with SPIFFE/SPIRE using a live
spiffe::X509Source (SPIFFE Workload API).
It provides builders for rustls::ClientConfig and
rustls::ServerConfig that are backed by an X509Source. When the SPIRE
agent rotates X.509 SVIDs or trust bundles, new TLS handshakes automatically
use the updated material, without restarting the application.
The crate focuses on TLS authentication and connection-level authorization
via SPIFFE IDs, while delegating all cryptography and TLS mechanics to
rustls.
§Quick example (client)

```rust
use spiffe_rustls::{ClientConfigBuilder, ClientConfigOptions};
use std::sync::Arc;

// Runs inside an async context that returns a Result, so `?` is available.

// Live X.509 SVID and trust bundle source backed by the SPIFFE Workload API.
let source = spiffe::X509Source::new().await?;

let opts = ClientConfigOptions {
    trust_domain: "example.org".try_into()?,
    // Connection-level authorization: accept only a server that presents
    // exactly this SPIFFE ID. Any other ID fails the handshake.
    authorize_server: Arc::new(|id: &str| {
        id == "spiffe://example.org/myservice"
    }),
};

// The builder pulls the current SVID and bundle from `source`; later
// rotations by the SPIRE agent are picked up by new handshakes.
let client_config = ClientConfigBuilder::new(source, opts)
    .build()
    .await?;
```

The resulting ClientConfig can be used directly with rustls or integrated
into higher-level libraries such as tokio-rustls or tonic-rustls.
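The authorize_server hook above compares the peer's SPIFFE ID against one literal, and the crate's authorize_exact and authorize_any helpers cover the other common cases. The following is an added example, not code from the crate, of a custom hook that admits every workload under a path prefix inside one trust domain while rejecting look-alike trust domains, partial segment matches and malformed IDs. The hook's shape (Arc<dyn Fn(&str) -> bool + Send + Sync>) is assumed from the quick example and is defined locally so the snippet builds without the crate.

```rust
use std::sync::Arc;

// Assumed shape of the crate's `AuthorizeSpiffeId` hook, declared locally
// so this example compiles on its own.
type AuthorizeHook = Arc<dyn Fn(&str) -> bool + Send + Sync>;

/// Split a SPIFFE ID into (trust_domain, path). Returns None for anything
/// that is not `spiffe://<trust-domain>/<path>`, so malformed IDs are never
/// authorized by accident.
fn parse_spiffe_id(id: &str) -> Option<(&str, &str)> {
    let rest = id.strip_prefix("spiffe://")?;
    let (td, path) = rest.split_once('/')?;
    // Trust domains are lowercase; reject empty parts so "spiffe://td/"
    // cannot match every prefix.
    if td.is_empty() || path.is_empty() || td.chars().any(|c| c.is_ascii_uppercase()) {
        return None;
    }
    Some((td, path))
}

/// Build a hook that accepts only IDs in `trust_domain` whose path lies
/// strictly under `path_prefix`. The comparison is per path segment, so a
/// prefix of "/ns/prod" does not admit "/ns/production/...".
fn authorize_under(trust_domain: &str, path_prefix: &str) -> AuthorizeHook {
    let td = trust_domain.to_owned();
    let prefix = path_prefix.trim_matches('/').to_owned();
    Arc::new(move |id: &str| match parse_spiffe_id(id) {
        Some((d, path)) if d == td => {
            let want: Vec<&str> = prefix.split('/').collect();
            let got: Vec<&str> = path.split('/').collect();
            // Empty, "." and ".." segments are not valid SPIFFE path segments.
            let well_formed = !got.iter().any(|s| s.is_empty() || *s == "." || *s == "..");
            well_formed && got.len() > want.len() && got.starts_with(&want)
        }
        _ => false,
    })
}

fn main() {
    let hook = authorize_under("example.org", "/ns/prod");
    for id in [
        "spiffe://example.org/ns/prod/api",        // accepted
        "spiffe://example.org/ns/production/api",  // rejected: different segment
        "spiffe://example.org.evil/ns/prod/api",   // rejected: other trust domain
        "spiffe://example.org/ns/prod",            // rejected: the prefix node itself
        "not-a-spiffe-id",                         // rejected: malformed
    ] {
        println!("{id}: {}", hook(id));
    }
}
```

Such a hook is passed where the page's quick example passes its closure; server-side options use the same hook shape.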
§Feature flags
Exactly one rustls crypto provider must be enabled:
- ring (default)
- aws-lc-rs
Enabling more than one provider results in a compile-time error.
Structs§
- ClientConfigBuilder - Builds a rustls::ClientConfig backed by a live SPIFFE X509Source.
- ClientConfigOptions - Configuration options for ClientConfigBuilder.
- ServerConfigBuilder - Builds a rustls::ServerConfig backed by a live SPIFFE X509Source.
- ServerConfigOptions - Configuration options for ServerConfigBuilder.
Enums§
- Error - Errors returned by spiffe-rustls.
Functions§
- authorize_any - Returns an authorization hook that accepts any SPIFFE ID.
- authorize_exact - Returns an authorization hook that only accepts the given SPIFFE IDs.
Type Aliases§
- AuthorizeSpiffeId - Authorization hook for peer SPIFFE IDs.
- Result - Result type used by this crate.