Skip to main content

MtlsIdentity

stakpak_shared::cert_utils

Struct MtlsIdentity

pub struct MtlsIdentity { /* private fields */ }

Expand description

A single-sided mTLS identity: a CA that signs one leaf certificate.

Each side of the mTLS connection generates its own MtlsIdentity. Only the CA certificate (public) is shared with the peer — private keys never leave the process that generated them.

Host (client)                         Container (server)
─────────────────                     ─────────────────────
MtlsIdentity::generate_client()       MtlsIdentity::generate_server()
  ├─ client CA cert  ──────────────►  trusted by server (verifies client)
  ├─ client leaf cert (in memory)     ├─ server CA cert  ◄── output to stdout
  └─ client leaf key (in memory)      ├─ server leaf cert (in memory)
                                      └─ server leaf key (in memory)

host trusts server CA cert ◄──────── parsed from stdout

Implementations§

impl MtlsIdentity

pub fn generate_client() -> Result<Self>

Generate a client identity (CA + client leaf cert).

pub fn generate_server() -> Result<Self>

Generate a server identity (CA + server leaf cert with localhost SANs).

pub fn ca_cert_pem(&self) -> Result<String>

Get the CA certificate PEM (public, safe to share with the peer).

pub fn create_server_config( &self, trusted_client_ca_pem: &str, ) -> Result<ServerConfig>

Build a rustls::ServerConfig that serves with this identity’s leaf cert and trusts the given client CA PEM for client authentication.

pub fn create_client_config( &self, trusted_server_ca_pem: &str, ) -> Result<ClientConfig>

Build a rustls::ClientConfig that authenticates with this identity’s leaf cert and trusts the given server CA PEM.

Trait Implementations§

impl Debug for MtlsIdentity

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

impl Freeze for MtlsIdentity

impl !RefUnwindSafe for MtlsIdentity

impl Send for MtlsIdentity

impl Sync for MtlsIdentity

impl Unpin for MtlsIdentity

impl UnsafeUnpin for MtlsIdentity

impl !UnwindSafe for MtlsIdentity

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more