feat: introduce spiffe-rustls crate for rustls integration (#189)

Signed-off-by: Max Lambrecht <[email protected]>

Author: maxlambrecht

.github/workflows/ci.yml

@@ -62,8 +62,23 @@ jobs:
         with:
           shared-key: ${{ runner.os }}-cargo
 
-      - name: Build Rust project
-        run: cargo build --all-targets --all-features
+      - name: Build workspace (default features)
+        run: cargo build --workspace --all-targets
+
+      - name: Test workspace
+        run: cargo test --workspace
+
+      - name: Build spiffe-rustls (aws-lc-rs)
+        run: cargo build -p spiffe-rustls --no-default-features --features aws-lc-rs --all-targets
+
+      - name: Test spiffe-rustls (aws-lc-rs)
+        run: cargo test -p spiffe-rustls --no-default-features --features aws-lc-rs
+
+      - name: Build spiffe-rustls examples (tcp)
+        run: cargo build -p spiffe-rustls --features tcp-examples --examples
+
+      - name: Build spiffe-rustls examples (grpc)
+        run: cargo build -p spiffe-rustls --features grpc-examples --examples
 
       - name: Start SPIRE
         run: .github/workflows/scripts/run-spire.sh

Cargo.toml

@@ -2,5 +2,7 @@
 members = [
     "spiffe",
     "spire-api",
+    "spiffe-rustls",
 ]
+
 resolver = "2"

README.md

@@ -4,27 +4,45 @@
 [![Coverage](https://coveralls.io/repos/github/maxlambrecht/rust-spiffe/badge.svg?branch=main)](https://coveralls.io/github/maxlambrecht/rust-spiffe?branch=main)
 [![Docs](https://docs.rs/spiffe/badge.svg)](https://docs.rs/spiffe/)
 
-This repository contains two distinct Rust libraries focused on supporting SPIRE functionalities:
+This repository contains a set of Rust libraries focused on supporting SPIFFE and SPIRE
+functionality across different layers of the stack.
 
 ## [spiffe](./spiffe)
 
-The `spiffe` crate enables interaction with
-the [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md). It allows
-fetching of X.509 and JWT SVIDs, bundles, and supports watch/stream updates. The types in the library are in compliance
-with [SPIFFE standards](https://github.com/spiffe/spiffe/tree/main/standards). More about SPIFFE can be found
-at [spiffe.io](https://spiffe.io/).
+The `spiffe` crate enables interaction with the
+[SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md).
+It supports fetching X.509 and JWT SVIDs, trust bundles, and watch/stream updates.
 
-- [Read the README](./spiffe/README.md) for more information.
+The types and behaviors in this crate are compliant with
+[SPIFFE standards](https://github.com/spiffe/spiffe/tree/main/standards).
+More information about SPIFFE can be found at [spiffe.io](https://spiffe.io/).
+
+- [Read the README](./spiffe/README.md) for usage and API details.
 
 ## [spire-api](./spire-api)
 
-The `spire-api` crate provides support for SPIRE specific APIs, including the Delegated Identity API.
+The `spire-api` crate provides support for SPIRE-specific APIs, including the
+Delegated Identity API and related SPIRE extensions.
 
 - [Read the README](./spire-api/README.md) for more information.
 
+## [spiffe-rustls](./spiffe-rustls)
+
+The `spiffe-rustls` crate integrates SPIFFE identity with
+[`rustls`](https://crates.io/crates/rustls) using the `spiffe` crate’s `X509Source`
+(SPIRE Workload API).
+
+It provides builders for `rustls::ClientConfig` and `rustls::ServerConfig` backed by a
+live `X509Source`, enabling automatic use of rotated SVIDs and trust bundles in new TLS
+handshakes. The crate focuses on authentication and connection-level authorization via SPIFFE IDs, while
+delegating cryptography and TLS mechanics to `rustls`.
+
+- [Read the README](./spiffe-rustls/README.md) for details and examples.
+
 ## Getting Started
 
-Follow the links above to the individual README files for detailed information on how to use each library.
+Follow the links above to the individual README files for detailed information on how to
+use each library.
 
 ## License
 

spiffe-rustls/Cargo.toml

@@ -0,0 +1,105 @@
+[package]
+name = "spiffe-rustls"
+version = "0.1.0"
+edition = "2024"
+license = "Apache-2.0"
+description = "SPIFFE/SPIRE integration for rustls"
+repository = "https://github.com/maxlambrecht/rust-spiffe"
+readme = "README.md"
+keywords = ["spiffe", "spire", "rustls", "mtls", "tls"]
+categories = ["network-programming", "cryptography", "authentication"]
+
+# ----------------------------
+# Features
+# ----------------------------
+[features]
+default = ["ring"]
+
+# Crypto backend selection
+ring = ["rustls/ring"]
+aws-lc-rs = ["rustls/aws_lc_rs"]
+
+# Examples
+grpc-examples = [
+    "dep:tonic",
+    "dep:tonic-rustls",
+    "dep:tonic-prost",
+    "dep:prost",
+    "dep:prost-types",
+]
+tcp-examples = ["dep:tokio-rustls"]
+
+integration-tests = ["dep:tokio-rustls"]
+
+# ----------------------------
+# Library dependencies
+# ----------------------------
+[dependencies]
+spiffe = { version = "0.7.0", path = "../spiffe" }
+
+# rustls with std needed for builder APIs + Error impls
+rustls = { version = "0.23.35", default-features = false, features = ["std"] }
+
+# Minimal Tokio for the library itself
+tokio = { version = "1", default-features = false, features = ["rt", "sync"] }
+
+# Optional, enabled via ring/aws-lc-rs pull-in
+tokio-rustls = { version = "0.26.4", default-features = false, optional = true }
+
+log = "0.4"
+thiserror = "2"
+x509-parser = "0.18.0"
+tokio-util = "0.7.10"
+
+# gRPC stack, only when grpc-examples enabled
+tonic = { version = "0.14", optional = true, features = ["transport"] }
+tonic-rustls = { version = "0.3.0", optional = true }
+tonic-prost = { version = "0.14", optional = true }
+prost = { version = "0.14", optional = true }
+prost-types = { version = "0.14", optional = true }
+
+# ----------------------------
+# Build-time: proto generation
+# ----------------------------
+[build-dependencies]
+tonic-prost-build = "0.14"
+
+# ----------------------------
+# Dev deps (tests, examples)
+# ----------------------------
+[dev-dependencies]
+tokio = { version = "1", default-features = false, features = [
+    "macros",
+    "rt-multi-thread",
+    "signal",
+    "net",
+    "io-util",
+    "sync",
+] }
+
+anyhow = "1"
+env_logger = "0.11.8"
+
+# ----------------------------
+# Examples (feature-gated)
+# ----------------------------
+[[example]]
+name = "grpc_server_mtls"
+path = "examples/grpc_server_mtls.rs"
+required-features = ["grpc-examples"]
+
+[[example]]
+name = "grpc_client_mtls"
+path = "examples/grpc_client_mtls.rs"
+required-features = ["grpc-examples"]
+
+[[example]]
+name = "mtls_tcp_server"
+path = "examples/mtls_tcp_server.rs"
+required-features = ["tcp-examples"]
+
+[[example]]
+name = "mtls_tcp_client"
+path = "examples/mtls_tcp_client.rs"
+required-features = ["tcp-examples"]
+