Conversation

@maxlambrecht (Owner)

This PR refactors spiffe-rustls to align with spiffe 0.8.0 and to simplify the library’s public surface while improving internal correctness and performance under rotation.

What changed

  • Update to spiffe 0.8.0

    • Bumps the dependency in spiffe-rustls and spiffe-rustls-grpc-examples.
    • Updates integrations to match the new spiffe APIs (notably the X509Source usage and return types).
  • Client/Server builders are now synchronous

    • ClientConfigBuilder::build() and ServerConfigBuilder::build() are now fn build(self) -> Result<_>.
    • This removes the .await requirement in examples and tests and better reflects the fact that building the rustls::*Config is fundamentally a synchronous operation (the config remains backed by a live X509Source for rotation).
  • Material watcher initialization is synchronous and explicit about runtime requirements

    • MaterialWatcher::new(...) is now synchronous and uses tokio::runtime::Handle::try_current() to spawn the update task.
    • If called outside a Tokio runtime, it returns a clear internal error (“no Tokio runtime available”).
  • Material pipeline cleanup

    • Replaces Vec<Vec<u8>> plumbing with rustls::pki_types::CertificateDer and helper constructors (certs_from_der_bytes, cert_chain_from_der_bytes).
    • Renames material helpers to better reflect their inputs (roots_from_certs, certified_key_from_chain_and_key).
    • Adds a generation counter to MaterialSnapshot to support cache invalidation.
  • Verifier refactor: decouple, document, and cache

    • Introduces MaterialProvider (replacing the previous “roots-only” abstraction) to allow verifiers to read both roots and generation.
    • Adds per-generation caching of WebPki*Verifier instances to avoid rebuilding verifiers on every handshake while still supporting trust bundle rotation.
    • Improves internal docs and test coverage (including a cache-by-generation test).
  • Crate hygiene improvements

    • Enables #![deny(missing_docs)], #![deny(unsafe_code)], and clippy (including pedantic), with targeted allows.
    • Adds Debug implementations for option structs that avoid printing authorization function internals.
    • Reorders the [features] section in Cargo.toml (no functional change).

User-facing impact

  • Breaking API change: build() is no longer async. Downstream code must remove .await from builder usage.
  • Runtime expectation is clearer: creating TLS configs requires being inside a Tokio runtime due to the background rotation watcher.
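The "cache verifiers by generation" idea from the verifier refactor above, as an added illustration that is not spiffe-rustls' own code: `MaterialSnapshot` and `MaterialProvider` are names taken from the PR description, but their exact shape here (a `snapshot()` method, plain DER byte vectors standing in for `CertificateDer`, the `RotatingSource`, `BuiltVerifier` and `CachingVerifier` types, and the build counter) is assumed for the example. It shows the property the PR's cache-by-generation test is meant to pin down: handshakes reuse one built verifier until the trust bundle rotates, and a rotation (generation bump) forces exactly one rebuild.

```rust
use std::sync::{Arc, Mutex, RwLock};

/// Trust material published by a rotating source: root CAs (DER bytes here,
/// standing in for rustls::pki_types::CertificateDer) plus a generation
/// counter that is bumped on every rotation. Assumed shape for this example.
#[derive(Clone, Debug)]
pub struct MaterialSnapshot {
    pub roots: Vec<Vec<u8>>,
    pub generation: u64,
}

/// Anything a verifier can read both roots and generation from.
/// Hypothetical trait; the real crate's interface may differ.
pub trait MaterialProvider {
    fn snapshot(&self) -> MaterialSnapshot;
}

/// A source whose bundle can be swapped at runtime (stand-in for a live X509Source).
pub struct RotatingSource {
    inner: RwLock<MaterialSnapshot>,
}

impl RotatingSource {
    pub fn new(roots: Vec<Vec<u8>>) -> Self {
        Self { inner: RwLock::new(MaterialSnapshot { roots, generation: 1 }) }
    }

    /// Replace the root set and bump the generation so caches invalidate.
    pub fn rotate(&self, roots: Vec<Vec<u8>>) {
        let mut snap = self.inner.write().unwrap();
        snap.roots = roots;
        snap.generation += 1;
    }
}

impl MaterialProvider for RotatingSource {
    fn snapshot(&self) -> MaterialSnapshot {
        (*self.inner.read().unwrap()).clone()
    }
}

/// Stand-in for a built WebPki verifier: construction is the expensive step
/// we want to avoid repeating on every handshake.
#[derive(Debug)]
pub struct BuiltVerifier {
    pub generation: u64,
    pub root_count: usize,
}

/// Wrapper that rebuilds the inner verifier only when the provider's
/// generation differs from the cached one.
pub struct CachingVerifier<P: MaterialProvider> {
    provider: Arc<P>,
    cache: Mutex<Option<Arc<BuiltVerifier>>>,
    builds: Mutex<u64>,
}

impl<P: MaterialProvider> CachingVerifier<P> {
    pub fn new(provider: Arc<P>) -> Self {
        Self { provider, cache: Mutex::new(None), builds: Mutex::new(0) }
    }

    /// Called once per handshake: cheap when the generation is unchanged,
    /// a single rebuild right after a rotation.
    pub fn current(&self) -> Arc<BuiltVerifier> {
        let snap = self.provider.snapshot();
        let mut cache = self.cache.lock().unwrap();
        if let Some(cached) = cache.as_ref() {
            if cached.generation == snap.generation {
                return Arc::clone(cached);
            }
        }
        // Generation changed (or first use): build against the current roots.
        let built = Arc::new(BuiltVerifier {
            generation: snap.generation,
            root_count: snap.roots.len(),
        });
        *self.builds.lock().unwrap() += 1;
        *cache = Some(Arc::clone(&built));
        built
    }

    /// Number of verifier constructions so far (what the cache test checks).
    pub fn build_count(&self) -> u64 {
        *self.builds.lock().unwrap()
    }
}

fn main() {
    // Constructed sample "DER" roots; real roots would be parsed certificates.
    let source = Arc::new(RotatingSource::new(vec![vec![0x30, 0x01]]));
    let verifier = CachingVerifier::new(Arc::clone(&source));
    for _ in 0..3 {
        verifier.current(); // three handshakes, one build
    }
    source.rotate(vec![vec![0x30, 0x01], vec![0x30, 0x02]]);
    let v = verifier.current(); // rotation forces exactly one rebuild
    println!("generation {} roots {} builds {}", v.generation, v.root_count, verifier.build_count());
}
```

The design point is that the generation counter, not a comparison of the root set, drives invalidation: the per-handshake check is an integer compare under a short lock, and the watcher only has to bump the counter when it publishes a new snapshot.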

@maxlambrecht maxlambrecht merged commit 67013e0 into main Dec 26, 2025
4 checks passed