PEM and private-key parsing utilities for RA-TLS (Remote Attestation TLS) certificate handling with rustls.
ra-tls-parse removes the rustls-pemfile boilerplate that appears in every RA-TLS server and client setup. It exposes three focused public functions:
| Function | What it does |
|---|---|
| parse_private_key | Parse a PEM key (PKCS#8, SEC1/EC, or PKCS#1/RSA) into a PrivateKeyDer |
| parse_certificates | Parse a PEM cert chain into Vec<CertificateDer> |
| build_root_store | Build a rustls::RootCertStore using the last cert in a chain as the trust anchor |
Use this crate when you are setting up a rustls TLS stack for an RA-TLS workload, specifically when:
- Your server presents a self-signed X.509 certificate with a TDX (or other TEE) attestation quote embedded in a custom extension.
- Your client needs to verify that certificate against a known CA cert (e.g. the dstack KMS CA).
- You want a single-function call instead of manually iterating rustls_pemfile::read_all.
```toml
[dependencies]
ra-tls-parse = "0.1"
```

Or with cargo add:

```sh
cargo add ra-tls-parse
```

```rust
use ra_tls_parse::{parse_certificates, parse_private_key, build_root_store};

fn main() -> anyhow::Result<()> {
    // Load PEM files from disk (e.g. generated by dstack KMS or rcgen in tests).
    let key_pem = std::fs::read_to_string("server.key")?;
    let cert_pem = std::fs::read_to_string("server.crt")?;

    // Parse the private key (PKCS#8, SEC1, or PKCS#1 — auto-detected).
    let key = parse_private_key(&key_pem)?;

    // Parse the certificate chain (leaf first, CA last).
    let certs = parse_certificates(&cert_pem)?;

    // Build a RootCertStore that trusts the CA at the end of the chain.
    let root_store = build_root_store(&certs)?;

    // Pass key, certs, and root_store into your rustls ServerConfig / ClientConfig.
    let _ = (key, certs, root_store);
    Ok(())
}
```

This library is a companion to ra-tls-proxy, which provides a full RA-TLS reverse-proxy sidecar built on top of these primitives.
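To make the three operations in the function table concrete, here is an added, std-only illustration of what parse_private_key, parse_certificates and build_root_store have to get right: PEM armor parsing, key-format detection from the block label (PKCS#8 "PRIVATE KEY", SEC1 "EC PRIVATE KEY", PKCS#1 "RSA PRIVATE KEY"), leaf-first ordering of the chain, and choosing the last certificate as the trust anchor. This is example code written for this README, not the crate's own implementation (the crate delegates to rustls-pemfile and returns rustls types); the function names parse_pem_blocks, trust_anchor and KeyFormat, and the PEM sample with throwaway base64 bodies, are constructed for the example. It returns raw DER bytes instead of PrivateKeyDer / CertificateDer so it runs without dependencies.

```rust
// Added example, not ra-tls-parse's own code: a dependency-free sketch of the
// crate's three operations. Real deployments should use the crate (and thus
// rustls-pemfile) rather than this hand-rolled parser.

/// Key encodings the crate accepts, inferred from the PEM label.
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KeyFormat {
    Pkcs8, // "PRIVATE KEY"
    Sec1,  // "EC PRIVATE KEY"
    Pkcs1, // "RSA PRIVATE KEY"
}

#[derive(Debug, PartialEq, Eq)]
pub struct PemBlock {
    pub label: String,
    pub der: Vec<u8>,
}

/// Minimal standard-base64 decoder (padding optional); None on a bad character.
fn base64_decode(text: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8; 64] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in text.bytes().filter(|b| !b.is_ascii_whitespace()) {
        if c == b'=' {
            break;
        }
        let v = ALPHABET.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((acc >> bits) & 0xff) as u8);
            acc &= (1u32 << bits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}

/// Split a PEM document into (label, DER) blocks in file order, rejecting
/// unterminated or mismatched armor lines.
pub fn parse_pem_blocks(pem: &str) -> Result<Vec<PemBlock>, String> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None;
    for line in pem.lines().map(str::trim) {
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            if current.is_some() {
                return Err("nested BEGIN line".to_string());
            }
            current = Some((label.to_string(), String::new()));
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|l| l.strip_suffix("-----")) {
            let (open_label, body) = current.take().ok_or("END without BEGIN")?;
            if open_label != label {
                return Err(format!("label mismatch: BEGIN {} / END {}", open_label, label));
            }
            let der = base64_decode(&body).ok_or("invalid base64 in PEM body")?;
            blocks.push(PemBlock { label: open_label, der });
        } else if let Some((_, body)) = current.as_mut() {
            body.push_str(line);
        }
    }
    if current.is_some() {
        return Err("unterminated PEM block".to_string());
    }
    Ok(blocks)
}

/// Counterpart of parse_private_key: the first key block wins, format auto-detected.
pub fn parse_private_key(pem: &str) -> Result<(KeyFormat, Vec<u8>), String> {
    for b in parse_pem_blocks(pem)? {
        let fmt = match b.label.as_str() {
            "PRIVATE KEY" => KeyFormat::Pkcs8,
            "EC PRIVATE KEY" => KeyFormat::Sec1,
            "RSA PRIVATE KEY" => KeyFormat::Pkcs1,
            _ => continue, // skip certificates and unrelated blocks
        };
        return Ok((fmt, b.der));
    }
    Err("no private key found in PEM input".to_string())
}

/// Counterpart of parse_certificates: every CERTIFICATE block, leaf first.
pub fn parse_certificates(pem: &str) -> Result<Vec<Vec<u8>>, String> {
    let certs: Vec<Vec<u8>> = parse_pem_blocks(pem)?
        .into_iter()
        .filter(|b| b.label == "CERTIFICATE")
        .map(|b| b.der)
        .collect();
    if certs.is_empty() {
        return Err("no certificates found in PEM input".to_string());
    }
    Ok(certs)
}

/// Counterpart of build_root_store: the last certificate in the chain is the anchor.
pub fn trust_anchor(chain: &[Vec<u8>]) -> Result<&[u8], String> {
    chain.last().map(|c| c.as_slice()).ok_or_else(|| "empty certificate chain".to_string())
}

/// Constructed sample: an EC key plus a leaf and a CA cert. The base64 bodies are
/// placeholder bytes, not real DER, so only the parsing logic is exercised.
pub const SAMPLE_PEM: &str = "-----BEGIN EC PRIVATE KEY-----\nAQID\n-----END EC PRIVATE KEY-----\n\
-----BEGIN CERTIFICATE-----\nBAUG\n-----END CERTIFICATE-----\n\
-----BEGIN CERTIFICATE-----\nBwgJ\n-----END CERTIFICATE-----\n";

fn main() {
    let (fmt, key) = parse_private_key(SAMPLE_PEM).expect("key");
    let certs = parse_certificates(SAMPLE_PEM).expect("certs");
    let anchor = trust_anchor(&certs).expect("anchor");
    println!("key format {:?} ({} bytes), {} certs, anchor {:?}", fmt, key.len(), certs.len(), anchor);
}
```

The ordering rule matters more than it looks: if a deployment writes the CA before the leaf, the anchor chosen by the last-cert rule is the leaf itself, and the client would then only accept that exact certificate rather than anything the KMS CA signs.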
Apache-2.0. See LICENSE.