packages/ak-common/tls: init (#21262)

Squashed commit of the following:

commit e1e6316
Merge: dec4bcd 095d38c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:13:10 2026 +0200

    Merge branch 'rust-config' into rust-lib-tls

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 095d38c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:11:52 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 7eb07d5
Merge: cb1f86b 507eb2f
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:11:08 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 507eb2f
Merge: 6968d59 0079984
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:10:37 2026 +0200

    Merge branch 'rust-lib-rename' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 0079984
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 17:08:07 2026 +0200

    packages/ak-common: rename from ak-lib

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit dec4bcd
Merge: b84b263 a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:54:07 2026 +0200

    Merge branch 'fix-rustfmt-config' into rust-lib-tls

commit cb1f86b
Merge: c8fa1b8 a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:53:19 2026 +0200

    Merge branch 'fix-rustfmt-config' into rust-config

commit 6968d59
Merge: 341c9cc a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:52:55 2026 +0200

    Merge branch 'fix-rustfmt-config' into rust-arbiter

commit a3fea5d
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Wed Apr 1 16:32:16 2026 +0200

    root: fix rustfmt config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit b84b263
Merge: 09d3b7d c8fa1b8
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Tue Mar 31 13:56:53 2026 +0200

    Merge branch 'rust-config' into rust-lib-tls

commit c8fa1b8
Merge: 48c833c 341c9cc
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Tue Mar 31 13:56:39 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 341c9cc
Merge: a1cf0a7 55e555c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Tue Mar 31 13:55:28 2026 +0200

    Merge branch 'main' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 09d3b7d
Merge: 73c449c 48c833c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:31:11 2026 +0200

    Merge branch 'rust-config' into rust-lib-tls

commit 48c833c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:31:04 2026 +0200

    lint

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 73c449c
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:28:30 2026 +0200

    packages/ak-lib/tls: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 681117d
Merge: 4c54511 a1cf0a7
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:03:49 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit a1cf0a7
Merge: 1ee6f11 524b788
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 20:03:01 2026 +0200

    Merge branch 'rust-lib' into rust-arbiter

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 524b788
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:57:51 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit dc65ab1
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:33:49 2026 +0200

    packages/ak-lib: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 4c54511
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:52:55 2026 +0200

    move into lib crate

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit d7141df
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:48:34 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 2bab7ed
Merge: 2bc79f1 1ee6f11
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:43:24 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

commit 1ee6f11
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:43:21 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 2bc79f1
Merge: e7d3704 27ff039
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:42:58 2026 +0200

    Merge branch 'rust-arbiter' into rust-config

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 27ff039
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:40:37 2026 +0200

    rename to ak-lib

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit e7d3704
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:32:59 2026 +0200

    packages/ak-config: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 1e5cb4b
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 19:32:18 2026 +0200

    sort out package versions

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 64b9391
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 17:49:16 2026 +0200

    lint

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 57edeec
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 17:48:51 2026 +0200

    add tests

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit 5294f8a
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:38:11 2026 +0200

    fixup

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

commit f1257d2
Author: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Date:   Mon Mar 30 16:33:49 2026 +0200

    packages/ak-arbiter: init

    Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

Author: rissson

Cargo.lock

@@ -16,12 +16,14 @@ proxy = []
 
 [dependencies]
 arc-swap.workspace = true
+aws-lc-rs.workspace = true
 axum-server.workspace = true
 config-rs.workspace = true
 eyre.workspace = true
 glob.workspace = true
 notify.workspace = true
 pin-project-lite.workspace = true
+rustls.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
@@ -36,3 +38,6 @@ tempfile.workspace = true
 
 [lints]
 workspace = true
+
+[package.metadata.cargo-machete]
+ignored = ["aws-lc-rs"]

packages/ak-common/Cargo.toml

@@ -5,6 +5,7 @@ pub use arbiter::{Arbiter, Event, Tasks};
 pub mod config;
 pub mod mode;
 pub use mode::Mode;
+pub mod tls;
 pub mod tokio;
 
 pub const VERSION: &str = env!("CARGO_PKG_VERSION");

packages/ak-common/src/lib.rs

@@ -0,0 +1,64 @@
+//! TLS utilities
+use std::sync::Arc;
+
+use eyre::{Result, eyre};
+use rustls::server::ResolvesServerCert;
+
+use crate::config;
+
+/// Dummy resolver for FIPS compliance check.
+#[derive(Debug)]
+struct EmptyCertResolver;
+
+#[expect(
+    clippy::missing_trait_methods,
+    reason = "this is just a dummy implementation to check FIPS compliance"
+)]
+impl ResolvesServerCert for EmptyCertResolver {
+    fn resolve(
+        &self,
+        _client_hello: rustls::server::ClientHello<'_>,
+    ) -> Option<Arc<rustls::sign::CertifiedKey>> {
+        None
+    }
+}
+
+/// Check if fips is enabled.
+fn is_fips_enabled() -> bool {
+    rustls::client::ClientConfig::builder()
+        .with_root_certificates(rustls::RootCertStore::empty())
+        .with_no_client_auth()
+        .fips()
+        && rustls::server::ServerConfig::builder()
+            .with_no_client_auth()
+            .with_cert_resolver(Arc::new(EmptyCertResolver {}))
+            .fips()
+}
+
+/// Initialize default [`rustls`] crypto provider, and check that FIPS is working correctly.
+pub fn init() -> Result<()> {
+    #[expect(
+        clippy::unwrap_in_result,
+        reason = "result type does not implement Error"
+    )]
+    rustls::crypto::aws_lc_rs::default_provider()
+        .install_default()
+        .expect("Failed to install rustls provider");
+
+    if config::get().compliance.fips.enabled && !is_fips_enabled() {
+        return Err(eyre!("A non fips crypto provider was installed"));
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    #[test]
+    fn init() {
+        crate::config::init().expect("failed to initialize config");
+
+        super::init().expect("failed to initialized rustls");
+        assert!(super::is_fips_enabled());
+    }
+}