rust-spiffe

Overview

This library provides functions to interact with the SPIFFE Workload API to fetch X.509 and JWT SVIDs and Bundles. It also provides types that comply with the SPIFFE standards.

Under development.

Examples

Create a WorkloadApiClient

Providing the endpoint socket path as parameter:

```rust
let client = WorkloadApiClient::new("unix:/tmp/spire-agent/api/public.sock")?;
```

Providing the endpoint socket path through the environment variable SPIFFE_ENDPOINT_SOCKET:

```rust
let client = WorkloadApiClient::default()?;
```

Fetching X.509 materials

```rust
// fetch the default X.509 SVID
let x509_svid: X509Svid = client.fetch_x509_svid()?;

// fetch a set of X.509 bundles (X.509 public key authorities)
let x509_bundles: X509BundleSet = client.fetch_x509_bundles()?;

// fetch all the X.509 materials (SVIDs and bundles)
let x509_context: X509Context = client.fetch_x509_context()?;

// get the X.509 chain of certificates from the SVID
let cert_chain: &Vec<Certificate> = x509_svid.cert_chain();

// get the private key from the SVID
let private_key: &PrivateKey = x509_svid.private_key();

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the X.509 bundle associated with the trust domain
let x509_bundle: &X509Bundle = x509_bundles.get_bundle(&trust_domain).unwrap();

// get the X.509 authorities (public keys) in the bundle
let x509_authorities: &Vec<Certificate> = x509_bundle.authorities();
```

Fetching JWT tokens and bundles and validating tokens

```rust
// parse the SPIFFE ID to request a token for
let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?;

// fetch a JWT token for the provided SPIFFE ID with the target audiences `audience1` and `audience2`
let jwt_token = client.fetch_jwt_token(&["audience1", "audience2"], Some(&spiffe_id))?;

// fetch the JWT token and parse it as a `JwtSvid`
let jwt_svid = client.fetch_jwt_svid(&["audience1", "audience2"], Some(&spiffe_id))?;

// fetch the set of JWT bundles (public keys for validating JWT tokens)
let jwt_bundles: JwtBundleSet = client.fetch_jwt_bundles()?;

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the JWT bundle associated with the trust domain
let jwt_bundle: &JwtBundle = jwt_bundles.get_bundle(&trust_domain).unwrap();

// look up a JWT authority (public key) in the bundle by its key ID (`a_key_id` is a placeholder)
let jwt_authority: &JwtAuthority = jwt_bundle.find_jwt_authority("a_key_id").unwrap();

// parse a `JwtSvid`, validating the token signature against the JWT bundle set
// and checking that the token carries the expected audiences
let validated_jwt_svid = JwtSvid::parse_and_validate(&jwt_token, &jwt_bundles, &["audience1", "audience2"])?;
```
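The `SpiffeId::try_from` and `TrustDomain::try_from` calls in both snippets only succeed for identifiers that meet the SPIFFE ID specification. As an added illustration of what that entails (example code, not the crate's own `SpiffeId` type), here is a stand-alone parser applying the specification's syntax rules: the scheme, the trust-domain character set and length, and the path-segment rules that reject empty, `.` and `..` segments.

```rust
// Added example, not the rust-spiffe crate's own `SpiffeId`: a stand-alone parser
// applying the syntax rules of the SPIFFE ID specification.
#[derive(Debug, PartialEq)]
pub struct SpiffeId {
    pub trust_domain: String,
    pub path: String, // empty, or starting with '/'
}

#[derive(Debug, PartialEq)]
pub enum SpiffeIdError {
    WrongScheme,
    MissingTrustDomain,
    TooLong,
    BadTrustDomainChar(char),
    BadPathSegment(String),
    BadPathChar(char),
}

pub fn parse_spiffe_id(id: &str) -> Result<SpiffeId, SpiffeIdError> {
    // The scheme is matched case-sensitively, so "SPIFFE://" is rejected.
    let rest = id.strip_prefix("spiffe://").ok_or(SpiffeIdError::WrongScheme)?;
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() {
        return Err(SpiffeIdError::MissingTrustDomain);
    }
    // Spec limits: 255 bytes for the trust domain, 2048 bytes for the whole ID.
    if td.len() > 255 || id.len() > 2048 {
        return Err(SpiffeIdError::TooLong);
    }
    // Trust domain: lowercase letters, digits, '.', '-' and '_' only; uppercase, ports and userinfo are rejected.
    let td_ok = |c: char| c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_');
    if let Some(c) = td.chars().find(|&c| !td_ok(c)) {
        return Err(SpiffeIdError::BadTrustDomainChar(c));
    }
    // Path segments: non-empty (so no trailing '/'), not "." or "..", letters/digits/'.'/'-'/'_' only.
    let path_ok = |c: char| c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_');
    for seg in path.split('/').skip(1) {
        if seg.is_empty() || seg == "." || seg == ".." {
            return Err(SpiffeIdError::BadPathSegment(seg.to_string()));
        }
        if let Some(c) = seg.chars().find(|&c| !path_ok(c)) {
            return Err(SpiffeIdError::BadPathChar(c));
        }
    }
    Ok(SpiffeId { trust_domain: td.to_string(), path: path.to_string() })
}
```

Rejecting `..` segments and a port or uppercase trust domain at parse time is what makes later comparisons of SPIFFE IDs against an allowlist safe: two IDs are equal only if they are byte-for-byte equal, so there is no normalization step for an attacker to slip through.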