Module spiffe


SPIFFE (Secure Production Identity Framework for Everyone) implementation.

Provides SPIFFE ID parsing/validation and SVID (SPIFFE Verifiable Identity Document) verification for both X.509-SVID and JWT-SVID formats.

§Architecture

  • SPIFFE ID — a URI of the form spiffe://<trust-domain>/<workload-path>
  • X.509-SVID — a SPIFFE identity bound to an X.509 certificate
  • JWT-SVID — a SPIFFE identity bound to a JWT
  • Trust Bundle — a set of CA certificates for a trust domain

§References

Structs§

AttestationEvidence
Attestation evidence provided by a workload to prove its identity.
AttestationResult
The result of a successful workload attestation.
FederatedBundle
A federated trust bundle containing CA certificates for a remote trust domain.
FederatedTrustBundleManager
Manages federated trust bundles across trust domains.
JwtSvidClaims
JWT-SVID claims.
RegistrationEntry
A SPIRE registration entry that maps selectors to SPIFFE IDs.
RegistrationStore
In-memory registration entry store for SPIRE-style workload attestation.
SpiffeAuthzPolicy
Authorization policy entry for SPIFFE workloads.
SpiffeId
A parsed and validated SPIFFE ID.
SpiffeTrustManager
SPIFFE Trust Manager: maintains trust bundles and validates SVIDs.
ValidatedJwtSvid
JWT-SVID validation result.
WorkloadApiClient
A Workload API client that manages SVID lifecycle.
WorkloadApiConfig
Configuration for the SPIFFE Workload API client.
WorkloadSelector
A selector that identifies a workload property (used in SPIRE registration entries).
X509SvidInfo
Parsed X.509-SVID metadata (from certificate fields).

Enums§

SvidResponse
SVID type returned by the Workload API.

Functions§

extract_spiffe_id_from_der
Extract and validate a SPIFFE ID from DER-encoded certificate bytes.
validate_jwt_svid
Validate a JWT-SVID token (structural + expiration + audience check).