est-ca 0.2.0

RFC 7030 Enrollment over Secure Transport (EST) — client, server, and an internal X.509 CA in pure Rust.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64

//! # est-ca — RFC 7030 EST + internal X.509 CA, in pure Rust.
//!
//! This crate packages three things commonly needed together when
//! running an internal PKI that issues short-lived client certificates
//! to programmatic callers (devices, services, tenants, CI runners):
//!
//! 1. **An internal X.509 CA** (`ca` feature) — load a signing key+cert,
//!    apply a strict profile, and issue leaves from PKCS#10 CSRs using
//!    [`rcgen`](https://docs.rs/rcgen).
//! 2. **An [EST](https://datatracker.ietf.org/doc/html/rfc7030) server**
//!    (`server` feature) — `axum` handlers for `/cacerts`,
//!    `/simpleenroll`, and `/simplereenroll`, with pluggable auth via
//!    [`auth::AuthBackend`].
//! 3. **An EST client** (`client` feature, default) — generate a CSR and
//!    enroll via `POST /simpleenroll`; renew via `/simplereenroll` over
//!    mTLS.
//!
//! PKCS#7/CMS encoding and decoding (EST's wire format) live in [`cms`]
//! and are always compiled in.
//!
//! # Feature flags
//!
//! | Feature | Purpose                                           | Pulls in                         |
//! |---------|---------------------------------------------------|----------------------------------|
//! | `client` | EST client (default)                             | `rcgen`, `reqwest`, `base64`     |
//! | `server` | EST server handlers (implies `ca`)               | `axum`, `tokio`                  |
//! | `ca`     | Internal CA primitives (issuer, profile, serial) | `rcgen`, `rand`, `parking_lot`   |
//! | `full`   | All of the above                                 | —                                |
//!
//! # Transport
//!
//! RFC 7030 mandates TLS. This crate provides the *protocol* layer only
//! — the consumer is responsible for putting a TLS listener in front of
//! the [`est::server::EstServer`] router and, for `/simplereenroll`,
//! configuring client-cert verification and forwarding the verified CN
//! to the handler via the `x-est-principal` request header.
//!
//! # Non-goals
//!
//! - Public-web CA compliance (CA/B Forum Baseline Requirements, WebTrust
//!   audit criteria). This crate targets internal PKI.
//! - CRL or OCSP publication. Short-lived certificates are the intended
//!   revocation story.
//! - EST's optional endpoints (`/fullcmc`, `/serverkeygen`, `/csrattrs`).
//!   Only the three mandatory endpoints from RFC 7030 §4.1–§4.2 are
//!   implemented.

#![warn(missing_docs)]
#![cfg_attr(docsrs, feature(doc_cfg))]
#![cfg_attr(docsrs, feature(doc_auto_cfg))]

pub mod cms;
pub mod error;

#[cfg(feature = "ca")]
pub mod ca;

#[cfg(any(feature = "client", feature = "server"))]
pub mod auth;

#[cfg(any(feature = "client", feature = "server"))]
pub mod est;

pub use error::{Error, Result};