# spiffe-rs
[crates.io](https://crates.io/crates/spiffe-rs)
`spiffe-rs` is a Rust port of the `spiffe-go` library, and all credit for the
design, API surface, and semantics belongs to the original `spiffe-go`
maintainers and contributors. This repository is an automated port: the current
codebase was generated by an agent that translated `spiffe-go` into Rust and
wired the APIs to match the Go surface.
It provides core SPIFFE types and helpers for working with SPIFFE IDs, bundles,
and SVIDs, plus Workload API and SPIFFE TLS helpers.
## What It Includes
- SPIFFE ID parsing, validation, and matchers.
- X.509 and JWT bundle parsing/manipulation.
- X.509 and JWT SVID parsing/verification helpers.
- Workload API client scaffolding with streaming watch support.
- SPIFFE TLS helpers on rustls (dial/listen, modes, authorizers).
- Federation helpers (bundle fetch, watch, and handler).
## Examples
See `examples/README.md` for full standalone examples that mirror the go-spiffe examples.
Parse and validate a SPIFFE ID:
```rust
use spiffe_rs::spiffeid;

fn main() {
    // require_from_string mirrors Go's RequireFromString: it panics if the
    // string is not a valid SPIFFE ID, so it is meant for known-good constants.
    let id = spiffeid::require_from_string("spiffe://example.org/service");
    assert_eq!(id.trust_domain().to_string(), "example.org");
}
```
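To show what "validation" means for a SPIFFE ID, here is an added, self-contained validator that implements the rules of the SPIFFE ID specification (scheme, lowercase trust domain, non-empty path segments without `.`/`..`, no trailing slash, 2048-byte limit). It is example code written for this README, independent of `spiffe-rs`, and `SpiffeId`/`parse_spiffe_id` are names chosen here, not crate APIs.

```rust
// Added example: a minimal SPIFFE ID parser/validator following the SPIFFE ID
// specification. Independent of spiffe-rs; the names below are this example's own.
#[derive(Debug, PartialEq)]
pub struct SpiffeId {
    pub trust_domain: String,
    pub path: String, // empty, or starts with '/'
}

// Trust domain: lowercase letters, digits, '.', '-', '_'.
fn td_char_ok(c: u8) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, b'.' | b'-' | b'_')
}

// Path segment: letters (any case), digits, '.', '-', '_'.
fn path_char_ok(c: u8) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, b'.' | b'-' | b'_')
}

pub fn parse_spiffe_id(s: &str) -> Result<SpiffeId, &'static str> {
    if s.len() > 2048 {
        return Err("id longer than 2048 bytes");
    }
    let rest = s.strip_prefix("spiffe://").ok_or("missing spiffe:// scheme")?;
    // Split trust domain from path at the first '/', which is ASCII so slicing is safe.
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() {
        return Err("empty trust domain");
    }
    if !td.bytes().all(td_char_ok) {
        return Err("trust domain has an invalid character");
    }
    if !path.is_empty() {
        if path.ends_with('/') {
            return Err("path has a trailing slash");
        }
        for seg in path[1..].split('/') {
            match seg {
                "" => return Err("path has an empty segment"),
                "." | ".." => return Err("path has a dot segment"),
                _ if !seg.bytes().all(path_char_ok) => return Err("path has an invalid character"),
                _ => {}
            }
        }
    }
    Ok(SpiffeId { trust_domain: td.to_string(), path: path.to_string() })
}
```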
Parse an X.509 SVID from PEM:
```rust
use spiffe_rs::svid::x509svid;

fn main() {
    // Certificate chain and private key, both PEM-encoded, as shipped in the test data.
    let cert_pem = std::fs::read("tests/testdata/x509svid/good-cert-and-key.pem").unwrap();
    let key_pem = std::fs::read("tests/testdata/x509svid/key-pkcs8-rsa.pem").unwrap();
    // Parsing fails if the key does not match the leaf certificate or the
    // certificate does not carry a SPIFFE ID URI SAN.
    let svid = x509svid::SVID::parse(&cert_pem, &key_pem).unwrap();
    assert!(svid.id.to_string().starts_with("spiffe://"));
}
```
Fetch a bundle from an HTTP endpoint:
```rust
use spiffe_rs::federation;
use spiffe_rs::spiffeid;

fn main() {
    // The trust domain the fetched bundle is expected to belong to.
    let trust_domain = spiffeid::require_trust_domain_from_string("domain.test");
    // Fetch the bundle from the endpoint; see Go's federation.FetchBundle for option semantics.
    let bundle = federation::fetch_bundle(trust_domain, "http://localhost:8080/bundle", &[]).unwrap();
    let _ = bundle;
}
```
## Feature Matrix (vs spiffe-go)
| Feature | spiffe-go | spiffe-rs |
|---|---|---|
| SPIFFE ID parsing/validation/matchers | Yes | Yes |
| X.509 bundle parsing & set | Yes | Yes |
| JWT bundle parsing & set | Yes | Yes |
| X.509 SVID parse/verify | Yes | Yes |
| JWT SVID parse/verify | Yes | Yes |
| Workload API client | Yes | Yes |
| Workload API sources (X509/JWT/Bundle) | Yes | Yes |
| Workload API watch/backoff | Yes | Yes |
| SPIFFE TLS helpers | Yes | Yes |
| Federation fetch/watch/handler | Yes | Yes |
## Status
The goal is feature parity with `spiffe-go`. If you find a mismatch or missing
capability, please open an issue with the expected Go behavior and a minimal
repro.
Interoperability with Go is exercised via optional compatibility tests (enabled
with `SPIFFE_RS_GO_COMPAT=1`). These include JSON bundle parity, Workload API
interop against a Go server, and SPIFFE TLS interop where a Go-issued SVID is
accepted by rustls via the `spiffetls` helpers.
## Development
Run tests:
```bash
cargo test
```
Run Go compatibility tests:
```bash
SPIFFE_RS_GO_COMPAT=1 cargo test --test compat_spiffebundle_go --test compat_workloadapi_go --test compat_spiffetls_go
```