Crate trifid_pki


trifid-pki

trifid-pki is a crate for interacting with the Nebula PKI system. It was created to avoid constant CLI calls for signing operations in Nebula. It is designed to be interoperable with the original Go implementation and as such has some oddities in key management to ensure compatibility.

This crate has not received any formal security audits; however, the underlying crates used for the actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited with no major issues.

Examples

Load a certificate from PEM

use trifid_pki::cert::deserialize_nebula_certificate_from_pem;
let cert_bytes = b"-----BEGIN NEBULA CERTIFICATE-----
CmUKCGNvcmUtdHdyEgmBhMRQgID4/w8orp+/nAYwlIXEqwY6IDBOYnnYci8P2Nlm
+qcK2u7AjEZJ1IZFe7A4viQ3U6dHSiBWhg3tPRS387d8oqBi7l1oPdBrNfh0RtjW
p+kjtqd4PRJA611raI7aDTbpJSGcCY/yeZ5CIHoJP32bfYdYI8oFsuDTp0ndL8nO
yBHtmihl1xxNU8/f0b9+bVBYvZ7NOI3fDQ==
-----END NEBULA CERTIFICATE-----";
let cert = deserialize_nebula_certificate_from_pem(cert_bytes).unwrap();
println!("{}", cert);
// NebulaCertificate {
//  Details {
//      Name: core-twr
//      Ips: [10.17.2.1/15]
//      Subnets: []
//      Gruops: []
//      Not before: SystemTime { tv_sec: 1670369198, tv_nsec: 0 }
//      Not after: SystemTime { tv_sec: 1701905044, tv_nsec: 0 }
//      Is CA: false
//      Issuer: 56860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d
//      Public key: 304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a747
//  }
//  Fingerprint: c1a723acf8a1c8a438eb1f8efb756eb9e1a3c529d5b93cd143d282ca87e549b4
//  Signature: eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d
// }
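
Added example, not code from the trifid-pki crate or the page: it decodes the certificate shown above using only std, walks the protobuf wire format, and applies the validity-window and signature-length checks a verifier makes before the ed25519 check itself. The cert.proto field numbers and the CertSummary, parse_nebula_cert and valid_at names are assumptions.

```rust
// Added example, not trifid-pki code: std-only decode of the doc's certificate plus the checks a verifier runs before the signature check.
pub const CERT_PEM: &str = "-----BEGIN NEBULA CERTIFICATE-----
CmUKCGNvcmUtdHdyEgmBhMRQgID4/w8orp+/nAYwlIXEqwY6IDBOYnnYci8P2Nlm
+qcK2u7AjEZJ1IZFe7A4viQ3U6dHSiBWhg3tPRS387d8oqBi7l1oPdBrNfh0RtjW
p+kjtqd4PRJA611raI7aDTbpJSGcCY/yeZ5CIHoJP32bfYdYI8oFsuDTp0ndL8nO
yBHtmihl1xxNU8/f0b9+bVBYvZ7NOI3fDQ==
-----END NEBULA CERTIFICATE-----";
#[derive(Debug, Default)] pub struct CertSummary { pub name: String, pub not_before: u64, pub not_after: u64, pub is_ca: bool, pub sig_len: usize }

fn pem_body(pem: &str) -> Vec<u8> { // strip the armour lines, base64-decode the body ('=' is skipped)
    let (mut acc, mut nbits, mut out) = (0u32, 0, Vec::new());
    for c in pem.lines().filter(|l| !l.starts_with("-----")).flat_map(|l| l.bytes()) {
        let v = match c { b'A'..=b'Z' => c - b'A', b'a'..=b'z' => c - b'a' + 26, b'0'..=b'9' => c - b'0' + 52, b'+' => 62, b'/' => 63, _ => continue };
        acc = (acc << 6) | v as u32; nbits += 6;
        if nbits >= 8 { nbits -= 8; out.push((acc >> nbits) as u8); }
    }
    out
}

fn varint(b: &[u8], i: &mut usize) -> u64 { // protobuf base-128 varint at *i, advances the cursor
    let (mut v, mut shift) = (0u64, 0);
    loop { let x = b[*i]; *i += 1; v |= ((x & 0x7f) as u64) << shift; shift += 7; if x < 0x80 { return v; } }
}

fn fields(b: &[u8]) -> Vec<(u64, u64, &[u8])> { // (field number, varint value, length-delimited bytes)
    let (mut i, mut out) = (0, Vec::new());
    while i < b.len() { let key = varint(b, &mut i);
        if key & 7 == 0 { let v = varint(b, &mut i); out.push((key >> 3, v, &b[..0])); }
        else if key & 7 == 2 { let n = varint(b, &mut i) as usize; out.push((key >> 3, 0, &b[i..i + n])); i += n; }
        else { panic!("unsupported wire type {}", key & 7); }
    }
    out
}

/// Field numbers assumed from Nebula's cert.proto: Details=1, Signature=2; in Details: Name=1, NotBefore=5, NotAfter=6, IsCA=8.
pub fn parse_nebula_cert(pem: &str) -> CertSummary {
    let (raw, mut s) = (pem_body(pem), CertSummary::default());
    for (f, _, bytes) in fields(&raw) {
        if f == 2 { s.sig_len = bytes.len(); } if f != 1 { continue; }
        for (df, v, db) in fields(bytes) { match df {
            1 => s.name = String::from_utf8_lossy(db).into_owned(), 5 => s.not_before = v,
            6 => s.not_after = v, 8 => s.is_ca = v != 0, _ => {} } }
    }
    s
}

/// Reject a cert outside its [NotBefore, NotAfter] window or whose signature is not the 64 bytes of an ed25519 signature.
pub fn valid_at(c: &CertSummary, now: u64) -> bool {
    c.sig_len == 64 && now >= c.not_before && now <= c.not_after
}
```

Malformed input panics at the slice bounds; a production parser would return an error, and passing this check only means the certificate is worth handing to the ed25519 verification against the CA pool.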

Re-exports

Modules

  • Structs to represent a pool of CAs and blacklisted certificates
  • Manage Nebula PKI certificates. This is pretty much a direct port of nebula/cert/cert.go

Constants