Struct FulcioClient 

pub struct FulcioClient { /* private fields */ }

Fulcio client for obtaining short-lived certificates

Fulcio is a WebPKI certificate authority that issues short-lived certificates based on OIDC identity tokens. These certificates are used for keyless signing.

Implementations

impl FulcioClient

pub fn new() -> Self

Create client with default Fulcio server

Uses the public Sigstore Fulcio instance at https://fulcio.sigstore.dev

Certificate Pinning

Certificate pinning is ENFORCED by default using embedded pins for Sigstore production infrastructure. Custom pins can be set via WSC_FULCIO_PINS. Set WSC_REQUIRE_CERT_PINNING=1 to fail if pinning cannot be configured.

pub fn with_url(base_url: String) -> Self

Create client with custom Fulcio server

Arguments

• base_url - Base URL of the Fulcio server (without trailing slash)

Certificate Pinning

Certificate pinning is now ENFORCED when configured via WSC_FULCIO_PINS. Set WSC_REQUIRE_CERT_PINNING=1 to fail if pinning cannot be configured.

pub fn get_certificate( &self, oidc_token: &OidcToken, public_key: &[u8], proof_of_possession: &[u8], ) -> Result<FulcioCertificate, WSError>

Request a certificate from Fulcio

Arguments

• oidc_token - OIDC identity token from a supported provider
• public_key - Raw ECDSA P-256 public key in uncompressed form (65 bytes: 0x04 || x || y)
• proof_of_possession - Signature proving key ownership (DER-encoded ECDSA signature)

Returns

A FulcioCertificate containing the certificate chain and public key

Errors

Returns WSError::FulcioError if:

• The HTTP request fails
• The response cannot be parsed
• The certificate chain is invalid
• The public key cannot be extracted

Trait Implementations

impl Default for FulcioClient

fn default() -> Self

Returns the “default value” for a type.