#x509 #jwt #spiffe


Rust client library implementation for SPIFFE

4 releases

0.2.1 Apr 22, 2022
0.2.0 Jul 7, 2021
0.1.1 Jun 19, 2021
0.1.0 Jun 15, 2021

#312 in Cryptography

Download history 97/week @ 2022-08-13 160/week @ 2022-08-20 63/week @ 2022-08-27 539/week @ 2022-09-03 171/week @ 2022-09-10 26/week @ 2022-09-17 83/week @ 2022-09-24 41/week @ 2022-10-01 48/week @ 2022-10-08 145/week @ 2022-10-15 37/week @ 2022-10-22 55/week @ 2022-10-29 52/week @ 2022-11-05 35/week @ 2022-11-12 85/week @ 2022-11-19 40/week @ 2022-11-26

225 downloads per month
Used in 3 crates (2 directly)



Rust SPIFFE library

An utility library to interact with the SPIFFE Workload API to fetch X.509 and JWT SVIDs and Bundles. It also provides types that comply with the SPIFFE standards. See spiffe.io.

crates.io docs.rs CI License


To use spiffe, add this to your Cargo.toml:

spiffe = "0.2.1"


Create a WorkloadApiClient

Providing the endpoint socket path as parameter:

let client = WorkloadApiClient::new("unix:/tmp/spire-agent/api/public.sock")?;

Providing the endpoint socket path through the environment variable SPIFFE_ENDPOINT_SOCKET:

let client = WorkloadApiClient::default()?;

Fetching X.509 materials

// fetch the default X.509 SVID
let x509_svid: X509Svid = client.fetch_x509_svid()?;

// fetch a set of X.509 bundles (X.509 public key authorities)
let x509_bundles: X509BundleSet = client.fetch_x509_bundles()?;

// fetch all the X.509 materials (SVIDs and bundles)
let x509_context: X509Context = client.fetch_x509_context()?;

// get the X.509 chain of certificates from the SVID
let cert_chain: &Vec<Certificate> = x509_svid.cert_chain();

// get the private key from the SVID
let private_key: &PrivateKey = x509_svid.private_key();

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the X.509 bundle associated to the trust domain
let x509_bundle: &X509Bundle = x509_bundles.get_bundle(&trust_domain).unwrap();

// get the X.509 authorities (public keys) in the bundle
let x509_authorities: &Vec<Certificate> = x509_bundle.authorities();

Fetching JWT tokens and bundles and validating tokens

// parse a SPIFFE ID to ask a token for
let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?;

// fetch a jwt token for the provided SPIFFE-ID and with the target audience `service1.com`
let jwt_token = client.fetch_jwt_token(&["audience1", "audience2"], Some(&spiffe_id))?;

// fetch the jwt token and parses it as a `JwtSvid`
let jwt_svid = client.fetch_jwt_svid(&["audience1", "audience2"], Some(&spiffe_id))?;

// fetch a set of jwt bundles (public keys for validating jwt token)
let jwt_bundles = client.fetch_jwt_bundles()?;

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the JWT bundle associated to the trust domain
let jwt_bundle: &JwtBundle = jwt_bundles.get_bundle(&trust_domain).unwrap();

// get the JWT authorities (public keys) in the bundle
let jwt_authority: &JwtAuthority = jwt_bundle.find_jwt_authority("a_key_id").unwrap();

// parse a `JwtSvid` validating the token signature with a JWT bundle source.
let validated_jwt_svid = JwtSvid::parse_and_validate(&jwt_token, &jwt_bundles_set, &["service1.com"])?; 


~452K SLoC