12 releases
Version | Released |
---|---|
0.1.11 | Jun 22, 2023 |
0.1.10 | Apr 7, 2023 |
0.1.9 | Mar 30, 2023 |
0.1.4 | Feb 28, 2023 |
#1198 in Cryptography
Used in 3 crates
110KB
1.5K SLoC
trifid-pki
trifid-pki is a crate for interacting with the Nebula PKI system. It was created to prevent the need to make constant CLI calls for signing operations in Nebula. It is designed to be interoperable with the original Go implementation and as such has some oddities with key management to ensure compatibility.
This crate has not received any formal security audits; however, the underlying crates used for actual cryptographic operations (ed25519-dalek and curve25519-dalek) have been audited, finding no major issues.
Examples
See the documentation for examples.
Load a certificate from PEM
```rust
use trifid_pki::cert::deserialize_nebula_certificate_from_pem;
let cert_bytes = b"-----BEGIN NEBULA CERTIFICATE-----
CmUKCGNvcmUtdHdyEgmBhMRQgID4/w8orp+/nAYwlIXEqwY6IDBOYnnYci8P2Nlm
+qcK2u7AjEZJ1IZFe7A4viQ3U6dHSiBWhg3tPRS387d8oqBi7l1oPdBrNfh0RtjW
p+kjtqd4PRJA611raI7aDTbpJSGcCY/yeZ5CIHoJP32bfYdYI8oFsuDTp0ndL8nO
yBHtmihl1xxNU8/f0b9+bVBYvZ7NOI3fDQ==
-----END NEBULA CERTIFICATE-----";
let cert = deserialize_nebula_certificate_from_pem(cert_bytes).unwrap();
println!("{}", cert);
// NebulaCertificate {
// Details {
// Name: core-twr
// Ips: [10.17.2.1/15]
// Subnets: []
// Gruops: []
// Not before: SystemTime { tv_sec: 1670369198, tv_nsec: 0 }
// Not after: SystemTime { tv_sec: 1701905044, tv_nsec: 0 }
// Is CA: false
// Issuer: 56860ded3d14b7f3b77ca2a062ee5d683dd06b35f87446d8d6a7e923b6a7783d
// Public key: 304e6279d8722f0fd8d966faa70adaeec08c4649d486457bb038be243753a747
// }
// Fingerprint: c1a723acf8a1c8a438eb1f8efb756eb9e1a3c529d5b93cd143d282ca87e549b4
// Signature: eb5d6b688eda0d36e925219c098ff2799e42207a093f7d9b7d875823ca05b2e0d3a749dd2fc9cec811ed9a2865d71c4d53cfdfd1bf7e6d5058bd9ecd388ddf0d
// }
```
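The example above only deserializes the certificate; whether a given time falls inside its "Not before" / "Not after" window is a separate check. The std-only sketch below is an added illustration, not trifid-pki code and not using its API: it decodes the same PEM by hand and tests a timestamp against that window. The function names are made up for the example, and the protobuf field numbers (1 for the details wrapper, 5 and 6 for the two timestamps) are assumptions read off this certificate's bytes, which decode to the values printed above.

```rust
const PEM: &str = "-----BEGIN NEBULA CERTIFICATE-----
CmUKCGNvcmUtdHdyEgmBhMRQgID4/w8orp+/nAYwlIXEqwY6IDBOYnnYci8P2Nlm
+qcK2u7AjEZJ1IZFe7A4viQ3U6dHSiBWhg3tPRS387d8oqBi7l1oPdBrNfh0RtjW
p+kjtqd4PRJA611raI7aDTbpJSGcCY/yeZ5CIHoJP32bfYdYI8oFsuDTp0ndL8nO
yBHtmihl1xxNU8/f0b9+bVBYvZ7NOI3fDQ==
-----END NEBULA CERTIFICATE-----"; // the certificate shown on this page
/// Added example, std only: base64-decode the lines between the PEM armor.
fn pem_body(pem: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in pem.lines().filter(|l| !l.starts_with('-')).flat_map(str::bytes) {
        if c == b'=' { break; } // padding ends the data
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Some(out)
}

/// Read one protobuf varint (at most 10 bytes) and advance `buf` past it.
fn varint(buf: &mut &[u8]) -> Option<u64> {
    let n = buf.iter().take(10).position(|&b| b & 0x80 == 0)? + 1;
    let v = buf[..n].iter().rev().fold(0u64, |v, &b| (v << 7) | u64::from(b & 0x7f));
    *buf = &buf[n..];
    Some(v)
}

/// First occurrence of field `want` in `msg`: (varint value or length, payload bytes).
fn field(mut msg: &[u8], want: u64) -> Option<(u64, &[u8])> {
    while !msg.is_empty() {
        let (key, val) = (varint(&mut msg)?, varint(&mut msg)?);
        let len = match key & 7 { 0 => 0, 2 => val as usize, _ => return None };
        let body = msg.get(..len)?; // None when a length runs past the buffer
        if key >> 3 == want { return Some((val, body)); }
        msg = &msg[len..];
    }
    None
}

/// Is `now` (Unix seconds) inside the not-before/not-after window? None if malformed.
fn valid_at(pem: &str, now: u64) -> Option<bool> {
    let raw = pem_body(pem)?;
    let details = field(&raw, 1)?.1; // assumed: outer field 1 wraps the details message
    Some(field(details, 5)?.0 <= now && now <= field(details, 6)?.0) // assumed: fields 5, 6
}

fn main() {
    println!("{:?}", valid_at(PEM, 1_710_000_000)); // constructed timestamp; prints Some(false)
}
```

The sketch checks the validity window only. It does not verify the signature or the issuer, so it is not a trust decision on its own.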
Dependencies
~4–5MB
~104K SLoC