Rust port of spiffe-go, auto-generated by an agent, providing SPIFFE IDs, bundles, SVIDs, Workload API client, federation helpers, and rustls-based SPIFFE TLS utilities. Includes Go interoperability tests for parity and compatibility.

spiffe-rs

spiffe-rs is a Rust port of the spiffe-go library, and all credit for the design, API surface, and semantics belongs to the original spiffe-go maintainers and contributors. This repository is an automated port: the current codebase was generated by an agent that translated spiffe-go into Rust and wired the APIs to match the Go surface.

It provides core SPIFFE types and helpers for working with SPIFFE IDs, bundles, and SVIDs, plus Workload API and SPIFFE TLS helpers.

What It Includes

  • SPIFFE ID parsing, validation, and matchers.
  • X.509 and JWT bundle parsing/manipulation.
  • X.509 and JWT SVID parsing/verification helpers.
  • Workload API client scaffolding with streaming watch support.
  • SPIFFE TLS helpers on rustls (dial/listen, modes, authorizers).
  • Federation helpers (bundle fetch, watch, and handler).

Examples

See examples/README.md for full standalone examples that mirror the go-spiffe examples.

Parse and validate a SPIFFE ID:

use spiffe_rs::spiffeid;

let id = spiffeid::require_from_string("spiffe://example.org/service");
assert_eq!(id.trust_domain().to_string(), "example.org");
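The snippet above relies on the crate to reject malformed IDs; the following std-only Rust is an added illustration (not code from spiffe-rs or spiffe-go) of the SPIFFE ID rules such a parser enforces, and of the matcher/authorizer shape the SPIFFE TLS helpers use to decide whether a peer's verified ID is acceptable. Every type and function name here (SpiffeId, IdError, Authorizer, authorize_member_of, and so on) is the example's own and assumes nothing about the crate's real API.

```rust
use std::fmt;

/// A parsed SPIFFE ID. Names in this block are the example's own, not the crate's.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeId {
    trust_domain: String,
    /// Empty for the trust-domain root ID; otherwise begins with '/'.
    path: String,
}

/// Why an input string is not a valid SPIFFE ID.
#[derive(Debug, PartialEq, Eq)]
pub enum IdError {
    Empty, WrongScheme, EmptyTrustDomain, BadTrustDomainChar(char),
    TrailingSlash, EmptySegment, DotSegment, BadPathChar(char),
}

// Trust-domain characters per the SPIFFE ID spec: lowercase letters, digits, '.', '-', '_'.
fn valid_td_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

// Path characters: letters of either case, digits, '.', '-', '_'.
fn valid_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

impl SpiffeId {
    /// Parses and validates `spiffe://<trust-domain>[/<segment>...]`.
    pub fn parse(s: &str) -> Result<SpiffeId, IdError> {
        if s.is_empty() {
            return Err(IdError::Empty);
        }
        // The scheme comparison is case-sensitive, as in go-spiffe.
        let rest = s.strip_prefix("spiffe://").ok_or(IdError::WrongScheme)?;
        let (td, path) = match rest.find('/') {
            Some(i) => (&rest[..i], &rest[i..]),
            None => (rest, ""),
        };
        if td.is_empty() {
            return Err(IdError::EmptyTrustDomain);
        }
        if let Some(c) = td.chars().find(|&c| !valid_td_char(c)) {
            return Err(IdError::BadTrustDomainChar(c));
        }
        Self::validate_path(path)?;
        Ok(SpiffeId { trust_domain: td.to_string(), path: path.to_string() })
    }

    fn validate_path(path: &str) -> Result<(), IdError> {
        if path.is_empty() {
            return Ok(());
        }
        if path.ends_with('/') {
            return Err(IdError::TrailingSlash);
        }
        // `path` starts with '/', so the segments are everything after it.
        for seg in path[1..].split('/') {
            match seg {
                "" => return Err(IdError::EmptySegment),       // e.g. "/a//b"
                "." | ".." => return Err(IdError::DotSegment), // no relative segments
                _ => {
                    if let Some(c) = seg.chars().find(|&c| !valid_path_char(c)) {
                        return Err(IdError::BadPathChar(c));
                    }
                }
            }
        }
        Ok(())
    }

    pub fn trust_domain(&self) -> &str { &self.trust_domain }
    pub fn path(&self) -> &str { &self.path }
}

impl fmt::Display for SpiffeId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "spiffe://{}{}", self.trust_domain, self.path)
    }
}

/// An authorizer decides whether an already-verified peer ID is acceptable;
/// the TLS layer calls it after certificate validation succeeds.
pub type Authorizer = Box<dyn Fn(&SpiffeId) -> Result<(), String>>;

/// Accept exactly one ID.
pub fn authorize_id(expected: SpiffeId) -> Authorizer {
    Box::new(move |id: &SpiffeId| {
        if *id == expected { Ok(()) } else { Err(format!("unexpected ID {}", id)) }
    })
}

/// Accept any ID whose trust domain matches.
pub fn authorize_member_of(trust_domain: &str) -> Authorizer {
    let td = trust_domain.to_string();
    Box::new(move |id: &SpiffeId| {
        if id.trust_domain() == td { Ok(()) } else { Err(format!("{} is not in {}", id, td)) }
    })
}

/// Accept any ID on an explicit allow list.
pub fn authorize_one_of(allowed: Vec<SpiffeId>) -> Authorizer {
    Box::new(move |id: &SpiffeId| {
        if allowed.contains(id) { Ok(()) } else { Err(format!("{} is not allow-listed", id)) }
    })
}

fn main() {
    let id = SpiffeId::parse("spiffe://example.org/service").expect("valid ID");
    println!("{} belongs to {}", id, id.trust_domain());
    for bad in ["spiffe://example.org/", "spiffe://Example.org/a", "https://example.org/a"] {
        println!("{}: {:?}", bad, SpiffeId::parse(bad));
    }
    println!("{:?}", authorize_member_of("example.org")(&id));
}
```

The point for a practitioner is the ordering: the authorizer only ever sees an ID that was already extracted from a certificate chaining to a trusted bundle, so it expresses policy (which workloads may talk to me), not authentication. Rejecting `.` and `..` segments and a trailing slash at parse time keeps equivalent-looking IDs from slipping past an exact-match allow list.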

Parse an X.509 SVID from PEM:

use spiffe_rs::svid::x509svid;

let cert_pem = std::fs::read("tests/testdata/x509svid/good-cert-and-key.pem").unwrap();
let key_pem = std::fs::read("tests/testdata/x509svid/key-pkcs8-rsa.pem").unwrap();
let svid = x509svid::SVID::parse(&cert_pem, &key_pem).unwrap();
assert!(svid.id.to_string().starts_with("spiffe://"));

Fetch a bundle from an HTTP endpoint:

use spiffe_rs::federation;
use spiffe_rs::spiffeid;

let trust_domain = spiffeid::require_trust_domain_from_string("domain.test");
let bundle = federation::fetch_bundle(trust_domain, "http://localhost:8080/bundle", &[]).unwrap();

Feature Matrix (vs spiffe-go)

Feature                                   spiffe-go   spiffe-rs
SPIFFE ID parsing/validation/matchers     Yes         Yes
X.509 bundle parsing & set                Yes         Yes
JWT bundle parsing & set                  Yes         Yes
X.509 SVID parse/verify                   Yes         Yes
JWT SVID parse/verify                     Yes         Yes
Workload API client                       Yes         Yes
Workload API sources (X509/JWT/Bundle)    Yes         Yes
Workload API watch/backoff                Yes         Yes
SPIFFE TLS helpers                        Yes         Yes
Federation fetch/watch/handler            Yes         Yes

Status

The goal is feature parity with spiffe-go. If you find a mismatch or missing capability, please open an issue with the expected Go behavior and a minimal repro.

Interoperability with Go is exercised via optional compatibility tests (enabled with SPIFFE_RS_GO_COMPAT=1). These cover JSON bundle parity, Workload API interop against a Go server, and SPIFFE TLS interop in which a Go-issued SVID is accepted by rustls via the spiffetls helpers.

Development

Run tests:

cargo test

Run Go compatibility tests:

SPIFFE_RS_GO_COMPAT=1 cargo test --test compat_spiffebundle_go --test compat_workloadapi_go --test compat_spiffetls_go