The C# SPIFFE library provides functionality to interact with the Workload API to fetch X.509 and JWT SVIDs and Bundles.
C# implementation of spiffe/go-spiffe.
Requires .NET 8.

IMPORTANT: This is a prerelease version and is not ready for use in production.
Start SPIRE or another SPIFFE Workload API implementation.
To create an mTLS Kestrel server:

```csharp
WebApplicationBuilder builder = WebApplication.CreateBuilder();

using GrpcChannel channel = GrpcChannelFactory.CreateChannel("unix:///tmp/agent.sock");
IWorkloadApiClient client = WorkloadApiClient.Create(channel);
using X509Source x509Source = await X509Source.CreateAsync(client);

builder.WebHost.UseKestrel(kestrel =>
{
    kestrel.Listen(IPAddress.Any, 8443, listenOptions =>
    {
        listenOptions.UseHttps(new TlsHandshakeCallbackOptions
        {
            // Configure mTLS server options
            OnConnection = ctx => ValueTask.FromResult(
                SpiffeSslConfig.GetMtlsServerOptions(x509Source, Authorizers.AuthorizeAny())),
        });
    });
});
```
To dial an mTLS server:

```csharp
GrpcChannel channel = GrpcChannelFactory.CreateChannel("unix:///tmp/agent.sock");
IWorkloadApiClient client = WorkloadApiClient.Create(channel);
X509Source x509Source = await X509Source.CreateAsync(client);

HttpClient http = new(new SocketsHttpHandler()
{
    // Configure mTLS client options
    SslOptions = SpiffeSslConfig.GetMtlsClientOptions(x509Source, Authorizers.AuthorizeAny()),
});
```
The client and server obtain X509-SVIDs and X.509 bundles from the SPIFFE Workload API. Each peer presents its X509-SVID, which the other side authenticates against the X.509 bundles. Both sides keep receiving updated X509-SVIDs and X.509 bundles streamed from the Workload API (e.g. on SVID rotation).
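A fuller server example, added here and not taken from the library's README: it keeps the handshake configured exactly as above (where `Authorizers.AuthorizeAny()` admits every peer that chains to a trusted bundle) and additionally enforces an application-level allow-list on the peer's SPIFFE ID, read from the client certificate's URI SAN with standard .NET APIs. The `/data` route, the allow-list value and the comment about the library's namespaces are assumptions.

```csharp
using System.Formats.Asn1;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using Grpc.Net.Client;
using Microsoft.AspNetCore.Server.Kestrel.Https;
// Plus the library's own namespaces for the SPIFFE types below (assumed; see the project source).

WebApplicationBuilder builder = WebApplication.CreateBuilder();
using GrpcChannel channel = GrpcChannelFactory.CreateChannel("unix:///tmp/agent.sock");
IWorkloadApiClient client = WorkloadApiClient.Create(channel);
using X509Source x509Source = await X509Source.CreateAsync(client);

builder.WebHost.UseKestrel(kestrel =>
{
    kestrel.Listen(IPAddress.Any, 8443, listenOptions =>
    {
        // Handshake uses the Workload API SVID and bundles; AuthorizeAny admits any trusted peer.
        listenOptions.UseHttps(new TlsHandshakeCallbackOptions
        {
            OnConnection = ctx => ValueTask.FromResult(
                SpiffeSslConfig.GetMtlsServerOptions(x509Source, Authorizers.AuthorizeAny())),
        });
    });
});

WebApplication app = builder.Build();
string[] allowedIds = ["spiffe://example.org/frontend"]; // constructed allow-list (assumption)

app.MapGet("/data", (HttpContext http) =>
{
    // Enforce the peer's SPIFFE ID per request, on top of the handshake-level check.
    string? spiffeId = http.Connection.ClientCertificate is { } peer ? GetSpiffeId(peer) : null;
    return spiffeId is not null && allowedIds.Contains(spiffeId)
        ? Results.Ok($"hello {spiffeId}")
        : Results.StatusCode(StatusCodes.Status403Forbidden);
});

await app.RunAsync();

// The SPIFFE ID is the spiffe:// URI in the subjectAltName extension (OID 2.5.29.17).
static string? GetSpiffeId(X509Certificate2 cert)
{
    if (cert.Extensions["2.5.29.17"] is not { } san) return null;
    AsnReader names = new AsnReader(san.RawData, AsnEncodingRules.DER).ReadSequence();
    while (names.HasData)
    {
        Asn1Tag tag = names.PeekTag();
        if (tag.TagClass != TagClass.ContextSpecific || tag.TagValue != 6) { names.ReadEncodedValue(); continue; }
        string uri = names.ReadCharacterString(UniversalTagNumber.IA5String, tag); // [6] uniformResourceIdentifier
        if (uri.StartsWith("spiffe://", StringComparison.Ordinal)) return uri;
    }
    return null;
}
```

A peer whose SVID chains to a trusted bundle but whose SPIFFE ID is not on the list completes the handshake and then receives 403 from the endpoint.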
The samples directory contains examples for a variety of circumstances.