spiffe-rs

Crate: spiffe-rs (crates.io, lib.rs)
Version: 0.1.1
Created: 2025-12-20 19:30:28.802175+00
Updated: 2025-12-22 02:49:22.442612+00
Description: Rust port of spiffe-go with SPIFFE IDs, bundles, SVIDs, Workload API client, federation helpers, and rustls-based SPIFFE TLS utilities.
Repository: https://github.com/script3r/spiffe-rs
Crate id: 1996879
Size: 439,164
Author: Isaac Elbaz (script3r)

README

spiffe-rs is a Rust port of the spiffe-go library, and all credit for the design, API surface, and semantics belongs to the original spiffe-go maintainers and contributors. This repository is an automated port: the current codebase was generated by an agent that translated spiffe-go into Rust and wired the APIs to match the Go surface.

It provides core SPIFFE types and helpers for working with SPIFFE IDs, bundles, and SVIDs, plus Workload API and SPIFFE TLS helpers.

What It Includes

  • SPIFFE ID parsing, validation, and matchers.
  • X.509 and JWT bundle parsing/manipulation.
  • X.509 and JWT SVID parsing/verification helpers.
  • Workload API client scaffolding with streaming watch support.
  • SPIFFE TLS helpers on rustls (dial/listen, modes, authorizers).
  • Federation helpers (bundle fetch, watch, and handler).

Examples

See examples/README.md for full standalone examples that mirror the go-spiffe examples.

Parse and validate a SPIFFE ID:

use spiffe_rs::spiffeid;

let id = spiffeid::require_from_string("spiffe://example.org/service");
assert_eq!(id.trust_domain().to_string(), "example.org");
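As an added illustration of what "parsing and validation" of a SPIFFE ID involves (this is example code written for this page, not spiffe-rs's own implementation, and it uses none of the crate's APIs; the names `SpiffeId`, `parse_spiffe_id`, `IdError` and the matcher functions are the example's own), the block below applies the SPIFFE ID specification's rules: a `spiffe://` scheme, a non-empty trust domain limited to lowercase letters, digits, `.`, `-` and `_`, a path made of non-empty segments (never `.` or `..`, no trailing slash) drawn from letters, digits, `.`, `-` and `_`, and a 2048-byte cap. Because ports, userinfo, query strings and percent-encoding fall outside those character sets, they are rejected without any special casing. It closes with the three matcher shapes a SPIFFE TLS authorizer usually takes (member of a trust domain, exact ID, one of a set).

```rust
use std::fmt;

// Added example, not spiffe-rs code: a stand-alone SPIFFE ID parser that
// applies the SPIFFE ID specification's rules, plus the three matcher shapes
// a SPIFFE TLS authorizer typically takes. All names are this example's own.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeId {
    pub trust_domain: String,
    /// Empty, or "/" followed by one or more non-empty segments.
    pub path: String,
}

impl fmt::Display for SpiffeId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "spiffe://{}{}", self.trust_domain, self.path)
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum IdError {
    Empty, TooLong, WrongScheme, MissingTrustDomain, BadTrustDomainChar(char),
    EmptySegment, DotSegment, BadPathChar(char), TrailingSlash,
}

const SCHEME_PREFIX: &str = "spiffe://";
const MAX_LEN: usize = 2048; // spec limit on the whole ID, in bytes

// Trust domain: lowercase letters, digits, '.', '-', '_' only.
fn trust_domain_char_ok(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

// Path segments: letters of either case, digits, '.', '-', '_'.
fn path_char_ok(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Path must be empty or "/"-separated non-empty segments, none "." or "..",
/// with no trailing slash; '?', '#', '%' and spaces fail the character check.
pub fn validate_path(path: &str) -> Result<(), IdError> {
    let body = match path.strip_prefix('/') {
        None if path.is_empty() => return Ok(()),
        None => return Err(IdError::BadPathChar(path.chars().next().unwrap())),
        Some(body) => body,
    };
    if body.is_empty() || body.ends_with('/') {
        return Err(IdError::TrailingSlash);
    }
    for seg in body.split('/') {
        if seg.is_empty() {
            return Err(IdError::EmptySegment);
        }
        if seg == "." || seg == ".." {
            return Err(IdError::DotSegment);
        }
        if let Some(c) = seg.chars().find(|&c| !path_char_ok(c)) {
            return Err(IdError::BadPathChar(c));
        }
    }
    Ok(())
}

pub fn parse_spiffe_id(s: &str) -> Result<SpiffeId, IdError> {
    if s.is_empty() { return Err(IdError::Empty); }
    if s.len() > MAX_LEN { return Err(IdError::TooLong); }
    let rest = s.strip_prefix(SCHEME_PREFIX).ok_or(IdError::WrongScheme)?;
    // Up to the first '/' is the trust domain; the remainder is the path.
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() { return Err(IdError::MissingTrustDomain); }
    // The character set also rejects ':' (port), '@' (userinfo) and uppercase.
    if let Some(c) = td.chars().find(|&c| !trust_domain_char_ok(c)) {
        return Err(IdError::BadTrustDomainChar(c));
    }
    validate_path(path)?;
    Ok(SpiffeId { trust_domain: td.to_string(), path: path.to_string() })
}

/// Authorizer shape: decide whether a peer's SPIFFE ID is acceptable.
pub type Matcher = Box<dyn Fn(&SpiffeId) -> bool>;

pub fn match_member_of(trust_domain: &str) -> Matcher {
    let td = trust_domain.to_string();
    Box::new(move |id| id.trust_domain == td)
}
pub fn match_id(expected: SpiffeId) -> Matcher { Box::new(move |id| *id == expected) }
pub fn match_one_of(allowed: Vec<SpiffeId>) -> Matcher { Box::new(move |id| allowed.contains(id)) }

fn main() {
    // Constructed inputs for the demo.
    let good = parse_spiffe_id("spiffe://example.org/service").unwrap();
    println!("{good} -> trust domain {:?}, path {:?}", good.trust_domain, good.path);
    for bad in ["spiffe://Example.org/x", "spiffe://example.org/a//b", "spiffe://example.org/a/"] {
        println!("{bad:?} -> {:?}", parse_spiffe_id(bad));
    }
    println!("member of example.org: {}", match_member_of("example.org")(&good));
}
```

Error variants are distinct on purpose: a rejected peer ID in a TLS handshake is far easier to triage when the log says "trailing slash" or "bad trust domain char ':'" than when it says "invalid ID".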

Parse an X.509 SVID from PEM:

use spiffe_rs::svid::x509svid;

let cert_pem = std::fs::read("tests/testdata/x509svid/good-cert-and-key.pem").unwrap();
let key_pem = std::fs::read("tests/testdata/x509svid/key-pkcs8-rsa.pem").unwrap();
let svid = x509svid::SVID::parse(&cert_pem, &key_pem).unwrap();
assert!(svid.id.to_string().starts_with("spiffe://"));

Fetch a bundle from an HTTP endpoint:

use spiffe_rs::federation;
use spiffe_rs::spiffeid;

let trust_domain = spiffeid::require_trust_domain_from_string("domain.test");
let bundle = federation::fetch_bundle(trust_domain, "http://localhost:8080/bundle", &[]).unwrap();

Feature Matrix (vs spiffe-go)

Feature                                  spiffe-go   spiffe-rs
SPIFFE ID parsing/validation/matchers    Yes         Yes
X.509 bundle parsing & set               Yes         Yes
JWT bundle parsing & set                 Yes         Yes
X.509 SVID parse/verify                  Yes         Yes
JWT SVID parse/verify                    Yes         Yes
Workload API client                      Yes         Yes
Workload API sources (X509/JWT/Bundle)   Yes         Yes
Workload API watch/backoff               Yes         Yes
SPIFFE TLS helpers                       Yes         Yes
Federation fetch/watch/handler           Yes         Yes

Status

The goal is feature parity with spiffe-go. If you find a mismatch or missing capability, please open an issue with the expected Go behavior and a minimal repro.

Interoperability with Go is exercised via optional compatibility tests (enabled with SPIFFE_RS_GO_COMPAT=1). These include JSON bundle parity, Workload API interop against a Go server, and SPIFFE TLS interop where a Go-issued SVID is accepted by rustls via the spiffetls helpers.

Development

Run tests:

cargo test

Run Go compatibility tests:

SPIFFE_RS_GO_COMPAT=1 cargo test --test compat_spiffebundle_go --test compat_workloadapi_go --test compat_spiffetls_go

Format code:

cargo fmt