rust-spiffe: provide a local validation of the JWT-SVID

[hug-dev]

This is an issue for the rust-spiffe repository when the JWT-SVID feature is merged in.

Currently validation of JWT-SVID tokens is done through the Workload API (ValidateJWTSVID operation). However this creates the constraint of trusting the Workload API endpoint: the JWT-SVID is a secret and is a parameter of that call. If an attacker controls that socket then they have access of the authentication values of clients.

The validation could instead be done locally by fetching the trust bundle (the SPIFFE public keys) through the Bundle Endpoint which is authenticated.

[ionut-arm]

The validation could instead be done locally by fetching the trust bundle (the SPIFFE public keys) through the Bundle Endpoint which is authenticated.

From what I understand, this is based on JWK and for authenticating the Bundle Endpoint, there are two recommended approaches.

The first one uses public CAs to authenticate the keys used in TLS - we'd need to use a TLS implementation and have access to a (local?) set of trusted CA certificates. Maybe we can ask them how they recommend this to be implemented?

The second option uses TLS too, but ultimately relies on an initial trust bundle that is set up "through an offline exchange", so it'd have to be passed/configured by the admin (?)

I'm curious if either of these options is already implemented somewhere in Rust, sounds like something that would be reusable by many other projects that integrate with Spiffe.

[hug-dev]

From the freshly published JWT-SVID profile of the Workload API:

Workload API clients SHOULD use the ValidateJWTSVID method for JWT validation if supported by the client, allowing the SPIFFE Workload API to perform validation on their behalf. Doing this removes the need for the workload to implement validation logic, which can be error prone.

Also, there are security considerations of JWT-SVID which we currently apply (maybe we can check setting the lowest possible exp claim).

I think that using the ValidateJWTSVID RPC and clearly noting the possible threats in our TM is good enough for the SPIFFE authenticator.

[hug-dev]

Closing because of the above. If we wanted to add the validation in Parsec, we could use the parse_and_validate method on the new spiffe crate that we use.