
Fetch the SPIFFE trust bundle

This guide shows how to obtain the public verification material (JWKS and CA certificate) from Avassa so that an external service can verify SVIDs issued by Strongbox - without needing a Strongbox token.

For background on SPIFFE concepts and how Avassa issues SVIDs, see SPIFFE support.

Prerequisites

Before fetching trust material, the tenant must have SPIFFE settings configured:

supctl merge strongbox spiffe-settings <<EOF
issuing-ca: spiffe-ca
jwt-signing-key: spiffe-jwt
jwt-issuer: https://spire.example.org
distribute:
  to: all
EOF
  • jwt-signing-key is required for get-spiffe-jwks.
  • issuing-ca is required for get-spiffe-bundle.

See Authenticate with JWT-SVID for full spiffe-settings configuration details.

Fetch the JWKS for JWT-SVID verification

get-spiffe-jwks returns the public signing key(s) for a tenant's JWT-signing transit key in JWKS format. No authentication is required.

supctl -j do get-spiffe-jwks telco | jq -r '.jwks' > jwks.json

The resulting jwks.json can be fed to any JWKS-aware JWT library, or the library can fetch the same document from the Strongbox HTTPS endpoint itself. For example, in Python with pyjwt, fetching from the endpoint:

import jwt
from jwt import PyJWKClient

# token: the JWT-SVID presented by the caller (for example from an Authorization header)
client = PyJWKClient("https://strongbox.example.org/v1/get-spiffe-jwks")
# PyJWKClient reads the kid from the token header and picks the matching JWKS entry
signing_key = client.get_signing_key_from_jwt(token)
payload = jwt.decode(token, signing_key.key, algorithms=["ES256"],
                     audience="my-service",
                     issuer="https://spire.example.org")  # the configured jwt-issuer

Or with a local JWKS file:

import json
import jwt
from jwt import PyJWK

jwks = json.load(open("jwks.json"))
# Select the key whose kid matches the token header rather than blindly taking keys[0]:
# after a signing-key rotation the JWKS may carry more than one key.
kid = jwt.get_unverified_header(token)["kid"]
jwk = next(k for k in jwks["keys"] if k.get("kid") == kid)  # StopIteration = kid miss, re-fetch the JWKS
key = PyJWK.from_dict(jwk).key
payload = jwt.decode(token, key, algorithms=["ES256"],
                     audience="my-service",
                     issuer="https://spire.example.org")

Fetch the CA bundle for X.509-SVID verification

get-spiffe-bundle returns the PEM CA certificate chain for a tenant's SPIFFE issuing CA. No authentication is required.

supctl -j do get-spiffe-bundle telco | jq -r '.cert' > spiffe-ca.pem

Use the CA certificate to verify an X.509-SVID:

openssl verify -CAfile spiffe-ca.pem svid.pem
svid.pem: OK

For mTLS configuration, add spiffe-ca.pem as the trusted CA for the TLS listener or client. The SPIFFE ID in the URI SAN of the peer certificate is then used for authorization rather than the CN.
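The verify-then-authorize flow described above, as an added example that is not part of the Avassa documentation or tooling: it stands up a throwaway P-256 CA and an X.509-SVID with openssl, checks the chain the same way openssl verify does, and reads the SPIFFE ID out of the URI SAN while ignoring the CN. The trust domain telco, the workload path, and a second "rogue" CA with an identical CN are constructed for the demonstration; in a real deployment the bundle file is the spiffe-ca.pem written by get-spiffe-bundle.

```shell
#!/bin/sh
# Added example, not Avassa code. Builds a throwaway SPIFFE-style CA and SVID
# with openssl, verifies the SVID against the CA bundle, and authorizes on the
# spiffe:// URI SAN. Trust domain "telco" and the workload path are constructed.
set -eu
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal openssl config: subjects come from -subj, plus a CA extension profile.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca <name> <cn>: self-signed P-256 CA -> $WORK/<name>.key and $WORK/<name>.pem
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -x509 -new -key "$WORK/$1.key" -config "$CFG" -extensions v3_ca \
    -subj "/CN=$2" -days 1 -sha256 -out "$WORK/$1.pem"
}

# issue_svid <ca-name> <leaf-name> <spiffe-id>: leaf cert whose URI SAN is the SPIFFE ID
issue_svid() {
  ca=$1; name=$2; id=$3
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -config "$CFG" \
    -subj "/CN=$name" -out "$WORK/$name.csr"
  printf '%s\n' \
    'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth,clientAuth' \
    "subjectAltName = URI:$id" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.pem" 2>/dev/null
}

# verify_svid <bundle.pem> <svid.pem>: exit 0 only if the SVID chains to the bundle
verify_svid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# spiffe_id_of <svid.pem>: the spiffe:// URI from the Subject Alternative Name
spiffe_id_of() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's|.*URI:\(spiffe://[^, ]*\).*|\1|p' | head -n 1
}

# authorize <bundle.pem> <svid.pem> <expected-id>: chain check first, then an exact
# match on the URI SAN. The CN is never consulted.
authorize() {
  verify_svid "$1" "$2" || return 1
  [ "$(spiffe_id_of "$2")" = "$3" ]
}

make_ca tenant-ca "SPIFFE CA telco"
make_ca rogue-ca  "SPIFFE CA telco"   # same CN, different key: must not be trusted
issue_svid tenant-ca billing  "spiffe://telco/workload/billing"
issue_svid rogue-ca  impostor "spiffe://telco/workload/billing"

authorize "$WORK/tenant-ca.pem" "$WORK/billing.pem" "spiffe://telco/workload/billing" \
  && echo "billing: authorized as $(spiffe_id_of "$WORK/billing.pem")"
authorize "$WORK/tenant-ca.pem" "$WORK/impostor.pem" "spiffe://telco/workload/billing" \
  || echo "impostor: rejected, does not chain to the tenant CA"
```

The impostor carries the same SPIFFE ID and the same issuer CN as the legitimate workload; it is rejected purely because its chain does not terminate in the tenant bundle, which is why the chain check must run before the SAN is even looked at. The SPIFFE ID comparison is an exact string match; prefix or substring matching would let spiffe://telco/workload/billing-evil through.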

Refreshing trust material

Trust material (signing keys, CA certificates) can be rotated. To handle rotation:

  • JWKS: the JWKS response includes a kid (key ID) for each key, and a JWT-SVID carries the matching kid in its header, so a verifier selects the right key by kid lookup. Re-fetch the JWKS periodically or on a kid cache miss, but rate-limit miss-triggered re-fetches so that a stream of tokens with bogus kids cannot be turned into a stream of requests to Strongbox, and keep the last good JWKS if a re-fetch fails.
  • CA bundle: re-fetch get-spiffe-bundle after any CA rotation event and reload the trust store without restarting the listener. Until every X.509-SVID issued under the old CA has expired, the trust store needs both the old and the new CA certificate, or peers still presenting old SVIDs fail verification.