Authentication layer for the Kipuka EST server.
RFC 7030 §3.2.3 defines several client authentication mechanisms for EST:
- mTLS — client presents a certificate during the TLS handshake.
- HTTP Basic (OTP) — username=entity-id, password=one-time password.
- HTTP Negotiate (GSSAPI) — Kerberos/SPNEGO authentication.
Each EST endpoint declares an authentication policy (AuthPolicy) that
the EstAuth extractor enforces before the handler runs. Admin routes
use a separate authentication mechanism (see super::routes::admin).
Modules
- cms_auth - CMS message-level authentication for EST (RFC 8295).
- gssapi - GSSAPI/Kerberos authentication for EST endpoints.
- mtls - mTLS client certificate authentication for EST endpoints.
- name_match - Domain name and identity matching for TLS certificates (RFC 6125).
- otp - HTTP Basic authentication with One-Time Password for EST enrollment.
Structs
- AuthResult - Result of a successful authentication.
- EstAuth - Axum extractor that authenticates EST requests.
- OptionalAuth - Axum extractor that allows unauthenticated access.
Enums
- AuthMethod - How a client authenticated to the EST server.
- AuthPolicy - Authentication policy for an EST endpoint.