webpki/
lib.rs

1// Copyright 2015 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! webpki: Web PKI X.509 Certificate Validation.
16//!
17//! See `EndEntityCert`'s documentation for a description of the certificate
18//! processing steps necessary for a TLS connection.
19//!
20//! # Features
21//!
22//! | Feature | Description |
23//! | ------- | ----------- |
24//! | `alloc` | Enable features that require use of the heap. Currently all RSA signature algorithms require this feature. |
25//! | `std` | Enable features that require libstd. Implies `alloc`. |
26//! | `ring` | Enable use of the *ring* crate for cryptography. |
27//! | `aws-lc-rs` | Enable use of the aws-lc-rs crate for cryptography. Previously this feature was named `aws_lc_rs`. |
28
29#![no_std]
30#![warn(elided_lifetimes_in_paths, unreachable_pub, clippy::use_self)]
31#![deny(missing_docs, clippy::as_conversions)]
32#![allow(
33    clippy::len_without_is_empty,
34    clippy::manual_let_else,
35    clippy::new_without_default,
36    clippy::single_match,
37    clippy::single_match_else,
38    clippy::type_complexity,
39    clippy::upper_case_acronyms
40)]
41// Enable documentation for all features on docs.rs
42#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
43
44#[cfg(any(feature = "std", test))]
45extern crate std;
46
47#[cfg(any(test, feature = "alloc"))]
48#[cfg_attr(test, macro_use)]
49extern crate alloc;
50
51#[macro_use]
52mod der;
53
54#[cfg(feature = "aws-lc-rs")]
55mod aws_lc_rs_algs;
56mod cert;
57mod end_entity;
58mod error;
59#[cfg(feature = "ring")]
60mod ring_algs;
61mod rpk_entity;
62mod signed_data;
63mod subject_name;
64mod time;
65mod trust_anchor;
66
67mod crl;
68mod verify_cert;
69mod x509;
70
71#[cfg(test)]
72pub(crate) mod test_utils;
73
74pub use {
75    cert::Cert,
76    crl::{
77        BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, ExpirationPolicy,
78        RevocationCheckDepth, RevocationOptions, RevocationOptionsBuilder, RevocationReason,
79        UnknownStatusPolicy,
80    },
81    end_entity::EndEntityCert,
82    error::{DerTypeId, Error, InvalidNameContext},
83    rpk_entity::RawPublicKeyEntity,
84    trust_anchor::anchor_from_trusted_cert,
85    verify_cert::KeyUsage,
86    verify_cert::VerifiedPath,
87};
88
89#[cfg(feature = "alloc")]
90pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
91
92#[cfg(feature = "ring")]
93/// Signature verification algorithm implementations using the *ring* crypto library.
94pub mod ring {
95    pub use super::ring_algs::{
96        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
97    };
98
99    #[cfg(feature = "alloc")]
100    pub use super::ring_algs::{
101        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
102        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
103        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
104    };
105}
106
107#[cfg(feature = "aws-lc-rs")]
108/// Signature verification algorithm implementations using the aws-lc-rs crypto library.
109pub mod aws_lc_rs {
110    pub use super::aws_lc_rs_algs::{
111        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
112        ECDSA_P521_SHA256, ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519,
113        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
114        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
115        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
116    };
117}
118
119/// An array of all the verification algorithms exported by this crate.
120///
121/// This will be empty if the crate is built without the `ring` and `aws-lc-rs` features.
122pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorithm] = &[
123    #[cfg(feature = "ring")]
124    ring::ECDSA_P256_SHA256,
125    #[cfg(feature = "ring")]
126    ring::ECDSA_P256_SHA384,
127    #[cfg(feature = "ring")]
128    ring::ECDSA_P384_SHA256,
129    #[cfg(feature = "ring")]
130    ring::ECDSA_P384_SHA384,
131    #[cfg(feature = "ring")]
132    ring::ED25519,
133    #[cfg(all(feature = "ring", feature = "alloc"))]
134    ring::RSA_PKCS1_2048_8192_SHA256,
135    #[cfg(all(feature = "ring", feature = "alloc"))]
136    ring::RSA_PKCS1_2048_8192_SHA384,
137    #[cfg(all(feature = "ring", feature = "alloc"))]
138    ring::RSA_PKCS1_2048_8192_SHA512,
139    #[cfg(all(feature = "ring", feature = "alloc"))]
140    ring::RSA_PKCS1_3072_8192_SHA384,
141    #[cfg(all(feature = "ring", feature = "alloc"))]
142    ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
143    #[cfg(all(feature = "ring", feature = "alloc"))]
144    ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
145    #[cfg(all(feature = "ring", feature = "alloc"))]
146    ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
147    #[cfg(feature = "aws-lc-rs")]
148    aws_lc_rs::ECDSA_P256_SHA256,
149    #[cfg(feature = "aws-lc-rs")]
150    aws_lc_rs::ECDSA_P256_SHA384,
151    #[cfg(feature = "aws-lc-rs")]
152    aws_lc_rs::ECDSA_P384_SHA256,
153    #[cfg(feature = "aws-lc-rs")]
154    aws_lc_rs::ECDSA_P384_SHA384,
155    #[cfg(feature = "aws-lc-rs")]
156    aws_lc_rs::ECDSA_P521_SHA256,
157    #[cfg(feature = "aws-lc-rs")]
158    aws_lc_rs::ECDSA_P521_SHA384,
159    #[cfg(feature = "aws-lc-rs")]
160    aws_lc_rs::ECDSA_P521_SHA512,
161    #[cfg(feature = "aws-lc-rs")]
162    aws_lc_rs::ED25519,
163    #[cfg(feature = "aws-lc-rs")]
164    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
165    #[cfg(feature = "aws-lc-rs")]
166    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
167    #[cfg(feature = "aws-lc-rs")]
168    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
169    #[cfg(feature = "aws-lc-rs")]
170    aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
171    #[cfg(feature = "aws-lc-rs")]
172    aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
173    #[cfg(feature = "aws-lc-rs")]
174    aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
175    #[cfg(feature = "aws-lc-rs")]
176    aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
177];
178
179fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
180    a.as_slice_less_safe() == b.as_slice_less_safe()
181}
webpki/lib.rs

webpki/
lib.rs
