Crate x509_parser


X.509 Parser

An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.

It is written in pure Rust, is fast, and makes extensive use of zero-copy: parsed objects borrow from the input buffer (hence the lifetime parameter on types such as X509Certificate<'_>), so the buffer must outlive them. A lot of care is taken to ensure the security and safety of this crate, including its design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.

The code is available on Github and is part of the Rusticata project.

Certificates are usually encoded in two main formats: PEM (usually the most common format) or DER. A PEM-encoded certificate is a container, storing a DER object. See the pem module for more documentation.
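As an added illustration of the container format described above (example code written for this page, not the crate's pem module, which is what should be used in practice): a standard-library-only decoder that pulls the DER payload out of PEM armor, rejecting mismatched BEGIN/END labels, a missing END line and malformed base64 instead of silently truncating. The sample PEM text is constructed and wraps a hand-built DER SEQUENCE, not a real certificate; encapsulated PEM headers (e.g. Proc-Type) are deliberately not supported.

```rust
// Added example, not x509-parser's code: extract DER from PEM armor defensively.

/// One decoded PEM block: its label ("CERTIFICATE", "X509 CRL", ...) and the DER payload.
#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String,
    pub der: Vec<u8>,
}

/// Map one base64 alphabet character to its 6-bit value.
fn b64_val(c: u8) -> Option<u8> {
    match c {
        b'A'..=b'Z' => Some(c - b'A'),
        b'a'..=b'z' => Some(c - b'a' + 26),
        b'0'..=b'9' => Some(c - b'0' + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Strict base64 decode: rejects bytes outside the alphabet, data after '='
/// and a padding count that does not match the number of leftover bits.
fn b64_decode(text: &str) -> Result<Vec<u8>, String> {
    let mut out = Vec::with_capacity(text.len() * 3 / 4);
    let (mut acc, mut bits, mut pad) = (0u32, 0u32, 0usize);
    for &c in text.as_bytes() {
        if c == b'=' {
            pad += 1;
            continue;
        }
        if pad > 0 {
            return Err("data after '=' padding".to_string());
        }
        let v = b64_val(c).ok_or_else(|| format!("invalid base64 byte {:#04x}", c))?;
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    // 0 leftover bits => no padding, 2 => one '=', 4 => two '='; 6 is never valid.
    let ok = match bits { 0 => pad == 0, 2 => pad == 1, 4 => pad == 2, _ => false };
    if !ok {
        return Err("base64 length/padding mismatch".to_string());
    }
    Ok(out)
}

/// Extract every "-----BEGIN X-----" ... "-----END X-----" block from `pem`.
/// Text outside blocks (bundle comments) is ignored; structural errors are reported.
pub fn parse_pem(pem: &str) -> Result<Vec<PemBlock>, String> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None; // (label, base64 collected so far)
    for raw in pem.lines() {
        let line = raw.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|s| s.strip_suffix("-----")) {
            if current.is_some() {
                return Err("nested BEGIN line".to_string());
            }
            current = Some((label.to_string(), String::new()));
        } else if let Some(end) = line.strip_prefix("-----END ").and_then(|s| s.strip_suffix("-----")) {
            let (label, b64) = current.take().ok_or("END without BEGIN")?;
            if end != label {
                return Err(format!("END label {} does not match BEGIN {}", end, label));
            }
            blocks.push(PemBlock { label, der: b64_decode(&b64)? });
        } else if let Some((_, b64)) = current.as_mut() {
            b64.push_str(line);
        }
    }
    if current.is_some() {
        return Err("missing END line".to_string());
    }
    Ok(blocks)
}

/// Constructed sample: the payload is a hand-built DER SEQUENCE { INTEGER 1, INTEGER 2 },
/// i.e. bytes 30 06 02 01 01 02 01 02, not a real certificate.
pub const SAMPLE_PEM: &str = "# constructed bundle; lines outside blocks are ignored
-----BEGIN CERTIFICATE-----
MAYCAQECAQI=
-----END CERTIFICATE-----
";

fn main() {
    match parse_pem(SAMPLE_PEM) {
        Ok(blocks) => {
            for b in &blocks {
                println!("{}: {} bytes of DER {:02x?}", b.label, b.der.len(), b.der);
            }
        }
        Err(e) => eprintln!("PEM error: {}", e),
    }
}
```

The DER bytes returned by parse_pem are what a DER parser such as parse_x509_certificate expects; a mismatched END label or bad base64 is surfaced as an error rather than handed on as a shorter-than-expected byte slice.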

To decode a DER-encoded certificate, the main parsing method is parse_x509_certificate, which builds an X509Certificate object and returns it together with the unparsed remainder of the input. When the input is expected to hold exactly one certificate, check that the remainder is empty so that trailing bytes are not silently ignored.

The objects returned by the parsers follow the definitions of the RFC, so fields are accessed by walking the struct members recursively. Some helper functions are provided; for example, X509Certificate::issuer() returns the same as accessing <object>.tbs_certificate.issuer.
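To make the security claims above concrete (lengths checked against the input, a recursion limit, no panics, and the remaining input handed back to the caller), here is an added example written for this page rather than taken from x509-parser: a minimal DER TLV reader that enforces the rules a safe parser needs before it hands out a value. MAX_DEPTH, the error names, the sample bytes and the nested-SEQUENCE builder are this example's own assumptions; the crate's real internal limits are not shown on this page.

```rust
// Added example, not x509-parser's code: a defensive DER TLV reader.

#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated,        // declared length runs past the input
    IndefiniteLength, // 0x80: legal in BER, forbidden in DER
    NonMinimalLength, // long form used for < 128, or a leading zero length byte
    LengthOverflow,   // more length bytes than usize can hold
    UnsupportedTag,   // high-tag-number form (not needed for X.509 here)
    RecursionLimit,   // nesting deeper than MAX_DEPTH
    TrailingData,     // bytes left after the single top-level value
}

/// A parsed TLV that borrows its content from the input (zero-copy).
#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub content: &'a [u8],
}

/// Assumed recursion limit for nested constructed values.
pub const MAX_DEPTH: usize = 64;

/// Parse one TLV; returns the value and the remaining input, nom-style.
pub fn parse_tlv(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), DerError> {
    let (&tag, rest) = input.split_first().ok_or(DerError::Truncated)?;
    if tag & 0x1f == 0x1f {
        return Err(DerError::UnsupportedTag);
    }
    let (&first, rest) = rest.split_first().ok_or(DerError::Truncated)?;
    let (len, rest) = if first < 0x80 {
        (usize::from(first), rest)
    } else if first == 0x80 {
        return Err(DerError::IndefiniteLength);
    } else {
        let n = usize::from(first & 0x7f);
        if n > std::mem::size_of::<usize>() {
            return Err(DerError::LengthOverflow);
        }
        if rest.len() < n {
            return Err(DerError::Truncated);
        }
        let (len_bytes, rest) = rest.split_at(n);
        let len = len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | usize::from(b));
        if len < 0x80 || len_bytes[0] == 0 {
            return Err(DerError::NonMinimalLength);
        }
        (len, rest)
    };
    // Length is validated against the input before slicing: no panic, no over-read.
    if rest.len() < len {
        return Err(DerError::Truncated);
    }
    let (content, rem) = rest.split_at(len);
    Ok((Tlv { tag, content }, rem))
}

/// Parse exactly one top-level value; trailing bytes are an error, not ignored.
pub fn parse_single(input: &[u8]) -> Result<Tlv<'_>, DerError> {
    let (tlv, rem) = parse_tlv(input)?;
    if !rem.is_empty() {
        return Err(DerError::TrailingData);
    }
    Ok(tlv)
}

/// Walk a DER value, counting every TLV and refusing to recurse past MAX_DEPTH.
pub fn count_tlvs(input: &[u8], depth: usize) -> Result<usize, DerError> {
    if depth > MAX_DEPTH {
        return Err(DerError::RecursionLimit);
    }
    let (mut rem, mut count) = (input, 0);
    while !rem.is_empty() {
        let (tlv, rest) = parse_tlv(rem)?;
        count += 1;
        if tlv.tag & 0x20 != 0 {
            count += count_tlvs(tlv.content, depth + 1)?; // constructed: recurse
        }
        rem = rest;
    }
    Ok(count)
}

/// DER length encoding (short form below 128, minimal long form above).
fn encode_len(len: usize, out: &mut Vec<u8>) {
    if len < 0x80 {
        out.push(len as u8);
        return;
    }
    let bytes = len.to_be_bytes();
    let skip = bytes.iter().take_while(|&&b| b == 0).count();
    out.push(0x80 | (bytes.len() - skip) as u8);
    out.extend_from_slice(&bytes[skip..]);
}

/// Build `depth` SEQUENCEs nested inside each other (a constructed "recursion bomb").
pub fn nested_sequences(depth: usize) -> Vec<u8> {
    let mut v = vec![0x30, 0x00];
    for _ in 1..depth {
        let mut outer = vec![0x30];
        encode_len(v.len(), &mut outer);
        outer.extend_from_slice(&v);
        v = outer;
    }
    v
}

/// Constructed sample (not a certificate): SEQUENCE { INTEGER 1, SEQUENCE { INTEGER 2 } }
pub const SAMPLE_DER: &[u8] = &[0x30, 0x08, 0x02, 0x01, 0x01, 0x30, 0x03, 0x02, 0x01, 0x02];

fn main() {
    println!("{:?}", count_tlvs(SAMPLE_DER, 0)); // Ok(4)
    println!("{:?}", parse_single(&[0x30, 0x10, 0x02, 0x01, 0x01])); // Err(Truncated)
    println!("{:?}", count_tlvs(&nested_sequences(MAX_DEPTH + 1), 0)); // Err(RecursionLimit)
}
```

Every rejected input here (an oversized length, an indefinite length, a non-minimal length, deep nesting, trailing bytes) is a classic way to make a naive ASN.1 parser read out of bounds, loop, or exhaust the stack; returning an error value rather than panicking is what "panic-free" means in practice for a parser fed untrusted certificates.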

For PEM-encoded certificates, use the pem module.

Examples

Parsing a certificate in DER format:

use x509_parser::prelude::*;

static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");

let res = parse_x509_certificate(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        assert!(rem.is_empty());
        //
        assert_eq!(cert.tbs_certificate.version, X509Version::V3);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}

To parse a CRL and print information about revoked certificates:

// `DER` is a byte slice holding the DER-encoded CRL (its definition is not shown here)
let res = parse_x509_crl(DER);
match res {
    Ok((_rem, crl)) => {
        for revoked in crl.iter_revoked_certificates() {
            println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
            println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
        }
    },
    _ => panic!("CRL parsing failed: {:?}", res),
}

See also examples/print-cert.rs.

Features

The verify feature enables cryptographic signature verification: X509Certificate::verify_signature checks the certificate's signature against a SubjectPublicKeyInfo (pass the issuer's key, or None to check the certificate against its own key, as for a self-signed certificate). It answers only "was this certificate signed by this key": it does not build or validate a chain to a trust anchor, nor check validity dates, name constraints, key usage or revocation, all of which the caller must do separately.

/// Cryptographic signature verification: returns true if certificate was signed by issuer
#[cfg(feature = "verify")]
pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
    let issuer_public_key = &issuer.tbs_certificate.subject_pki;
    cert
        .verify_signature(Some(issuer_public_key))
        .is_ok()
}

Rust version requirements

x509-parser requires rustc 1.45 or greater, because of its nom 6 dependency and its use of proc-macro attributes.

Re-exports

pub use der_parser;
pub use der_parser::num_bigint;
pub use nom;
pub use oid_registry;

Modules

certificate

X.509 Certificate object definitions and operations

certification_request
cri_attributes
error

X.509 errors

extensions

X.509 Extensions objects and types

objects

X.509 helper objects definitions and registry

pem

Decoding functions for PEM-encoded data

prelude

A “prelude” for users of the x509-parser crate.

revocation_list
time
x509

X.509 objects and types

Functions

parse_crl_der (deprecated)

Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built object.

parse_x509_certificate

Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built object.

parse_x509_crl

Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built object.

parse_x509_der (deprecated)

Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built