§X.509 Parser
An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.
It is written in pure Rust, is fast, and makes extensive use of zero-copy. A lot of care is taken to ensure the security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.
The code is available on GitHub and is part of the Rusticata project.
Certificates are usually encoded in two main formats: PEM (usually the most common format) or DER. A PEM-encoded certificate is a container, storing a DER object. See the pem module for more documentation.
To decode a DER-encoded certificate, the main parsing method is X509Certificate::from_der (part of the FromDer trait), which builds an X509Certificate object.
An alternative method is to use X509CertificateParser, which allows specifying parsing options (for example, not automatically parsing extension contents).
The returned objects for parsers follow the definitions of the RFC. This means that accessing fields is done by accessing struct members recursively. Some helper functions are provided, for example X509Certificate::issuer() returns the same as accessing <object>.tbs_certificate.issuer.
For PEM-encoded certificates, use the pem module.
This crate also provides visitor traits: X509CertificateVisitor.
§Examples
Parsing a certificate in DER format:
    use x509_parser::prelude::*;
    static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");
    let res = X509Certificate::from_der(IGCA_DER);
    match res {
        Ok((rem, cert)) => {
            // the whole input was consumed: nothing trails the certificate
            assert!(rem.is_empty());
            // the parsed certificate is X.509 v3
            assert_eq!(cert.version(), X509Version::V3);
        },
        _ => panic!("x509 parsing failed: {:?}", res),
    }
To parse a CRL and print information about revoked certificates:
    // DER is a byte slice holding the DER-encoded CRL, supplied by the caller
    let res = CertificateRevocationList::from_der(DER);
    match res {
        Ok((_rem, crl)) => {
            for revoked in crl.iter_revoked_certificates() {
                println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
                println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
            }
        },
        _ => panic!("CRL parsing failed: {:?}", res),
    }
See also examples/print-cert.rs.
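As an added illustration that is not code from the x509-parser crate, the following minimal Rust DER TLV reader shows the conventions the crate is described with above: it returns the remaining input alongside the parsed value, borrows content zero-copy, rejects the BER-only length encodings DER forbids, and applies a recursion limit to nested values. The names read_tlv, nesting_depth, Tlv and DerError are chosen here and are not crate APIs.

```rust
// Added example (not part of the x509-parser crate): a minimal, panic-free DER TLV
// reader in the style the crate uses: it returns (remaining, value), borrows the
// content zero-copy, and applies an explicit recursion limit to nested values.
#[derive(Debug, PartialEq)]
pub enum DerError { Incomplete, IndefiniteLength, NonMinimalLength, LengthOverflow, TooDeep }

/// A parsed TLV: the tag byte and a borrowed slice of its contents.
#[derive(Debug, PartialEq)]
pub struct Tlv<'a> { pub tag: u8, pub content: &'a [u8] }

/// Read one TLV from `input`, returning `(remaining, tlv)`. Indefinite and
/// non-minimal lengths are BER constructs that DER (X.690) forbids, so they are errors.
pub fn read_tlv(input: &[u8]) -> Result<(&[u8], Tlv<'_>), DerError> {
    let (&tag, rest) = input.split_first().ok_or(DerError::Incomplete)?;
    let (&first, rest) = rest.split_first().ok_or(DerError::Incomplete)?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest) // short form: one length byte
    } else if first == 0x80 {
        return Err(DerError::IndefiniteLength);
    } else {
        let n = (first & 0x7f) as usize; // long form: n following length bytes
        if n > 4 { return Err(DerError::LengthOverflow); }
        if rest.len() < n { return Err(DerError::Incomplete); }
        let mut len = 0usize;
        for &b in &rest[..n] { len = (len << 8) | b as usize; }
        // DER requires the shortest encoding: no leading zero byte, no long form below 128
        if len < 0x80 || (n > 1 && rest[0] == 0) { return Err(DerError::NonMinimalLength); }
        (len, &rest[n..])
    };
    if rest.len() < len { return Err(DerError::Incomplete); } // length must fit the input
    let (content, remaining) = rest.split_at(len);
    Ok((remaining, Tlv { tag, content }))
}

/// Nesting depth of constructed values (SEQUENCE, SET, ...) in `input`, refusing to
/// descend more than `max_depth` levels so hostile input cannot exhaust the stack.
pub fn nesting_depth(input: &[u8], max_depth: usize) -> Result<usize, DerError> {
    let mut deepest: usize = 0;
    let mut rest = input;
    while !rest.is_empty() {
        let (rem, tlv) = read_tlv(rest)?;
        if (tlv.tag & 0x20) != 0 { // bit 6 set: constructed encoding
            if max_depth == 0 { return Err(DerError::TooDeep); }
            deepest = deepest.max(1 + nesting_depth(tlv.content, max_depth - 1)?);
        }
        rest = rem;
    }
    Ok(deepest)
}
```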
§Features
- The verify feature adds support for (cryptographic) signature verification, based on ring. It adds the X509Certificate::verify_signature() method to X509Certificate.
    /// Cryptographic signature verification: returns true if the certificate was signed by the issuer
    #[cfg(feature = "verify")]
    pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
        let issuer_public_key = issuer.public_key();
        cert
            .verify_signature(Some(issuer_public_key))
            .is_ok()
    }
- The validate feature adds methods to run more validation functions on the certificate structure and values using the Validate trait. It does not validate any cryptographic parameter (see verify above).
§Rust version requirements
x509-parser requires rustc version 1.67.1 or greater, based on der-parser dependencies and for proc-macro attribute support.
Re-exports§
pub use asn1_rs;
pub use der_parser;
pub use der_parser::num_bigint;
pub use nom;
pub use oid_registry;
Modules§
- certificate - X.509 Certificate object definitions and operations
- certification_request
- cri_attributes
- error - X.509 errors
- extensions - X.509 Extensions objects and types
- objects - X.509 helper objects definitions and registry
- pem - Decoding functions for PEM-encoded data
- prelude - A "prelude" for users of the x509-parser crate.
- public_key
- revocation_list
- signature_algorithm
- signature_value
- time
- utils
- validate (feature: validate)
- verify (feature: verify)
- visitor
- x509 - X.509 objects and types
Functions§
- parse_crl_der (Deprecated) - Parse a DER-encoded X.509 v2 CRL, and return the remainder of the input and the built object.
- parse_x509_certificate - Parse a DER-encoded X.509 Certificate, and return the remainder of the input and the built object.
- parse_x509_crl - Parse a DER-encoded X.509 v2 CRL, and return the remainder of the input and the built object.
- parse_x509_der (Deprecated) - Parse a DER-encoded X.509 Certificate, and return the remainder of the input and the built