Bug: 194415839

Clone this repo:
  1. 41e6ac2 Restrict visibility to existing user. by Andrew Walbran · 9 months ago main master
  2. d07aafe Migrate to cargo_embargo. am: fe14e434be by Andrew Walbran · 11 months ago
  3. fe14e43 Migrate to cargo_embargo. by Andrew Walbran · 11 months ago
  4. e246832 Make x509-parser available to product and vendor am: d9bac8d442 am: 7a81510fe0 am: 1805372645 am: 7c740d630c by Matthew Maurer · 1 year, 7 months ago android14-d2-release android14-d2-s1-release android14-d2-s2-release android14-d2-s3-release android14-d2-s4-release android14-d2-s5-release android14-qpr1-automotiveos-release android14-qpr1-release android14-qpr1-s2-release android-14.0.0_r16 android-14.0.0_r17 android-14.0.0_r18 android-14.0.0_r19 android-14.0.0_r20 android-14.0.0_r21 android-14.0.0_r22 android-14.0.0_r23 android-14.0.0_r24 android-14.0.0_r25 android-14.0.0_r26 android-14.0.0_r27 android-14.0.0_r38 android-14.0.0_r39 android-14.0.0_r40 android-14.0.0_r41 android-14.0.0_r42 android-14.0.0_r43 android-14.0.0_r44 android-14.0.0_r45 android-automotiveos-14.0.0_lts2
  5. 7c740d6 Make x509-parser available to product and vendor am: d9bac8d442 am: 7a81510fe0 am: 1805372645 by Matthew Maurer · 1 year, 7 months ago android14-dev

License: MIT Apache License 2.0 docs.rs crates.io Download numbers Github CI Minimum rustc version

X.509 Parser

A X.509 v3 (RFC5280) parser, implemented with the nom parser combinator framework.

It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.

The code is available on Github and is part of the Rusticata project.

Certificates are usually encoded in two main formats: PEM (usually the most common format) or DER. A PEM-encoded certificate is a container, storing a DER object. See the pem module for more documentation.

To decode a DER-encoded certificate, the main parsing method is [X509Certificate::from_der] ( part of the FromDer trait ), which builds a X509Certificate object.

An alternative method is to use X509CertificateParser, which allows specifying parsing options (for example, not automatically parsing option contents).

The returned objects for parsers follow the definitions of the RFC. This means that accessing fields is done by accessing struct members recursively. Some helper functions are provided, for example X509Certificate::issuer() returns the same as accessing <object>.tbs_certificate.issuer.

For PEM-encoded certificates, use the pem module.

Examples

Parsing a certificate in DER format:

use x509_parser::prelude::*;

static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");

let res = X509Certificate::from_der(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        assert!(rem.is_empty());
        //
        assert_eq!(cert.version(), X509Version::V3);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}

To parse a CRL and print information about revoked certificates:

#
#
let res = CertificateRevocationList::from_der(DER);
match res {
    Ok((_rem, crl)) => {
        for revoked in crl.iter_revoked_certificates() {
            println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
            println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
        }
    },
    _ => panic!("CRL parsing failed: {:?}", res),
}

See also examples/print-cert.rs.

Features

/// Cryptographic signature verification: returns true if certificate was signed by issuer
#[cfg(feature = "verify")]
pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
    let issuer_public_key = issuer.public_key();
    cert
        .verify_signature(Some(issuer_public_key))
        .is_ok()
}
  • The validate features add methods to run more validation functions on the certificate structure and values using the Validate trait. It does not validate any cryptographic parameter (see verify above).

Rust version requirements

x509-parser requires Rustc version 1.46 or greater, based on nom 7 dependencies and for proc-macro attributes support.

Changes

See CHANGELOG.md

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.