
Module client_cert


Client certificate authentication (application-layer mTLS identity extraction).

Where this fits in the stack

TLS layer   ─── mTLS handshake ──► proves client holds the private key
This module ─── cert inspection ──► extracts identity, applies policy

The TLS handshake cryptographically proves that the client possesses the private key corresponding to the certificate it presented. Once TLS is established, the server-side application receives the verified certificate as DER bytes. This module’s job is the second part: inspecting the certificate to answer “who is this client?” and “are they permitted?”.

What this module covers

Any PKI-based client authentication that delivers an X.509 certificate to the application layer:

  • Software client certificates (p12/pfx, PEM bundles)
  • Smart card client certificates (SC/PKCS#11, hardware-bound private key)
  • US government PIV (NIST SP 800-73) certificates
  • CAC (Common Access Card) certificates

From this module’s perspective a smart card certificate is just an X.509 DER byte string. The PC/SC protocol that extracts it from the physical card is handled at the transport layer (PKCS#11 middleware, OS TLS stack, etc.).

What this module does NOT do

  • Cryptographic signature verification of the cert chain: that belongs in the TLS library (rustls, native-tls). ClientCertConfig::trusted_ca_ders is a defence-in-depth post-TLS policy check (issuer DN matching), not a replacement for TLS-level chain verification.
  • OCSP / CRL revocation checking: a future extension. Rely on the TLS layer’s revocation configuration for now.
  • PC/SC card reader access: use a PKCS#11 middleware library at the transport layer (e.g. OpenSC).

Structs

  • CertIdentity: Identity extracted from a successfully validated client certificate.
  • CertPin: Certificate fingerprint for pinning.
  • CertPinStore: A certificate pin store for enforcing certificate pinning.
  • ClientCertAuthMethod: Application-layer client certificate authenticator.
  • ClientCertConfig: Configuration for ClientCertAuthMethod.
  • CrlStore: An in-memory CRL (Certificate Revocation List) store.

Enums

  • RevocationStatus: Revocation check result.

Functions

  • cert_thumbprint_s256: Computes a certificate thumbprint for use in RFC 8705 certificate-bound access tokens (mTLS client certificate binding).
  • verify_cert_binding: Verify that a presented certificate matches the x5t#S256 thumbprint bound to an access token (RFC 8705 §3).
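Worked example of the RFC 8705 §3.1 binding check that cert_thumbprint_s256 and verify_cert_binding perform, added here as an illustration in Python rather than taken from this crate: the DER bytes and the token's cnf claim are constructed, and the function names mirror the module's while their signatures are assumptions.

```python
"""RFC 8705 certificate-bound access token check (added example, not crate code)."""
import base64
import hashlib
import hmac


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """x5t#S256 per RFC 8705 §3.1: base64url without padding of SHA-256 over
    the full DER encoding. Hashing the whole certificate (not just the key)
    means a re-issued certificate yields a new thumbprint, so the token must
    be re-obtained rather than silently continuing to match."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_cert_binding(cert_der: bytes, cnf: dict) -> bool:
    """True only if the certificate as received from the TLS layer matches the
    token's cnf.x5t#S256 confirmation claim. A token lacking the binding is
    rejected: a bound-token endpoint must not degrade to bearer semantics."""
    bound = cnf.get("x5t#S256")
    if not isinstance(bound, str) or not bound:
        return False
    presented = cert_thumbprint_s256(cert_der)
    # Constant-time comparison so the check does not leak match length.
    return hmac.compare_digest(presented.encode("ascii"), bound.encode("ascii"))


def check_request(cert_der, token_claims: dict) -> bool:
    """Resource-server side. token_claims is assumed to come from a token whose
    signature was already verified; cnf lives inside those claims. A request
    without a TLS client certificate cannot satisfy a bound token."""
    if cert_der is None:
        return False
    cnf = token_claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    return verify_cert_binding(cert_der, cnf)


# Constructed sample: stands in for the DER bytes handed over by the TLS stack.
SAMPLE_CERT_DER = b"abc"
# Constructed token claims, bound at issuance to SAMPLE_CERT_DER.
SAMPLE_TOKEN = {"sub": "client-123",
                "cnf": {"x5t#S256": cert_thumbprint_s256(SAMPLE_CERT_DER)}}

if __name__ == "__main__":
    print(cert_thumbprint_s256(SAMPLE_CERT_DER))
    print(check_request(SAMPLE_CERT_DER, SAMPLE_TOKEN))   # bound cert: True
    print(check_request(b"abd", SAMPLE_TOKEN))            # other cert: False
```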