cert_helper/lib.rs
1//! # Cert-Helper
2//!
3//! ## Description
4//!
5//! A lightweight wrapper around the OpenSSL crate for working with X.509 certificates and private keys.
6//!
7//! This library provides a set of utility functions to simplify common tasks such as:
8//! - Creating self-signed or CA-signed certificates
9//! - Generating RSA/ECDSA private keys
10//! - Creating Certificate Signing Requests (CSRs)
11//! - Signing certificates from CSRs using a CA certificate and key
12//! - Reading and writing certificates, keys, and CSRs in PEM format
13//! - Validating certificate chains and properties
14//! - Create or update certificate revocation list(crl)
15//!
16//! ### Certificate Signing Requirements
17//! To sign another certificate, the signing certificate must:
18//! - Have the `CA` (Certificate Authority) flag set to `true`
19//! - Include the `KeyUsage` extension with the `keyCertSign` bit enabled
20//!
21//! These constraints ensure that the certificate is recognized as a valid CA and can be used to issue other certificates.
22//!
23//! ### Use Cases
24//! - Generating certificates for local development or internal services
25//! - Creating a simple certificate authority for testing
26//! - Validating certificate chains in custom TLS setups
27//! - Creating CSRs to be signed by external or internal CAs
28//! - Issuing signed certificates from CSRs for controlled certificate management
29//! - Create crl for testing how a client handle certificate revocations
30//!
31//!
32//! ## Basic Example creating a certificate and private key
33//! ```rust
34//! use cert_helper::certificate::{CertBuilder, Certificate, HashAlg, KeyType, Usage, verify_cert, UseesBuilderFields};
35//!
36//! // create a self signed certificate with several optional values set
37//! let ca = CertBuilder::new()
38//! .common_name("My Test Ca")
39//! .country_name("SE")
40//! .state_province("Stockholm")
41//! .organization("my org")
42//! .locality_time("Stockholm")
43//! .is_ca(true)
44//! .key_type(KeyType::P521)
45//! .signature_alg(HashAlg::SHA512)
46//! .key_usage([Usage::certsign, Usage::crlsign].into_iter().collect());
47//! let root_cert = ca.build_and_self_sign();
48//! assert!(root_cert.is_ok())
49//! // to write data to file you need to use X509Common to access the save
50//! // ca.save("./certs/", "mytestca")?;
51//!```
52//! ## Basic Example creating a certificate signing request and private key
53//! ```rust
54//! use cert_helper::certificate::{Usage, Csr, verify_cert, UseesBuilderFields,CsrBuilder};
55//!
56//! // create a certificate signing request and private key
57//! let csr_builder = CsrBuilder::new()
58//! .common_name("example2.com")
59//! .country_name("SE")
60//! .state_province("Stockholm")
61//! .organization("My org")
62//! .locality_time("Stockholm")
63//! .alternative_names(vec!["example2.com", "www.example2.com"])
64//! .key_usage(
65//! [
66//! Usage::contentcommitment,
67//! Usage::encipherment,
68//! Usage::serverauth,
69//! ]
70//! .into_iter()
71//! .collect(),
72//! );
73//! let csr = csr_builder.certificate_signing_request();
74//! assert!(csr.is_ok());
75//!
76//! // to write data to file you need to use X509Common to access the save
77//! // csr.save("./certs/", "mytestca")?;
78//!
79//!```
80//! ## Basic Example creating a signed certificate from a signing request
81//! ```rust
82//! use cert_helper::certificate::{CertBuilder, Csr, verify_cert, UseesBuilderFields, CsrBuilder,CsrOptions};
83//!
84//! let ca = CertBuilder::new().common_name("My Test Ca").is_ca(true);
85//! let root_cert = ca.build_and_self_sign().expect("failed to create root certificate");
86//!
87//! let csr_builder = CsrBuilder::new().common_name("example2.com");
88//! let csr = csr_builder.certificate_signing_request().expect("Failed to generate csr");
89//! let options = CsrOptions::new();// used for enabling csr for CA certficates
90//! let cert = csr.build_signed_certificate(&root_cert, options);
91//! assert!(cert.is_ok());
92//! ```
93//!
94//! ## Basic Example creating a chain of signed certificates and verify the chain
95//! ```rust
96//! use cert_helper::certificate::{CertBuilder, verify_cert, UseesBuilderFields};
97//!
98//! let cert = CertBuilder::new().common_name("Cert-1").is_ca(true);
99//! let cert_1 = cert.build_and_self_sign().expect("Failed to create certificate");
100//! let cert = CertBuilder::new().common_name("Cert-2").is_ca(true);
101//! let cert_2 = cert.build_and_sign(&cert_1).expect("Failed to create certificate");
102//! let cert = CertBuilder::new().common_name("Cert-3");
103//! let cert_3 = cert.build_and_sign(&cert_2).expect("Failed to create certificate");
104//!
105//! match verify_cert(&cert_3.x509, &cert_1.x509, vec![&cert_2.x509]) {
106//! Ok(true) => println!("verify ok"),
107//! _ => println!("failed verify"),
108//! }
109//!
110//! ```
111//!
112//! ## Example on how to create a certifcate revocation list(clr)
113//! ```rust
114//! use cert_helper::certificate::{CertBuilder, UseesBuilderFields};
115//! use cert_helper::crl::X509CrlBuilder;
116//! use chrono::Utc;
117//! use num_bigint::BigUint;
118//!
119//! let ca = CertBuilder::new()
120//! .common_name("My Test Ca")
121//! .is_ca(true)
122//! .build_and_self_sign()
123//! .unwrap();
124//! let mut builder = X509CrlBuilder::new(ca);
125//! let revocked = CertBuilder::new()
126//! .common_name("My Test")
127//! .build_and_self_sign()
128//! .unwrap();
129//!
130//! let bytes = revocked.x509.serial_number().to_bn().unwrap().to_vec();
131//! builder.add_revoked_cert(BigUint::from_bytes_be(&bytes), Utc::now());
132//!
133//! let crl_der = builder.build_and_sign();
134//! // to save crl as pem use the helper function
135//! // write_der_crl_as_pem(&crl_der, "./certs", "crl.pem").expect("failed to save crl as pem file");
136//!
137//! ```
138//!
139//! ## Config
140//!
141//! Values that can be selected for building a certificate
142//! | keyword | description | options |
143//! | ----------------- | --------------------------------------------------------------------------- | ----------------------------------- |
144//! | common_name | the common name this certificate shoud have, mandatory field | string: www.foo.se |
145//! | key_type | key type to be used, defaults to RSA2048 | enum: RSA2048, RSA4096, P224, P256, P384, P512 |
146//! | ca | is this certificate used to sign other certificates, default value is false | boolean: true or false |
147//! | country_name | the country code to use,must follow the standard defined by ISO 3166-1 alpha-2. | string: SE |
148//! | organization | organisation name | string: test |
149//! | state_province | some name | string: test |
150//! | locality_time | Stockholm | string: Stockholm |
151//! | alternative_names | list of alternative DNS names this certificate is valid for | string: valid dns names |
152//! | signature_alg | which algorithm to be used for signature, default is SHA256 | enum: SHA1, SHA256, SHA384, SHA512 |
153//! | valid_from | Start date then the certificate is valid, default is now | string: 2010-01-01 |
154//! | valid_to | End date then the certificate is not valid, default is 1 year | string: 2020-01-01 |
155//! | usage | Key usage to add to the certificates, see list below for options | list of enums, defined in Key Usage table |
156//!
157//! ### Key usage
158//!
159//! If CA is true the key usages to sign certificates and crl lists are added automatically.
160//!
161//! | keyword | description |
162//! | ----------------- | ---------------------------------------------------------- |
163//! | certsign | allowed to sign certificates |
164//! | crlsign | allowed to sign crl |
165//! | encipherment | allowed to enciphering private or secret keys |
166//! | clientauth | allowed to authenticate as client |
167//! | serverauth | allowed ot be used for server authenthication |
168//! | signature | allowed to perfom digital signature (For auth) |
169//! | contentcommitment | allowed to perfom document signature (prev non repudation) |
170
171pub mod certificate;
172pub mod crl;