certkit/
lib.rs

1//! # CertKit - A Pure Rust Certificate Management Library
2//!
3//! CertKit is a comprehensive certificate management library built entirely with rustcrypto libraries,
4//! providing an alternative to rcgen without dependencies on ring or openssl (except for testing).
5//! It supports creating and managing X.509 certificate chains, including loading intermediate CAs
6//! and generating server and client certificates.
7//!
8//! ## Supported Key Types
9//!
10//! CertKit supports the following cryptographic key types:
11//! - **RSA**: 2048, 3072, and 4096-bit keys
12//! - **ECDSA**: P-256, P-384, and P-521 curves
13//! - **Ed25519**: Edwards curve digital signature algorithm
14//!
15//! ## Supported Certificate Formats
16//!
17//! - **DER**: Distinguished Encoding Rules (binary format)
18//! - **PEM**: Privacy-Enhanced Mail (base64-encoded text format)
19//!
20//! ## Key Features
21//!
22//! - **Pure Rust**: Built entirely with rustcrypto libraries
23//! - **Certificate Chain Management**: Create and validate certificate hierarchies
24//! - **Self-Signed Certificates**: Generate root CA certificates
25//! - **Intermediate CAs**: Support for multi-level certificate authorities
26//! - **X.509 Extensions**: Comprehensive support for standard extensions
27//! - **Format Flexibility**: Import/export in both PEM and DER formats
28//!
29//! ## Quick Start
30//!
31//! ### Generating a Self-Signed Certificate
32//!
33//! ```rust,no_run
34//! use certkit::{
35//!     key::KeyPair,
36//!     cert::{Certificate, params::{CertificationRequestInfo, DistinguishedName}},
37//! };
38//!
39//! # fn main() -> Result<(), certkit::error::CertKitError> {
40//! // Generate an RSA key pair
41//! let key_pair = KeyPair::generate_rsa(2048)?;
42//!
43//! // Create certificate parameters
44//! let subject = DistinguishedName::builder()
45//!     .common_name("example.com".to_string())
46//!     .organization("Example Corp".to_string())
47//!     .country("US".to_string())
48//!     .build();
49//!
50//! let cert_info = CertificationRequestInfo::builder()
51//!     .subject(subject)
52//!     .subject_public_key(certkit::key::PublicKey::from_key_pair(&key_pair))
53//!     .build();
54//!
55//! // Generate the self-signed certificate
56//! let certificate = Certificate::new_self_signed(&cert_info, &key_pair);
57//!
58//! // Export to PEM format
59//! let pem_cert = certificate.to_pem()?;
60//! println!("Certificate:\n{}", pem_cert);
61//! # Ok(())
62//! # }
63//! ```
64//!
65//! ### Creating a Certificate Chain
66//!
67//! ```rust,no_run
68//! use certkit::{
69//!     key::KeyPair,
70//!     cert::{Certificate, CertificateWithPrivateKey, params::{CertificationRequestInfo, DistinguishedName, Validity}},
71//!     issuer::Issuer,
72//! };
73//!
74//! # fn main() -> Result<(), certkit::error::CertKitError> {
75//! // Generate keys for CA and end-entity
76//! let ca_key = KeyPair::generate_ecdsa_p256();
77//! let server_key = KeyPair::generate_ecdsa_p256();
78//!
79//! // Create CA certificate
80//! let ca_subject = DistinguishedName::builder()
81//!     .common_name("Example CA".to_string())
82//!     .organization("Example Corp".to_string())
83//!     .build();
84//!
85//! let ca_cert_info = CertificationRequestInfo::builder()
86//!     .subject(ca_subject)
87//!     .subject_public_key(certkit::key::PublicKey::from_key_pair(&ca_key))
88//!     .is_ca(true)
89//!     .build();
90//!
91//! let ca_cert = Certificate::new_self_signed(&ca_cert_info, &ca_key);
92//! let ca_with_key = CertificateWithPrivateKey {
93//!     cert: ca_cert,
94//!     key: ca_key,
95//! };
96//!
97//! // Create server certificate signed by CA
98//! let server_subject = DistinguishedName::builder()
99//!     .common_name("server.example.com".to_string())
100//!     .build();
101//!
102//! let server_cert_info = CertificationRequestInfo::builder()
103//!     .subject(server_subject)
104//!     .subject_public_key(certkit::key::PublicKey::from_key_pair(&server_key))
105//!     .build();
106//!
107//! let validity = Validity::for_days(365);
108//! let server_cert = ca_with_key.issue(&server_cert_info, validity);
109//!
110//! println!("Server certificate issued successfully!");
111//! # Ok(())
112//! # }
113//! ```
114//!
115//! ### Working with Certificate Extensions
116//!
117//! ```rust,no_run
118//! use certkit::{
119//!     key::KeyPair,
120//!     cert::{
121//!         Certificate,
122//!         params::{CertificationRequestInfo, DistinguishedName, ExtensionParam},
123//!         extensions::{SubjectAltName, ExtendedKeyUsage, ExtendedKeyUsageOption, ToAndFromX509Extension},
124//!     },
125//! };
126//!
127//! # fn main() -> Result<(), certkit::error::CertKitError> {
128//! let key_pair = KeyPair::generate_ed25519();
129//!
130//! // Create Subject Alternative Name extension
131//! let san = SubjectAltName {
132//!     names: vec!["example.com".to_string(), "www.example.com".to_string()],
133//! };
134//!
135//! // Create Extended Key Usage extension
136//! let eku = ExtendedKeyUsage {
137//!     usage: vec![ExtendedKeyUsageOption::ServerAuth, ExtendedKeyUsageOption::ClientAuth],
138//! };
139//!
140//! let subject = DistinguishedName::builder()
141//!     .common_name("example.com".to_string())
142//!     .build();
143//!
144//! let cert_info = CertificationRequestInfo::builder()
145//!     .subject(subject)
146//!     .subject_public_key(certkit::key::PublicKey::from_key_pair(&key_pair))
147//!     .extensions(vec![
148//!         ExtensionParam::from_extension(san, false),
149//!         ExtensionParam::from_extension(eku, true),
150//!     ])
151//!     .build();
152//!
153//! let certificate = Certificate::new_self_signed(&cert_info, &key_pair);
154//! println!("Certificate with extensions created successfully!");
155//! # Ok(())
156//! # }
157//! ```
158//!
159//! ## Error Handling
160//!
161//! CertKit uses a comprehensive error system that provides detailed information about failures:
162//!
163//! ```rust
164//! use certkit::{key::KeyPair, error::CertKitError};
165//!
166//! match KeyPair::import_from_pkcs8_pem("invalid pem data") {
167//!     Ok(key_pair) => println!("Key imported successfully"),
168//!     Err(CertKitError::DecodingError(msg)) => println!("Failed to decode key: {}", msg),
169//!     Err(CertKitError::InvalidInput(msg)) => println!("Invalid input: {}", msg),
170//!     Err(e) => println!("Other error: {}", e),
171//! }
172//! ```
173//!
174//! ## Module Organization
175//!
176//! - [`key`]: Key generation, import/export, and cryptographic operations
177//! - [`cert`]: Certificate creation, encoding/decoding, and management
178//! - [`issuer`]: Certificate issuing functionality and CA operations
179//! - [`error`]: Comprehensive error types and handling
180//! - [`tbs_certificate`]: Low-level certificate structure manipulation
181
182pub mod cert;
183pub mod error;
184pub mod issuer;
185pub mod key;
186pub mod tbs_certificate;
certkit/lib.rs

certkit/
lib.rs
