secure_network 0.1.1

TLS policy validation, SPKI certificate pinning, and cleartext traffic detection.
Documentation

secure_network

crates.io docs.rs License: MIT OR Apache-2.0

TLS configuration validation, SPKI certificate pinning, mTLS identity, and cleartext detection for OWASP MASVS-NETWORK-1 and MASVS-NETWORK-2. Part of the SunLit Security Libraries workspace.

When to reach for this crate

  • You're shipping a mobile or desktop app and need to pin server certificates by SPKI hash, with current+backup pin rotation.
  • You operate an mTLS gateway and need to extract and revocation-check client identities from a verified chain.
  • You need to validate TLS configuration (allowed versions, cipher suites) against a policy without performing the handshake yourself.
  • You need a cleartext detector to guarantee mobile traffic isn't slipping out over plain HTTP.

All types are pure-Rust policy objects and validators — they do not perform TLS handshakes. The application provides raw certificate chains and TLS parameters; this crate provides the validation logic.

Install

[dependencies]
secure_network = "0.1"

Quick examples

Certificate pinning by SPKI SHA-256

use secure_network::cert_pin::{CertPinValidator, PinSet};

// Current pin and backup pin (best practice: always have a backup).
let pins = PinSet::from_hex_hashes(&[
    "abc123...64hex",  // SPKI SHA-256 of current cert
    "def456...64hex",  // SPKI SHA-256 of backup
])?;

let validator = CertPinValidator::new(pins);
// Pass each presented leaf certificate (DER bytes) into validator.validate()
// during connection setup; reject the connection on mismatch.
# Ok::<(), Box<dyn std::error::Error>>(())

TLS configuration policy

use secure_network::tls_policy::{CipherSuite, TlsPolicy, TlsVersion};

let policy = TlsPolicy::builder()
    .min_version(TlsVersion::Tls12)
    .allow_cipher(CipherSuite::Tls13Aes256GcmSha384)
    .allow_cipher(CipherSuite::Tls13ChaCha20Poly1305Sha256)
    .build();

let result = policy.validate(TlsVersion::Tls13, CipherSuite::Tls13Aes256GcmSha384);
assert!(result.is_allow());

Cleartext-traffic detection

use secure_network::cleartext::{CleartextDetector, CleartextResult};

let detector = CleartextDetector::default();
match detector.evaluate("http://api.example.com/data") {
    CleartextResult::Cleartext { .. } => panic!("plain HTTP forbidden"),
    CleartextResult::Encrypted => { /* fine */ }
}

What's inside

Module Use it for
cert_pin::PinSet / CertPinValidator SPKI SHA-256 pin validation with multi-pin rotation.
tls_policy::TlsPolicy Allowed-version and allowed-cipher policy for connection setup.
tls_policy::TlsValidationResult / TlsDenyReason Structured validation results for logging/telemetry.
cleartext::CleartextDetector Detect cleartext URLs/hosts for mobile/desktop egress checks.
mtls::MtlsClientIdentity / MtlsClientIdentityStatus Typed mTLS client identity extraction from a verified chain.
mtls::MtlsRevocationLookup / NoMtlsRevocations Pluggable revocation hooks (CRL, OCSP, custom store).
error::NetworkSecurityError Structured errors with no PII or hostnames.

Compatibility

  • MSRV: 1.78
  • #![forbid(unsafe_code)], #![deny(missing_docs)]
  • Pure Rust; depends on x509-parser and sha2

Status

Alpha.

Related crates

Part of the SunLit Security Libraries workspace:

Crate Purpose
security_core Shared types, identity, classification, severity, redaction.
security_events Security logging and tamper-evident audit chain.
secure_errors Three-layer error model with redaction-safe public errors.
secure_output Context-aware output encoders (HTML, JSON, URL, JS, CSS, XML, LDAP, shell).
secure_data Secrets, envelope encryption, Argon2id, FIPS, mobile storage.
secure_device_trust Native-client device trust and session certificates.
secure_resilience RASP and environment-detection policy.
secure_privacy PII classification, consent, retention, pseudonymization.
secure_boundary Input validation, security headers, boundary protections.
secure_identity JWT/OIDC, MFA, sessions, biometric step-up.
secure_authz Typed deny-by-default authorization with device-trust predicates.

Getting help

  • Questions, ideas, design discussions — open a GitHub Discussion.
  • Bug reports — use the bug-report template in GitHub Issues.
  • Security issues — please do not open a public issue. See SECURITY.md for the responsible-disclosure process.

Contributing

Contributions are welcome. Please read CONTRIBUTING.md and the Code of Conduct before opening a PR.

License

Dual-licensed under MIT or Apache-2.0 at your option.