x509-parser 0.8.0-beta2

Parser for the X.509 v3 format (RFC 5280 certificates)
Documentation

License: MIT Apache License 2.0 docs.rs crates.io Download numbers Travis CI AppVeyor CI

X.509 Parser

A X.509 v3 (RFC5280) parser, implemented with the nom parser combinator framework.

It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.

The code is available on Github and is part of the Rusticata project.

The main parsing method is parse_x509_der, which takes a DER-encoded certificate as input, and builds a X509Certificate object.

For PEM-encoded certificates, use the pem module.

Examples

Parsing a certificate in DER format:

use x509_parser::parse_x509_der;

static IGCA_DER: &'static [u8] = include_bytes!("../assets/IGC_A.der");

let res = parse_x509_der(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        assert!(rem.is_empty());
        //
        assert_eq!(cert.tbs_certificate.version, 2);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}

See also examples/print-cert.rs.

Compatibility with older rust versions

1.34

There is a build error in arrayvec with rust 1.34: error[E0658]: use of unstable library feature 'maybe_uninit'

To fix it, force the version of lexical-core down:

cargo update -p lexical-core --precise 0.6.7

Changes

0.8.0

  • Upgrade to der-parser 4.0
  • Fix clippy warnings
    • nid2obj argument is now passed by copy, not reference
  • Add method to get a formatted string of the certificate serial number
  • Add method to get decoded version
  • Add convenience methods to access the most common fields (subject, issuer, etc.)
  • Make OID objects public
  • Implement parsing for some extensions
    • Support for extensions is not complete, support for more types will be added later
  • Add example to decode and print certificates

Thanks: @jannschu

0.7.0

  • Expose raw bytes of the certificate serial number
  • Set edition to 2018

0.6.4

  • Fix infinite loop when certificate has no END mark

0.6.3

  • Fix infinite loop when reading non-pem data (#28)

0.6.2

  • Remove debug code left in Pem::read

0.6.1

  • Add CRL parser
  • Expose CRL tbs bytes
  • PEM: ignore lines before BEGIN label (#21)
  • Fix parsing default values for TbsCertificate version field (#24)
  • Use BerResult from der-parser for simpler function signatures
  • Expose tbsCertificate bytes
  • Upgrade dependencies (base64)

0.6.0

  • Update to der-parser 3.0 and nom 5
  • Breaks API, cleaner error types

0.5.1

  • Add time_to_expiration to Validity object
  • Add method to read a Pem object from BufRead + Seek
  • Add method to Pem to decode and extract certificate

0.5.0

  • Update to der-parser 2.0

0.4.3

  • Make parse_subject_public_key_info public
  • Add function sn2oid (get an OID by short name)

0.4.2

  • Support GeneralizedTime conversion

0.4.1

  • Fix case where certificate has no extensions

0.4.0

  • Upgrade to der-parser 1.1, and Use num-bigint over num
  • Rename x509_parser to parse_x509_der
  • Do not export subparsers
  • Improve documentation

0.3.0

  • Upgrade to nom 4

0.2.0

  • Rewrite X.509 structures and parsing code to work in one pass Warning: this is a breaking change
  • Add support for PEM-encoded certificates
  • Add some documentation

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.