X.509 Parser
An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.
It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure the security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.
The code is available on Github and is part of the Rusticata project.
The main parsing method is `parse_x509_der`, which takes a DER-encoded certificate as input and builds an `X509Certificate` object.
For PEM-encoded certificates, use the `pem` module.
Examples
Parsing a certificate in DER format:

```rust
use x509_parser::parse_x509_der;

// Placeholder path: point this at a DER-encoded certificate file.
static IGCA_DER: &'static [u8] = include_bytes!("path/to/certificate.der");

let res = parse_x509_der(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        // `rem` holds whatever follows the certificate's outer SEQUENCE;
        // trailing bytes usually mean malformed or concatenated input.
        assert!(rem.is_empty());
        // the raw version field: X.509 v3 is encoded as 2
        assert_eq!(cert.tbs_certificate.version, 2);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}
```

See also `examples/print-cert.rs`.
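The `pem` module and the changelog below record three edge cases worth checking in any PEM front end: text before the BEGIN label must be ignored, input with no BEGIN label must be rejected instead of read forever, and a block with no END mark must be an error rather than an endless loop. The following block is an added, dependency-free illustration of those behaviours and of the "no trailing bytes" check that `rem.is_empty()` performs in the example above; it is not the crate's own `pem` code. Type and function names (`PemBlock`, `read_pem_block`, `is_single_der_sequence`) and the sample inputs are constructed for this example.

```rust
// Added example, not part of x509-parser: a minimal PEM reader with the edge-case
// handling its changelog describes, plus a check that the decoded DER is exactly
// one SEQUENCE. std only, so it runs without any dependency.

#[derive(Debug, PartialEq)]
pub enum PemError {
    NoBeginLabel,    // non-PEM input: stop, do not loop
    MissingEndLabel, // BEGIN without END: an error, not an endless read
    LabelMismatch,   // END label differs from the BEGIN label
    BadBase64,
}

#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String,
    pub contents: Vec<u8>, // decoded DER bytes
}

/// Standard base64 (RFC 4648, '=' padding) decoder; whitespace is skipped.
fn base64_decode(input: &str) -> Result<Vec<u8>, PemError> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break, // padding: nothing more to decode
            b'\r' | b'\n' | b' ' | b'\t' => continue,
            _ => return Err(PemError::BadBase64),
        };
        acc = (acc << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Extract the first PEM block from `text`. Every loop consumes from one line
/// iterator, so exhausting the input always terminates with an error.
pub fn read_pem_block(text: &str) -> Result<PemBlock, PemError> {
    let mut lines = text.lines();
    // Skip anything before the BEGIN label (comments, "subject=" dumps, ...).
    let label = loop {
        let l = lines.next().ok_or(PemError::NoBeginLabel)?.trim();
        if let Some(rest) = l.strip_prefix("-----BEGIN ") {
            if let Some(label) = rest.strip_suffix("-----") {
                break label.to_string();
            }
        }
    };
    let end_marker = format!("-----END {}-----", label);
    let mut b64 = String::new();
    loop {
        let l = lines.next().ok_or(PemError::MissingEndLabel)?.trim();
        if l == end_marker {
            break;
        }
        if l.starts_with("-----END ") {
            return Err(PemError::LabelMismatch);
        }
        b64.push_str(l);
    }
    Ok(PemBlock { label, contents: base64_decode(&b64)? })
}

/// True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length covers the
/// whole buffer: no trailing bytes, no indefinite or non-minimal length form.
pub fn is_single_der_sequence(der: &[u8]) -> bool {
    if der.len() < 2 || der[0] != 0x30 {
        return false;
    }
    let (len, hdr) = match der[1] {
        n if n < 0x80 => (n as usize, 2),
        0x80 | 0xff => return false, // indefinite / reserved: not DER
        n => {
            let nbytes = (n & 0x7f) as usize;
            if nbytes > 4 || der.len() < 2 + nbytes {
                return false;
            }
            let len = der[2..2 + nbytes].iter().fold(0usize, |a, b| (a << 8) | *b as usize);
            if len < 0x80 || (nbytes > 1 && der[2] == 0) {
                return false; // DER requires the shortest length encoding
            }
            (len, 2 + nbytes)
        }
    };
    hdr + len == der.len()
}

// Constructed samples: a comment line before the block, wrapping the tiny DER
// SEQUENCE { INTEGER 5 } = 30 03 02 01 05 (not a real certificate).
pub const SAMPLE_PEM: &str = "subject=example (constructed sample)\n\
    -----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
pub const TRUNCATED_PEM: &str = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n";

fn main() {
    let block = read_pem_block(SAMPLE_PEM).expect("valid PEM");
    println!("label={} der={:02x?} single_sequence={}",
        block.label, block.contents, is_single_der_sequence(&block.contents));
    println!("truncated: {:?}", read_pem_block(TRUNCATED_PEM));
    println!("not pem:   {:?}", read_pem_block("hello world"));
}
```

The two failure paths return typed errors because a front end that retries on `None` from the line iterator is exactly how the 0.6.3/0.6.4 infinite loops arise; feeding the decoded bytes to `parse_x509_der` and checking `rem.is_empty()` is then the same trailing-data discipline as `is_single_der_sequence` applied by the real parser.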
Features
- The `verify` feature adds support for (cryptographic) signature verification, based on `ring`. It adds the `verify_signature` method to `X509Certificate`:

```rust
/// Cryptographic signature verification: returns Ok(()) if the certificate was signed by the given key
#[cfg(feature = "verify")]
pub fn verify_signature(&self, public_key: Option<&SubjectPublicKeyInfo>) -> Result<(), X509Error>
```

`public_key` is the signer's key: pass `None` to check a self-signed certificate against its own key, and the issuer's `SubjectPublicKeyInfo` otherwise. A valid signature only proves who signed the certificate; validity period, name and key-usage constraints and revocation status still have to be checked by the caller.
Compatibility with older rust versions
Rust 1.34
There is a build error in `arrayvec` with Rust 1.34: `error[E0658]: use of unstable library feature 'maybe_uninit'`.
To fix it, force the version of `lexical-core` down:

```
cargo update -p lexical-core --precise 0.6.7
```
Changes
0.8.0
- Upgrade to der-parser 4.0
- Fix clippy warnings
- `nid2obj` argument is now passed by copy, not reference
- Add method to get a formatted string of the certificate serial number
- Add method to get decoded version
- Add convenience methods to access the most common fields (subject, issuer, etc.)
- Make OID objects public
- Implement parsing for some extensions
- Support for extensions is not complete, support for more types will be added later
- Add example to decode and print certificates
- Add `verify` feature to verify cryptographic signature by a public key
Thanks: @jannschu
0.7.0
- Expose raw bytes of the certificate serial number
- Set edition to 2018
0.6.4
- Fix infinite loop when certificate has no END mark
0.6.3
- Fix infinite loop when reading non-pem data (#28)
0.6.2
- Remove debug code left in `Pem::read`
0.6.1
- Add CRL parser
- Expose CRL tbs bytes
- PEM: ignore lines before BEGIN label (#21)
- Fix parsing default values for TbsCertificate version field (#24)
- Use BerResult from der-parser for simpler function signatures
- Expose tbsCertificate bytes
- Upgrade dependencies (base64)
0.6.0
- Update to der-parser 3.0 and nom 5
- Breaks API, cleaner error types
0.5.1
- Add `time_to_expiration` to `Validity` object
- Add method to read a `Pem` object from `BufRead + Seek`
- Add method to `Pem` to decode and extract certificate
0.5.0
- Update to der-parser 2.0
0.4.3
- Make `parse_subject_public_key_info` public
- Add function `sn2oid` (get an OID by short name)
0.4.2
- Support GeneralizedTime conversion
0.4.1
- Fix case where certificate has no extensions
0.4.0
- Upgrade to der-parser 1.1, and use num-bigint over num
- Rename `x509_parser` to `parse_x509_der`
- Do not export subparsers
- Improve documentation
0.3.0
- Upgrade to nom 4
0.2.0
- Rewrite X.509 structures and parsing code to work in one pass. Warning: this is a breaking change
- Add support for PEM-encoded certificates
- Add some documentation
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.