Crate x509_parser[−][src]
X.509 Parser
A X.509 v3 (RFC5280) parser, implemented with the nom parser combinator framework.
It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.
The code is available on Github and is part of the Rusticata project.
Certificates are usually encoded in two main formats: PEM (usually the most common format) or
DER. A PEM-encoded certificate is a container, storing a DER object. See the
pem module for more documentation.
To decode a DER-encoded certificate, the main parsing method is
parse_x509_certificate, which builds a
X509Certificate object.
The returned objects for parsers follow the definitions of the RFC. This means that accessing
fields is done by accessing struct members recursively. Some helper functions are provided, for
example X509Certificate::issuer() returns the
same as accessing <object>.tbs_certificate.issuer.
For PEM-encoded certificates, use the pem module.
Examples
Parsing a certificate in DER format:
use x509_parser::prelude::*; static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der"); let res = parse_x509_certificate(IGCA_DER); match res { Ok((rem, cert)) => { assert!(rem.is_empty()); // assert_eq!(cert.tbs_certificate.version, X509Version::V3); }, _ => panic!("x509 parsing failed: {:?}", res), }
To parse a CRL and print information about revoked certificates:
let res = parse_x509_crl(DER); match res { Ok((_rem, crl)) => { for revoked in crl.iter_revoked_certificates() { println!("Revoked certificate serial: {}", revoked.raw_serial_as_string()); println!(" Reason: {}", revoked.reason_code().unwrap_or_default().1); } }, _ => panic!("CRL parsing failed: {:?}", res), }
See also examples/print-cert.rs.
Features
- The
verifyfeature adds support for (cryptographic) signature verification, based onring. It adds the X509Certificate::verify_signature() toX509Certificate.
/// Cryptographic signature verification: returns true if certificate was signed by issuer #[cfg(feature = "verify")] pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool { let issuer_public_key = &issuer.tbs_certificate.subject_pki; cert .verify_signature(Some(issuer_public_key)) .is_ok() }
Rust version requirements
x509-parser requires Rustc version 1.45 or greater, based on nom 6
dependencies and for proc-macro attributes support.
Re-exports
pub use der_parser; |
pub use der_parser::num_bigint; |
pub use nom; |
pub use oid_registry; |
Modules
| certificate | X.509 Certificate object definitions and operations |
| certification_request | |
| cri_attributes | |
| error | X.509 errors |
| extensions | X.509 Extensions objects and types |
| objects | X.509 helper objects definitions and registry |
| pem | Decoding functions for PEM-encoded data |
| prelude | A “prelude” for users of the x509-parser crate. |
| revocation_list | |
| time | |
| x509 | X.509 objects and types |
Functions
| parse_crl_der | Deprecated Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built object. |
| parse_x509_certificate | Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built object. |
| parse_x509_crl | Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built object. |
| parse_x509_der | Deprecated Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built |