Crate x509_signature

A low-level X.509 parsing and certificate signature verification library.

x509-signature can verify the signatures of X.509 certificates, as well as certificates made by their private keys. It can also verify that a certificate is valid for the given time. However, it is (by design) very low-level: it does not know about any X.509 extensions, and does not parse distinguished names at all. It also provides no path-building facilities. As such, it is not intended for use with the web PKI; use webpki for that.

x509-signature’s flexibiity is a double-edged sword: it allows it to be used in situations where webpki cannot be used, but it also makes it significantly more dangerous. As a general rule, x509-signature will accept any certificate that webpki will, but it will also accept certificates that webpki will reject. If you find a certificate that x509-signature rejects and webpki rejects, please report it as a bug.

x509-signature was developed for use with libp2p, which uses certificates that webpki cannot handle. Its bare-bones design ensures that it can handle almost any conforming X.509 certificate, but it also means that the application is responsible for ensuring that the certificate has valid X.509 extensions. x509-signature cannot distinguish between a certificate valid for mozilla.org and one for evilmalware.com! However, x509-signature does provide the hooks needed for higher-level libraries to be built on top of it.

Like webpki, x509-signature is zero-copy and #![no_std] friendly. If built without the alloc feature, x509-signature will not rely on features of ring that require heap allocation, specifically RSA. x509-signature should never panic on any input.

Structs

• ASN1Time
  An ASN.1 timestamp.
• DataAlgorithmSignature
  A data-algorithm-signature structure
• ExtensionIterator
  An iterator over X.509 extensions.
• SequenceIterator
  An iterator over X.509 sequences.
• SubjectPublicKeyInfo
  A PKIX SubjectPublicKeyInfo struct
• X509Certificate
  A parsed (but not validated) X.509 version 3 certificate.

Enums

• Error
  Errors that can be produced when parsing a certificate or validating a signature.
• Restrictions
  Restrictions on allowed signature algorithms
• SignatureScheme
  A signature scheme supported by this library

Constants

• MAX_ASN1_TIMESTAMP
  The largest timestamp that an ASN.1 GeneralizedTime can represent.
• MIN_ASN1_TIMESTAMP
  The smallest timestamp that an ASN.1 GeneralizedTime can represent.

Functions

• days_from_ymd
  We use our own version, instead of chrono, because:
• parse_algorithmid
  Parse the ASN.1 DER-encoded algorithm identifier in asn1 into a SignatureScheme. This will fail if asn1 is not a known signature scheme.
• parse_certificate
  Extracts the algorithm id and public key from a certificate
• seconds_from_hms
  Convert an (hour, minute, second) tuple to a number of seconds since midnight or an error.