Struct x509_signature::X509Certificate

pub struct X509Certificate<'a> { /* fields omitted */ }

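A parsed (but not validated) X.509 version 3 certificate. Parsing alone establishes no trust: the caller must still check the signature, validity period, issuer and extensions, for example with the check_* and valid_at_timestamp methods below.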

Implementations

impl<'a> X509Certificate<'a>[src]

pub fn das(&self) -> DataAlgorithmSignature<'a>[src]

The tbsCertificate, signatureAlgorithm, and signature

pub fn serial(&self) -> &'a [u8][src]

The serial number. Big-endian and non-empty. The first byte is guaranteed to be non-zero.

pub fn issuer(&self) -> &'a [u8][src]

The X.509 issuer. This has not been validated and is not trusted. In particular, it is not guaranteed to be valid ASN.1 DER.

pub fn not_before(&self) -> ASN1Time[src]

The earliest time, in seconds since the Unix epoch, that the certificate is valid.

Will always be between MIN_ASN1_TIMESTAMP and MAX_ASN1_TIMESTAMP, inclusive.

pub fn not_after(&self) -> ASN1Time[src]

The latest time, in seconds since the Unix epoch, that the certificate is valid.

Will always be between MIN_ASN1_TIMESTAMP and MAX_ASN1_TIMESTAMP, inclusive.

pub fn subject(&self) -> &'a [u8][src]

X.509 subject. This has not been validated and is not trusted. In particular, it is not guaranteed to be valid ASN.1 DER.

pub fn subject_public_key_info(&self) -> SubjectPublicKeyInfo<'a>[src]

The subjectPublicKeyInfo, encoded as ASN.1 DER. There is no guarantee that the OID or public key are valid ASN.1 DER, but if they are not, all methods that check signatures will fail.

pub fn extensions(&self) -> ExtensionIterator<'a>[src]

An iterator over the certificate’s extensions.

pub fn check_signature(
    &self,
    algorithm: SignatureScheme,
    message: &[u8],
    signature: &[u8]
) -> Result<(), Error>

Verify that signature is a signature over message made by the certificate’s key, using the given algorithm.

pub fn check_tls13_signature(
    &self,
    algorithm: SignatureScheme,
    message: &[u8],
    signature: &[u8]
) -> Result<(), Error>

Verify a signature made by the certificate, applying the restrictions of TLSv1.3:

  • ECDSA algorithms where the hash has a different size than the curve are not allowed.
  • RSA PKCS#1 v1.5 signatures are not allowed.

This is a good choice for new protocols and applications. Note that extensions are not checked, so applications must process extensions (for example key usage and basic constraints) themselves before relying on the result.

pub fn check_tls12_signature(
    &self,
    algorithm: SignatureScheme,
    message: &[u8],
    signature: &[u8]
) -> Result<(), Error>

Verify a signature made by the certificate, applying the restrictions of TLSv1.2:

  • RSA-PSS signatures are not allowed.

This should not be used outside of a TLSv1.2 implementation. Note that extensions are not checked, so applications must process extensions themselves.

pub fn valid_at_timestamp(&self, now: i64) -> Result<(), Error>[src]

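Check that the certificate is valid at time now, in seconds since the Unix epoch. The value of now is supplied by the caller, so it should come from a clock the application trusts.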

pub fn tbs_certificate(&self) -> &[u8][src]

The tbsCertificate (the to-be-signed portion of the certificate).

pub fn signature_algorithm_id(&self) -> &[u8][src]

The AlgorithmId of the algorithm used to sign this certificate

pub fn signature(&self) -> &[u8][src]

The signature of the certificate

pub fn check_signature_from(&self, cert: &X509Certificate) -> Result<(), Error>[src]

Verify that this certificate was signed by cert’s secret key.

This does not check that cert is a certificate authority.

pub fn check_issued_by(&self, cert: &X509Certificate) -> Result<(), Error>[src]

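Like check_signature_from, but also check that self’s issuer is cert’s subject. As with check_signature_from, this does not check that cert is a certificate authority.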

pub fn check_self_signature(&self) -> Result<(), Error>[src]

👎 Deprecated since 0.3.3:

Use check_self_issued instead

Check that this certificate is self-signed. This does not check that the subject and issuer are equal.

pub fn check_self_issued(&self) -> Result<(), Error>[src]

Check that this certificate is self-signed, and that the subject and issuer are equal.

Trait Implementations

impl<'a> Debug for X509Certificate<'a>[src]

Auto Trait Implementations

impl<'a> Send for X509Certificate<'a>

impl<'a> Sync for X509Certificate<'a>

impl<'a> Unpin for X509Certificate<'a>

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized

impl<T> Borrow<T> for T where
    T: ?Sized

impl<T> BorrowMut<T> for T where
    T: ?Sized

impl<T> From<T> for T[src]

impl<T, U> Into<U> for T where
    U: From<T>, 

impl<T, U> TryFrom<U> for T where
    U: Into<T>, 

type Error = Infallible

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, 

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.