Crate x509_lint

X.509 Certificate and CRL linter

This crate provides two kinds of lints: CertificateLint for X.509 Certificates, and CRLLint for X.509 Certificate Revocation Lists.

Lints are simple functions receiving a parsed object, and returning a LintResult.

§Running lints

To run lints, either define and call the lints directly, or use a lint registry to store lint definitions and functions.

This crate provides default registries for certificates and CRLs.

For example, to get the default registry for RFC5280 lints on X.509 Certificates, use the following:

use x509_lint::*;
use x509_lint::x509_parser::prelude::X509Certificate;

fn check_certificate(x509: &X509Certificate<'_>) {
    let registry = rfc_lints();
    let _results = registry.run_lints(x509);
    // use results
}

run_lints returns a list of (LintDefinition, LintResult) pairs. The definitions are borrowed from the registry, so they live only as long as the registry that contains them.

Similarly, crl_rfc_lints returns a registry for CRL lints.

§Adding lints

To add a new lint to a registry, a LintDefinition and a function are required. Helper macros certificate_lint and crl_lint are provided to simplify declaration.

Example:

use x509_lint::*;
use x509_lint::x509_parser::prelude::X509Certificate;

lint_definition!(
    CHECK_VERSION /* definition name */,
    "rfc:check_version" /* lint name (must be unique) */,
    "Invalid X.509 version" /* lint description */,
    "RFC5280: 4.1.2.1" /* lint citation (optional) */);

fn test_certificate_version(x509: &X509Certificate<'_>) -> LintResult {
    if x509.version.0 >= 3 {
        LintResult::new(LintStatus::Error)
    } else {
        LintResult::pass()
    }
}

// adding to a registry
let mut registry = CertificateLintRegistry::default();
registry.insert(CHECK_VERSION, test_certificate_version);

The LintResult can also provide some details (see LintDetails):

if x509.version.0 >= 3 {
    let details = LintDetails::from("details on lint error");
    LintResult::new(LintStatus::Error).with_details(details)
} else {
    LintResult::pass()
}
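The two sections above show how a registry is consumed and how a lint is declared, but not what the registry does with the pairs it stores. The following is an added example, not code from the x509_lint crate: a dependency-free stand-in for the same pattern (a LintDefinition plus a function pointer, run over a parsed object, yielding a LintResult per lint) so it compiles on its own. Names mirror the crate's API, but ParsedCert is a constructed substitute for x509_parser's X509Certificate, details are a plain String rather than LintDetails, and the second lint (CHECK_VALIDITY) is an assumption added to show several results coming back from one run.

```rust
// Added example, not code from the x509_lint crate: a dependency-free stand-in
// for the registry pattern (LintDefinition + lint fn -> LintResult). ParsedCert
// is a constructed substitute for x509_parser's X509Certificate.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LintStatus {
    Pass,
    Warn,
    Error,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LintResult {
    pub status: LintStatus,
    pub details: Option<String>,
}

impl LintResult {
    pub fn pass() -> Self {
        LintResult { status: LintStatus::Pass, details: None }
    }
    pub fn new(status: LintStatus) -> Self {
        LintResult { status, details: None }
    }
    pub fn with_details(mut self, details: &str) -> Self {
        self.details = Some(details.to_string());
        self
    }
}

/// Definition of a lint: unique name, description, optional citation.
#[derive(Debug)]
pub struct LintDefinition {
    pub name: &'static str,
    pub description: &'static str,
    pub citation: Option<&'static str>,
}

/// Constructed stand-in for a parsed certificate (hypothetical, minimal fields).
pub struct ParsedCert {
    /// Encoded version as in x509-parser: 0 = v1, 1 = v2, 2 = v3.
    pub version: u32,
    /// Validity bounds as Unix timestamps.
    pub not_before: i64,
    pub not_after: i64,
}

/// Lint prototype: a plain function pointer, like the crate's CertificateLint alias.
pub type CertificateLint = fn(&ParsedCert) -> LintResult;

/// The registry owns the definitions; run_lints lends them out for its own lifetime.
#[derive(Default)]
pub struct CertificateLintRegistry {
    lints: Vec<(LintDefinition, CertificateLint)>,
}

impl CertificateLintRegistry {
    pub fn insert(&mut self, def: LintDefinition, f: CertificateLint) {
        // Lint names must be unique; fail fast on a duplicate registration.
        assert!(self.lints.iter().all(|(d, _)| d.name != def.name), "duplicate lint name");
        self.lints.push((def, f));
    }

    /// Runs every registered lint in insertion order and pairs each result with its definition.
    pub fn run_lints(&self, cert: &ParsedCert) -> Vec<(&LintDefinition, LintResult)> {
        self.lints.iter().map(|(def, f)| (def, f(cert))).collect()
    }
}

pub const CHECK_VERSION: LintDefinition = LintDefinition {
    name: "rfc:check_version",
    description: "Invalid X.509 version",
    citation: Some("RFC5280: 4.1.2.1"),
};

// Assumed second lint, not one from the crate, so a run yields more than one result.
pub const CHECK_VALIDITY: LintDefinition = LintDefinition {
    name: "rfc:check_validity",
    description: "notAfter precedes notBefore",
    citation: Some("RFC5280: 4.1.2.5"),
};

/// Same check as the page's example: only v1..v3 (encoded 0..=2) are valid.
pub fn check_version(cert: &ParsedCert) -> LintResult {
    if cert.version >= 3 {
        LintResult::new(LintStatus::Error)
            .with_details(&format!("version field is {}, expected 0..=2", cert.version))
    } else {
        LintResult::pass()
    }
}

pub fn check_validity(cert: &ParsedCert) -> LintResult {
    if cert.not_after < cert.not_before {
        LintResult::new(LintStatus::Error).with_details("validity period is inverted")
    } else {
        LintResult::pass()
    }
}

pub fn example_registry() -> CertificateLintRegistry {
    let mut registry = CertificateLintRegistry::default();
    registry.insert(CHECK_VERSION, check_version);
    registry.insert(CHECK_VALIDITY, check_validity);
    registry
}

/// Names of the lints that reported an Error for this certificate.
pub fn failing_lints(cert: &ParsedCert) -> Vec<String> {
    let registry = example_registry();
    registry
        .run_lints(cert)
        .into_iter()
        .filter(|(_, r)| r.status == LintStatus::Error)
        .map(|(d, _)| d.name.to_string())
        .collect()
}

fn main() {
    // Constructed input: an invalid version and an inverted validity period.
    let cert = ParsedCert { version: 3, not_before: 1_700_000_000, not_after: 1_600_000_000 };
    let registry = example_registry();
    for (def, result) in registry.run_lints(&cert) {
        println!("{:<20} {:?} {:?} ({})", def.name, result.status, result.details, def.citation.unwrap_or("-"));
    }
}
```

Because the result vector borrows each LintDefinition from the registry, a caller that wants to keep the findings after the registry goes away has to copy out the fields it needs (as failing_lints does with the name), which is the lifetime constraint the section on running lints points out.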

Re-exports§

pub use x509_parser;

Macros§

certificate_lint
Helper macro to implement a new CertificateLint
crl_lint
Helper macro to implement a new Certificate Revocation List lint
lint_definition
Helper macro to define a new lint

Structs§

CRLLintRegistry
Registry containing X.509 Certificate Revocation List lint functions
CertificateLintRegistry
Registry containing X.509 Certificate lint functions
LintDefinition
Definition of a Lint: name, description, citation (optional)
LintDetails
Lint result details (text additional information)
LintResult
Lint check result

Enums§

LintStatus
Lint check status

Functions§

crl_rfc_lints
Return a CRLLintRegistry containing all RFC lints included in this crate for X.509 Certificate Revocation List (CRL)
rfc_lints
Return a CertificateLintRegistry containing all RFC lints included in this crate for X.509 Certificates

Type Aliases§

CRLLint
Prototype for X.509 Certificate Revocation List lint function
CertificateLint
Prototype for X.509 certificate lint function