Google Git
Sign in
android / platform / external / rust / crates / x509-parser / a8facd236c2e3db2e8e00c3827cfc75615d21349
commita8facd236c2e3db2e8e00c3827cfc75615d21349[log] [tgz]
authorYiming Jing <yimingjing@google.com>Thu Jul 29 20:11:08 2021 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Thu Jul 29 20:11:08 2021 +0000
tree86677630c97bf599115f7ebd8cca5071a1179d9c
parent2312499f50b3d6823653cf77327705be14da07ae [diff]
parent75780c959c3dfb1e813743f399b9ebfe10602d27 [diff]
Initial import of x509-parser 0.9.2 am: 6ea24ae4ef am: 75780c959c

Original change: https://android-review.googlesource.com/c/platform/external/rust/crates/x509-parser/+/1775436

Change-Id: Ia8f0cceb6668b6b968d7a826ed52190a96cfff9c
tree: 86677630c97bf599115f7ebd8cca5071a1179d9c
  1. assets/
  2. examples/
  3. src/
  4. tests/
  5. LICENSELICENSE-APACHE
  6. .cargo_vcs_info.json
  7. .gitignore
  8. Cargo.toml
  9. Cargo.toml.orig
  10. CHANGELOG.md
  11. LICENSE-APACHE
  12. LICENSE-MIT
  13. METADATA
  14. MODULE_LICENSE_APACHE2
  15. OWNERS
  16. README.md
README.md

License: MIT Apache License 2.0 docs.rs crates.io Download numbers Github CI Minimum rustc version

X.509 Parser

A X.509 v3 (RFC5280) parser, implemented with the nom parser combinator framework.

It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.

The code is available on Github and is part of the Rusticata project.

Certificates are usually encoded in two main formats: PEM (usually the most common format) or DER. A PEM-encoded certificate is a container, storing a DER object. See the pem module for more documentation.

To decode a DER-encoded certificate, the main parsing method is parse_x509_certificate, which builds a X509Certificate object.

The returned objects for parsers follow the definitions of the RFC. This means that accessing fields is done by accessing struct members recursively. Some helper functions are provided, for example X509Certificate::issuer() returns the same as accessing <object>.tbs_certificate.issuer.

For PEM-encoded certificates, use the pem module.

Examples

Parsing a certificate in DER format:

use x509_parser::prelude::*;

static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");

let res = parse_x509_certificate(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        assert!(rem.is_empty());
        //
        assert_eq!(cert.tbs_certificate.version, X509Version::V3);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}

To parse a CRL and print information about revoked certificates:

#
#
let res = parse_x509_crl(DER);
match res {
    Ok((_rem, crl)) => {
        for revoked in crl.iter_revoked_certificates() {
            println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
            println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
        }
    },
    _ => panic!("CRL parsing failed: {:?}", res),
}

See also examples/print-cert.rs.

Features

/// Cryptographic signature verification: returns true if certificate was signed by issuer
#[cfg(feature = "verify")]
pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
    let issuer_public_key = &issuer.tbs_certificate.subject_pki;
    cert
        .verify_signature(Some(issuer_public_key))
        .is_ok()
}

Rust version requirements

x509-parser requires Rustc version 1.45 or greater, based on nom 6 dependencies and for proc-macro attributes support.

Changes

See CHANGELOG.md

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.