3 releases

0.1.2 Apr 3, 2024
0.1.1 Mar 19, 2024
0.1.0 Mar 19, 2024

#1082 in Cryptography


473 downloads per month

MIT/Apache

39KB
907 lines

PKCS#12 library written in pure Rust

Overview

This project contains a simple-to-use, high-level library for working with PKCS#12/PFX keystores, written in pure Rust and modeled after the Java KeyStore API.

Features:

  • Single- and multi-keychain PKCS#12
  • Support for 'truststores' with only CA root certificates
  • Modern and legacy encryption schemes
  • Able to read and write Java-compatible keystores

Limitations:

  • MD5-based encryption schemes are not supported
  • A single password is used to encrypt both private keys and certificate data in one store
  • Non-encrypted stores are not supported

License

Licensed under MIT or Apache license (LICENSE-MIT or LICENSE-APACHE)


lib.rs:

A convenient high-level library for working with PKCS#12/PFX keystores, written in pure Rust and modeled after the Java KeyStore API.

This crate consists of a [KeyStore] struct which provides a set of functions to read and write PKCS#12 files and their contents. It supports single- or multi-keychain keystores and also so-called 'truststores' (keystores with only root certificates and without private keys).

Each entry in the keystore is accessed by 'alias', which is a friendly name chosen when creating it.

All certificates must be encoded in X.509 format. Private keys must be encoded in PKCS#8.

Each private key entry contains the key material, a local key ID (a unique byte or string sequence) and a list of certificates organized into a chain. The first certificate in the chain must be the entity certificate associated with the private key. The last must be the CA root certificate, with any intermediates in between.
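The chain order described above can be checked before certificates are handed to a keystore. The following is an added example, not code from this crate: `CertInfo` and `order_chain` are hypothetical names, certificates are modeled only by subject and issuer name, and no signatures are verified.

```rust
// Added example: simplified stand-in for a parsed X.509 certificate (names only).
#[derive(Debug, Clone, PartialEq)]
pub struct CertInfo {
    pub subject: String,
    pub issuer: String,
}

impl CertInfo {
    pub fn new(subject: &str, issuer: &str) -> Self {
        CertInfo { subject: subject.into(), issuer: issuer.into() }
    }
    fn is_self_signed(&self) -> bool {
        self.subject == self.issuer
    }
}

/// Orders an unordered set of certificates into entity -> intermediates -> root.
/// `entity_subject` identifies the certificate that belongs to the private key.
pub fn order_chain(mut pool: Vec<CertInfo>, entity_subject: &str) -> Result<Vec<CertInfo>, String> {
    let start = pool.iter().position(|c| c.subject == entity_subject)
        .ok_or_else(|| format!("entity certificate '{}' not found", entity_subject))?;
    let mut chain = vec![pool.swap_remove(start)];
    // Follow issuer links until a self-signed (root) certificate is reached.
    // Each step consumes one certificate, so issuer loops cannot spin forever.
    while !chain.last().unwrap().is_self_signed() {
        let issuer = chain.last().unwrap().issuer.clone();
        let next = pool.iter().position(|c| c.subject == issuer)
            .ok_or_else(|| format!("missing issuer certificate '{}'", issuer))?;
        chain.push(pool.swap_remove(next));
    }
    // Anything left over is unrelated to this key and should not be stored with it.
    if !pool.is_empty() {
        return Err(format!("{} certificate(s) do not belong to the chain", pool.len()));
    }
    Ok(chain)
}

fn main() {
    // Constructed sample names, deliberately out of order.
    let pool = vec![
        CertInfo::new("Example Root CA", "Example Root CA"),
        CertInfo::new("server.example.test", "Example Issuing CA"),
        CertInfo::new("Example Issuing CA", "Example Root CA"),
    ];
    for cert in order_chain(pool, "server.example.test").unwrap() {
        println!("{} (issued by {})", cert.subject, cert.issuer);
    }
}
```

A real check would parse the X.509 structures and verify each signature against its issuer; name matching alone only establishes the ordering.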

Supported encryption schemes:

Supported MAC algorithms: MacAlgorithm::HmacSha1, MacAlgorithm::HmacSha256

Dependencies

~6.5MB
~123K SLoC