#X509 #Certificate #parser #nom

x509-parser

Parser for the X.509 v3 format (RFC 5280 certificates)

20 releases

✓ Uses Rust 2018 edition

new 0.8.0-beta4 Jul 8, 2020
0.7.0 Mar 31, 2020
0.6.0 Aug 5, 2019
0.5.1 Jul 17, 2019
0.1.0 Jan 20, 2018

#88 in Parser implementations


10,918 downloads per month
Used in 13 crates (10 directly)

MIT/Apache

92KB
2K SLoC


X.509 Parser

An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.

It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.

The code is available on Github and is part of the Rusticata project.

The main parsing method is parse_x509_der, which takes a DER-encoded certificate as input and builds an X509Certificate object.

For PEM-encoded certificates, use the pem module.

Examples

Parsing a certificate in DER format:

use x509_parser::parse_x509_der;

static IGCA_DER: &'static [u8] = include_bytes!("../assets/IGC_A.der");

let res = parse_x509_der(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        assert!(rem.is_empty());
        // The version field is zero-based: the value 2 denotes X.509 v3
        assert_eq!(cert.tbs_certificate.version, 2);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}

See also examples/print-cert.rs.

Features

  • The verify feature adds support for (cryptographic) signature verification, based on ring. It adds the verify_signature method to X509Certificate.
/// Cryptographic signature verification: returns true if certificate was signed by issuer
#[cfg(feature = "verify")]
pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
    let issuer_public_key = &issuer.tbs_certificate.subject_pki;
    cert
        .verify_signature(Some(issuer_public_key))
        .is_ok()
}

Compatibility with older rust versions

1.34

There is a build error in arrayvec with rust 1.34: error[E0658]: use of unstable library feature 'maybe_uninit'

To fix it, force the version of lexical-core down:

cargo update -p lexical-core --precise 0.6.7

The verify feature is not compatible with rustc 1.34.

Changes

See CHANGELOG.md

License

Licensed under either of the MIT license or the Apache License 2.0, at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~2MB
~39K SLoC