An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.
It is written in pure Rust, is fast, and makes extensive use of zero-copy. A lot of care is taken to ensure the security and safety of this crate, including its design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.
The code is available on Github and is part of the Rusticata project.
The main parsing method is `parse_x509_der`, which takes a DER-encoded certificate as input and builds an `X509Certificate` object.
For PEM-encoded certificates, use the `pem` module.
Parsing a certificate in DER format:
    use x509_parser::parse_x509_der;

    static IGCA_DER: &'static [u8] = include_bytes!("../assets/IGC_A.der");

    fn main() {
        let res = parse_x509_der(IGCA_DER);
        match res {
            Ok((rem, cert)) => {
                // the parser must consume the whole input: trailing bytes are an error
                assert!(rem.is_empty());
                // the version field is zero-based, so 2 means an X.509 v3 certificate
                assert_eq!(cert.tbs_certificate.version, 2);
            },
            _ => panic!("x509 parsing failed: {:?}", res),
        }
    }
See also `examples/print-cert.rs`.
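The design points listed in the introduction (recursion limit, defensive length handling, zero-copy, no panics) are easier to see in a stripped-down form. The following is an added example written for this page, not code from x509-parser or der-parser: a std-only DER TLV walker that borrows every value from the input slice, accepts only definite and minimally encoded lengths, returns an error instead of panicking on malformed input, and stops at an explicit nesting depth. `MAX_DEPTH`, the `DerError` variants, the `Tlv` struct and the constructed sample blobs are all assumptions of this example.

```rust
// Minimal DER TLV walker (added example; not part of x509-parser or der-parser).
// Demonstrates: zero-copy values, definite/minimal length checks, explicit
// recursion limit, and Result-based error handling with no panics.

#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated,        // input ended before the announced length
    IndefiniteLength, // 0x80 length octet: allowed in BER, forbidden in DER
    NonMinimalLength, // long form used where short form (or fewer octets) would do
    LengthTooLarge,   // more length octets than usize can hold
    HighTagNumber,    // multi-byte tag numbers are out of scope for this example
    RecursionLimit,   // nesting deeper than MAX_DEPTH
}

/// One parsed element; `value` borrows from the input (zero-copy).
#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub tag: u8,
    pub constructed: bool,
    pub value: &'a [u8],
    pub children: Vec<Tlv<'a>>,
}

/// Assumed nesting limit; a real parser would tune this to the schema it expects.
pub const MAX_DEPTH: usize = 16;

/// Parse one TLV from the front of `input`; returns the remaining bytes and the element.
pub fn parse_tlv(input: &[u8]) -> Result<(&[u8], Tlv<'_>), DerError> {
    parse_tlv_depth(input, 0)
}

fn parse_tlv_depth(input: &[u8], depth: usize) -> Result<(&[u8], Tlv<'_>), DerError> {
    if depth > MAX_DEPTH {
        return Err(DerError::RecursionLimit);
    }
    let (&tag, rest) = input.split_first().ok_or(DerError::Truncated)?;
    if tag & 0x1f == 0x1f {
        return Err(DerError::HighTagNumber);
    }
    let constructed = tag & 0x20 != 0;
    let (len, rest) = parse_length(rest)?;
    if rest.len() < len {
        return Err(DerError::Truncated);
    }
    // Bounds were checked above, so split_at cannot panic.
    let (value, rem) = rest.split_at(len);
    let children = if constructed { parse_all(value, depth + 1)? } else { Vec::new() };
    Ok((rem, Tlv { tag, constructed, value, children }))
}

/// Parse a run of sibling elements until the slice is exhausted.
fn parse_all(mut input: &[u8], depth: usize) -> Result<Vec<Tlv<'_>>, DerError> {
    let mut out = Vec::new();
    while !input.is_empty() {
        let (rem, tlv) = parse_tlv_depth(input, depth)?;
        out.push(tlv);
        input = rem;
    }
    Ok(out)
}

/// DER length: short form (< 0x80) or long form with minimal big-endian octets.
fn parse_length(input: &[u8]) -> Result<(usize, &[u8]), DerError> {
    let (&first, rest) = input.split_first().ok_or(DerError::Truncated)?;
    if first < 0x80 {
        return Ok((first as usize, rest));
    }
    let n = (first & 0x7f) as usize;
    if n == 0 {
        return Err(DerError::IndefiniteLength);
    }
    if n > core::mem::size_of::<usize>() {
        return Err(DerError::LengthTooLarge);
    }
    if rest.len() < n {
        return Err(DerError::Truncated);
    }
    let (bytes, rest) = rest.split_at(n);
    if bytes[0] == 0 {
        return Err(DerError::NonMinimalLength); // leading zero octet
    }
    let len = bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
    if len < 0x80 {
        return Err(DerError::NonMinimalLength); // short form was required
    }
    Ok((len, rest))
}

/// Constructed sample: SEQUENCE { INTEGER 2, SEQUENCE { INTEGER 1 } }.
pub const SAMPLE: &[u8] = &[0x30, 0x08, 0x02, 0x01, 0x02, 0x30, 0x03, 0x02, 0x01, 0x01];

/// Constructed sample: `levels` SEQUENCEs nested inside each other (innermost empty).
pub fn nested_sequences(levels: usize) -> Vec<u8> {
    let mut blob = vec![0x30, 0x00];
    for _ in 1..levels {
        let mut wrapped = vec![0x30, blob.len() as u8]; // short form suffices for small inputs
        wrapped.extend_from_slice(&blob);
        blob = wrapped;
    }
    blob
}

fn main() {
    match parse_tlv(SAMPLE) {
        Ok((rem, tlv)) => println!("parsed {:?}, {} trailing bytes", tlv, rem.len()),
        Err(e) => println!("rejected: {:?}", e),
    }
    println!("{:?}", parse_tlv(&nested_sequences(20)).map(|_| ()));
}
```

The depth counter is passed explicitly rather than kept in shared state, so a caller can never forget to reset it; every slice operation is preceded by the length check that makes it safe, which is the pattern that keeps a parser panic-free under fuzzing.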
- The `verify` feature adds support for (cryptographic) signature verification, based on ring. It adds the `verify_signature` method to `X509Certificate`.
    /// Cryptographic signature verification: returns true if certificate was signed by issuer
    #[cfg(feature = "verify")]
    pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
        let issuer_public_key = &issuer.tbs_certificate.subject_pki;
        cert
            .verify_signature(Some(issuer_public_key))
            .is_ok()
    }
The 5.0 series of der-parser requires rustc version 1.44 or greater, because it depends on nom 6.
There is a build error in arrayvec with rust 1.34: `error[E0658]: use of unstable library feature 'maybe_uninit'`
To fix it, force the version of lexical-core down:
    cargo update -p lexical-core --precise 0.6.7
The `verify` feature is not compatible with rustc 1.34.
See CHANGELOG.md
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.