An X.509 v3 (RFC 5280) parser, implemented with the nom parser combinator framework.
It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken to ensure security and safety of this crate, including design (recursion limit, defensive programming), tests, and fuzzing. It also aims to be panic-free.
The code is available on GitHub and is part of the Rusticata project.
Certificates are usually encoded in two main formats: PEM (the most common) or DER. A PEM-encoded certificate is a container (Base64 text between `-----BEGIN ...-----`/`-----END ...-----` armor lines) storing a DER object. See the `pem` module for more documentation.

To decode a DER-encoded certificate, the main parsing method is `parse_x509_der`, which builds an `X509Certificate` object.

The returned objects for parsers follow the definitions of the RFC. This means that accessing fields is done by accessing struct members recursively. Some helper functions are provided; for example `X509Certificate::issuer()` returns the same as accessing `<object>.tbs_certificate.issuer`.

For PEM-encoded certificates, use the `pem` module.
Parsing a certificate in DER format:

```rust
use x509_parser::{parse_x509_der, X509Version};

static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");

let res = parse_x509_der(IGCA_DER);
match res {
    Ok((rem, cert)) => {
        // a DER certificate carries no trailing data: the whole input must be consumed
        assert!(rem.is_empty());
        assert_eq!(cert.tbs_certificate.version, X509Version::V3);
    },
    _ => panic!("x509 parsing failed: {:?}", res),
}
```
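To make the two points above concrete (a PEM file is only an armored Base64 container around DER bytes, and a DER parser has to be defensive about lengths and nesting depth), here is an added, self-contained example. It is not code from x509-parser: it strips the PEM armor, decodes the Base64 payload, then walks the DER tag/length/value structure with strict length checks and an explicit recursion limit, and reads the `version` field out of a `Certificate { tbsCertificate { ... } }` shape. The input `SAMPLE_PEM` is a constructed toy object with only a version and a serial number, not a real certificate; the names `pem_to_der`, `walk_der`, `certificate_version` and `MAX_DEPTH` are this example's own.

```rust
// Added example, not part of x509-parser. The sample is a CONSTRUCTED toy DER
// object with the outer shape of a certificate, not a real certificate:
//   SEQUENCE { SEQUENCE { [0] EXPLICIT INTEGER 2, INTEGER 42 } }
// i.e. Certificate { tbsCertificate { version = v3, serialNumber = 42 } }.
const SAMPLE_PEM: &str =
    "-----BEGIN CERTIFICATE-----\nMAowCKADAgECAgEq\n-----END CERTIFICATE-----\n";

/// Maximum nesting depth accepted by `walk_der` (the recursion limit).
const MAX_DEPTH: usize = 8;

/// Strip the PEM armor and Base64-decode the payload into DER bytes.
pub fn pem_to_der(pem: &str) -> Result<Vec<u8>, String> {
    let mut lines = pem.lines().map(str::trim).filter(|l| !l.is_empty());
    let begin = lines.next().ok_or("empty input")?;
    if !(begin.starts_with("-----BEGIN ") && begin.ends_with("-----")) {
        return Err("missing BEGIN line".into());
    }
    let mut b64 = String::new();
    let mut closed = false;
    for line in lines {
        if line.starts_with("-----END ") { closed = true; break; }
        b64.push_str(line);
    }
    if !closed { return Err("missing END line".into()); }
    base64_decode(&b64)
}

/// Strict standard-alphabet Base64 decoder (no whitespace, '=' padding only at the end).
fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    fn val(c: u8) -> Result<u32, String> {
        match c {
            b'A'..=b'Z' => Ok((c - b'A') as u32),
            b'a'..=b'z' => Ok((c - b'a') as u32 + 26),
            b'0'..=b'9' => Ok((c - b'0') as u32 + 52),
            b'+' => Ok(62),
            b'/' => Ok(63),
            _ => Err(format!("invalid base64 byte {:#x}", c)),
        }
    }
    let bytes = s.as_bytes();
    if bytes.len() % 4 != 0 { return Err("base64 length not a multiple of 4".into()); }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let pad = chunk.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 { return Err("bad padding".into()); }
        let mut acc = 0u32;
        for &c in &chunk[..4 - pad] { acc = (acc << 6) | val(c)?; }
        acc <<= 6 * pad;
        for i in 0..(3 - pad) { out.push((acc >> (16 - 8 * i)) as u8); }
    }
    Ok(out)
}

/// Decode one DER header: returns (tag, content, bytes after the element).
/// Rejects indefinite length (BER only), non-minimal lengths and lengths that
/// run past the end of the buffer, so the caller can never index out of bounds.
fn der_header(input: &[u8]) -> Result<(u8, &[u8], &[u8]), String> {
    let (&tag, rest) = input.split_first().ok_or("truncated: no tag")?;
    if tag & 0x1f == 0x1f { return Err("multi-byte tags not supported here".into()); }
    let (&l0, rest) = rest.split_first().ok_or("truncated: no length")?;
    let (len, rest) = if l0 < 0x80 {
        (l0 as usize, rest)
    } else {
        let n = (l0 & 0x7f) as usize; // number of length bytes; 0 means indefinite
        if n == 0 || n > 4 || rest.len() < n { return Err("bad long-form length".into()); }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 || rest[0] == 0 { return Err("non-minimal length encoding".into()); }
        (len, &rest[n..])
    };
    if rest.len() < len {
        return Err(format!("truncated: length {} exceeds {} available", len, rest.len()));
    }
    Ok((tag, &rest[..len], &rest[len..]))
}

/// Walk a DER object and count its elements; fails on malformed input or when
/// nesting exceeds MAX_DEPTH instead of recursing without bound.
pub fn walk_der(input: &[u8], depth: usize) -> Result<usize, String> {
    if depth > MAX_DEPTH { return Err(format!("nesting deeper than {}", MAX_DEPTH)); }
    let mut count = 0;
    let mut rest = input;
    while !rest.is_empty() {
        let (tag, content, next) = der_header(rest)?;
        count += 1;
        if tag & 0x20 != 0 { count += walk_der(content, depth + 1)?; } // constructed
        rest = next;
    }
    Ok(count)
}

/// Read Certificate.tbsCertificate.version ([0] EXPLICIT INTEGER, default v1 = 0).
pub fn certificate_version(der: &[u8]) -> Result<u8, String> {
    let (tag, cert, rest) = der_header(der)?;
    if tag != 0x30 { return Err("expected Certificate SEQUENCE".into()); }
    if !rest.is_empty() { return Err("trailing data after certificate".into()); }
    let (tag, tbs, _) = der_header(cert)?;
    if tag != 0x30 { return Err("expected tbsCertificate SEQUENCE".into()); }
    let (tag, ver, _) = der_header(tbs)?;
    if tag != 0xa0 { return Ok(0); } // version absent: v1
    let (tag, int, _) = der_header(ver)?;
    if tag != 0x02 || int.len() != 1 { return Err("bad version INTEGER".into()); }
    Ok(int[0])
}

fn main() {
    let der = pem_to_der(SAMPLE_PEM).expect("valid PEM");
    println!("DER bytes: {:02x?}", der);
    println!("elements: {}", walk_der(&der, 0).unwrap());
    println!("version field: {}", certificate_version(&der).unwrap());
    // An indefinite-length header (0x80) is refused rather than walked past the buffer end.
    assert!(walk_der(&[0x30, 0x80, 0x00, 0x00], 0).is_err());
}
```

The depth parameter is the important part for a parser that accepts untrusted input: a certificate nested thousands of SEQUENCEs deep would otherwise exhaust the stack long before any length check fails. The strict length rules mirror what DER (as opposed to BER) already requires, so rejecting them loses no valid certificate.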
To parse a CRL and print information about revoked certificates:

```rust
use x509_parser::parse_crl_der;

// `DER` holds the raw bytes of a DER-encoded CRL (for example loaded with include_bytes!)
let res = parse_crl_der(DER);
match res {
    Ok((_rem, crl)) => {
        for revoked in crl.iter_revoked_certificates() {
            println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
            println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
        }
    },
    _ => panic!("CRL parsing failed: {:?}", res),
}
```
See also `examples/print-cert.rs`.
- The `verify` feature adds support for (cryptographic) signature verification, based on `ring`. It adds the `X509Certificate::verify_signature()` method to `X509Certificate`. This call checks only that the signature verifies under the supplied public key; validity dates, issuer/subject name chaining and path constraints are not checked by it and must be handled separately.

```rust
/// Cryptographic signature verification: returns true if certificate was signed by issuer
#[cfg(feature = "verify")]
pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
    let issuer_public_key = &issuer.tbs_certificate.subject_pki;
    cert
        .verify_signature(Some(issuer_public_key))
        .is_ok()
}
```
The 5.0 series of der-parser requires rustc version 1.44 or greater, because of the nom 6 dependency.

There is a build error in arrayvec with rustc 1.34: `error[E0658]: use of unstable library feature 'maybe_uninit'`. To fix it, force the version of lexical-core down:

```sh
cargo update -p lexical-core --precise 0.6.7
```

The `verify` feature is not compatible with rustc 1.34.
See CHANGELOG.md
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.