Expand description
This crate provides types for representing X.509 certificates, keys and other types as commonly used in the rustls ecosystem. It is intended to be used by crates that need to work with such X.509 types, such as rustls, rustls-webpki, rustls-pemfile, and others.
Some of these crates used to define their own trivial wrappers around DER-encoded bytes. However, in order to avoid inconvenient dependency edges, these were all disconnected. By using a common low-level crate of types with long-term stable API, we hope to avoid the downsides of unnecessary dependency edges while providing good interoperability between crates.
§DER and PEM
Many of the types defined in this crate represent DER-encoded data. DER is a binary encoding of the ASN.1 format commonly used in web PKI specifications. It is a binary encoding, so it is relatively compact when stored in memory. However, as a binary format, it is not very easy to work with for humans and in contexts where binary data is inconvenient. For this reason, many tools and protocols use a ASCII-based encoding of DER, called PEM. In addition to the base64-encoded DER, PEM objects are delimited by header and footer lines which indicate the type of object contained in the PEM blob.
Types here can be created from:
- DER using (for example)
PrivatePkcs8KeyDer::from()
. - PEM using (for example)
pem::PemObject::from_pem_slice()
.
The pem::PemObject
trait contains the full selection of ways to construct
these types from PEM encodings. That includes ways to open and read from a file,
from a slice, or from an std::io
stream.
There is also a lower-level API that allows a given PEM file to be fully consumed
in one pass, even if it contains different data types: see the implementation of
the pem::PemObject
trait on the (pem::SectionKind, Vec<u8>)
tuple.
§Creating new certificates and keys
This crate does not provide any functionality for creating new certificates or keys. However, the rcgen crate can be used to create new certificates and keys.
§Cloning private keys
This crate intentionally does not implement Clone
on private key types in
order to minimize the exposure of private key data in memory.
If you want to extend the lifetime of a PrivateKeyDer<'_>
, consider PrivateKeyDer::clone_key()
.
Alternatively since these types are immutable, consider wrapping the PrivateKeyDer<'_>
in a Rc
or an Arc
.
§Target wasm32-unknown-unknown
with the web
feature
std::time::SystemTime
is unavailable in wasm32-unknown-unknown
targets, so calls to
UnixTime::now()
,
otherwise enabled by the std
feature,
require building instead with the web
feature. It gets time by calling Date.now()
in the browser.
Modules§
- pem
alloc
Low-level PEM decoding APIs.
Structs§
- Failure to parse an IP address
- A DER encoding of the PKIX AlgorithmIdentifier type:
- A DER-encoded X.509 certificate; as specified in RFC 5280
- A Certificate Revocation List; as specified in RFC 5280
- A Certificate Signing Request; as specified in RFC 2986
- DER-encoded data, either owned or borrowed
- A type which encapsulates a string (borrowed or owned) that is a syntactically valid DNS name.
- A TLS-encoded Encrypted Client Hello (ECH) configuration list (
ECHConfigList
); as specified in draft-ietf-tls-esni-18 §4 - The provided input could not be parsed because it is not a syntactically-valid DNS Name.
- A detail-less error when a signature is not valid.
no_std
implementation ofstd::net::Ipv4Addr
.no_std
implementation ofstd::net::Ipv6Addr
.- A DER-encoded plaintext RSA private key; as specified in PKCS#1/RFC 3447
- A DER-encoded plaintext private key; as specified in PKCS#8/RFC 5958
- A Sec1-encoded plaintext private key; as specified in RFC 5915
- A DER-encoded SubjectPublicKeyInfo (SPKI), as specified in RFC 5280.
- A trust anchor (a.k.a. root CA)
- A timestamp, tracking the number of non-leap seconds since the Unix epoch.
Enums§
no_std
implementation ofstd::net::IpAddr
.- A DER-encoded X.509 private key, in one of several formats
- Encodes ways a client can know the expected name of the server.
Traits§
- An abstract signature verification algorithm.
Type Aliases§
- Subject
Public KeyInfo Deprecated A DER-encoded SubjectPublicKeyInfo (SPKI), as specified in RFC 5280.