webpki/
lib.rs

1// Copyright 2015 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! webpki: Web PKI X.509 Certificate Validation.
16//!
17//! See `EndEntityCert`'s documentation for a description of the certificate
18//! processing steps necessary for a TLS connection.
19//!
20//! # Features
21//!
22//! | Feature | Description |
23//! | ------- | ----------- |
24//! | `alloc` | Enable features that require use of the heap. Currently all RSA signature algorithms require this feature. |
25//! | `std` | Enable features that require libstd. Implies `alloc`. |
26//! | `ring` | Enable use of the *ring* crate for cryptography. |
27//! | `aws_lc_rs` | Enable use of the aws-lc-rs crate for cryptography. |
28
29#![no_std]
30#![warn(elided_lifetimes_in_paths, unreachable_pub, clippy::use_self)]
31#![deny(missing_docs, clippy::as_conversions)]
32#![allow(
33    clippy::len_without_is_empty,
34    clippy::new_without_default,
35    clippy::single_match,
36    clippy::single_match_else,
37    clippy::type_complexity,
38    clippy::upper_case_acronyms
39)]
40// Enable documentation for all features on docs.rs
41#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
42
43#[cfg(any(feature = "std", test))]
44extern crate std;
45
46#[cfg(any(test, feature = "alloc"))]
47#[cfg_attr(test, macro_use)]
48extern crate alloc;
49
50#[macro_use]
51mod der;
52
53#[cfg(feature = "aws_lc_rs")]
54mod aws_lc_rs_algs;
55mod cert;
56mod end_entity;
57mod error;
58#[cfg(feature = "ring")]
59mod ring_algs;
60mod rpk_entity;
61mod signed_data;
62mod subject_name;
63mod time;
64mod trust_anchor;
65
66mod crl;
67mod verify_cert;
68mod x509;
69
70#[cfg(test)]
71pub(crate) mod test_utils;
72
73pub use {
74    cert::Cert,
75    crl::{
76        BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, ExpirationPolicy,
77        RevocationCheckDepth, RevocationOptions, RevocationOptionsBuilder, RevocationReason,
78        UnknownStatusPolicy,
79    },
80    end_entity::EndEntityCert,
81    error::{DerTypeId, Error},
82    rpk_entity::RawPublicKeyEntity,
83    signed_data::alg_id,
84    trust_anchor::anchor_from_trusted_cert,
85    verify_cert::KeyUsage,
86    verify_cert::VerifiedPath,
87};
88
89pub use pki_types as types;
90
91#[cfg(feature = "alloc")]
92pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
93
94#[cfg(feature = "ring")]
95/// Signature verification algorithm implementations using the *ring* crypto library.
96pub mod ring {
97    pub use super::ring_algs::{
98        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
99    };
100
101    #[cfg(feature = "alloc")]
102    pub use super::ring_algs::{
103        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
104        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
105        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
106    };
107}
108
109#[cfg(feature = "aws_lc_rs")]
110/// Signature verification algorithm implementations using the aws-lc-rs crypto library.
111pub mod aws_lc_rs {
112    pub use super::aws_lc_rs_algs::{
113        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
114        ECDSA_P521_SHA256, ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519,
115        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
116        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
117        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
118    };
119}
120
121/// An array of all the verification algorithms exported by this crate.
122///
123/// This will be empty if the crate is built without the `ring` and `aws_lc_rs` features.
124pub static ALL_VERIFICATION_ALGS: &[&dyn types::SignatureVerificationAlgorithm] = &[
125    #[cfg(feature = "ring")]
126    ring::ECDSA_P256_SHA256,
127    #[cfg(feature = "ring")]
128    ring::ECDSA_P256_SHA384,
129    #[cfg(feature = "ring")]
130    ring::ECDSA_P384_SHA256,
131    #[cfg(feature = "ring")]
132    ring::ECDSA_P384_SHA384,
133    #[cfg(feature = "ring")]
134    ring::ED25519,
135    #[cfg(all(feature = "ring", feature = "alloc"))]
136    ring::RSA_PKCS1_2048_8192_SHA256,
137    #[cfg(all(feature = "ring", feature = "alloc"))]
138    ring::RSA_PKCS1_2048_8192_SHA384,
139    #[cfg(all(feature = "ring", feature = "alloc"))]
140    ring::RSA_PKCS1_2048_8192_SHA512,
141    #[cfg(all(feature = "ring", feature = "alloc"))]
142    ring::RSA_PKCS1_3072_8192_SHA384,
143    #[cfg(all(feature = "ring", feature = "alloc"))]
144    ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
145    #[cfg(all(feature = "ring", feature = "alloc"))]
146    ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
147    #[cfg(all(feature = "ring", feature = "alloc"))]
148    ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
149    #[cfg(feature = "aws_lc_rs")]
150    aws_lc_rs::ECDSA_P256_SHA256,
151    #[cfg(feature = "aws_lc_rs")]
152    aws_lc_rs::ECDSA_P256_SHA384,
153    #[cfg(feature = "aws_lc_rs")]
154    aws_lc_rs::ECDSA_P384_SHA256,
155    #[cfg(feature = "aws_lc_rs")]
156    aws_lc_rs::ECDSA_P384_SHA384,
157    #[cfg(feature = "aws_lc_rs")]
158    aws_lc_rs::ECDSA_P521_SHA256,
159    #[cfg(feature = "aws_lc_rs")]
160    aws_lc_rs::ECDSA_P521_SHA384,
161    #[cfg(feature = "aws_lc_rs")]
162    aws_lc_rs::ECDSA_P521_SHA512,
163    #[cfg(feature = "aws_lc_rs")]
164    aws_lc_rs::ED25519,
165    #[cfg(feature = "aws_lc_rs")]
166    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
167    #[cfg(feature = "aws_lc_rs")]
168    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
169    #[cfg(feature = "aws_lc_rs")]
170    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
171    #[cfg(feature = "aws_lc_rs")]
172    aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
173    #[cfg(feature = "aws_lc_rs")]
174    aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
175    #[cfg(feature = "aws_lc_rs")]
176    aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
177    #[cfg(feature = "aws_lc_rs")]
178    aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
179];
180
181fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
182    a.as_slice_less_safe() == b.as_slice_less_safe()
183}
webpki/lib.rs

webpki/
lib.rs
