webpki/
lib.rs

Help
1// Copyright 2015 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! webpki: Web PKI X.509 Certificate Validation.
16//!
17//! See `EndEntityCert`'s documentation for a description of the certificate
18//! processing steps necessary for a TLS connection.
19//!
20//! # Features
21//!
22//! | Feature | Description |
23//! | ------- | ----------- |
24//! | `alloc` | Enable features that require use of the heap. Currently all RSA signature algorithms require this feature. |
25//! | `std` | Enable features that require libstd. Implies `alloc`. |
26//! | `ring` | Enable use of the *ring* crate for cryptography. |
27//! | `aws-lc-rs` | Enable use of the aws-lc-rs crate for cryptography. Previously this feature was named `aws_lc_rs`. |
28
29#![no_std]
30#![warn(elided_lifetimes_in_paths, unreachable_pub, clippy::use_self)]
31#![deny(missing_docs, clippy::as_conversions)]
32#![allow(
33    clippy::len_without_is_empty,
34    clippy::manual_let_else,
35    clippy::new_without_default,
36    clippy::single_match,
37    clippy::single_match_else,
38    clippy::type_complexity,
39    clippy::upper_case_acronyms
40)]
41// Enable documentation for all features on docs.rs
42#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
43
44#[cfg(any(feature = "std", test))]
45extern crate std;
46
47#[cfg(any(test, feature = "alloc"))]
48#[cfg_attr(test, macro_use)]
49extern crate alloc;
50
51#[macro_use]
52mod der;
53
54#[cfg(feature = "aws-lc-rs")]
55mod aws_lc_rs_algs;
56mod cert;
57mod end_entity;
58mod error;
59#[cfg(feature = "ring")]
60mod ring_algs;
61mod rpk_entity;
62mod signed_data;
63mod subject_name;
64mod time;
65mod trust_anchor;
66
67mod crl;
68mod verify_cert;
69mod x509;
70
71#[cfg(test)]
72pub(crate) mod test_utils;
73
74pub use {
75    cert::Cert,
76    crl::{
77        BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, ExpirationPolicy,
78        RevocationCheckDepth, RevocationOptions, RevocationOptionsBuilder, RevocationReason,
79        UnknownStatusPolicy,
80    },
81    end_entity::EndEntityCert,
82    error::{DerTypeId, Error, InvalidNameContext},
83    rpk_entity::RawPublicKeyEntity,
84    trust_anchor::anchor_from_trusted_cert,
85    verify_cert::{KeyUsage, RequiredEkuNotFoundContext, VerifiedPath},
86};
87
88#[cfg(feature = "alloc")]
89pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
90
91#[cfg(feature = "ring")]
92/// Signature verification algorithm implementations using the *ring* crypto library.
93pub mod ring {
94    pub use super::ring_algs::{
95        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
96    };
97
98    #[cfg(feature = "alloc")]
99    pub use super::ring_algs::{
100        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
101        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
102        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
103        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
104        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
105    };
106}
107
108#[cfg(feature = "aws-lc-rs")]
109/// Signature verification algorithm implementations using the aws-lc-rs crypto library.
110pub mod aws_lc_rs {
111    pub use super::aws_lc_rs_algs::{
112        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
113        ECDSA_P521_SHA256, ECDSA_P521_SHA384, ECDSA_P521_SHA512, ED25519,
114        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
115        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
116        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
117        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
118        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
119    };
120}
121
122/// An array of all the verification algorithms exported by this crate.
123///
124/// This will be empty if the crate is built without the `ring` and `aws-lc-rs` features.
125pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorithm] = &[
126    #[cfg(feature = "ring")]
127    ring::ECDSA_P256_SHA256,
128    #[cfg(feature = "ring")]
129    ring::ECDSA_P256_SHA384,
130    #[cfg(feature = "ring")]
131    ring::ECDSA_P384_SHA256,
132    #[cfg(feature = "ring")]
133    ring::ECDSA_P384_SHA384,
134    #[cfg(feature = "ring")]
135    ring::ED25519,
136    #[cfg(all(feature = "ring", feature = "alloc"))]
137    ring::RSA_PKCS1_2048_8192_SHA256,
138    #[cfg(all(feature = "ring", feature = "alloc"))]
139    ring::RSA_PKCS1_2048_8192_SHA384,
140    #[cfg(all(feature = "ring", feature = "alloc"))]
141    ring::RSA_PKCS1_2048_8192_SHA512,
142    #[cfg(all(feature = "ring", feature = "alloc"))]
143    ring::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
144    #[cfg(all(feature = "ring", feature = "alloc"))]
145    ring::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
146    #[cfg(all(feature = "ring", feature = "alloc"))]
147    ring::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
148    #[cfg(all(feature = "ring", feature = "alloc"))]
149    ring::RSA_PKCS1_3072_8192_SHA384,
150    #[cfg(all(feature = "ring", feature = "alloc"))]
151    ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
152    #[cfg(all(feature = "ring", feature = "alloc"))]
153    ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
154    #[cfg(all(feature = "ring", feature = "alloc"))]
155    ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
156    #[cfg(feature = "aws-lc-rs")]
157    aws_lc_rs::ECDSA_P256_SHA256,
158    #[cfg(feature = "aws-lc-rs")]
159    aws_lc_rs::ECDSA_P256_SHA384,
160    #[cfg(feature = "aws-lc-rs")]
161    aws_lc_rs::ECDSA_P384_SHA256,
162    #[cfg(feature = "aws-lc-rs")]
163    aws_lc_rs::ECDSA_P384_SHA384,
164    #[cfg(feature = "aws-lc-rs")]
165    aws_lc_rs::ECDSA_P521_SHA256,
166    #[cfg(feature = "aws-lc-rs")]
167    aws_lc_rs::ECDSA_P521_SHA384,
168    #[cfg(feature = "aws-lc-rs")]
169    aws_lc_rs::ECDSA_P521_SHA512,
170    #[cfg(feature = "aws-lc-rs")]
171    aws_lc_rs::ED25519,
172    #[cfg(feature = "aws-lc-rs")]
173    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
174    #[cfg(feature = "aws-lc-rs")]
175    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
176    #[cfg(feature = "aws-lc-rs")]
177    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
178    #[cfg(feature = "aws-lc-rs")]
179    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
180    #[cfg(feature = "aws-lc-rs")]
181    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
182    #[cfg(feature = "aws-lc-rs")]
183    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
184    #[cfg(feature = "aws-lc-rs")]
185    aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
186    #[cfg(feature = "aws-lc-rs")]
187    aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
188    #[cfg(feature = "aws-lc-rs")]
189    aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
190    #[cfg(feature = "aws-lc-rs")]
191    aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
192];
193
194fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
195    a.as_slice_less_safe() == b.as_slice_less_safe()
196}
webpki/lib.rs

webpki/
lib.rs
