This crate provides types for representing X.509 certificates, keys and other types as commonly used in the rustls ecosystem. It is intended to be used by crates that need to work with such X.509 types, such as rustls, rustls-webpki, rustls-pemfile, and others.
Some of these crates used to define their own trivial wrappers around DER-encoded bytes. However, in order to avoid inconvenient dependency edges, these were all disconnected. By using a common low-level crate of types with long-term stable API, we hope to avoid the downsides of unnecessary dependency edges while providing good interoperability between crates.
§DER and PEM
Many of the types defined in this crate represent DER-encoded data. DER is a binary encoding of the ASN.1 format commonly used in web PKI specifications. Because it is a binary encoding, it is relatively compact when stored in memory. However, as a binary format, it is not very easy for humans to work with, nor convenient in contexts where binary data is awkward. For this reason, many tools and protocols use an ASCII-based encoding of DER, called PEM. In addition to the base64-encoded DER, PEM objects are delimited by header and footer lines which indicate the type of object contained in the PEM blob.
Types here can be created from:
- DER using (for example) PrivatePkcs8KeyDer::from().
- PEM using (for example) pem::PemObject::from_pem_slice().
The pem::PemObject trait contains the full selection of ways to construct these types from PEM encodings. That includes ways to open and read from a file, from a slice, or from an std::io stream.
There is also a lower-level API that allows a given PEM file to be fully consumed in one pass, even if it contains different data types: see the implementation of the pem::PemObject trait on the (pem::SectionKind, Vec<u8>) tuple.
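To make the PEM framing described above concrete, here is an added, std-only example (it is not code from rustls-pki-types and does not use the crate). It implements the same one-pass model as the crate's low-level (pem::SectionKind, Vec<u8>) API: every BEGIN/END section in the input is decoded to its DER bytes together with its label, so a file mixing certificates and keys is consumed in a single scan, and malformed framing (mismatched END label, missing END, invalid base64) is reported rather than silently skipped. The names parse_pem, PemSection, der_for_label and SAMPLE_PEM are this example's own, and SAMPLE_PEM is a constructed input holding two tiny DER values, not a real certificate or key.

```rust
// Added example, not part of rustls-pki-types: a minimal one-pass PEM
// section parser that yields (label, DER bytes) for every section it finds.

use std::fmt;

/// One decoded PEM section: the label from the BEGIN/END lines plus the DER it wrapped.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PemSection {
    pub label: String,
    pub der: Vec<u8>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum PemError {
    /// An END line whose label does not match the currently open BEGIN line.
    MismatchedLabel { begin: String, end: String },
    /// Input ended (or a new BEGIN appeared) while a section was still open.
    MissingEnd(String),
    /// An END line with no matching BEGIN line.
    UnexpectedEnd(String),
    /// A character outside the base64 alphabet, or malformed padding.
    InvalidBase64,
}

impl fmt::Display for PemError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PemError::MismatchedLabel { begin, end } => write!(f, "BEGIN {begin} closed by END {end}"),
            PemError::MissingEnd(l) => write!(f, "section {l} has no END line"),
            PemError::UnexpectedEnd(l) => write!(f, "END {l} without BEGIN"),
            PemError::InvalidBase64 => write!(f, "invalid base64 in section body"),
        }
    }
}

fn base64_value(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some((c - b'A') as u32),
        b'a'..=b'z' => Some((c - b'a') as u32 + 26),
        b'0'..=b'9' => Some((c - b'0') as u32 + 52),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Standard base64 (RFC 4648) decoder with '=' padding; whitespace must already be removed.
fn base64_decode(text: &str) -> Result<Vec<u8>, PemError> {
    let bytes = text.as_bytes();
    if bytes.len() % 4 != 0 {
        return Err(PemError::InvalidBase64);
    }
    let n_chunks = bytes.len() / 4;
    let mut out = Vec::with_capacity(n_chunks * 3);
    for (i, chunk) in bytes.chunks(4).enumerate() {
        let last = i + 1 == n_chunks;
        let pad = chunk.iter().filter(|&&b| b == b'=').count();
        // Padding may only be the final one or two characters of the last chunk.
        if pad > 2 || (pad > 0 && !last) || (pad >= 1 && chunk[3] != b'=') || (pad == 2 && chunk[2] != b'=') {
            return Err(PemError::InvalidBase64);
        }
        let mut acc: u32 = 0;
        for &b in &chunk[..4 - pad] {
            acc = (acc << 6) | base64_value(b).ok_or(PemError::InvalidBase64)?;
        }
        acc <<= 6 * pad as u32;
        let triple = acc.to_be_bytes(); // [0, b0, b1, b2]
        out.extend_from_slice(&triple[1..4 - pad]);
    }
    Ok(out)
}

/// Parse every PEM section in `input` in one pass, whatever its type.
/// Text outside BEGIN/END pairs (comments, blank lines) is ignored.
pub fn parse_pem(input: &str) -> Result<Vec<PemSection>, PemError> {
    let mut sections = Vec::new();
    let mut open: Option<(String, String)> = None; // (label, base64 body collected so far)
    for line in input.lines() {
        let line = line.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            if let Some((prev, _)) = open.take() {
                return Err(PemError::MissingEnd(prev));
            }
            open = Some((label.to_string(), String::new()));
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
            match open.take() {
                None => return Err(PemError::UnexpectedEnd(label.to_string())),
                Some((begin, body)) if begin == label => {
                    sections.push(PemSection { label: begin, der: base64_decode(&body)? });
                }
                Some((begin, _)) => return Err(PemError::MismatchedLabel { begin, end: label.to_string() }),
            }
        } else if let Some((_, body)) = open.as_mut() {
            body.push_str(line);
        }
    }
    if let Some((label, _)) = open {
        return Err(PemError::MissingEnd(label));
    }
    Ok(sections)
}

/// The per-type view: DER payloads of every section carrying `label` (e.g. "CERTIFICATE").
pub fn der_for_label(sections: &[PemSection], label: &str) -> Vec<Vec<u8>> {
    sections.iter().filter(|s| s.label == label).map(|s| s.der.clone()).collect()
}

/// Constructed sample input (not a real certificate or key): two tiny DER objects,
/// SEQUENCE { INTEGER 1 } and OCTET STRING DE AD, in a file mixing two section types.
pub const SAMPLE_PEM: &str = "\
# comment lines outside sections are ignored
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
BALerQ==
-----END PRIVATE KEY-----
";

fn main() {
    match parse_pem(SAMPLE_PEM) {
        Ok(sections) => {
            for s in &sections {
                println!("{}: {} DER bytes {:02x?}", s.label, s.der.len(), s.der);
            }
        }
        Err(e) => eprintln!("PEM error: {e}"),
    }
}
```

The parser deliberately fails the whole input on a framing error instead of returning the sections it managed to decode: a truncated or mislabelled key file is a configuration mistake worth surfacing, and a loader that silently dropped the broken section would leave a server running with the wrong material.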
§Creating new certificates and keys
This crate does not provide any functionality for creating new certificates or keys. However, the rcgen crate can be used to create new certificates and keys.
§Cloning private keys
This crate intentionally does not implement Clone on private key types in order to minimize the exposure of private key data in memory.
If you want to extend the lifetime of a PrivateKeyDer<'_>, consider PrivateKeyDer::clone_key(). Alternatively, since these types are immutable, consider wrapping the PrivateKeyDer<'_> in an Rc or an Arc.
§Target wasm32-unknown-unknown with the web feature
std::time::SystemTime is unavailable in wasm32-unknown-unknown targets, so calls to UnixTime::now(), otherwise enabled by the std feature, require building instead with the web feature. It gets time by calling Date.now() in the browser.
Re-exports§
- pub use alg_id::AlgorithmIdentifier;
Modules§
- alg_id
- The PKIX AlgorithmIdentifier type, and common values.
- pem
- Low-level PEM decoding APIs.
Structs§
- AddrParseError
- Failure to parse an IP address
- CertificateDer 
- A DER-encoded X.509 certificate; as specified in RFC 5280
- CertificateRevocationListDer
- A Certificate Revocation List; as specified in RFC 5280
- CertificateSigningRequestDer
- A Certificate Signing Request; as specified in RFC 2986
- Der
- DER-encoded data, either owned or borrowed
- DnsName
- A type which encapsulates a string (borrowed or owned) that is a syntactically valid DNS name.
- EchConfigListBytes
- A TLS-encoded Encrypted Client Hello (ECH) configuration list (ECHConfigList); as specified in draft-ietf-tls-esni-18 §4
- InvalidDnsNameError
- The provided input could not be parsed because it is not a syntactically-valid DNS Name.
- InvalidSignature 
- A detail-less error when a signature is not valid.
- Ipv4Addr
- no_std implementation of std::net::Ipv4Addr.
- Ipv6Addr
- no_std implementation of std::net::Ipv6Addr.
- PrivatePkcs1KeyDer
- A DER-encoded plaintext RSA private key; as specified in PKCS#1/RFC 3447
- PrivatePkcs8KeyDer
- A DER-encoded plaintext private key; as specified in PKCS#8/RFC 5958
- PrivateSec1KeyDer
- A Sec1-encoded plaintext private key; as specified in RFC 5915
- SubjectPublicKeyInfoDer
- A DER-encoded SubjectPublicKeyInfo (SPKI), as specified in RFC 5280.
- TrustAnchor 
- A trust anchor (a.k.a. root CA)
- UnixTime 
- A timestamp, tracking the number of non-leap seconds since the Unix epoch.
Enums§
- IpAddr
- no_std implementation of std::net::IpAddr.
- PrivateKeyDer 
- A DER-encoded X.509 private key, in one of several formats
- ServerName 
- Encodes ways a client can know the expected name of the server.
Traits§
- SignatureVerificationAlgorithm
- An abstract signature verification algorithm.
Type Aliases§
- SubjectPublicKeyInfo (deprecated)
- A DER-encoded SubjectPublicKeyInfo (SPKI), as specified in RFC 5280.