webpki — Web PKI TLS X.509 certificate validation in Rust.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABIL

Information

Category: Rust / Cryptography
Watchers: 22
Star: 423
Fork: 176
Last update: May 23, 2023

Resource links

https://briansmith.org/rustdoc/webpki/

https://github.com/briansmith/webpki

README
Issues 111

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

What is webpki?

webpki is a library that validates Web PKI (TLS/SSL) certificates. webpki is designed to provide a full implementation of the client side of the Web PKI to a diverse range of applications and devices, including embedded (IoT) applications, mobile apps, desktop applications, and server infrastructure. webpki is intended to not only be the best implementation of the Web PKI, but to also precisely define what the Web PKI is.

webpki is written in Rust and uses ring for signature verification.

webpki is strongly influenced by mozilla::pkix. You can read a little about the ideas underlying both mozilla::pkix and webpki in insanity::pkix: A New Certificate Path Building & Validation Library.

The Rust compiler statically guarantees there are no buffer overflows, uses-after-free, double-frees, data races, etc. in webpki. webpki takes advantage of Rust's borrow checker to ensure that its zero-copy parsing strategy is safe and efficient. webpki never allocates memory on the heap, and it maintains a tight bound on the amount of stack memory it uses. webpki avoids all superfluous PKIX features in order to keep its object code size small. Further reducing the code size of webpki is an important goal.

This release is the very first prototype. Lots of improvements are planned, including:

An extensive automated test suite.
Key pinning.
Certificate Transparency support.
Short-lived certificate, OCSP stapling, and CRLSet support.
Customization of the supported algorithms, key sizes, and elliptic curves allowed during a validation.
A C language wrapper interface to allow using webpki in non-Rust applications.
A specification of precisely what the Web PKI is.

Demo

See https://github.com/ctz/rustls#example-code for an example of using webpki.

License

See LICENSE. This project happily accepts pull requests without any formal copyright/contributor license agreement. Pull requests must explicitly indicate who owns the copyright to the code being contributed and that the code is being licensed under the same terms as the existing webpki code.

Bug Reporting

Please report bugs either as pull requests or as issues in the issue tracker. webpki has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.

Online Automated Testing

Travis CI is used for Linux and Mac OS X. Appveyor is used for Windows.

OS	Arch.	Status
Linux	x86, x64	Build Status
Mac OS X x64	x86, x64	Build Status
Windows (-msvc)	x86, x64	Build Status

111 Open More issues

Closed

Implementations MUST accept SHA2 AlgorithmIdentifiers with absent parameters

See #98 We have an end entity certificate that is doesn't have a "NULL" value for the parameters of the AlgorithmIdentifier--it is absent. Reading RFC 5754, it looks like this scenario needs to be covered by implementations:

The AlgorithmIdentifier parameters field is OPTIONAL. Implementations MUST accept SHA2 AlgorithmIdentifiers with absent parameters. Implementations MUST accept SHA2 AlgorithmIdentifiers with NULL parameters. Implementations MUST generate SHA2 AlgorithmIdentifiers with absent parameters.

This is an easy enough fix to implement since we just need to add a few more .der files to cover the case when "NULL" is absent, like so:

# rsaEncryption
OBJECT_IDENTIFIER { 1.2.840.113549.1.1.1 }

and then run ascii2der on that.

Without this change, we see an UnknownIssuer error which bubbles up from the UnsupportedSignatureAlgorithm error.

opened Apr 22, 2019 by codeman9 11

Closed

Yubico U2F attestation cert with failing test

Not for merge.

This adds a failing test for parsing an attestation certificate from a Yubico U2F device. I have not yet learned enough about webpki/ring internals to figure out where the problem is. I will keep working on it, but would appreciate assistance if anyone can help.

opened Jan 15, 2017 by robn 9

Closed

add a method to collect the DNS names from a certificate

Fix #64

I am not too happy about it yet, I'd like to remove the ToString implementation for DNSName, since there's a Into<&str> for DNSNameRef. Unfortunately, I have not been able to make the function return a vector of DNSNameRefyet. For reference, the code I'm currently trying to build is:

#[cfg(feature = "std")]
pub fn list_cert_dns_names<'a>(cert: &'e super::EndEntityCert<'a>)
                                   -> Result<Vec<DNSNameRef<'a>>, Error> {
    let cert = &cert.inner;
    let names = std::cell::RefCell::new(Vec::new());

    iterate_names(cert.subject, cert.subject_alt_name, Ok(()), &|name| {
        match name {
            GeneralName::DNSName(presented_id) => {
                names.borrow_mut().push(DNSNameRef(presented_id));
            },
            _ => ()
        }
        NameIteration::KeepGoing
    }).map(|_| names.into_inner())
}

But there's a conflict between the lifetime of name (created in iterate_names and passed to the closure) and the lifetime of the DNSNameRef returned as result.

opened Dec 28, 2017 by Geal 9

Closed

add method to return the length of consumed data when parsing der cert

i want to calculate the length in bytes of a der encoded cert buried in a variable-length packet. by exposing the reader's byte position i hope to make it possible to read out the number of bytes consumed by the der parser.

see https://github.com/briansmith/untrusted/pull/8

opened Feb 17, 2017 by cmsd2 8

Closed

Parse v1 roots

This should address issue #13.

opened Jun 18, 2016 by ctz 8

Closed

Add support for PKCS#12

As briefly discussed in https://github.com/briansmith/ring/issues/224.

opened Mar 5, 2017 by aidanhs 7

Open

Only allow contiguous netmasks

Should fix #130.

I haven't figured out yet how to test this. Any suggestions?

I own the copyright to the code being contributed and that the code is being licensed under the same terms as the existing webpki code.

opened Jun 8, 2020 by djc 0

Open

Validation of IP address name constraints should be stricter

This was reported by Gregor Kopf for Cure53. Thanks Gregor!

RFC 5280 has this to say about IP address name constraints:

For IPv4 addresses, the iPAddress field of GeneralName MUST contain eight (8) octets, encoded in the style of RFC 4632 (CIDR) to represent an address range [RFC4632]. For IPv6 addresses, the iPAddress field MUST contain 32 octets similarly encoded. For example, a name constraint for "class C" subnet 192.0.2.0 is represented as the octets C0 00 02 00 FF FF FF 00, representing the CIDR notation 192.0.2.0/24 (mask 255.255.255.0).

Gregor noted that this code: https://github.com/briansmith/webpki/blob/049c5ad5c5b0272baf007ef1301acaf9d5c4ac56/src/name.rs#L357-L375 "... would support non-contiguous subnet masks - i.e., masks that have one-bits after the first zero bit. I know that the respective RFCs are not too clear about whether such masks should be allowed or not."

The question is whether it is correct (or at least better) to support non-contiguous subnet masks or to reject non-contiguous masks. Even more than that, should we support masks that aren't prefixes?

Chromium's name constraint logic does have these requirements. See https://chromium.googlesource.com/chromium/src/+blame/51ba3e6902ecd7284d3be51db648127d1be2187f/net/cert/internal/name_constraints.cc#239

I don't remember making a conscious decision about this in the past. The RFC 5280 encoding of subnet mask is wasteful and error-prone if it really intends to be restricted to masks that can be represented in CIDR notation. OTOH we don't have any motivation to support masks that can't be represented with CIDR notation. webpki should align with Chromium here.

opened Jun 4, 2020 by briansmith 1

Open

Add as_str to DNSName

There already exists AsRef<str> implementation for DNSName, but given there is also as_ref() -> DNSNameRef, trying to get a &str with dns_name.as_ref() ends up picking the wrong implementation.

The AsRef::<str>::as_ref(&source) alternative works, but isn't that pretty!

The as_str() is somewhat idiomatic solution to this (see String::as_str() for an example).

(The AsRef::<str>::... is a suitable workaround, which I've already unleashed upon my codebase so I don't really need this PR to land if there's a reason to reject it.)

Pull requests must explicitly indicate who owns the copyright to the code being contributed and that the code is being licensed under the same terms as the existing webpki code.

I don't believe the changes are significant enough to be covered by copyright, but to avoid any doubt, if they were, I'd be the owner and I'll license them under the same terms as the exiting webpki code.

opened May 30, 2020 by Rantanen 0

Open

Fix License information in Cargo.toml

For standard licenses it is best practice to specify the license name instead of the file. See: https://doc.rust-lang.org/cargo/reference/manifest.html#the-license-and-license-file-fields

opened Apr 20, 2020 by pacman82 0

Open

Added support for trusting self-signed certificates

Added a flag is_end_entity to TrustAnchor for self-signed certs, and deferred the CAUsedAsEndEntity error returned by check_issuer_independent_properties() to be checked again once the matching trust anchor is found, returning the error if the trust anchor is not flagged as an end entity.

Added tests verifying the acceptance of a self-signed certificate when a TrustAnchor with is_end_entity: true is present for the certificate, and verifying the rejection of the same certificate when it is not.

opened Apr 9, 2020 by jbg 1

Open

Rename and overhall DNS name types

opened Mar 22, 2020 by briansmith 0

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.

A collection of shell scripts that help handling X.509 certificate and TLS issues

PKIjs is a pure JavaScript library implementing the formats that are used in PKI applications

Certificate Expiry Monitor Controller monitors the expiration of TLS certificates used in Ingress.

PKI support for SSH certificates

async-native-tls - Native TLS using futures

rust-native-tls — Bindings for native TLS libraries

ForgeCert uses the BouncyCastle C# API and a stolen Certificate Authority (CA) certificate + private key to forge certificates for arbitrary users capable of authentication to Active Directory.

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

GCTExposer - Discover sub-domains by searching through Certificate Transparency logs

Go package to embed the Mozilla Included CA Certificate List

OpenSSL compatibility layer for the Rust SSL/TLS stack

The UAPKI is crypto library for using in PKI with support of Ukrainian and internationlal cryptographic standards.

async-tls - Asynchronous TLS/SSL streams using Rustls

A Java library that implements a ByteChannel interface over SSLEngine, enabling easy-to-use (socket-like) TLS for Java applications.

A command-line tool for testing SSL/TLS handshake latency, written in Go.

TLS 1.3 implementation in C (master supports RFC8446 as well as draft-26, -27, -28)

An idiomatic Go (golang) validation package. Supports configurable and extensible validation rules (validators) using normal language constructs instead of error-prone struct tags.

jQuery Validation Plugin library sources

Validation library

Validation Pipe and GraphQL validation filter for NestJS

Share this repo

Related Repos

Cryptography

Stack Exchange Knowledge Graph

Stack of Knowledge Universe A universe that consists of meta knowledge domains from Stack Exchange, made using Bevy with ❤️ . Setup Remove .placeholde

Cryptography

A bzip2 implementation in pure Rust.

ribzip2 - a comprehensible bzip2 implementation ribzip2 is command line utility providing bzip2 compression and decompression written in pure Rust. It

Cryptography

A pure Rust framework and implementation of (derivative-free) methods for solving nonlinea...

Gomez A pure Rust framework and implementation of (derivative-free) methods for solving nonlinear (bound-constrained) systems of equations. Warning: T

Cryptography

An implementation of Olm and Megolm in pure Rust.

A Rust implementation of Olm and Megolm vodozemac is a Rust implementation of libolm, a cryptographic library used for end-to-end encryption in Matrix

Cryptography

Simple encryption tool for passing secrets

soda Simple command line utility for encrypting and decrypting secrets. More information to come if anyone actually cares. For now writing a bare mini

Cryptography

Random minting framework for Secret Network NFT projects

Randomized SNIP-721 Mint Impl This contract is a reference implementation using Baedriks SNIP-721 impl as a framework, optimized for randomly minting

Cryptography

A password entropy calculator/library.

paspio paspio, short for pasvorta entropio, is a password entropy calculator/library. Please refrain from using this as a sole measure of password str

Cryptography

A game built with Phaser. Your a bug, its your mission to collect all the secret items and...

Bug Saves World this is a really early demo photo of what one of the loading screens will sorta look like You are the last bug left on planet Earth, t

Cryptography

Rust implementation of Shamir's Secret Sharing

Horcrux - Rust implementation of Shamir's Secret Sharing This program is an example implementation of Shamir's Secret Sharing in Rust. You can find mo

Cryptography

A pure Rust implementation of the Web Local Storage API, for use in non-browser contexts

Rust Web Local Storage API A Rust implementation of the Web LocalStorage API, for use in non-browser contexts About the Web Local Storage API MDN docs

Cryptography

A pure Rust PLONK implementation using arkworks as a backend.

PLONK This is a pure Rust implementation of the PLONK zk proving system Usage use ark_plonk::prelude::*; use ark_ec::bls12::Bls12; use rand_core::OsRn

Cryptography

137

Keyscope is a key and secret workflow (validation, invalidation, etc.) tool built in Rust

✅ Automate your key and secret validation workflows 🤠 Over 30 different providers 🤖 Export to JSON, audit via CSV 🔑 Keyscope Keyscope is a key and

Cryptography

Pure rust implementation of jq

XQ JQ reimplemented purely in Rust. Caution This program is under development. You probably want to use the original implementation of jq, or pure Go

Cryptography

Zei is a library that provide tools to create and verify public transaction with confident...

#Zei: Findora's Cryptographic Library Zei is a library that provide tools to create and verify public transaction with confidential data. Support: Bas

Cryptography

3.2k

Rust and Elixir libraries for end-to-end encrypted, mutually authenticated, secure communi...

Tools for mutual authenticated and end-to-end encrypted messaging between distributed applications.