/rust/registry/src/index.crates.io-1949cf8c6b5b557f/x509-parser-0.18.1/src/lib.rs

Source
//! [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE-MIT)
//! [![Apache License 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](./LICENSE-APACHE)
//! [![docs.rs](https://docs.rs/x509-parser/badge.svg)](https://docs.rs/x509-parser)
//! [![crates.io](https://img.shields.io/crates/v/x509-parser.svg)](https://crates.io/crates/x509-parser)
//! [![Download numbers](https://img.shields.io/crates/d/x509-parser.svg)](https://crates.io/crates/x509-parser)
//! [![Github CI](https://github.com/rusticata/x509-parser/workflows/Continuous%20integration/badge.svg)](https://github.com/rusticata/x509-parser/actions)
//! [![Minimum rustc version](https://img.shields.io/badge/rustc-1.67.1+-lightgray.svg)](#rust-version-requirements)
//!
//! # X.509 Parser
//!
//! A X.509 v3 ([RFC5280]) parser, implemented with the [nom](https://github.com/Geal/nom)
//! parser combinator framework.
//!
//! It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken
//! to ensure security and safety of this crate, including design (recursion limit, defensive
//! programming), tests, and fuzzing. It also aims to be panic-free.
//!
//! The code is available on [Github](https://github.com/rusticata/x509-parser)
//! and is part of the [Rusticata](https://github.com/rusticata) project.
//!
//! Certificates are usually encoded in two main formats: PEM (usually the most common format) or
//! DER.  A PEM-encoded certificate is a container, storing a DER object. See the
//! [`pem`](pem/index.html) module for more documentation.
//!
//! To decode a DER-encoded certificate, the main parsing method is
//! `X509Certificate::from_der` (
//! part of the [`FromDer`](prelude/trait.FromDer.html) trait
//! ), which builds a
//! [`X509Certificate`](certificate/struct.X509Certificate.html) object.
//!
//! An alternative method is to use [`X509CertificateParser`](certificate/struct.X509CertificateParser.html),
//! which allows specifying parsing options (for example, not automatically parsing option contents).
//!
//! The returned objects for parsers follow the definitions of the RFC. This means that accessing
//! fields is done by accessing struct members recursively. Some helper functions are provided, for
//! example [`X509Certificate::issuer()`](certificate/struct.X509Certificate.html#method.issuer) returns the
//! same as accessing `<object>.tbs_certificate.issuer`.
//!
//! For PEM-encoded certificates, use the [`pem`](pem/index.html) module.
//!
//! This crate also provides visitor traits: [`X509CertificateVisitor`](crate::visitor::X509CertificateVisitor).
//!
//! # Examples
//!
//! Parsing a certificate in DER format:
//!
//! ```rust
//! use x509_parser::prelude::*;
//!
//! static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");
//!
//! # fn main() {
//! let res = X509Certificate::from_der(IGCA_DER);
//! match res {
//!     Ok((rem, cert)) => {
//!         assert!(rem.is_empty());
//!         //
//!         assert_eq!(cert.version(), X509Version::V3);
//!     },
//!     _ => panic!("x509 parsing failed: {:?}", res),
//! }
//! # }
//! ```
//!
//! To parse a CRL and print information about revoked certificates:
//!
//! ```rust
//! # use x509_parser::prelude::*;
//! #
//! # static DER: &[u8] = include_bytes!("../assets/example.crl");
//! #
//! # fn main() {
//! let res = CertificateRevocationList::from_der(DER);
//! match res {
//!     Ok((_rem, crl)) => {
//!         for revoked in crl.iter_revoked_certificates() {
//!             println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
//!             println!("  Reason: {}", revoked.reason_code().unwrap_or_default().1);
//!         }
//!     },
//!     _ => panic!("CRL parsing failed: {:?}", res),
//! }
//! # }
//! ```
//!
//! See also `examples/print-cert.rs`.
//!
//! # Features
//!
//! - The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively.
//!   It adds the
//!   [`X509Certificate::verify_signature()`](certificate/struct.X509Certificate.html#method.verify_signature)
//!   to `X509Certificate`.
//!
//! ```rust
//! # #[cfg(any(feature = "verify", feature = "verify-aws"))]
//! # use x509_parser::certificate::X509Certificate;
//! /// Cryptographic signature verification: returns true if certificate was signed by issuer
//! #[cfg(any(feature = "verify", feature = "verify-aws"))]
//! pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
//!     let issuer_public_key = issuer.public_key();
//!     cert
//!         .verify_signature(Some(issuer_public_key))
//!         .is_ok()
//! }
//! ```
//!
//! - The `verify-aws` feature offers the same support for signature verification, but based on
//!   `aws-lc-rs` instead of `ring`.
//!
//! - _Note_: if both `verify` and `verify-aws` features are enabled (which happens when using
//!   `--all-features`), the verification will use `aws-lc-rs`. It also has the side-effect of
//!   having a dependency on `ring`, even if it is not used.
//!
//! - The `validate` features add methods to run more validation functions on the certificate structure
//!   and values using the [`Validate`](validate/trait.Validate.html) trait.
//!   It does not validate any cryptographic parameter (see `verify` above).
//!
//! ## Rust version requirements
//!
//! `x509-parser` requires **Rustc version 1.67.1 or greater**, based on der-parser
//! dependencies and for proc-macro attributes support.
//!
//! [RFC5280]: https://tools.ietf.org/html/rfc5280

#![deny(/*missing_docs,*/
        unstable_features,
        unused_import_braces, unused_qualifications)]
#![warn(
    missing_debug_implementations,
    /* missing_docs,
    rust_2018_idioms,*/
    unreachable_pub
)]
#![forbid(unsafe_code)]
#![deny(rustdoc::broken_intra_doc_links)]
#![doc(test(
    no_crate_inject,
    attr(deny(warnings, rust_2018_idioms), allow(dead_code, unused_variables))
))]
#![cfg_attr(docsrs, feature(doc_cfg))]

pub mod certificate;
pub mod certification_request;
pub mod cri_attributes;
pub mod error;
pub mod extensions;
pub mod objects;
pub mod pem;
pub mod prelude;
pub mod public_key;
pub mod revocation_list;
pub mod signature_algorithm;
pub mod signature_value;
pub mod time;
pub mod utils;
#[cfg(feature = "validate")]
#[cfg_attr(docsrs, doc(cfg(feature = "validate")))]
pub mod validate;
#[cfg(any(feature = "verify", feature = "verify-aws"))]
#[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
pub mod verify;
pub mod visitor;
pub mod x509;

// reexports
pub use asn1_rs;
pub use der_parser;
pub use der_parser::num_bigint;
pub use nom;
pub use oid_registry;

use asn1_rs::FromDer;
use certificate::X509Certificate;
use error::X509Result;
use revocation_list::CertificateRevocationList;

/// Parse a **DER-encoded** X.509 Certificate, and return the remaining of the input and the built
/// object.
///
///
/// This function is an alias to [X509Certificate::from_der](certificate::X509Certificate::from_der). See this function
/// for more information.
///
/// For PEM-encoded certificates, use the [`pem`](pem/index.html) module.
#[inline]
pub fn parse_x509_certificate(i: &[u8]) -> X509Result<'_, X509Certificate<'_>> {
    X509Certificate::from_der(i)
}

/// Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built
/// object.
///
/// This function is an alias to [CertificateRevocationList::from_der](revocation_list::CertificateRevocationList::from_der). See this function
/// for more information.
#[inline]
pub fn parse_x509_crl(i: &[u8]) -> X509Result<'_, CertificateRevocationList<'_>> {
    CertificateRevocationList::from_der(i)
}

/// Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built
#[deprecated(
    since = "0.9.0",
    note = "please use `parse_x509_certificate` or `X509Certificate::from_der` instead"
)]
#[inline]
pub fn parse_x509_der(i: &[u8]) -> X509Result<'_, X509Certificate<'_>> {
    X509Certificate::from_der(i)
}

/// Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built
/// object.
#[deprecated(
    since = "0.9.0",
    note = "please use `parse_x509_crl` or `CertificateRevocationList::from_der` instead"
)]
#[inline]
pub fn parse_crl_der(i: &[u8]) -> X509Result<'_, CertificateRevocationList<'_>> {
    CertificateRevocationList::from_der(i)
}

Coverage Report

Created: 2026-03-28 06:33

Line	Count	Source
1		//! [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE-MIT)
2		//! [![Apache License 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](./LICENSE-APACHE)
3		//! [![docs.rs](https://docs.rs/x509-parser/badge.svg)](https://docs.rs/x509-parser)
4		//! [![crates.io](https://img.shields.io/crates/v/x509-parser.svg)](https://crates.io/crates/x509-parser)
5		//! [![Download numbers](https://img.shields.io/crates/d/x509-parser.svg)](https://crates.io/crates/x509-parser)
6		//! [![Github CI](https://github.com/rusticata/x509-parser/workflows/Continuous%20integration/badge.svg)](https://github.com/rusticata/x509-parser/actions)
7		//! [![Minimum rustc version](https://img.shields.io/badge/rustc-1.67.1+-lightgray.svg)](#rust-version-requirements)
8		//!
9		//! # X.509 Parser
10		//!
11		//! A X.509 v3 ([RFC5280]) parser, implemented with the [nom](https://github.com/Geal/nom)
12		//! parser combinator framework.
13		//!
14		//! It is written in pure Rust, fast, and makes extensive use of zero-copy. A lot of care is taken
15		//! to ensure security and safety of this crate, including design (recursion limit, defensive
16		//! programming), tests, and fuzzing. It also aims to be panic-free.
17		//!
18		//! The code is available on [Github](https://github.com/rusticata/x509-parser)
19		//! and is part of the [Rusticata](https://github.com/rusticata) project.
20		//!
21		//! Certificates are usually encoded in two main formats: PEM (usually the most common format) or
22		//! DER. A PEM-encoded certificate is a container, storing a DER object. See the
23		//! [`pem`](pem/index.html) module for more documentation.
24		//!
25		//! To decode a DER-encoded certificate, the main parsing method is
26		//! `X509Certificate::from_der` (
27		//! part of the [`FromDer`](prelude/trait.FromDer.html) trait
28		//! ), which builds a
29		//! [`X509Certificate`](certificate/struct.X509Certificate.html) object.
30		//!
31		//! An alternative method is to use [`X509CertificateParser`](certificate/struct.X509CertificateParser.html),
32		//! which allows specifying parsing options (for example, not automatically parsing option contents).
33		//!
34		//! The returned objects for parsers follow the definitions of the RFC. This means that accessing
35		//! fields is done by accessing struct members recursively. Some helper functions are provided, for
36		//! example [`X509Certificate::issuer()`](certificate/struct.X509Certificate.html#method.issuer) returns the
37		//! same as accessing `<object>.tbs_certificate.issuer`.
38		//!
39		//! For PEM-encoded certificates, use the [`pem`](pem/index.html) module.
40		//!
41		//! This crate also provides visitor traits: [`X509CertificateVisitor`](crate::visitor::X509CertificateVisitor).
42		//!
43		//! # Examples
44		//!
45		//! Parsing a certificate in DER format:
46		//!
47		//! ```rust
48		//! use x509_parser::prelude::*;
49		//!
50		//! static IGCA_DER: &[u8] = include_bytes!("../assets/IGC_A.der");
51		//!
52		//! # fn main() {
53		//! let res = X509Certificate::from_der(IGCA_DER);
54		//! match res {
55		//! Ok((rem, cert)) => {
56		//! assert!(rem.is_empty());
57		//! //
58		//! assert_eq!(cert.version(), X509Version::V3);
59		//! },
60		//! _ => panic!("x509 parsing failed: {:?}", res),
61		//! }
62		//! # }
63		//! ```
64		//!
65		//! To parse a CRL and print information about revoked certificates:
66		//!
67		//! ```rust
68		//! # use x509_parser::prelude::*;
69		//! #
70		//! # static DER: &[u8] = include_bytes!("../assets/example.crl");
71		//! #
72		//! # fn main() {
73		//! let res = CertificateRevocationList::from_der(DER);
74		//! match res {
75		//! Ok((_rem, crl)) => {
76		//! for revoked in crl.iter_revoked_certificates() {
77		//! println!("Revoked certificate serial: {}", revoked.raw_serial_as_string());
78		//! println!(" Reason: {}", revoked.reason_code().unwrap_or_default().1);
79		//! }
80		//! },
81		//! _ => panic!("CRL parsing failed: {:?}", res),
82		//! }
83		//! # }
84		//! ```
85		//!
86		//! See also `examples/print-cert.rs`.
87		//!
88		//! # Features
89		//!
90		//! - The `verify` and `verify-aws` features adds support for (cryptographic) signature verification, based on `ring` or `aws-lc` respectively.
91		//! It adds the
92		//! [`X509Certificate::verify_signature()`](certificate/struct.X509Certificate.html#method.verify_signature)
93		//! to `X509Certificate`.
94		//!
95		//! ```rust
96		//! # #[cfg(any(feature = "verify", feature = "verify-aws"))]
97		//! # use x509_parser::certificate::X509Certificate;
98		//! /// Cryptographic signature verification: returns true if certificate was signed by issuer
99		//! #[cfg(any(feature = "verify", feature = "verify-aws"))]
100		//! pub fn check_signature(cert: &X509Certificate<'_>, issuer: &X509Certificate<'_>) -> bool {
101		//! let issuer_public_key = issuer.public_key();
102		//! cert
103		//! .verify_signature(Some(issuer_public_key))
104		//! .is_ok()
105		//! }
106		//! ```
107		//!
108		//! - The `verify-aws` feature offers the same support for signature verification, but based on
109		//! `aws-lc-rs` instead of `ring`.
110		//!
111		//! - _Note_: if both `verify` and `verify-aws` features are enabled (which happens when using
112		//! `--all-features`), the verification will use `aws-lc-rs`. It also has the side-effect of
113		//! having a dependency on `ring`, even if it is not used.
114		//!
115		//! - The `validate` features add methods to run more validation functions on the certificate structure
116		//! and values using the [`Validate`](validate/trait.Validate.html) trait.
117		//! It does not validate any cryptographic parameter (see `verify` above).
118		//!
119		//! ## Rust version requirements
120		//!
121		//! `x509-parser` requires Rustc version 1.67.1 or greater, based on der-parser
122		//! dependencies and for proc-macro attributes support.
123		//!
124		//! [RFC5280]: https://tools.ietf.org/html/rfc5280
125
126		#![deny(/missing_docs,/
127		unstable_features,
128		unused_import_braces, unused_qualifications)]
129		#![warn(
130		missing_debug_implementations,
131		/* missing_docs,
132		rust_2018_idioms,*/
133		unreachable_pub
134		)]
135		#![forbid(unsafe_code)]
136		#![deny(rustdoc::broken_intra_doc_links)]
137		#![doc(test(
138		no_crate_inject,
139		attr(deny(warnings, rust_2018_idioms), allow(dead_code, unused_variables))
140		))]
141		#![cfg_attr(docsrs, feature(doc_cfg))]
142
143		pub mod certificate;
144		pub mod certification_request;
145		pub mod cri_attributes;
146		pub mod error;
147		pub mod extensions;
148		pub mod objects;
149		pub mod pem;
150		pub mod prelude;
151		pub mod public_key;
152		pub mod revocation_list;
153		pub mod signature_algorithm;
154		pub mod signature_value;
155		pub mod time;
156		pub mod utils;
157		#[cfg(feature = "validate")]
158		#[cfg_attr(docsrs, doc(cfg(feature = "validate")))]
159		pub mod validate;
160		#[cfg(any(feature = "verify", feature = "verify-aws"))]
161		#[cfg_attr(docsrs, doc(cfg(any(feature = "verify", feature = "verify-aws"))))]
162		pub mod verify;
163		pub mod visitor;
164		pub mod x509;
165
166		// reexports
167		pub use asn1_rs;
168		pub use der_parser;
169		pub use der_parser::num_bigint;
170		pub use nom;
171		pub use oid_registry;
172
173		use asn1_rs::FromDer;
174		use certificate::X509Certificate;
175		use error::X509Result;
176		use revocation_list::CertificateRevocationList;
177
178		/// Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built
179		/// object.
180		///
181		///
182		/// This function is an alias to [X509Certificate::from_der](certificate::X509Certificate::from_der). See this function
183		/// for more information.
184		///
185		/// For PEM-encoded certificates, use the [`pem`](pem/index.html) module.
186		#[inline]
187	0	pub fn parse_x509_certificate(i: &[u8]) -> X509Result<'_, X509Certificate<'_>> {
188	0	X509Certificate::from_der(i)
189	0	} Unexecuted instantiation: x509_parser::parse_x509_certificate Unexecuted instantiation: x509_parser::parse_x509_certificate
190
191		/// Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built
192		/// object.
193		///
194		/// This function is an alias to [CertificateRevocationList::from_der](revocation_list::CertificateRevocationList::from_der). See this function
195		/// for more information.
196		#[inline]
197	0	pub fn parse_x509_crl(i: &[u8]) -> X509Result<'_, CertificateRevocationList<'_>> {
198	0	CertificateRevocationList::from_der(i)
199	0	}
200
201		/// Parse a DER-encoded X.509 Certificate, and return the remaining of the input and the built
202		#[deprecated(
203		since = "0.9.0",
204		note = "please use `parse_x509_certificate` or `X509Certificate::from_der` instead"
205		)]
206		#[inline]
207	0	pub fn parse_x509_der(i: &[u8]) -> X509Result<'_, X509Certificate<'_>> {
208	0	X509Certificate::from_der(i)
209	0	}
210
211		/// Parse a DER-encoded X.509 v2 CRL, and return the remaining of the input and the built
212		/// object.
213		#[deprecated(
214		since = "0.9.0",
215		note = "please use `parse_x509_crl` or `CertificateRevocationList::from_der` instead"
216		)]
217		#[inline]
218	0	pub fn parse_crl_der(i: &[u8]) -> X509Result<'_, CertificateRevocationList<'_>> {
219	0	CertificateRevocationList::from_der(i)
220	0	}