WebPKI X.509 Certificate Validation in Rust


briansmith/webpki


THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

webpki is a library that validates Web PKI (TLS/SSL) certificates. webpki is designed to provide a full implementation of the client side of the Web PKI to a diverse range of applications and devices, including embedded (IoT) applications, mobile apps, desktop applications, and server infrastructure. webpki is intended to not only be the best implementation of the Web PKI, but to also precisely define what the Web PKI is.

webpki is written in Rust and uses ring for signature verification.

webpki is strongly influenced by mozilla::pkix. You can read a little about the ideas underlying both mozilla::pkix and webpki in insanity::pkix: A New Certificate Path Building & Validation Library.

The Rust compiler statically guarantees there are no buffer overflows, uses-after-free, double-frees, data races, etc. in webpki. webpki takes advantage of Rust's borrow checker to ensure that its zero-copy parsing strategy is safe and efficient. webpki never allocates memory on the heap, and it maintains a tight bound on the amount of stack memory it uses. webpki avoids all superfluous PKIX features in order to keep its object code size small. Further reducing the code size of webpki is an important goal.
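To make the zero-copy claim concrete, here is an added example (not webpki's own code) of a DER tag-length-value reader whose outputs are sub-slices tied to the input's lifetime, so the borrow checker rejects any use after the input is gone and nothing is allocated on the heap. The names `Reader`, `Error`, `read_tlv` and the sample bytes are assumptions made for this illustration; multi-byte tags and lengths above 65535 are out of scope.

```rust
// Added illustration, not webpki's code. Reader, Error and read_tlv are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum Error { Truncated, BadLength }

/// Cursor over borrowed input: it holds only a slice, so parsing never
/// copies bytes and never allocates on the heap.
pub struct Reader<'a> { rest: &'a [u8] }

impl<'a> Reader<'a> {
    pub fn new(input: &'a [u8]) -> Self { Reader { rest: input } }
    pub fn at_end(&self) -> bool { self.rest.is_empty() }

    // Bounds-checked split; the head keeps the input's lifetime 'a.
    fn take(&mut self, n: usize) -> Result<&'a [u8], Error> {
        if n > self.rest.len() { return Err(Error::Truncated); }
        let (head, tail) = self.rest.split_at(n);
        self.rest = tail;
        Ok(head)
    }

    /// Read one DER tag-length-value. The value is a sub-slice of the input.
    pub fn read_tlv(&mut self) -> Result<(u8, &'a [u8]), Error> {
        let tag = self.take(1)?[0];
        let first = self.take(1)?[0];
        let len = match first {
            n @ 0..=0x7f => n as usize,
            0x81 => match self.take(1)?[0] {
                n if n >= 0x80 => n as usize,
                _ => return Err(Error::BadLength), // DER requires the minimal length form
            },
            0x82 => {
                let b = self.take(2)?;
                let n = ((b[0] as usize) << 8) | b[1] as usize;
                if n < 0x100 { return Err(Error::BadLength); }
                n
            }
            _ => return Err(Error::BadLength), // indefinite or oversized lengths rejected
        };
        Ok((tag, self.take(len)?))
    }
}

// Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
pub static SAMPLE: [u8; 9] = [0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, b'h', b'i'];

fn main() {
    let (tag, body) = Reader::new(&SAMPLE).read_tlv().unwrap();
    println!("outer tag {:#04x}, {} body bytes borrowed from input", tag, body.len());
}
```

Nested structures are parsed by handing the returned value slice to a new `Reader`, which again borrows rather than copies.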

This release is the very first prototype. Lots of improvements are planned, including:

  • An extensive automated test suite.
  • Key pinning.
  • Certificate Transparency support.
  • Short-lived certificate, OCSP stapling, and CRLSet support.
  • Customization of the supported algorithms, key sizes, and elliptic curves allowed during a validation.
  • A C language wrapper interface to allow using webpki in non-Rust applications.
  • A specification of precisely what the Web PKI is.

Demo

See https://github.com/ctz/rustls#example-code for an example of using webpki.

License

See LICENSE. This project happily accepts pull requests without any formal copyright/contributor license agreement. Pull requests must explicitly indicate who owns the copyright to the code being contributed and that the code is being licensed under the same terms as the existing webpki code.

Bug Reporting

Please report bugs either as pull requests or as issues in the issue tracker. webpki has a full disclosure vulnerability policy. Please do NOT attempt to report any security vulnerability in this code privately to anybody.

