1// Copyright 2015 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! webpki: Web PKI X.509 Certificate Validation.
16//!
17//! See `EndEntityCert`'s documentation for a description of the certificate
18//! processing steps necessary for a TLS connection.
19//!
20//! # Features
21//!
22//! | Feature | Description |
23//! | ------- | ----------- |
24//! | `alloc` | Enable features that require use of the heap. Currently all RSA signature algorithms require this feature. |
25//! | `std` | Enable features that require libstd. Implies `alloc`. |
26//! | `ring` | Enable use of the *ring* crate for cryptography. |
27//! | `aws_lc_rs` | Enable use of the aws-lc-rs crate for cryptography. |
28
29#![cfg_attr(not(feature = "std"), no_std)]
30#![warn(unreachable_pub)]
31#![deny(missing_docs, clippy::as_conversions)]
32#![allow(
33 clippy::len_without_is_empty,
34 clippy::new_without_default,
35 clippy::single_match,
36 clippy::single_match_else,
37 clippy::type_complexity,
38 clippy::upper_case_acronyms
39)]
40// Enable documentation for all features on docs.rs
41#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
42
43#[cfg(any(test, feature = "alloc"))]
44#[cfg_attr(test, macro_use)]
45extern crate alloc;
46
47#[macro_use]
48mod der;
49
50#[cfg(feature = "aws_lc_rs")]
51mod aws_lc_rs_algs;
52mod cert;
53mod end_entity;
54mod error;
55#[cfg(feature = "ring")]
56mod ring_algs;
57mod signed_data;
58mod subject_name;
59mod time;
60mod trust_anchor;
61
62mod crl;
63mod verify_cert;
64mod x509;
65
66#[cfg(test)]
67pub(crate) mod test_utils;
68
69pub use {
70 cert::Cert,
71 crl::{
72 BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, RevocationCheckDepth,
73 RevocationOptions, RevocationOptionsBuilder, RevocationReason, UnknownStatusPolicy,
74 },
75 end_entity::EndEntityCert,
76 error::{DerTypeId, Error},
77 signed_data::alg_id,
78 trust_anchor::anchor_from_trusted_cert,
79 verify_cert::KeyUsage,
80 verify_cert::VerifiedPath,
81};
82
83pub use pki_types as types;
84
85#[cfg(feature = "alloc")]
86pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
87
88#[cfg(feature = "ring")]
89/// Signature verification algorithm implementations using the *ring* crypto library.
90pub mod ring {
91 pub use super::ring_algs::{
92 ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
93 };
94
95 #[cfg(feature = "alloc")]
96 pub use super::ring_algs::{
97 RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
98 RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
99 RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
100 };
101}
102
103#[cfg(feature = "aws_lc_rs")]
104/// Signature verification algorithm implementations using the aws-lc-rs crypto library.
105pub mod aws_lc_rs {
106 pub use super::aws_lc_rs_algs::{
107 ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384,
108 ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384,
109 RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_3072_8192_SHA384,
110 RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
111 RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
112 };
113}
114
115/// An array of all the verification algorithms exported by this crate.
116///
117/// This will be empty if the crate is built without the `ring` and `aws_lc_rs` features.
118pub static ALL_VERIFICATION_ALGS: &[&dyn types::SignatureVerificationAlgorithm] = &[
119 #[cfg(feature = "ring")]
120 ring::ECDSA_P256_SHA256,
121 #[cfg(feature = "ring")]
122 ring::ECDSA_P256_SHA384,
123 #[cfg(feature = "ring")]
124 ring::ECDSA_P384_SHA256,
125 #[cfg(feature = "ring")]
126 ring::ECDSA_P384_SHA384,
127 #[cfg(feature = "ring")]
128 ring::ED25519,
129 #[cfg(all(feature = "ring", feature = "alloc"))]
130 ring::RSA_PKCS1_2048_8192_SHA256,
131 #[cfg(all(feature = "ring", feature = "alloc"))]
132 ring::RSA_PKCS1_2048_8192_SHA384,
133 #[cfg(all(feature = "ring", feature = "alloc"))]
134 ring::RSA_PKCS1_2048_8192_SHA512,
135 #[cfg(all(feature = "ring", feature = "alloc"))]
136 ring::RSA_PKCS1_3072_8192_SHA384,
137 #[cfg(all(feature = "ring", feature = "alloc"))]
138 ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
139 #[cfg(all(feature = "ring", feature = "alloc"))]
140 ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
141 #[cfg(all(feature = "ring", feature = "alloc"))]
142 ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
143 #[cfg(feature = "aws_lc_rs")]
144 aws_lc_rs::ECDSA_P256_SHA256,
145 #[cfg(feature = "aws_lc_rs")]
146 aws_lc_rs::ECDSA_P256_SHA384,
147 #[cfg(feature = "aws_lc_rs")]
148 aws_lc_rs::ECDSA_P384_SHA256,
149 #[cfg(feature = "aws_lc_rs")]
150 aws_lc_rs::ECDSA_P384_SHA384,
151 #[cfg(feature = "aws_lc_rs")]
152 aws_lc_rs::ECDSA_P521_SHA512,
153 #[cfg(feature = "aws_lc_rs")]
154 aws_lc_rs::ED25519,
155 #[cfg(feature = "aws_lc_rs")]
156 aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
157 #[cfg(feature = "aws_lc_rs")]
158 aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
159 #[cfg(feature = "aws_lc_rs")]
160 aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
161 #[cfg(feature = "aws_lc_rs")]
162 aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
163 #[cfg(feature = "aws_lc_rs")]
164 aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
165 #[cfg(feature = "aws_lc_rs")]
166 aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
167 #[cfg(feature = "aws_lc_rs")]
168 aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
169];
170
171fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
172 a.as_slice_less_safe() == b.as_slice_less_safe()
173}
174