1#![no_std]
30#![warn(
31 elided_lifetimes_in_paths,
32 unnameable_types,
33 unreachable_pub,
34 clippy::use_self
35)]
36#![deny(missing_docs, clippy::as_conversions)]
37#![allow(
38 clippy::len_without_is_empty,
39 clippy::manual_let_else,
40 clippy::new_without_default,
41 clippy::single_match,
42 clippy::single_match_else,
43 clippy::type_complexity,
44 clippy::upper_case_acronyms
45)]
46#![cfg_attr(webpki_docsrs, feature(doc_cfg))]
48
49#[cfg(any(feature = "std", test))]
50extern crate std;
51
52#[cfg(any(test, feature = "alloc"))]
53#[cfg_attr(test, macro_use)]
54extern crate alloc;
55
56#[macro_use]
57mod der;
58
59#[cfg(feature = "aws-lc-rs")]
60mod aws_lc_rs_algs;
61mod cert;
62mod end_entity;
63mod error;
64#[cfg(feature = "ring")]
65mod ring_algs;
66mod rpk_entity;
67mod signed_data;
68mod subject_name;
69mod time;
70mod trust_anchor;
71
72mod crl;
73mod verify_cert;
74mod x509;
75
76#[cfg(test)]
77pub(crate) mod test_utils;
78
79pub use {
80 cert::Cert,
81 crl::{
82 BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, CrlsRequired,
83 ExpirationPolicy, RevocationCheckDepth, RevocationOptions, RevocationOptionsBuilder,
84 RevocationReason, UnknownStatusPolicy,
85 },
86 der::DerIterator,
87 end_entity::EndEntityCert,
88 error::{
89 DerTypeId, Error, InvalidNameContext, UnsupportedSignatureAlgorithmContext,
90 UnsupportedSignatureAlgorithmForPublicKeyContext,
91 },
92 rpk_entity::RawPublicKeyEntity,
93 trust_anchor::anchor_from_trusted_cert,
94 verify_cert::{
95 ExtendedKeyUsageValidator, IntermediateIterator, KeyPurposeId, KeyPurposeIdIter, KeyUsage,
96 RequiredEkuNotFoundContext, VerifiedPath,
97 },
98};
99
100#[cfg(feature = "alloc")]
101pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
102
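/// Signature verification algorithms backed by the *ring* crypto provider.
///
/// Compiled only when the `ring` feature is enabled. The re-exported constants are the values
/// that [`crate::ALL_VERIFICATION_ALGS`] lists for this provider.
#[cfg(feature = "ring")]
pub mod ring {
    // ECDSA and Ed25519 are exported whenever the `ring` feature is on.
    pub use super::ring_algs::{
        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
    };

    // Every RSA constant is additionally gated on `alloc`: a `ring` build without `alloc`
    // exports no RSA verification algorithm from this module.
    #[cfg(feature = "alloc")]
    pub use super::ring_algs::{
        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
    };
}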
119
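/// Signature verification algorithms backed by the *aws-lc-rs* crypto provider.
///
/// Compiled only when the `aws-lc-rs` feature is enabled. The re-exported constants are the
/// values that [`crate::ALL_VERIFICATION_ALGS`] lists for this provider.
#[cfg(feature = "aws-lc-rs")]
pub mod aws_lc_rs {
    // Unlike the `ring` module, the RSA constants here carry no extra `alloc` gate.
    pub use super::aws_lc_rs_algs::{
        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P256_SHA512, ECDSA_P384_SHA256,
        ECDSA_P384_SHA384, ECDSA_P384_SHA512, ECDSA_P521_SHA256, ECDSA_P521_SHA384,
        ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256,
        RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS, RSA_PKCS1_2048_8192_SHA384,
        RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS, RSA_PKCS1_2048_8192_SHA512,
        RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS, RSA_PKCS1_3072_8192_SHA384,
        RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
        RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
    };

    // ML-DSA is exported only with `aws-lc-rs-unstable`, and never in an `aws-lc-rs-fips` build.
    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
    pub use super::aws_lc_rs_algs::{ML_DSA_44, ML_DSA_65, ML_DSA_87};
}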
136
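/// Every signature verification algorithm that this build of the crate exports.
///
/// Each entry is gated on the Cargo feature of the provider it comes from, so the contents
/// depend on how the crate was built:
///
/// * with neither `ring` nor `aws-lc-rs` enabled, the slice is empty;
/// * with both enabled, it holds the `ring` entries followed by the `aws-lc-rs` entries, so the
///   same algorithm can be listed once per provider;
/// * the `ring` RSA entries additionally require `alloc`;
/// * the ML-DSA entries require `aws-lc-rs-unstable` and are left out of `aws-lc-rs-fips` builds.
///
/// This is the widest set the build offers, including the `*_ABSENT_PARAMS` and `*_LEGACY_KEY`
/// RSA variants. A caller whose policy is narrower should pass its own slice, assembled from the
/// `ring` or `aws_lc_rs` re-exports, instead of this one.
pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorithm] = &[
    // --- ring provider ---
    #[cfg(feature = "ring")]
    ring::ECDSA_P256_SHA256,
    #[cfg(feature = "ring")]
    ring::ECDSA_P256_SHA384,
    #[cfg(feature = "ring")]
    ring::ECDSA_P384_SHA256,
    #[cfg(feature = "ring")]
    ring::ECDSA_P384_SHA384,
    #[cfg(feature = "ring")]
    ring::ED25519,
    // The `alloc` gate mirrors the one on the RSA re-exports in the `ring` module.
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA256,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA384,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA512,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PKCS1_3072_8192_SHA384,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
    #[cfg(all(feature = "ring", feature = "alloc"))]
    ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
    // --- aws-lc-rs provider ---
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P256_SHA256,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P256_SHA384,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P256_SHA512,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P384_SHA256,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P384_SHA384,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P384_SHA512,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P521_SHA256,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P521_SHA384,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ECDSA_P521_SHA512,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::ED25519,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
    #[cfg(feature = "aws-lc-rs")]
    aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
    // NOTE(review): the ML-DSA entries name `aws_lc_rs::` but are not gated on
    // `feature = "aws-lc-rs"` themselves; presumably `aws-lc-rs-unstable` enables `aws-lc-rs`
    // in Cargo.toml, otherwise the module path would not resolve. Confirm against the manifest.
    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
    aws_lc_rs::ML_DSA_44,
    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
    aws_lc_rs::ML_DSA_65,
    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
    aws_lc_rs::ML_DSA_87,
];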
218
/// Reports whether two inputs hold exactly the same bytes.
///
/// The check is an ordinary slice `==`, which is not written to run in constant time. As the
/// name says, it is meant for public values only; comparing secret material (keys, MACs) needs
/// a constant-time comparison instead.
fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
    // `as_slice_less_safe` exposes the raw bytes of each `untrusted::Input` for the comparison.
    let lhs = a.as_slice_less_safe();
    let rhs = b.as_slice_less_safe();
    lhs == rhs
}