webpki/
lib.rs

1// Copyright 2015 Brian Smith.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
10// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
12// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
13// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
14
15//! webpki: Web PKI X.509 Certificate Validation.
16//!
17//! See `EndEntityCert`'s documentation for a description of the certificate
18//! processing steps necessary for a TLS connection.
19//!
20//! # Features
21//!
22//! | Feature | Description |
23//! | ------- | ----------- |
24//! | `alloc` | Enable features that require use of the heap. Currently all RSA signature algorithms require this feature. |
25//! | `std` | Enable features that require libstd. Implies `alloc`. |
26//! | `ring` | Enable use of the *ring* crate for cryptography. |
27//! | `aws-lc-rs` | Enable use of the aws-lc-rs crate for cryptography. Previously this feature was named `aws_lc_rs`. |
28
29#![no_std]
30#![warn(
31    elided_lifetimes_in_paths,
32    unnameable_types,
33    unreachable_pub,
34    clippy::use_self
35)]
36#![deny(missing_docs, clippy::as_conversions)]
37#![allow(
38    clippy::len_without_is_empty,
39    clippy::manual_let_else,
40    clippy::new_without_default,
41    clippy::single_match,
42    clippy::single_match_else,
43    clippy::type_complexity,
44    clippy::upper_case_acronyms
45)]
46// Enable documentation for all features on docs.rs
47#![cfg_attr(webpki_docsrs, feature(doc_cfg))]
48
49#[cfg(any(feature = "std", test))]
50extern crate std;
51
52#[cfg(any(test, feature = "alloc"))]
53#[cfg_attr(test, macro_use)]
54extern crate alloc;
55
56#[macro_use]
57mod der;
58
59#[cfg(feature = "aws-lc-rs")]
60mod aws_lc_rs_algs;
61mod cert;
62mod end_entity;
63mod error;
64#[cfg(feature = "ring")]
65mod ring_algs;
66mod rpk_entity;
67mod signed_data;
68mod subject_name;
69mod time;
70mod trust_anchor;
71
72mod crl;
73mod verify_cert;
74mod x509;
75
76#[cfg(test)]
77pub(crate) mod test_utils;
78
79pub use {
80    cert::Cert,
81    crl::{
82        BorrowedCertRevocationList, BorrowedRevokedCert, CertRevocationList, CrlsRequired,
83        ExpirationPolicy, RevocationCheckDepth, RevocationOptions, RevocationOptionsBuilder,
84        RevocationReason, UnknownStatusPolicy,
85    },
86    der::DerIterator,
87    end_entity::EndEntityCert,
88    error::{
89        DerTypeId, Error, InvalidNameContext, UnsupportedSignatureAlgorithmContext,
90        UnsupportedSignatureAlgorithmForPublicKeyContext,
91    },
92    rpk_entity::RawPublicKeyEntity,
93    trust_anchor::anchor_from_trusted_cert,
94    verify_cert::{
95        ExtendedKeyUsageValidator, IntermediateIterator, KeyPurposeId, KeyPurposeIdIter, KeyUsage,
96        RequiredEkuNotFoundContext, VerifiedPath,
97    },
98};
99
100#[cfg(feature = "alloc")]
101pub use crl::{OwnedCertRevocationList, OwnedRevokedCert};
102
103#[cfg(feature = "ring")]
104/// Signature verification algorithm implementations using the *ring* crypto library.
105pub mod ring {
106    pub use super::ring_algs::{
107        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
108    };
109
110    #[cfg(feature = "alloc")]
111    pub use super::ring_algs::{
112        RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
113        RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
114        RSA_PKCS1_2048_8192_SHA512, RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
115        RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
116        RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
117    };
118}
119
120#[cfg(feature = "aws-lc-rs")]
121/// Signature verification algorithm implementations using the aws-lc-rs crypto library.
122pub mod aws_lc_rs {
123    pub use super::aws_lc_rs_algs::{
124        ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P256_SHA512, ECDSA_P384_SHA256,
125        ECDSA_P384_SHA384, ECDSA_P384_SHA512, ECDSA_P521_SHA256, ECDSA_P521_SHA384,
126        ECDSA_P521_SHA512, ED25519, RSA_PKCS1_2048_8192_SHA256,
127        RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS, RSA_PKCS1_2048_8192_SHA384,
128        RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS, RSA_PKCS1_2048_8192_SHA512,
129        RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS, RSA_PKCS1_3072_8192_SHA384,
130        RSA_PSS_2048_8192_SHA256_LEGACY_KEY, RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
131        RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
132    };
133    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
134    pub use super::aws_lc_rs_algs::{ML_DSA_44, ML_DSA_65, ML_DSA_87};
135}
136
137/// An array of all the verification algorithms exported by this crate.
138///
139/// This will be empty if the crate is built without the `ring` and `aws-lc-rs` features.
140pub static ALL_VERIFICATION_ALGS: &[&dyn pki_types::SignatureVerificationAlgorithm] = &[
141    #[cfg(feature = "ring")]
142    ring::ECDSA_P256_SHA256,
143    #[cfg(feature = "ring")]
144    ring::ECDSA_P256_SHA384,
145    #[cfg(feature = "ring")]
146    ring::ECDSA_P384_SHA256,
147    #[cfg(feature = "ring")]
148    ring::ECDSA_P384_SHA384,
149    #[cfg(feature = "ring")]
150    ring::ED25519,
151    #[cfg(all(feature = "ring", feature = "alloc"))]
152    ring::RSA_PKCS1_2048_8192_SHA256,
153    #[cfg(all(feature = "ring", feature = "alloc"))]
154    ring::RSA_PKCS1_2048_8192_SHA384,
155    #[cfg(all(feature = "ring", feature = "alloc"))]
156    ring::RSA_PKCS1_2048_8192_SHA512,
157    #[cfg(all(feature = "ring", feature = "alloc"))]
158    ring::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
159    #[cfg(all(feature = "ring", feature = "alloc"))]
160    ring::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
161    #[cfg(all(feature = "ring", feature = "alloc"))]
162    ring::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
163    #[cfg(all(feature = "ring", feature = "alloc"))]
164    ring::RSA_PKCS1_3072_8192_SHA384,
165    #[cfg(all(feature = "ring", feature = "alloc"))]
166    ring::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
167    #[cfg(all(feature = "ring", feature = "alloc"))]
168    ring::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
169    #[cfg(all(feature = "ring", feature = "alloc"))]
170    ring::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
171    #[cfg(feature = "aws-lc-rs")]
172    aws_lc_rs::ECDSA_P256_SHA256,
173    #[cfg(feature = "aws-lc-rs")]
174    aws_lc_rs::ECDSA_P256_SHA384,
175    #[cfg(feature = "aws-lc-rs")]
176    aws_lc_rs::ECDSA_P256_SHA512,
177    #[cfg(feature = "aws-lc-rs")]
178    aws_lc_rs::ECDSA_P384_SHA256,
179    #[cfg(feature = "aws-lc-rs")]
180    aws_lc_rs::ECDSA_P384_SHA384,
181    #[cfg(feature = "aws-lc-rs")]
182    aws_lc_rs::ECDSA_P384_SHA512,
183    #[cfg(feature = "aws-lc-rs")]
184    aws_lc_rs::ECDSA_P521_SHA256,
185    #[cfg(feature = "aws-lc-rs")]
186    aws_lc_rs::ECDSA_P521_SHA384,
187    #[cfg(feature = "aws-lc-rs")]
188    aws_lc_rs::ECDSA_P521_SHA512,
189    #[cfg(feature = "aws-lc-rs")]
190    aws_lc_rs::ED25519,
191    #[cfg(feature = "aws-lc-rs")]
192    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256,
193    #[cfg(feature = "aws-lc-rs")]
194    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384,
195    #[cfg(feature = "aws-lc-rs")]
196    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512,
197    #[cfg(feature = "aws-lc-rs")]
198    aws_lc_rs::RSA_PKCS1_2048_8192_SHA256_ABSENT_PARAMS,
199    #[cfg(feature = "aws-lc-rs")]
200    aws_lc_rs::RSA_PKCS1_2048_8192_SHA384_ABSENT_PARAMS,
201    #[cfg(feature = "aws-lc-rs")]
202    aws_lc_rs::RSA_PKCS1_2048_8192_SHA512_ABSENT_PARAMS,
203    #[cfg(feature = "aws-lc-rs")]
204    aws_lc_rs::RSA_PKCS1_3072_8192_SHA384,
205    #[cfg(feature = "aws-lc-rs")]
206    aws_lc_rs::RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
207    #[cfg(feature = "aws-lc-rs")]
208    aws_lc_rs::RSA_PSS_2048_8192_SHA384_LEGACY_KEY,
209    #[cfg(feature = "aws-lc-rs")]
210    aws_lc_rs::RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
211    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
212    aws_lc_rs::ML_DSA_44,
213    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
214    aws_lc_rs::ML_DSA_65,
215    #[cfg(all(feature = "aws-lc-rs-unstable", not(feature = "aws-lc-rs-fips")))]
216    aws_lc_rs::ML_DSA_87,
217];
218
219fn public_values_eq(a: untrusted::Input<'_>, b: untrusted::Input<'_>) -> bool {
220    a.as_slice_less_safe() == b.as_slice_less_safe()
221}