Please use the `main`` branch or version specific branches like:
v0.101.1v0.100.0
for WASIX compatability.
Important Notice: Since version
0.101.7upstream is directly supported in WASIX. See this PR
webpki is a library that validates Web PKI (TLS/SSL) certificates. It's used by Rustls to handle certificate-related tasks required for implementing TLS clients and servers.
webpki is written in Rust and uses ring for cryptographic operations and low-level parsing.
This is a fork of the original webpki project
which adds a number of features required by the rustls project. This fork is
released as the rustls-webpki crate, with versions starting 0.100.0 so as to
not confusingly overlap with webpki versions.
-
Representing trust anchors - webpki requires the caller to bootstrap trust by explicitly specifying a set of trust anchors using the
TrustAnchortype. -
Parsing certificates - webpki can convert from the raw encoded form of a certificate into something that can be used for making trust decisions.
-
Path building - webpki can determine if a certificate for an end entity like a website or client identity was issued by a trust anchor, or a series of intermediate certificates the trust anchor has endorsed.
-
Name/usage validation - webpki can determine if a certificate is valid for a given DNS name or IP address by considering the allowed usage of the certificate and additional constraints.
webpki offers a minimal feature set tailored to the needs of Rustls. Notably it does not offer:
- Certificate or keypair generation
- Access to arbitrary certificate extensions
- Parsing/representation of certificate subjects, or human-friendly display of these fields
For these tasks you may prefer using webpki in combination with libraries like x509-parser and rcgen.
- 0.101.1 (2023-07-05)
- Fixed 32-bit architecture compatibility.
- 0.101.0 (2023-07-04)
- Breaking change: added
EndEntity::verify_is_valid_tls_client_certargument for certificate revocation lists. - Breaking change: removed
Time::try_from. - Breaking change: removed
From<DnsNameRef<'_>impl forDnsName. - Breaking change: replaced
AsRef<[u8]>withAsRef<str>forDnsNameRef. - Added certificate revocation list (CRL) support.
- Improved specificity of errors returned from
EndEntityCert::verify_is_valid_tls_client_certandEndEntityCert::verify_is_valid_tls_server_cert. - Improved error specificity for malformed subject alternate names.
- Added
EndEntityCert::dns_namesmethod for returning a list of DNS subject alternate names from an end entity cert. - Changed
EndEntityCert::verify_is_valid_for_subject_nameto ignore invalid names when verifying cert is valid for a provided subject. - MSRV increased to Rust 1.57. <<<<<<< HEAD
- Breaking change: added
- 0.100.1 (2023-03-28)
4a39e2b67d4cddf58b0ea16dd821a04ee2240058
- Relax constraint on serial number length.
- 0.100.0 (2023-03-13) - first release of
rustls-webpkicrate.- Allow verification of certificates with IP address subjectAltNames.
EndEntityCert::verify_is_valid_for_subject_namewas added, andEndEntityCert::verify_is_valid_for_dns_namewas removed. - Make
Errortype non-exhaustive. - Reject non-contiguous netmasks in IP address name constraints.
- Name constraints of type dNSName and iPAddress now work and are tested. directoryName name constraints are not implemented and will prevent path building where they appear.
- Relax requirement that serial numbers are positive to deal with issuers that cannot generate correct ASN.1 but nevertheless persist in doing so.
- Allow verification of certificates with IP address subjectAltNames.
- 0.22.0 (2021-04-10) - last upstream release of
webpkicrate.
See https://github.com/rustls/rustls#example-code for an example of using webpki.
See LICENSE. This project happily accepts pull requests without any formal copyright/contributor license agreement.
Please refer to the SECURITY policy for security issues. All other bugs should be reported as GitHub issues.