#tls #certificate #validation #certificate-chain

certitude

Certificate validation logic for OS X and Windows

4 stable releases

Uses old Rust 2015

1.1.0 May 24, 2017
1.0.2 May 31, 2016
1.0.1 Mar 9, 2016
1.0.0 Mar 7, 2016

#2335 in Cryptography


Used in c-certitude

MIT license

23KB
443 lines

Certitude for Rust

This repository contains a proof-of-concept for building a cross-platform Rust library that is capable of using the system-native X.509 stack to validate certificates.

This is inspired by the Chrome web browser's choice to use BoringSSL (a fork of OpenSSL) to do their TLS at the protocol level, but to use the system's logic for validating certificates. This allows the Chrome application to feel "native" when it comes to certificate management, without requiring their network engineers to understand the idiosyncracies of each platform-native TLS implementation.

API

The goal with this library is provide two APIs: one that is suited to Rust directly, and then one that is available using the C ABI that can be called by as many programming languages as possible. This will make it possible to reduce the duplication of work across languages: each language need only make a single FFI call to the Rust library, which will then handle the abstraction to the various platforms.

The Rust API currently looks like this:

extern crate certitude;

use certitude::platform::validate_cert_chain;

fn example() {
    // Assume certs is a Vector of DER-encoded certificates.
    let valid = validate_cert_chain(certs, "example.com");

    if valid {
        // The certificate chain is valid.
    } else {
        // The certificate chain is invalid in some way.
    }
}

The OS X and Windows implementations are transparently switched in and out, such that a user of this library can use a single API and have the appropriate platform-specific logic used directly, without their intervention. This of course requires building against the correct target, but as long as the target is correctly specified the correct version of the code will be used.

Work In Progress

This is currently a very early beta, and I'm mostly investigating the feasibility of the approach. Currently the library supports OS X and Windows as a valid certificate verification platform. I will investigate the feasibility of hooking into OpenSSL, though that's considered a strictly less important problem than sorting this out on Windows and OS X, as people using OpenSSL for their TLS will already have access to OpenSSL's native validation logic.


lib.rs:

Functions for validating certificates on many platforms.

Certitude focuses on making it possible to validate a chain of X.509 certificates used for a TLS connection by using the appropriate platform-specific logic, rather than by relying on the TLS library that actually makes the connection. This approach is useful for libraries that want to use OpenSSL build TLS connections on Windows and OS X, but that want to exhibit "platform-native" behaviour on those systems.

Currently Certitude only supports Windows and OS X: it explicitly does not support Linux or any other Unix, where it is expected that the verification logic provided by OpenSSL (or the appropriate TLS library) used on those systems will be used instead. As that library is likely the one responsible for actually handling the TLS logic, it is likely pretty easy to use the built-in validation logic.

Dependencies

~230KB