cryptographic-message-syntax

cryptographic-message-syntax is a pure Rust implementation of Cryptographic Message Syntax (CMS) as defined by RFC 5652. Also included is Time-Stamp Protocol (TSP) (RFC 3161) client support.

From a high level CMS defines a way to digitally sign and authenticate arbitrary content.

This crate was originally developed to support code signing on Apple platforms. (See the apple-codesign Rust crate.) However, it is a generic library crate. But some historical decisions from its original may remain.

lib.rs:

Cryptographic Message Syntax (RFC 5652) in Pure Rust

This crate attempts to implement parts of RFC 5652 in pure, safe Rust.

Functionality includes:

• Partial (de)serialization support for ASN.1 data structures. The Rust structs are all defined. But not everything has (de)serialization code implemented.
• High-level Rust API for extracting useful attributes from a parsed SignedData structure and performing common operations, such as verifying signature integrity.

RFC 5652 is quite old. If you are looking to digitally sign content, you may want to look at something newer, such as RPKI (RFC 6488). (RPKI appears to be the spiritual success to this specification.)

IMPORTANT SECURITY LIMITATIONS

The verification functionality in this crate is purposefully limited and isn't sufficient for trusting signed data. You need to include additional trust verification if you are using this crate for verifying signed data.

This crate exposes functionality to verify signatures and content integrity of signed data. Specifically it can verify that an embedded cryptographic signature over some arbitrary/embedded content was issued by a known signing certificate. This answers the question did certificate X sign content Y. This is an important question to answer, but it fails to answer other important questions such as:

• Is the signature cryptographically strong or weak? Do I trust the signature?
• Do I trust the signer?

Answering do I trust the signer is an extremely difficult and nuanced problem. It entails things like:

• Ensuring the signing certificate is using secure cryptography.
• Validating that the signing certificate is one you think it was or was issued by a trusted party.
• Validating the certificate isn't expired or hasn't been revoked.
• Validating that the certificate contains attributes/extensions desired (e.g. a certificate can be earmarked as used for signing code).

If you are using this crate as part of verifying signed content, you need to have answers to these hard questions. This will require writing code beyond what is available in this crate. You ideally want to use existing libraries for this, as getting this correct is difficult. Ideally you would consult a security/cryptography domain expert for help.

Technical Notes

RFC 5652 is based off PKCS #7 version 1.5 (RFC 2315). So common tools/libraries for interacting with PKCS #7 may have success parsing this format. For example, you can use OpenSSL to read the data structures:

$ openssl pkcs7 -inform DER -in -print $ openssl pkcs7 -inform PEM -in -print $ openssl asn1parse -inform DER -in

RFC 5652 uses BER (not DER) for serialization. There were attempts to use other, more popular BER/DER/ASN.1 serialization crates. However, we could only get bcder working. In a similar vein, there are other crates implementing support for common ASN.1 functionality, such as serializing X.509 certificates. Again, many of these depend on serializers that don't seem to be compatible with BER. So we've recursively defined ASN.1 data structures referenced by RFC5652 and taught them to serialize using bcder.