Lib.rs

Cryptography
#cert #certificate #store #persistence #api #pyrus

pyrus-cert-store

A simple API to provide certificate persistence for pyrus-crypto

Owned by lysolaka.

1 unstable release

new 0.2.3 Mar 6, 2025

#1769 in Cryptography

MIT license

29KB
337 lines

Pyrus Cert Store

This crate's main purpose is to provide a simple API for "secure" Cert storage. It is largely inspired by sequoia-cert-store.

A note on security

This crate makes no security guarantees and its security goes as far as the author's will to make his school project secure.

There were no and will not be any security audits of this crate and so use with caution.

How it works?

The storage backend is rusqlite with crate feature bundled-sqlcipher-vendored-openssl enabled. This allows for encrypting the SQL database and keeps the secrets "secure".

Certificates are stored as LazyCerts, which is basically a serialized (unparsed) certificate, a fingerprint, and a user id, which allows for filtering and listing the certificates without parsing them which is fallible.

Examples

Openning a store and saving a certificate

use pyrus_cert_store::{CertStore, LazyCert};

let my_cert: Cert = ;//..
let store = CertStore::open("certstore.db3")
    .with_passphrase(String::from("password123"), b"use a better password and salt")
    .connect()?;

store.insert(LazyCert::try_from(&my_cert)?)?;
let stored_cert: LazyCert = store.get(my_cert.fingerprint())?;
let stored_cert = stored_cert.to_cert()?;

assert_eq!(my_cert, stored_cert);

Openning a store in memory and removing a saved certificate

use pyrus_cert_store::{CertStore, LazyCert};

let my_cert: Cert = ;//..

// passing "" as path opens the store in memory
let store = CertStore::open("")
    .with_passphrase(String::from("password123"), b"use a better password and salt")
    .connect()?;

store.insert(LazyCert::try_from(&my_cert)?)?;
store.remove(my_cert.fingerprint())?;

assert!(store.get(my_cert.fingerprint()).is_err());

Openning an unencrypted store

Since encryption is done using an SQL pragma there is no way to prove that in tests.

use pyrus_cert_store::{CertStore, LazyCert};

// not configuring a passphrase assumes no encryption
let store = CertStore::open("").connect()?;

// dropping a store safely flushes all statements and saves it
// well this one is in memory so it will be simply dropped

Dependencies

~32MB
~660K SLoC