Phase 5: Pure Rust Crypto
Implement X.509 certificate parsing and certificate chain validation in the crypto crate.
Dependencies
- Requires ASN.1 DER parser
- Requires SHA-2 (for certificate fingerprints and signature hash)
- Requires RSA PKCS#1 v1.5 signature verification
- Requires ECDSA signature verification
Requirements
X.509 certificate parsing (RFC 5280):
- Parse DER-encoded X.509v3 certificates
- Extract: version, serial number, issuer, subject, validity (notBefore/notAfter), subject public key info, extensions
- Parse common extensions: Basic Constraints, Key Usage, Subject Alternative Names (SAN), Authority Key Identifier, Subject Key Identifier
- PEM decoding (Base64 between -----BEGIN CERTIFICATE----- markers)
Certificate chain validation:
- Build chain from leaf to root
- Verify each certificate's signature against its issuer's public key
- Check validity period (reject certificates that are expired or not yet valid)
- Check Basic Constraints (CA:TRUE for intermediate certs)
- Verify subject/issuer chain linkage
- Root CA trust store: embed Mozilla's root certificates or load from system
Signature algorithms to support:
- sha256WithRSAEncryption
- sha384WithRSAEncryption
- ecdsa-with-SHA256
- ecdsa-with-SHA384
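
The chain validation checks listed above, sketched over already-parsed fields as an added example (not code from the we-crypto crate). The `Cert` struct, `ChainError`, `validate_chain` and the `verify_sig` callback are hypothetical names; `verify_sig` stands in for the RSA/ECDSA verification routines, and names are compared as plain strings where a real implementation would compare the DER-encoded Name.

```rust
// Added example: chain checks over already-parsed fields. All names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum ChainError { Empty, NotYetValid(usize), Expired(usize), IssuerMismatch(usize),
                      NotCa(usize), BadSignature(usize), UntrustedRoot }

pub struct Cert {
    pub subject: String,  // a real parser compares the DER-encoded Name
    pub issuer: String,
    pub not_before: u64,  // Unix seconds
    pub not_after: u64,
    pub is_ca: bool,      // Basic Constraints cA flag
}

fn check_time(c: &Cert, now: u64, idx: usize) -> Result<(), ChainError> {
    if now < c.not_before { return Err(ChainError::NotYetValid(idx)); }
    if now > c.not_after { return Err(ChainError::Expired(idx)); }
    Ok(())
}

/// `chain` is ordered leaf first. `verify_sig(child, issuer)` stands in for the
/// RSA/ECDSA verification of child's signature under issuer's public key.
pub fn validate_chain(chain: &[Cert], roots: &[Cert], now: u64,
                      verify_sig: impl Fn(&Cert, &Cert) -> bool) -> Result<(), ChainError> {
    if chain.is_empty() { return Err(ChainError::Empty); }
    for (i, cert) in chain.iter().enumerate() {
        check_time(cert, now, i)?;
        // Issuer is the next certificate up, or a trust-store root for the last one.
        let issuer = match chain.get(i + 1) {
            Some(next) => next,
            None => {
                let root = roots.iter().find(|r| r.subject == cert.issuer)
                    .ok_or(ChainError::UntrustedRoot)?;
                check_time(root, now, i + 1)?;
                root
            }
        };
        if cert.issuer != issuer.subject { return Err(ChainError::IssuerMismatch(i)); }
        if !issuer.is_ca { return Err(ChainError::NotCa(i + 1)); }
        if !verify_sig(cert, issuer) { return Err(ChainError::BadSignature(i)); }
    }
    Ok(())
}

fn main() {
    // Constructed sample data, not real certificates.
    let c = |s: &str, i: &str, ca| Cert { subject: s.into(), issuer: i.into(),
                                          not_before: 100, not_after: 200, is_ca: ca };
    let chain = [c("leaf", "Intermediate", false), c("Intermediate", "Root", true)];
    let roots = [c("Root", "Root", true)];
    println!("{:?}", validate_chain(&chain, &roots, 150, |_, _| true));
}
```

The error index identifies which certificate in the chain failed (0 is the leaf), which makes the rejection cases in the acceptance criteria easy to assert individually.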
Acceptance Criteria
- Parse real-world X.509 certificates (e.g., from Let's Encrypt, DigiCert)
- Extract subject, issuer, SAN, validity period
- PEM decoding
- Verify certificate chain for a real HTTPS site
- Reject expired certificates
- Reject certificates with invalid signatures
- Reject certificates where issuer doesn't match
- Embedded root CA store (at minimum: Let's Encrypt, DigiCert, GlobalSign roots)
- `cargo test -p we-crypto` passes
- `cargo clippy -p we-crypto -- -D warnings` clean