
Implement certificate parser / validation #2

Open
klutzy opened this issue Aug 26, 2014 · 8 comments

Comments

@klutzy
Owner

klutzy commented Aug 26, 2014

Yes, the most dangerous code in the world!
I have currently only implemented the DER parser a bit. I have to implement the ASN.1 tree -> certificate parser and the certificate validator. Not sure how well macros would work for this..

@l0kod

l0kod commented Nov 27, 2014

It would be great to have multiple crates, one for each of Suruga's main features, like a standalone DER/PEM/ASN.1 parser, an X.509 certificate/CRL parser and a PKCS#1/PKCS#8 parser.

Using rust-crypto should help too.

@lmb

lmb commented Mar 1, 2015

Hi klutzy,

Are you actively working on this? I would be interested in contributing.

I have previously written a partial DER parser in C, which I had to abandon because it felt like C didn't help much. I would most probably work on this over the next few weeks, implementing

  • a simple, non-streaming DER parser
  • implementations of operations on ASN.1 types
  • an X.509 parser that basically turns `[u8]` into an `X509Cert`, but does not do any validation itself
  • possibly a small DSL to define DER structures (time allowing)

This would allow suruga to implement all certificate validation logic, while keeping concerns separated.
I do not believe an ASN.1 schema parser is worth implementing, since a DSL is easier to implement and has less overhead.

With your help I'd like to flesh out a basic API that would make sense from the suruga side, and then see how I can make it possible.

What do you think?

@klutzy
Owner Author

klutzy commented Mar 1, 2015

Oops, I forgot to update the current status: in my x509-parser branch, I've implemented a DER reader and an X.509 Certificate and CRL reader. Last month I checked that it parses some wild certificates well, but I need more validation, so I haven't pushed to master yet.

@lmb

lmb commented Mar 1, 2015

I see! Are you looking for collaborators then, or is this more of a one-man project?

@kmcallister
Contributor

I'm also interested in helping.

@tdierks

tdierks commented Dec 28, 2016

I would suggest not implementing an ASN.1 -> DER parser; in my experience, you're much better off never using the ASN.1 at all, but instead re-expressing the structure in code or in some much simpler DSL, then writing a BER parser that goes from octets to parsed structure. You probably don't need a DER encoder; while the standard nominally requires DER expression as the signed structure, in practice, certificates are already DER and so don't require re-encoding. (In the past, some CAs signed BER, so re-encoding would never validate, but that is hopefully uncommon now.)
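The "octets to parsed structure" reader that tdierks describes, and the simple non-streaming DER parser from lmb's list, as an added example in Rust that is not part of suruga or any of the crates mentioned in this thread. The names `DerError`, `Tlv`, `read_tlv` and `parse_sequence` are assumed; the point is that a DER reader can reject the BER-only encodings (indefinite length, non-minimal length) and truncated or trailing bytes before any certificate structure is interpreted.

```rust
#[derive(Debug, PartialEq)]
pub enum DerError {
    Truncated, IndefiniteLength, NonMinimalLength, LengthTooLarge,
    UnsupportedTag, UnexpectedTag(u8), TrailingData,
}

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> { pub tag: u8, pub value: &'a [u8] }

/// Reads one tag-length-value triple from the front of `input` and returns it
/// with the unconsumed remainder. Only DER's definite, minimal lengths are accepted.
pub fn read_tlv(input: &[u8]) -> Result<(Tlv<'_>, &[u8]), DerError> {
    if input.len() < 2 { return Err(DerError::Truncated); }
    let tag = input[0];
    // High tag numbers (>= 31) are not needed for X.509, so they are rejected here.
    if tag & 0x1f == 0x1f { return Err(DerError::UnsupportedTag); }
    let first = input[1];
    let (len, hdr) = if first < 0x80 {
        (first as usize, 2)                  // short form: one length byte
    } else {
        let n = (first & 0x7f) as usize;     // long form: n following length bytes
        if n == 0 { return Err(DerError::IndefiniteLength); } // 0x80 is BER-only
        if n > 4 { return Err(DerError::LengthTooLarge); }
        if input.len() < 2 + n { return Err(DerError::Truncated); }
        let len = input[2..2 + n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        // DER demands the shortest encoding: no leading zero byte, no long form below 128.
        if input[2] == 0 || len < 0x80 { return Err(DerError::NonMinimalLength); }
        (len, 2 + n)
    };
    let end = hdr.checked_add(len).ok_or(DerError::LengthTooLarge)?;
    if input.len() < end { return Err(DerError::Truncated); }
    Ok((Tlv { tag, value: &input[hdr..end] }, &input[end..]))
}

/// Splits a top-level SEQUENCE (tag 0x30) into its children and refuses trailing bytes,
/// which is the first step a `Certificate ::= SEQUENCE { ... }` reader performs.
pub fn parse_sequence(input: &[u8]) -> Result<Vec<Tlv<'_>>, DerError> {
    let (outer, rest) = read_tlv(input)?;
    if !rest.is_empty() { return Err(DerError::TrailingData); }
    if outer.tag != 0x30 { return Err(DerError::UnexpectedTag(outer.tag)); }
    let mut children = Vec::new();
    let mut body = outer.value;
    while !body.is_empty() {
        let (child, rest) = read_tlv(body)?;
        children.push(child);
        body = rest;
    }
    Ok(children)
}
```

Each child `Tlv` is then matched against the expected tag for its field (INTEGER version, SEQUENCE for the issuer name, and so on), which is where the DSL discussed above would take over.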

@l0kod

l0kod commented Jan 10, 2017

FYI, there is a DER parser available: https://github.com/rusticata/der-parser

@anishnath

There is a useful online version of the PEM parser https://8gwifi.org/PemParserFunctions.jsp
