webpki is a library that validates Web PKI (TLS/SSL) certificates. It's
used by Rustls to handle certificate-related
tasks required for implementing TLS clients and servers.

webpki is written in Rust and uses
ring for cryptographic operations and
low-level parsing.

This is a fork of the original webpki project
which adds a number of features required by the rustls project.  This fork is
released as the rustls-webpki crate, with versions starting 0.100.0 so as to
not confusingly overlap with webpki versions.

Features

  - Representing trust anchors - webpki requires the caller to bootstrap trust by
    explicitly specifying a set of trust anchors using the TrustAnchor type.

  - Parsing certificates - webpki can convert from the raw encoded form of
    a certificate into something that can be used for making trust decisions.

  - Path building - webpki can determine if a certificate for an end entity like
    a website or client identity was issued by a trust anchor, or a series of
    intermediate certificates the trust anchor has endorsed.

  - Name/usage validation - webpki can determine if a certificate is valid for
    a given DNS name or IP address by considering the allowed usage of the
    certificate and additional constraints.

Limitations

webpki offers a minimal feature set tailored to the needs of Rustls. Notably it
does not offer:

  - Support for self-signed certificates
  - Certificate or keypair generation
  - Access to arbitrary certificate extensions
  - Parsing/representation of certificate subjects, or human-friendly display of
    these fields

For these tasks you may prefer using webpki in combination with libraries like
x509-parser and
rcgen.

Changelog

Release history can be found on GitHub.

Demo

See https://github.com/rustls/rustls#example-code for an example of using
webpki.

License

See LICENSE. This project happily accepts pull requests without any
formal copyright/contributor license agreement.

Bug Reporting

Please refer to the SECURITY policy for security issues. All
other bugs should be reported as GitHub issues.
