Version: 0.2.10

Crypto API: X.509 / PKIX (noxtls-x509)

noxtls-x509 provides parsing, hostname checks, key format conversion, and chain validation. It re-exports PEM conversion helpers from noxtls-pem.

Parse and match APIs

pub fn noxtls_parse_certificate(input: &[u8]) -> Result<Certificate<'_>>
pub fn noxtls_certificate_matches_hostname(cert: &Certificate<'_>, hostname: &str) -> bool
  • noxtls_parse_certificate parses a DER-encoded X.509 certificate and extracts its core fields and extensions.
  • noxtls_certificate_matches_hostname checks SAN dNSName entries first, then falls back to the subject CN.
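
The SAN-first rule above, as an added example that is not noxtls-x509 code: a stand-alone Rust model of hostname matching over names already extracted from a certificate. CertNames, label_match and matches_hostname are hypothetical names, and the policy shown (CN consulted only when the certificate has no dNSName entries, wildcard limited to the left-most label) is an assumption in the style of RFC 6125; this page does not state how the crate handles those cases.

```rust
// Added example: stand-alone model of SAN-first hostname matching.
// All names here are hypothetical; none of this is the noxtls-x509 API.

/// Names taken from a certificate (constructed model, not the crate's Certificate).
pub struct CertNames<'a> {
    pub san_dns: &'a [&'a str],
    pub subject_cn: Option<&'a str>,
}

/// Compare one presented identifier (possibly "*.example.com") with a hostname.
fn label_match(pattern: &str, host: &str) -> bool {
    // DNS names compare case-insensitively; ignore a trailing root dot.
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    match pattern.strip_prefix("*.") {
        Some(suffix) => {
            // Reject "*.com" and any second '*'; the wildcard covers one label only.
            if suffix.contains('*') || !suffix.contains('.') {
                return false;
            }
            match host.split_once('.') {
                Some((first, rest)) => !first.is_empty() && rest == suffix,
                None => false,
            }
        }
        None => !pattern.contains('*') && pattern == host,
    }
}

/// SAN dNSName entries are authoritative when present (assumed policy).
pub fn matches_hostname(names: &CertNames<'_>, hostname: &str) -> bool {
    if !names.san_dns.is_empty() {
        return names.san_dns.iter().any(|p| label_match(p, hostname));
    }
    // CN fallback only for certificates that carry no dNSName at all.
    names.subject_cn.map_or(false, |cn| label_match(cn, hostname))
}

fn main() {
    // Constructed sample: SAN present, CN names a different host.
    let cert = CertNames { san_dns: &["*.api.example.com"], subject_cn: Some("legacy.example.com") };
    for host in ["v1.api.example.com", "a.b.api.example.com", "legacy.example.com"] {
        println!("{}: {}", host, matches_hostname(&cert, host));
    }
}
```

Running the same hostnames through noxtls_certificate_matches_hostname with a test certificate shows whether the crate's fallback and wildcard handling agree with this model.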

Chain validation APIs

pub fn noxtls_validate_certificate_chain<'a>(
    leaf: &Certificate<'a>,
    intermediates: &[Certificate<'a>],
    trust_anchors: &[Certificate<'a>],
    now: &str,
) -> core::result::Result<ValidationReport, ValidationError>
pub fn noxtls_validate_certificate_chain_with_options<'a>(
    leaf: &Certificate<'a>,
    intermediates: &[Certificate<'a>],
    trust_anchors: &[Certificate<'a>],
    now: &str,
    options: &ValidationOptions,
) -> core::result::Result<ValidationReport, ValidationError>
pub fn noxtls_validate_certificate_chain_strict<'a>(
    leaf: &Certificate<'a>,
    intermediates: &[Certificate<'a>],
    trust_anchors: &[Certificate<'a>],
    now: &str,
) -> core::result::Result<ValidationReport, ValidationError>
pub fn noxtls_verify_certificate_signature(
    certificate: &Certificate<'_>,
    issuer: &Certificate<'_>,
) -> core::result::Result<(), ValidationError>
  • now: the validation timestamp, as a string in the UTCTime/GeneralizedTime form the validator expects.
  • noxtls_validate_certificate_chain_with_options takes a ValidationOptions value for tuning policy and revocation behavior.

Key and format conversion APIs

pub fn noxtls_rsa_public_key_from_spki_der(der: &[u8]) -> Result<RsaPublicKey>
pub fn noxtls_p256_private_key_to_pkcs8_der(private: &P256PrivateKey) -> Result<Vec<u8>>
  • Bridge parsed certificates/keys into noxtls-crypto key types.

PEM bridge APIs (re-exported from noxtls-pem)

pub fn noxtls_certificate_der_to_pem(der: &[u8]) -> Result<String>
pub fn noxtls_certificate_pem_to_der(pem: &str) -> Result<Vec<u8>>
pub fn noxtls_certificate_chain_pem_to_der_blocks(pem: &str) -> Result<Vec<Vec<u8>>>
pub fn noxtls_pem_to_der_blocks(pem: &str, label: &str) -> Result<Vec<Vec<u8>>>
  • Use noxtls_certificate_chain_pem_to_der_blocks when a chain file contains multiple certificate blocks.

Integration notes

  • Keep trust anchors minimal and explicit per deployment.
  • Validate hostname immediately after successful chain validation.
  • Normalize on DER internally to reduce parser/conversion overhead.