pub struct X509 { /* private fields */ }

An X.509 certificate (X509*).

Cloneable via EVP_X509_up_ref; wrapping in Arc<X509> is safe.

Implementations

impl X509

pub fn from_pem(pem: &[u8]) -> Result<Self, ErrorStack>

Load a certificate from PEM bytes.

Errors

pub fn from_pem_in(_ctx: &Arc<LibCtx>, pem: &[u8]) -> Result<Self, ErrorStack>

Load a certificate from PEM bytes, accepting a library context for API
symmetry with the other from_pem_in methods.

OpenSSL 3.5 does not expose a libctx-aware PEM_read_bio_X509_ex
variant, so this calls the standard PEM_read_bio_X509. The ctx
parameter is accepted but unused. Certificate parsing itself does not
require provider dispatch; provider-bound operations use the context
stored in the key extracted from the certificate.

Errors

pub fn new_in(ctx: &Arc<LibCtx>) -> Result<Self, ErrorStack>

Create a new, empty X509 object bound to the given library context.

Use this instead of the implicit-context X509Builder::new when you need
the certificate to be associated with a FIPS-isolated or otherwise
explicit LibCtx. The propq (property query) argument is NULL,
meaning default provider properties are used.

Errors

Returns Err if OpenSSL cannot allocate the certificate structure.

pub fn from_der(der: &[u8]) -> Result<Self, ErrorStack>

Load a certificate from DER bytes.

Zero-copy: parses from the caller's slice without an intermediate buffer.

Errors

Returns Err if the DER is malformed, or if der.len() exceeds i64::MAX.

pub fn to_der(&self) -> Result<Vec<u8>, ErrorStack>

Serialise to DER.

Zero-copy: writes into a freshly allocated Vec<u8> without going
through an OpenSSL-owned buffer.

Errors

pub fn subject_name(&self) -> X509Name<'_>

Subject distinguished name (borrowed).

pub fn issuer_name(&self) -> X509Name<'_>

Issuer distinguished name (borrowed).

pub fn serial_number(&self) -> Option<i64>

Serial number as a signed 64-bit integer.

Returns None if the serial number is too large to fit in i64.

pub fn serial_number_bytes(&self) -> Option<Vec<u8>>

Serial number as big-endian bytes.

Complementary to Self::serial_number for serials that exceed i64::MAX.
The bytes are the raw content octets of the DER INTEGER, not including
the tag or length.

Returns None if the serial field is absent.
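An added example, not code from this crate, showing in plain std Rust what the serial_number / serial_number_bytes split means for a caller: the same DER INTEGER content octets either fit in an i64 or must be handled as raw bytes. The functions `serial_to_i64` and `serial_hex` and the sample serials are constructed for this example; the 16-octet sample is typical of the random serials public CAs issue, which never fit in i64.

```rust
/// Interpret DER INTEGER content octets (big-endian two's complement, no
/// tag or length) as an i64, mirroring the contract of `serial_number`:
/// None when the encoding is empty or the value does not fit.
pub fn serial_to_i64(content: &[u8]) -> Option<i64> {
    if content.is_empty() {
        return None;
    }
    // The top bit of the first octet is the sign; DER sign-extends with
    // 0x00 (positive) or 0xFF (negative) octets that carry no magnitude.
    let negative = content[0] & 0x80 != 0;
    let pad: u8 = if negative { 0xFF } else { 0x00 };
    let mut idx = 0;
    while idx + 1 < content.len() && content[idx] == pad {
        idx += 1;
    }
    let magnitude = &content[idx..];
    // More than 8 significant octets, or exactly 8 whose top bit disagrees
    // with the sign, means the value lies outside i64's range.
    if magnitude.len() > 8 || (magnitude.len() == 8 && (magnitude[0] & 0x80 != 0) != negative) {
        return None;
    }
    // Sign-extend into a fixed 8-byte buffer and reinterpret.
    let mut buf = [pad; 8];
    buf[8 - magnitude.len()..].copy_from_slice(magnitude);
    Some(i64::from_be_bytes(buf))
}

/// Render the raw content octets as colon-separated lowercase hex, the
/// form suited to logging serials that `serial_to_i64` rejects.
pub fn serial_hex(content: &[u8]) -> String {
    content.iter().map(|b| format!("{b:02x}")).collect::<Vec<_>>().join(":")
}

/// Constructed sample: a 16-octet random-style serial (not from any real certificate).
pub const RANDOM_SERIAL: [u8; 16] = [
    0x0a, 0x1b, 0x2c, 0x3d, 0x4e, 0x5f, 0x60, 0x71,
    0x82, 0x93, 0xa4, 0xb5, 0xc6, 0xd7, 0xe8, 0xf9,
];

fn main() {
    // Small serials fit; random CA serials fall back to the byte form.
    for serial in [&[0x00u8, 0x80][..], &RANDOM_SERIAL[..]] {
        match serial_to_i64(serial) {
            Some(n) => println!("serial {n}"),
            None => println!("serial (bytes) {}", serial_hex(serial)),
        }
    }
}
```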
pub fn not_before_str(&self) -> Option<String>

Validity notBefore as a human-readable UTC string.

The format is "Mmm DD HH:MM:SS YYYY GMT" (OpenSSL default).

Returns None if the field is absent or cannot be printed.

pub fn not_after_str(&self) -> Option<String>

Validity notAfter as a human-readable UTC string.

Returns None if the field is absent or cannot be printed.

pub fn not_before_tm(&self) -> Option<BrokenDownTime>

Validity notBefore as a structured BrokenDownTime in UTC.

Returns None if the field is absent or cannot be parsed.

pub fn not_after_tm(&self) -> Option<BrokenDownTime>

Validity notAfter as a structured BrokenDownTime in UTC.

Returns None if the field is absent or cannot be parsed.

pub fn is_valid_now(&self) -> bool

Returns true if the current time is within [notBefore, notAfter].

pub fn public_key(&self) -> Result<Pkey<Public>, ErrorStack>

Extract the public key (owned Pkey<Public>).

Calls X509_get_pubkey; the returned key is independently reference-counted.

Errors

pub fn public_key_is_a(&self, alg: &CStr) -> bool

Check whether the certificate's public key uses the named algorithm.

Uses X509_get0_pubkey (no reference-count increment). Call
Self::public_key if you need an owned crate::pkey::Pkey handle.

Returns false if the certificate has no public key or if the algorithm
name does not match.

pub fn public_key_bits(&self) -> Option<u32>

Bit size of the certificate's public key.

Uses X509_get0_pubkey (no reference-count increment).

Returns None if the certificate has no public key.

pub fn signature_info(&self) -> Result<SignatureInfo, ErrorStack>

Inspect the signature algorithm used in this certificate.

Calls X509_get_signature_info to decode the signature algorithm fields
embedded in the certificate's signatureAlgorithm and signature
structures.

md_nid is 0 (NID_undef) for algorithms that have no separate
pre-hash step, such as Ed25519 and ML-DSA (post-quantum lattice signatures
defined in FIPS 204). Always check for 0 before using md_nid as a
digest identifier.

Errors

Returns Err if OpenSSL cannot decode the signature algorithm (e.g. the
certificate's signature field is absent or uses an unrecognised OID).

pub fn verify(&self, key: &Pkey<Public>) -> Result<bool, ErrorStack>

Verify that this certificate was signed by key.

Returns Ok(true) if the signature is valid, Ok(false) if not, or
Err on a fatal error.

Errors

pub fn is_self_signed(&self) -> bool

Returns true if the certificate is self-signed.

pub fn extension_count(&self) -> usize

Number of extensions in this certificate.

pub fn extension(&self, idx: usize) -> Option<X509Extension<'_>>

Access an extension by index (0-based).

Returns None if idx is out of range.

pub fn extension_by_nid(&self, nid: i32) -> Option<X509Extension<'_>>

Find the first extension with the given NID.

Returns None if no such extension exists.

pub fn extension_der(&self, nid: i32) -> Option<&[u8]>

Return the DER-encoded value of the first extension with the given NID.

Returns None if the extension is not present. The returned byte slice
is borrowed from the certificate's internal storage (zero-copy, no
allocation) and is valid for 'self's lifetime.

To iterate all extensions or access criticality flags, use
Self::extension_by_nid or Self::extension instead.