Expand description
Welcome to the documentation for verdict, a formally verified
X.509 certificate validation library (developed using Verus).
You can also find a CLI tool and more details about Verdict at our GitHub repo.
This is still a very experimental tool, so the API here is likely rough around the edges and subject to change.
An example usage of verdict:
use verdict::{ChromePolicy, RootStore, Task, Validator};
const ROOTS: &[u8] = include_bytes!("../tests/roots.pem");
const CHAIN: &[u8] = include_bytes!("../tests/chains/google.pem");
const HOSTNAME: &str = "<hostname>";
const TIMESTAMP: u64 = 1725029869;
let roots = RootStore::from_pem(ROOTS).unwrap();
let validator = Validator::from_roots(ChromePolicy::default(), &roots).unwrap();
let task = Task::new_server_auth(Some(HOSTNAME), TIMESTAMP);
let valid = validator.validate_pem(CHAIN, &task).unwrap();Here, both the root certificates and certificate chain are
loaded in PEM format.
The result in valid indicates whether Chromium’s X.509
validation policy that we modeled in Verdict (ChromePolicy)
considers the certificate chain valid (agsinst the provided root
store, hostname, and timestamp).
We have also modeled the X.509 validation policies in
Firefox (FirefoxPolicy) and OpenSSL (OpenSSLPolicy).
Structs§
- Chrome
Policy - A model of Chromium’s X.509 validation policy around Aug, 2020.
- Exec
Attribute - Corresponds to
AttributeTypeAndValuein X.509 - Exec
Authority Info Access - Exec
Authority KeyIdentifier - Exec
Basic Constraints - Exec
Certificate Policies - Exec
Distinguished Name - Exec
Extended KeyUsage - Exec
Extension - Exec
KeyUsage - Exec
Name Constraints - Exec
Signature Algorithm - Exec
Subject AltName - Exec
Subject KeyIdentifier - Firefox
Policy - A model of Firefox’s X.509 validation policy around Aug, 2020.
- OpenSSL
Policy - A model of OpenSSL’s X.509 validation policy around Nov, 2024.
- Root
Store - A collection of trusted root certificates.
- Task
- A task includes auxiliary information needed for policy execution, such as hostname, purpose (e.g., server/client authentication), and current time.
- Validator
- A formally verified X.509 certificate validation engine.
Enums§
- Exec
Extended KeyUsage Type - Exec
General Name - Exec
Subject Key - Parse
Error - Parser errors
- Validation
Error - Errors in validation, parsing, and policy execution.
Traits§
- Policy
- Common trait for all policies (e.g.
ChromePolicy).
Functions§
- decode_
base64 - Decodes a Base64-encoded sequence of bytes.
- parse_
x509_ der - Parses the given bytes in ASN.1 DER format
to a
x509::CertificateValue.
Type Aliases§
- Certificate
- An intermediate representation of X.509 certificates used in policy execution.
- Result
- Common
Resulttype for Verdict APIs