ddn.crypto.x509.certificate

X.509 Certificate Parsing and Representation (RFC 5280).

Provides types and functions for parsing X.509 certificates from DER or PEM format, extracting public keys, and accessing certificate fields and extensions.

Types (11)

enum X509Version : ubyte

X.509 certificate version.

The version field indicates the syntax version of the certificate.

V1 = 0 - Version 1 (default, no extensions)
V2 = 1 - Version 2 (adds issuer/subject unique IDs)
V3 = 2 - Version 3 (adds extensions)

enum KeyUsage : ushort

Key usage flags as defined in RFC 5280 Section 4.2.1.3.

These flags indicate the purpose of the public key contained in the certificate.

DIGITAL_SIGNATURE = 0x8000 - For signing other certificates
NON_REPUDIATION = 0x4000 - For key agreement protocols
KEY_ENCIPHERMENT = 0x2000 - For encrypting keys
DATA_ENCIPHERMENT = 0x1000 - For encrypting data directly
KEY_AGREEMENT = 0x0800 - For key agreement
KEY_CERT_SIGN = 0x0400 - For verifying certificate signatures
CRL_SIGN = 0x0200 - For verifying CRL signatures
ENCIPHER_ONLY = 0x0100 - For key agreement, encipher only
DECIPHER_ONLY = 0x0080 - For key agreement, decipher only

enum GeneralNameType : ubyte

General name type for the Subject Alternative Name extension.

OTHER_NAME = 0 - Another name (OID + value)
RFC822_NAME = 1 - RFC 822 email address
DNS_NAME = 2 - DNS hostname
X400_ADDRESS = 3 - X.400 address
DIRECTORY_NAME = 4 - X.500 directory name
EDI_PARTY_NAME = 5 - EDI party name
URI = 6 - Uniform Resource Identifier
IP_ADDRESS = 7 - IP address (4 or 16 bytes)
REGISTERED_ID = 8 - Registered ID (OID)

struct DistinguishedName

Represents an X.500 Distinguished Name (DN).

A DN is an ordered sequence of Relative Distinguished Names (RDNs), each containing one or more attribute type-value pairs.

Fields
RDN[] rdns - The RDN components in order
Methods
string getAttribute(string oid) const pure nothrow @safe - Returns the first value for the given OID, or null if not found.
string commonName() @property const pure nothrow @safe - Returns the Common Name (CN) attribute, or null if not present.
string organization() @property const pure nothrow @safe - Returns the Organization (O) attribute, or null if not present.
string country() @property const pure nothrow @safe - Returns the Country (C) attribute, or null if not present.
string toString() const pure @safe - Converts the DN to a human-readable string in RFC 2253 format.
struct RDN

A Relative Distinguished Name, containing one or more attributes.

Fields
AttributeTypeAndValue[] attributes - The attribute type-value pairs in this RDN

struct AttributeTypeAndValue

An attribute type-value pair within an RDN.

Fields
string oid - The attribute type OID in dotted-decimal form
string value - The attribute value as a string
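Added example in Python, not code from the ddn.crypto.x509 module: the DistinguishedName, RDN and AttributeTypeAndValue shapes described above, with getAttribute, the CN/O/C accessors and an RFC 2253 toString. The oid_to_short_name and escape_rdn helpers, the OID table and the sample DN are assumptions of this example, not the library's own.

```python
# Added example, not code from the ddn.crypto.x509 module: the
# DistinguishedName / RDN / AttributeTypeAndValue shapes the page describes,
# with RFC 2253 string output. Names and helper signatures are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

# Short names for common attribute-type OIDs (RFC 4514 section 3); anything
# else is written in dotted-decimal form, which RFC 2253 permits.
OID_SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}


def oid_to_short_name(oid: str) -> str:
    return OID_SHORT_NAMES.get(oid, oid)


def escape_rdn(value: str) -> str:
    """Escape an attribute value for RFC 2253 output (section 2.4).

    Without this, a value containing ',' or '+' would render as an extra
    attribute wherever the string form is logged or compared."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


@dataclass
class AttributeTypeAndValue:
    oid: str    # attribute type OID in dotted-decimal form
    value: str  # attribute value as a string


@dataclass
class RDN:
    attributes: List[AttributeTypeAndValue] = field(default_factory=list)


@dataclass
class DistinguishedName:
    rdns: List[RDN] = field(default_factory=list)  # in DER (encoded) order

    def get_attribute(self, oid: str) -> Optional[str]:
        """First value for the OID, or None (the page's getAttribute returns null)."""
        for rdn in self.rdns:
            for atv in rdn.attributes:
                if atv.oid == oid:
                    return atv.value
        return None

    @property
    def common_name(self) -> Optional[str]:
        return self.get_attribute("2.5.4.3")

    @property
    def organization(self) -> Optional[str]:
        return self.get_attribute("2.5.4.10")

    @property
    def country(self) -> Optional[str]:
        return self.get_attribute("2.5.4.6")

    def to_string(self) -> str:
        """RFC 2253 form: RDNs listed last-encoded-first and joined with ',';
        the attributes of a multi-valued RDN are joined with '+'."""
        return ",".join(
            "+".join(f"{oid_to_short_name(a.oid)}={escape_rdn(a.value)}" for a in rdn.attributes)
            for rdn in reversed(self.rdns))


# Constructed sample: DER order is C, O, CN (most specific component last).
SAMPLE_DN = DistinguishedName([
    RDN([AttributeTypeAndValue("2.5.4.6", "US")]),
    RDN([AttributeTypeAndValue("2.5.4.10", "Example, Inc.")]),
    RDN([AttributeTypeAndValue("2.5.4.3", "example.com"),
         AttributeTypeAndValue("2.5.4.11", "Web")]),
])

if __name__ == "__main__":
    print(SAMPLE_DN.to_string())  # CN=example.com+OU=Web,O=Example\, Inc.,C=US
```

The escaping is what keeps the rendered form unambiguous: the constructed organization value "Example, Inc." would otherwise read as two attributes. Where a DN has to be compared (for example issuer against subject), comparing the DER bytes or the parsed RDN sequence is more robust than comparing rendered strings.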
struct Validity

Certificate validity period.

Fields
long notBefore - The time the certificate becomes valid (Unix timestamp)
long notAfter - The time the certificate expires (Unix timestamp)
Methods
bool isValidAt(long unixTime) const pure nothrow @safe @nogc - Checks if the given time falls within the validity period.
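Added example in Python, not the module's code: the Validity struct together with the Time encoding rules that the private parseTime, parseTimeInt, toUnixTime and isLeapYear helpers listed under Functions implement. It shows the RFC 5280 profile of UTCTime (two-digit years 50..99 mean 1950..1999, seconds and the trailing Z are mandatory) and GeneralizedTime, and a UTC-only conversion to Unix time. Function names, the sample timestamps and the rejects_time helper are assumptions of this example.

```python
# Added example, not code from the ddn.crypto.x509 module: the Validity struct
# with the Time encoding rules of RFC 5280 section 4.1.2.5 and a UTC-only Unix
# time conversion in the spirit of the page's toUnixTime / isLeapYear helpers.
# Every name and sample value here is an assumption of this example.
from dataclasses import dataclass

TAG_UTC_TIME, TAG_GENERALIZED_TIME = 0x17, 0x18
DAYS_BEFORE_MONTH = (0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334)

def is_leap_year(year: int) -> bool:
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def to_unix_time(year: int, month: int, day: int, hour: int, minute: int, second: int) -> int:
    """Date components in UTC -> seconds since 1970-01-01T00:00:00Z.
    Years before 1970 (UTCTime reaches back to 1950) give negative values."""
    days = sum(366 if is_leap_year(y) else 365 for y in range(1970, year))
    days -= sum(366 if is_leap_year(y) else 365 for y in range(year, 1970))
    days += DAYS_BEFORE_MONTH[month - 1] + (1 if month > 2 and is_leap_year(year) else 0) + day - 1
    return ((days * 24 + hour) * 60 + minute) * 60 + second

def parse_time_int(s: str) -> int:
    if not (s.isascii() and s.isdigit()):  # int() alone would accept '+1', ' 1' and Unicode digits
        raise ValueError(f"non-numeric time field {s!r}")
    return int(s)

def parse_time(tag: int, content: bytes) -> int:
    """DER Time to Unix timestamp. RFC 5280 profile: UTCTime is exactly
    YYMMDDHHMMSSZ with 50..99 meaning 1950..1999, GeneralizedTime is exactly
    YYYYMMDDHHMMSSZ; seconds are mandatory, fractions and offsets are not allowed."""
    s = content.decode("ascii")
    if tag == TAG_UTC_TIME and len(s) == 13:
        yy = parse_time_int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == TAG_GENERALIZED_TIME and len(s) == 15:
        year, rest = parse_time_int(s[:4]), s[4:]
    else:
        raise ValueError("Time is not in the RFC 5280 UTCTime/GeneralizedTime form")
    if rest[-1] != "Z":
        raise ValueError("Time must be UTC with a trailing Z")
    month, day, hour, minute, second = (parse_time_int(rest[i:i + 2]) for i in range(0, 10, 2))
    mdays = (31, 29 if is_leap_year(year) else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)
    if not (1 <= month <= 12 and 1 <= day <= mdays[month - 1] and hour < 24 and minute < 60 and second < 60):
        raise ValueError("time field out of range")
    return to_unix_time(year, month, day, hour, minute, second)

@dataclass
class Validity:
    not_before: int  # Unix timestamp
    not_after: int   # Unix timestamp

    def is_valid_at(self, unix_time: int) -> bool:
        return self.not_before <= unix_time <= self.not_after

def parse_validity(not_before: tuple, not_after: tuple) -> Validity:
    """Both arguments are (tag, content) pairs as a DER reader would yield them."""
    v = Validity(parse_time(*not_before), parse_time(*not_after))
    if v.not_after < v.not_before:
        raise ValueError("notAfter precedes notBefore")
    return v

def rejects_time(tag: int, content: bytes) -> bool:
    try:
        parse_time(tag, content)
        return False
    except ValueError:
        return True

# Constructed sample: valid from 2024-01-01 to 2050-01-01 (RFC 5280 requires
# GeneralizedTime for dates from 2050 on and UTCTime before that).
SAMPLE_VALIDITY = parse_validity((TAG_UTC_TIME, b"240101000000Z"),
                                 (TAG_GENERALIZED_TIME, b"20500101000000Z"))
```

The strict length and "Z" checks matter because lenient parsers that accept omitted seconds, fractional seconds or a numeric offset can disagree with the rest of the chain about when a certificate expires. RFC 5280's "no well-defined expiration" value, the GeneralizedTime 99991231235959Z, parses here without a special case.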

struct GeneralName

A general name from the Subject Alternative Name extension.

Fields
GeneralNameType type - The type of this general name
string value - The value (interpretation depends on type)
ubyte[] ipBytes - For IP addresses, the raw bytes

struct BasicConstraints

Basic Constraints extension data.

Fields
bool isCA - Whether this certificate is a CA certificate
int pathLenConstraint - Maximum path length (number of intermediate CAs allowed), -1 if not specified

struct X509Extension

An X.509 certificate extension.

Fields
string oid - The extension OID in dotted-decimal form
bool critical - Whether the extension is marked critical
ubyte[] value - The raw extension value bytes (DER-encoded)
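Added example in Python, not code from the ddn.crypto.x509 module: a strict DER TLV reader and parsers for the raw value bytes of the three extensions the types above describe (KeyUsage into the page's 16-bit flag layout, BasicConstraints into the (isCA, pathLen) pair with -1 for an absent path length, and SubjectAltName into (GeneralNameType, value) pairs). Every function name, the rejects helper and the sample extension values are assumptions of this example; only the KeyUsage bit values are taken from the page.

```python
# Added example, not code from the ddn.crypto.x509 module: a strict DER TLV
# reader and parsers for the KeyUsage, BasicConstraints and SubjectAltName
# extension values. Every name is an assumption; bit values match the KeyUsage enum.
from typing import List, Tuple

KEY_USAGE_BITS = {0x8000: "DIGITAL_SIGNATURE", 0x4000: "NON_REPUDIATION",
                  0x2000: "KEY_ENCIPHERMENT", 0x1000: "DATA_ENCIPHERMENT",
                  0x0800: "KEY_AGREEMENT", 0x0400: "KEY_CERT_SIGN", 0x0200: "CRL_SIGN",
                  0x0100: "ENCIPHER_ONLY", 0x0080: "DECIPHER_ONLY"}

def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """One DER TLV at pos -> (tag, content, next position). Indefinite and
    non-minimal lengths are rejected because DER forbids them."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length >= 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(data):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        if length < 0x80 or length >> (8 * (nbytes - 1)) == 0:
            raise ValueError("non-minimal length encoding")
    if pos + length > len(data):
        raise ValueError("TLV content exceeds buffer")
    return tag, data[pos:pos + length], pos + length

def parse_key_usage(value: bytes) -> int:
    """KeyUsage ::= BIT STRING, packed big-endian into the 16-bit flag word."""
    tag, content, end = read_tlv(value)
    if tag != 0x03 or end != len(value) or not 1 <= len(content) <= 3:
        raise ValueError("KeyUsage must be one BIT STRING of at most 9 bits")
    unused, bits = content[0], content[1:]
    if unused > 7 or (not bits and unused) or (bits and bits[-1] & ((1 << unused) - 1)):
        raise ValueError("bad unused-bit count or non-zero padding bits (DER)")
    return int.from_bytes(bits.ljust(2, b"\x00"), "big") & 0xFF80  # bits 0..8 only

def key_usage_names(flags: int) -> List[str]:
    return [name for bit, name in KEY_USAGE_BITS.items() if flags & bit]

def parse_basic_constraints(value: bytes) -> Tuple[bool, int]:
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    -> (isCA, pathLen); pathLen is -1 when absent, as in the page's struct."""
    tag, seq, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("BasicConstraints must be a SEQUENCE")
    is_ca, path_len, pos = False, -1, 0
    if pos < len(seq) and seq[pos] == 0x01:
        _, content, pos = read_tlv(seq, pos)
        if content != b"\xff":  # DER: TRUE is 0xFF and the DEFAULT FALSE is never encoded
            raise ValueError("non-DER BOOLEAN in cA")
        is_ca = True
    if pos < len(seq) and seq[pos] == 0x02:
        _, content, pos = read_tlv(seq, pos)
        path_len = int.from_bytes(content, "big", signed=True)
        if not content or path_len < 0:
            raise ValueError("pathLenConstraint must be a non-negative INTEGER")
    if pos != len(seq):
        raise ValueError("trailing data in BasicConstraints")
    return is_ca, path_len

def parse_subject_alt_name(value: bytes) -> List[Tuple[int, object]]:
    """SEQUENCE OF GeneralName -> (type, value) pairs; type is the context tag
    number, i.e. the page's GeneralNameType value."""
    tag, seq, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("GeneralName needs a context-specific tag")
        kind = tag & 0x1F
        if kind in (1, 2, 6):  # rfc822Name, dNSName, URI are IA5String: 7-bit, no NUL
            if not content or any(b == 0 or b > 0x7F for b in content):
                raise ValueError("IA5String must be non-empty 7-bit ASCII without NUL")
            names.append((kind, content.decode("ascii")))
        elif kind == 7 and len(content) not in (4, 16):  # iPAddress: raw octets
            raise ValueError("iPAddress must be 4 or 16 octets")
        else:  # iPAddress, otherName, directoryName, ...: keep the raw bytes
            names.append((kind, bytes(content)))
    return names

def get_dns_names(value: bytes) -> List[str]:
    return [v for kind, v in parse_subject_alt_name(value) if kind == 2]

def rejects(parser, value: bytes) -> bool:  # True when the parser refuses the encoding
    try:
        parser(value)
        return False
    except ValueError:
        return True

def _tlv(tag: int, content: bytes) -> bytes:  # sample-data builder, short lengths only
    return bytes([tag, len(content)]) + content

# Constructed sample extension values (the raw `value` bytes of an X509Extension).
SAMPLE_KEY_USAGE = bytes.fromhex("030205a0")                  # digitalSignature + keyEncipherment
SAMPLE_BASIC_CONSTRAINTS = bytes.fromhex("30060101ff020100")  # cA TRUE, pathLen 0
SAMPLE_SAN = _tlv(0x30, _tlv(0x82, b"example.com") + _tlv(0x82, b"www.example.com") + _tlv(0x87, bytes([192, 0, 2, 10])))
```

The DER-strictness checks (minimal lengths, BOOLEAN TRUE only as 0xFF, the DEFAULT FALSE never encoded, zero padding bits) are the difference between a parser whose output matches what the signer signed and one that can be made to see a different cA flag or key usage than another implementation does. The 0xFF80 mask mirrors the enum: bit 0 of the BIT STRING is 0x8000 and bit 8 (DECIPHER_ONLY) is 0x0080.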

class X509Certificate

Represents a parsed X.509 certificate.

This class provides access to all certificate fields, extensions, and the subject public key. It supports parsing from DER or PEM format.

Fields
X509Version certVersion - The certificate version (v1, v2, or v3)
ubyte[] serialNumber - The certificate serial number as big-endian bytes
string signatureAlgorithm - The signature algorithm OID used by the issuer
ubyte[] signatureParameters - The signature algorithm parameters (may be empty)
DistinguishedName issuer - The issuer Distinguished Name
Validity validity - The certificate validity period
DistinguishedName subject - The subject Distinguished Name
string publicKeyAlgorithm - The subject public key algorithm OID
ubyte[] publicKeyParameters - The subject public key algorithm parameters (e.g., curve OID for EC)
ubyte[] publicKeyBits - The subject public key bits
ubyte[] subjectPublicKeyInfo - The raw SubjectPublicKeyInfo DER bytes
X509Extension[] extensions - The certificate extensions (empty for v1/v2 certs)
ubyte[] signatureValue - The signature value
ubyte[] tbsCertificateDer - The raw TBSCertificate DER bytes (for signature verification)
ubyte[] rawDer - The complete certificate DER bytes
Methods
PublicKey getPublicKey() const - Extracts and returns the subject public key.
X509Extension getExtension(string oid) const pure nothrow @safe - Finds an extension by OID.
bool hasExtension(string oid) const pure nothrow @safe - Checks if an extension with the given OID exists.
BasicConstraints getBasicConstraints() const - Parses and returns the Basic Constraints extension.
ushort getKeyUsage() const - Parses and returns the Key Usage extension.
GeneralName[] getSubjectAltNames() const @trusted - Parses and returns the Subject Alternative Name extension.
string[] getExtendedKeyUsage() const - Parses and returns the Extended Key Usage extension.
string[] getDnsNames() const - Returns the DNS names from the Subject Alternative Name extension.
bool isCA() @property const - Checks if this is a CA certificate.
bool isSelfSigned() @property const - Checks if the certificate is self-signed (issuer equals subject).
string serialNumberHex() const pure @safe - Returns the serial number as a hexadecimal string.
string toPem() const @safe - Encodes the certificate to PEM format.

Functions (19)

X509Certificate parseX509Certificate(const(ubyte)[] der) - Parses an X.509 certificate from DER-encoded bytes.
X509Certificate parseX509CertificatePem(string pem) - Parses an X.509 certificate from PEM format.
private DistinguishedName parseDistinguishedName(ref DerReader reader) - Parses a Distinguished Name from the current position in the reader.
private Validity parseValidity(ref DerReader reader) - Parses a Validity structure.
private long parseTime(Asn1Value tlv) - Parses a Time value (UTCTime or GeneralizedTime) to a Unix timestamp.
private void parseSubjectPublicKeyInfo(const(ubyte)[] content, X509Certificate cert) - Parses SubjectPublicKeyInfo and populates certificate fields.
private X509Extension[] parseExtensions(const(ubyte)[] content) - Parses the extensions sequence.
private BasicConstraints parseBasicConstraints(const(ubyte)[] value) - Parses a Basic Constraints extension value.
private ushort parseKeyUsage(const(ubyte)[] value) - Parses a Key Usage extension value.
private GeneralName[] parseSubjectAltName(const(ubyte)[] value) - Parses a Subject Alternative Name extension value.
private string[] parseExtendedKeyUsage(const(ubyte)[] value) - Parses an Extended Key Usage extension value.
private string parseStringValue(Asn1Value tlv) pure - Parses an ASN.1 string value (UTF8String, PrintableString, etc.).
private ubyte[] wrapInSequence(const(ubyte)[] content) pure @safe - Wraps content in a SEQUENCE TLV.
private string oidToShortName(string oid) pure nothrow @safe - Converts an OID to a short name for DN display.
private string escapeRdn(string value) pure @safe - Escapes special characters in an RDN value for RFC 2253 output.
private int parseTimeInt(string s) pure @safe - Parses a 2- or 4-digit integer from a time string.
private long toUnixTime(int year, int month, int day, int hour, int minute, int second) pure nothrow @safe - Converts date components to a Unix timestamp (assumes UTC).
private bool isLeapYear(int year) pure nothrow @safe @nogc - Checks if a year is a leap year.
private char hexDigit(ubyte nibble) pure nothrow @safe @nogc - Converts a nibble to a hex character.