Talks - William Woodruff: Building a Rusty path validation library for PyCA Cryptography

X.509 is a critical but complex building block for internet security, particularly for HTTPS/TLS, serving as a public key conveyance and identity binding format

Most X.509 implementations are based on OpenSSL (75% market share) which has significant baggage, security issues, and complex API surface that can lead to vulnerabilities

The new PyCA Cryptography path validation library was built in Rust, focusing on:

• Minimality - implementing only commonly used parts
• Correctness - extensive testing through X.509 Limbo test suite
• Speed - 60% faster than OpenSSL for path validation
• Clean API design with good defaults

Major challenges in X.509 implementation include:

• Complex graph traversal for chain validation
• Parsing ambiguities and edge cases
• Name constraints handling
• Serial number validation
• Time handling issues
• Self-signed certificate quirks

Key improvements over existing implementations:

• Pure Rust implementation for core validation logic
• Aggressive caching of parsed keys
• Separation of server vs client validation APIs
• Better handling of name constraints
• Explicit rejection of older X.509 formats
• Focus on RFC 5280 and CABF profiles only

The new implementation found bugs in other major implementations including Go’s crypto library and GNU TLS

Future work includes:

• Adding revocation checking (CRL/OCSP)
• Supporting additional algorithms like DSA
• Expanding test coverage through X.509 Limbo
• Improving performance further

The implementation is production-ready and available via pip install cryptography