MMS • Sergio De Simone
Article originally posted on InfoQ. Visit InfoQ
The Swift team has just released two new server-side packages that aim to provide developers a faster and safer implementation of X.509 certificates, including their underlying ASN.1 DER encoding/decoding mechanism.
According to the Swift team, the new packages will eventually replace the existing X.509 implementation based on BoringSSL, written in C and included in the
swift-nio-ssl package. This should bring significant performance improvements for TLS-based applications as well as memory safety thanks to the use of Swift.
The Swift Certificate package makes it possible to serialize, deserialize, create, and interact with X.509 certificates, enabling the creation of certificate verifiers, authentication mechanisms, as well as to interact with certificate authorities. The package includes a default verifier and a number of built-in verifier policies.
Server-side applications make frequent use of X.509 certificates. At a minimum, most web servers will load a TLS certificate to secure their network connections. Many more complex use cases exist, from dynamically provisioning TLS certificates using ACME to validating identities using x5c. This makes a fully-featured X.509 library a powerful asset for a server-side ecosystem.
The second package announced by the Swift team provides support for ASN.1, which is a requirement in order to use X.509 certificates. It includes an implementation of the common ASN.1 currency types and of DER serialization and deserialization. ASN.1 is a very flexible format, albeit a complex one allowing for recursive references, default and optional values, and more.
In this case, too, the Swift team emphasizes the advantages of a Swift-based implementation thanks to its memory safety guarantees:
Making this parser safe is particularly valuable as a major goal of DER parsers is to parse untrusted user input. Memory safety bugs in ASN.1 parsing commonly lead to high severity issues.
X.509 lies at the foundation of public key infrastructures and certificates and is used in many internet protocols, including TLS/SSL. Typical use cases for X.509 include verifying an actor’s identity through a certification authority, signing a document to attest its authorship, and more.
ASN.1, also known as Abstract Syntax Notation One, is an abstract language used to define file formats and data structures in a language-agnostic way. An ASN.1 interface definition can be automatically translated into a number of different programming languages and use a binary format based on a set of encoding rules, such as the Basic Encoding Rules (BER), the Distinguished Encoding Rules (DER), and so on. Other popular interface definition languages used in networking applications are Protocol Buffers and Apache Thrift.