arti/crates/tor-cert/README.md

# tor-cert

Implementation for Tor certificates

## Overview

The `tor-cert` crate implements the binary certificate types
documented in Tor's cert-spec.txt, which are used when
authenticating Tor channels.  (Eventually, support for onion service
certificate support will get added too.)

This crate is part of
[Arti](https://gitlab.torproject.org/tpo/core/arti/), a project to
implement [Tor](https://www.torproject.org/) in Rust.

There are other types of certificate used by Tor as well, and they
are implemented in other places.  In particular, see
[`tor-netdoc::doc::authcert`] for the certificate types used by
authorities in the directory protocol.

### Design notes

The `tor-cert` code is in its own separate crate because it is
required by several other higher-level crates that do not depend
upon each other.  For example, [`tor-netdoc`] parses encoded
certificates from router descriptors, while [`tor-proto`] uses
certificates when authenticating relays.

## Examples

Parsing, validating, and inspecting a certificate:

```rust
use base64ct::{Base64, Encoding as _};
use tor_cert::*;
use tor_checkable::*;
// Taken from a random relay on the Tor network.
let cert_base64 =
 "AQQABrntAThPWJ4nFH1L77Ar+emd4GPXZTPUYzIwmR2H6Zod5TvXAQAgBAC+vzqh
  VFO1SGATubxcrZzrsNr+8hrsdZtyGg/Dde/TqaY1FNbeMqtAPMziWOd6txzShER4
  qc/haDk5V45Qfk6kjcKw+k7cPwyJeu+UF/azdoqcszHRnUHRXpiPzudPoA4=";
// Remove the whitespace, so base64 doesn't choke on it.
let cert_base64: String = cert_base64.split_whitespace().collect();
// Decode the base64.
let cert_bin = Base64::decode_vec(&cert_base64).unwrap();

// Decode the cert and check its signature.
let cert = Ed25519Cert::decode(&cert_bin).unwrap()
    .check_key(None).unwrap()
    .check_signature().unwrap()
    .dangerously_assume_timely();
let signed_key = cert.subject_key();
```

License: MIT OR Apache-2.0