upki implements platform-independent browser-grade certificate infrastructure.
The first goal of this project is to provide reliable, privacy-preserving and efficient certificate revocation building on foundational work by Mozilla.
Later goals include intermediate preloading, certificate transparency enforcement, replicating common root distrust processes, and supporting deployment of Merkle Tree Certificates.
This is for checking revocation status for certificates issued by publicly-trusted
authorities. It uses crlite-clubcard. This requires
a data set that updates several times per day. upki therefore includes a synchronization
component, which fetches updated data. You can run upki fetch to do this at any time,
but ideally it is run system-wide as arranged by packagers.
There are a number of interfaces available:
This is useful for monitoring, testing and alerting purposes.
$ curl -w '%{certs}' https://google.com | upki revocation check
(...)
NotRevokedTODO
Rustls integration
The rustls-upki crate provides a rustls
server certificate verifier that checks the server certificate's revocation status.
See the documentation or example code:
~/src/upki/rustls-upki$ cargo -q run --example simpleclient revoked.r6.roots.globalsign.com
Error: Custom { kind: InvalidData, error: InvalidCertificate(Revoked) }See PACKAGING.md.
upki is distributed under the following two licenses:
- Apache License version 2.0.
- MIT license.
These are included as LICENSE-APACHE and LICENSE-MIT respectively. You may use this software under the terms of any of these licenses, at your option.