cacrt — curated, no_std/no-alloc access to DER-encoded CA root certificates by their OpenSSL subject hash.
The crate embeds a curated set of trusted root CA certificates (see
CURATION.md for the acceptance rules) and exposes a tiny, allocation-free
API to look them up and iterate over them. All parsing, hashing and curation
happen at build time; at runtime this crate is pure &'static data and
integer comparisons.
OpenSSL hash names
Certificates are addressable by the same name OpenSSL’s c_rehash/openssl rehash uses for files in a hash directory, e.g. "062cdee6.0". The eight
hex digits are the subject-name hash (SHA-1 over the canonicalized subject,
first four bytes little-endian) and the trailing number disambiguates
certificates that share a subject hash.
```rust
fn main() {
    // Look one up by its OpenSSL hash name.
    if let Some(ca) = cacrt::lookup("062cdee6.0") {
        assert_eq!(ca.subject_hash(), 0x062cdee6);
        let _der: &[u8] = ca.der();
    }
    // Iterate over every embedded CA.
    for ca in cacrt::all() {
        let _ = (ca.subject_hash(), ca.label());
    }
}
```

Building certificate chains
To find the issuer of a certificate without hashing at runtime, match the
issuer’s raw DER Name against each CA’s subject with find_by_subject.
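As an added example (not code from the cacrt crate or its docs), the Python below reproduces the hash-name derivation and the lookup semantics described above over a constructed table. It assumes the subject bytes are already in OpenSSL's canonical Name encoding (placeholder bytes stand in for real DER), and the order in which sequence numbers are assigned among certificates sharing a hash is an assumption.

```python
import hashlib
from bisect import bisect_left, bisect_right

# Constructed sample. The bytes are placeholders for the canonical Name
# encoding; two roots share a subject on purpose (think of a re-issued root
# under the same name), which is what the trailing sequence number is for.
SAMPLE_ROOTS = [
    ("Example Root R1", b"canonical-name-of-example-root-r1"),
    ("Example Root R2", b"canonical-name-of-example-root-r2"),
    ("Example Root R1 (re-issued)", b"canonical-name-of-example-root-r1"),
]

def openssl_subject_hash(canon_subject: bytes) -> int:
    """X509_NAME_hash: SHA-1 over the canonical Name, first four bytes little-endian."""
    return int.from_bytes(hashlib.sha1(canon_subject).digest()[:4], "little")

def hash_name(subject_hash: int, seq: int) -> str:
    """Format as c_rehash / openssl rehash does: "%08x.%d"."""
    return f"{subject_hash:08x}.{seq}"

def parse_hash_name(name: str):
    """Inverse of hash_name; None unless exactly 8 hex digits, '.', decimal seq."""
    hex_part, dot, seq = name.partition(".")
    if dot != "." or len(hex_part) != 8 or not seq.isdigit():
        return None
    try:
        return int(hex_part, 16), int(seq)
    except ValueError:
        return None

def build_table(roots):
    """Build-time step: (hash, seq, label, canon) sorted by hash, then seq."""
    hashed = sorted((openssl_subject_hash(c), label, c) for label, c in roots)
    table, seq, prev = [], 0, None
    for h, label, c in hashed:
        seq = seq + 1 if h == prev else 0  # seq restarts for each new hash
        table.append((h, seq, label, c))
        prev = h
    return table

def lookup_by_hash(table, subject_hash):
    """Contiguous run of entries sharing subject_hash (empty if none)."""
    keys = [h for h, *_ in table]
    return table[bisect_left(keys, subject_hash):bisect_right(keys, subject_hash)]

def lookup(table, name):
    """Resolve an OpenSSL hash name to one entry, or None."""
    parsed = parse_hash_name(name)
    if parsed is None:
        return None
    h, seq = parsed
    return next((e for e in lookup_by_hash(table, h) if e[1] == seq), None)

def find_by_subject(table, subject_der):
    """Issuer resolution without hashing: exact match on the raw Name bytes."""
    return [e for e in table if e[3] == subject_der]

TABLE = build_table(SAMPLE_ROOTS)
```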
Structs

- Cert: A single embedded CA root certificate.
- HashName: The OpenSSL hash name of a certificate, formatted on demand as "%08x.%d".

Functions

- all: All embedded CA certificates, sorted by subject hash then sequence number.
- find_by_subject: All certificates whose subject Name exactly equals subject_der (the raw DER SEQUENCE). Useful for resolving an issuer during chain building without hashing at runtime.
- len: Number of embedded CA certificates.
- lookup: Look up a certificate by its OpenSSL hash name, e.g. "062cdee6.0".
- lookup_by_hash: Every certificate sharing the given subject hash, as a contiguous slice (empty if none). Within the slice, entries are ordered by sequence number.