synta 0.2.2

ASN.1 parser, decoder, and encoder library with DER/BER support and C FFI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

# Library Comparison — Format Benchmarks

Two distinct benchmark groups measure certificate formatting:

1. **`library_comparison_format` / `post_quantum_comparison_format`** — DER bytes → full
   human-readable text.  Analogous to `openssl asn1parse` or `openssl x509 -text`.

2. **`library_comparison_format_fields` / `post_quantum_comparison_format_fields`** — parse +
   format five specific fields as strings: issuer DN, subject DN, signature algorithm OID,
   notBefore, notAfter.

```bash
# Full-text format benchmarks
cargo bench -p synta-bench --bench comparison --features bench-compare -- comparison_format
```

## What Each Library Formats

The groups are equalised so each library produces a comparable amount of output:

| Library | Full-cert format covers |
|---|---|
| `synta_text` | Full DER walk — every TLV including raw hex of extension values and key bytes |
| `synta_openssl` | Full DER walk, openssl-asn1parse style — truncates values > 8 bytes to ellipsis |
| `x509-parser` | Parse + format: version, serial (hex), signature alg, issuer, validity, subject, SPKI alg, all extension OIDs + critical flags |
| `x509-cert` | Same field set as x509-parser |

The remaining asymmetry: synta `Text` mode hex-encodes every byte of raw extension values and
large key fields; x509-parser and x509-cert print extension OIDs and critical flags only, not
the raw value bytes.  This is the fairest comparison the respective APIs permit.

---

## Full-Certificate Format — Traditional X.509

(`library_comparison_format` Criterion group)

| Certificate | synta\_text | x509-parser | synta\_openssl | x509-cert |
|---|---|---|---|---|
| cert\_00 (NoPolicies) | 3.50 µs | 4.41 µs | 7.94 µs | 11.27 µs |
| cert\_01 (SamePolicies-1) | 3.68 µs | 4.81 µs | 8.63 µs | 11.51 µs |
| cert\_02 (SamePolicies-2) | 3.65 µs | 4.86 µs | 8.48 µs | 11.53 µs |
| cert\_03 (anyPolicy) | 3.55 µs | 4.75 µs | 8.47 µs | 11.51 µs |
| cert\_04 (AnyPolicyEE) | 3.48 µs | 4.74 µs | 8.52 µs | 11.42 µs |
| **Average** | **3.57 µs** | **4.71 µs** | **8.41 µs** | **11.45 µs** |

**`synta_text` is faster than x509-parser** despite formatting more bytes per certificate.
x509-parser must fully decode and allocate each extension value internally (building typed Rust
structs) even when only printing the OID; synta_text just walks raw DER bytes without any
intermediate allocation.

**`synta_openssl` is slower than `synta_text`** because of per-element fixed-width decimal
column formatting overhead (`offset:d=depth hl=N l=N` prefix written via `fmt::Write` on every
TLV element).

**`x509-cert`'s result is dominated by its parse cost** (~10+ µs for the DER parse alone);
formatting is incremental above that.

---

## Full-Certificate Format — Post-Quantum (ML-DSA)

(`post_quantum_comparison_format` Criterion group)

| Certificate | x509-parser | synta\_openssl | x509-cert | synta\_text |
|---|---|---|---|---|
| ML-DSA-44 (3,992 B) | 4.36 µs | 6.82 µs | 8.79 µs | 7.82 µs |
| ML-DSA-65 (5,521 B) | 4.36 µs | 6.77 µs | 8.79 µs | 10.14 µs |
| ML-DSA-87 (7,479 B) | 4.33 µs | 6.84 µs | 8.76 µs | **13.38 µs** |

`synta_text` grows **linearly with certificate size** because it hex-encodes every byte of the
ML-DSA public key BIT STRING (~1,300–2,600 bytes across the three parameter sets).

The other three formatters are **flat across all ML-DSA sizes**:

- `synta_openssl` truncates values longer than 8 bytes (matching openssl asn1parse behaviour),
  so the large key BIT STRING appears as `[HEX DUMP]` rather than thousands of hex digits.
- `x509-parser` and `x509-cert` access the public key as an opaque `SubjectPublicKeyInfo`
  reference and print only the algorithm OID — no raw key bytes are formatted.

---

## Five-Field String Format — Traditional X.509

(`library_comparison_format_fields` Criterion group)

Parse + format issuer DN, subject DN, signature algorithm OID, notBefore, notAfter.

| Certificate | synta | x509-parser | x509-cert |
|---|---|---|---|
| cert\_00 (NoPolicies) | 1.49 µs | 3.64 µs | 10.70 µs |
| cert\_01 (SamePolicies-1) | 1.50 µs | 3.93 µs | 10.88 µs |
| cert\_02 (SamePolicies-2) | 1.51 µs | 4.02 µs | 11.13 µs |
| cert\_03 (anyPolicy) | 1.52 µs | 4.03 µs | 11.00 µs |
| cert\_04 (AnyPolicyEE) | 1.52 µs | 3.97 µs | 11.03 µs |
| **Average** | **1.51 µs** | **3.92 µs** | **10.95 µs** |

synta is **2.6× faster than x509-parser** and **7.3× faster than x509-cert** for field-level
string formatting of traditional certificates.

---

## Five-Field String Format — Post-Quantum (ML-DSA)

(`post_quantum_comparison_format_fields` Criterion group)

| Certificate | synta | x509-parser | x509-cert |
|---|---|---|---|
| ML-DSA-44 (3,992 B) | 1.23 µs | 3.24 µs | 7.92 µs |
| ML-DSA-65 (5,521 B) | 1.25 µs | 3.26 µs | 8.12 µs |
| ML-DSA-87 (7,479 B) | 1.26 µs | 3.36 µs | 7.86 µs |
| **Average** | **1.25 µs** | **3.29 µs** | **7.97 µs** |

All three libraries are **flat across ML-DSA sizes** because field-level formatting does not
touch the large public key bytes — only the DN bytes, algorithm OID, and timestamp strings are
formatted.

synta is **2.6× faster than x509-parser** and **6.4× faster than x509-cert** for field-level
string formatting of ML-DSA certificates.

synta's field-formatting time is also slightly *lower* for ML-DSA than for traditional
certificates (1.25 µs vs 1.51 µs) because the ML-DSA test certificates have shorter
Distinguished Names (one attribute each) compared to the PKITS certificates used for the
traditional benchmark (multiple attributes per RDN).