# PKCS#7 and PKCS#12 Certificate Extraction

```bash
cargo bench -p synta-bench --bench pkcs_formats
```

These benchmarks measure the cost of extracting X.509 certificates from PKCS#7 SignedData
blobs and PKCS#12 PFX archives — the two container formats used for CA bundles, trust store
imports, and inter-system certificate transfer.

## Test Inputs

| Name | Format | Size | Certificates |
|---|---|---|---|
| `amazon_roots` | PKCS#7 DER | 1,848 B | 2 |
| `pem_isrg` | PKCS#7 PEM | 1,992 B | 1 |
| `unencrypted_3certs` | PKCS#12 DER | 3,539 B | 3 |
| `unencrypted_1cert_with_key` | PKCS#12 DER | 756 B | 1 cert + private key |
## Rust-Level Results (Criterion, release build)

| Benchmark | Time |
|---|---|
| `pkcs7/synta/amazon_roots` | **814 ns** |
| `pkcs7/synta/pem_isrg` | **4.13 µs** |
| `pkcs12/synta/unencrypted_3certs` | **1.13 µs** |
| `pkcs12/synta/unencrypted_1cert_with_key` | **667 ns** |
## Python vs cryptography (bench_pkcs.py, CPython 3.14+)

| Input | synta | cryptography | Ratio |
|---|---|---|---|
| PKCS#7 DER (amazon_roots) | **1.55 µs** | 48.3 µs | ~31× |
| PKCS#7 PEM (pem_isrg) | **4.47 µs** | 37.4 µs | ~8× |
| PKCS#12 unencrypted (3 certs) | **2.11 µs** | 159.7 µs | ~76× |
| PKCS#12 unencrypted (1 cert + key) | **1.06 µs** | — | — |

The PyO3 boundary adds ~0.7–0.8 µs over the Rust-level times for the DER cases; PEM cases
are comparable because the base-64 decode dominates the parse cost for both layers.

## Why These Numbers Differ

**PKCS#7 DER:** synta walks the SignedData SEQUENCE with a single-pass forward scan,
collecting raw DER certificate byte spans with no intermediate allocation per certificate.
The ~814 ns Rust / ~1.55 µs Python cost grows sub-linearly with the number of embedded
certificates. `cryptography` constructs a full `PKCS7` object plus a Python list of
`x509.Certificate` objects, allocating Python heap objects for each embedded cert.

**PKCS#7 PEM:** both synta and `cryptography` must base-64 decode the PEM armor before the
DER parse. The PEM decode alone accounts for ~3 µs, which is why the PEM ratio (8×) is
lower than the DER ratio (31×). The DER parse cost after decoding is the same as the DER
case.

**PKCS#12:** synta uses a pure-Rust PKCS#12 parser that identifies certificate bags in a
single forward pass through the `PFX → AuthenticatedSafe → SafeContents` nesting. No MAC
verification or key decryption is performed when only certificate extraction is requested,
so certificates extracted this way have not been integrity-checked by the archive MAC.
`cryptography` calls OpenSSL `PKCS12_parse()`, which verifies the integrity MAC, decrypts
the full archive (even when the password is absent or empty), and constructs key objects,
all of which are mandatory steps in the OpenSSL PKCS#12 API regardless of what the caller requests.
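
The single-pass forward scan described for PKCS#7 DER above, as an added example that is not synta's code: `tlv`, `expect`, `cert_spans` and `SAMPLE` are hypothetical names, and the input is a constructed blob whose two "certificates" are placeholder SEQUENCEs. It assumes definite-length encoding and single-byte tags, and bounds every child by its parent so that a lying length field yields `None` rather than an out-of-range span.

```rust
use std::ops::Range;
// Constructed sample: minimal SignedData; two placeholder SEQUENCEs stand in for certificates.
pub const SAMPLE: [u8; 50] = [
    0x30, 0x30, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, // ContentInfo
    0xa0, 0x23, 0x30, 0x21, 0x02, 0x01, 0x01, 0x31, 0x00, // [0], SignedData, version, digests
    0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, // encapContentInfo
    0xa0, 0x0b, 0x30, 0x03, 0x02, 0x01, 0x01, 0x30, 0x04, 0x04, 0x02, 0xaa, 0xbb, // certificates
    0x31, 0x00, // signerInfos (empty)
];
const OID_SIGNED_DATA: [u8; 9] = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02];

/// Read the TLV at `pos`; it must fit inside `buf[..limit]`. Returns (tag, content range).
fn tlv(buf: &[u8], pos: usize, limit: usize) -> Option<(u8, Range<usize>)> {
    let b = buf.get(..limit)?;
    let (tag, first) = (*b.get(pos)?, *b.get(pos + 1)? as usize);
    let n = if first < 0x80 { 0 } else { first & 0x7f }; // count of long-form length bytes
    if tag & 0x1f == 0x1f || first == 0x80 || n > 4 { return None; } // high tag, indefinite, huge
    let long = b.get(pos + 2..pos + 2 + n)?.iter().fold(0usize, |a, &x| (a << 8) | x as usize);
    let start = pos + 2 + n;
    let end = start.checked_add(if n == 0 { first } else { long })?;
    if end > limit { None } else { Some((tag, start..end)) }
}
/// Like `tlv`, but the tag must equal `want`.
fn expect(buf: &[u8], pos: usize, limit: usize, want: u8) -> Option<Range<usize>> {
    tlv(buf, pos, limit).filter(|(t, _)| *t == want).map(|(_, r)| r)
}

/// One forward pass over PKCS#7 SignedData; returns each certificate's byte range, copying nothing.
pub fn cert_spans(der: &[u8]) -> Option<Vec<Range<usize>>> {
    let ci = expect(der, 0, der.len(), 0x30)?; // ContentInfo SEQUENCE
    let oid = expect(der, ci.start, ci.end, 0x06)?; // contentType
    if der[oid.clone()] != OID_SIGNED_DATA[..] { return None; }
    let wrap = expect(der, oid.end, ci.end, 0xa0)?; // [0] EXPLICIT
    let sd = expect(der, wrap.start, wrap.end, 0x30)?; // SignedData SEQUENCE
    let mut pos = sd.start;
    for want in [0x02u8, 0x31, 0x30] { // version, digestAlgorithms, encapContentInfo
        pos = expect(der, pos, sd.end, want)?.end;
    }
    let (t, certs) = tlv(der, pos, sd.end)?; // optional [0] IMPLICIT certificates
    if t != 0xa0 { return Some(Vec::new()); } // field absent: no certificates
    let (mut out, mut p) = (Vec::new(), certs.start);
    while p < certs.end {
        let (t, c) = tlv(der, p, certs.end)?;
        if t == 0x30 { out.push(p..c.end); } // other CertificateChoices are skipped
        p = c.end;
    }
    Some(out)
}
fn main() { println!("{:?}", cert_spans(&SAMPLE)); }
```

The returned ranges index into the caller's buffer; the bytes they cover are unparsed and unauthenticated until a certificate parser and path validator have processed them.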
## Reproducing

```bash
# Rust (Criterion)
cargo bench -p synta-bench --bench pkcs_formats

# Python vs cryptography
python python/bench_pkcs.py
```