synta 0.2.5

ASN.1 parser, decoder, and encoder library with DER/BER support and C FFI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385

# Best Practices

Guidelines for using synta-codegen effectively in production environments.

## Schema design

### Use descriptive type names

**Good:**
```asn1
UserIdentifier ::= INTEGER (1..999999)
EmailAddress ::= IA5String (SIZE (5..255))
```

**Avoid:**
```asn1
UID ::= INTEGER    -- Too short, unclear
String1 ::= IA5String  -- Generic, unclear purpose
```

### Leverage constraints for validation

**Good:**
```asn1
Port ::= INTEGER (1..65535)
Username ::= IA5String (SIZE (3..32) FROM ("a".."z" | "A".."Z" | "0".."9" | "-" | "_"))
```

**Avoid:**
```asn1
Port ::= INTEGER     -- No validation
Username ::= IA5String  -- Allows any string
```

### Use named values for constants

```asn1
Protocol ::= INTEGER {
    tcp(6),
    udp(17),
    sctp(132)
}
```

Usage:
```rust
let proto = Protocol::TCP;  // Type-safe constant
```

### Design for extensibility

```asn1
Request ::= SEQUENCE {
    version     INTEGER,
    messageId   INTEGER,
    payload     CHOICE {
        v1  [0] RequestV1,
        v2  [1] RequestV2
        -- Future versions can be added without breaking compatibility
    }
}
```

### Avoid deep nesting

**Good:**
```asn1
Address ::= SEQUENCE {
    street  IA5String,
    city    IA5String,
    zip     IA5String
}

User ::= SEQUENCE {
    name    IA5String,
    address Address  -- Separate named type
}
```

**Avoid:** deeply nested anonymous inline SEQUENCEs — they generate
`/* nested sequence */` comments in codegen and are harder to reference.

## Code generation

### Use build scripts for automation

```rust
// build.rs
fn main() {
    println!("cargo:rerun-if-changed=schemas/");
    // use synta-codegen library API — see codegen/overview.md
}
```

### Version control generated code

Committing generated code to version control makes changes reviewable in PRs
and eliminates a generation step in CI/CD.

Add to `.gitignore` exceptions:

```gitignore
# Don't ignore generated code
!src/generated/*.rs
```

### Document generation commands

**Makefile:**
```makefile
.PHONY: generate
generate:
	synta-codegen schemas/base.asn1 --crate-imports -o src/base.rs
	synta-codegen schemas/user.asn1 --crate-imports -o src/user.rs
	cargo fmt
```

## Project organization

### Recommended directory structure

```
my-protocol/
├── Cargo.toml
├── build.rs               # Auto-generation (optional)
├── schemas/               # ASN.1 source files
│   ├── base-types.asn1
│   ├── messages.asn1
│   └── extensions.asn1
├── src/
│   ├── lib.rs
│   ├── base_types.rs      # Generated
│   ├── messages.rs        # Generated
│   └── utils.rs           # Hand-written utilities
└── tests/
    └── integration.rs
```

### Separate generated and manual code

```
src/
├── generated/    # All generated code
│   ├── mod.rs
│   ├── user.rs
│   └── auth.rs
└── manual/       # Hand-written code
    ├── mod.rs
    ├── client.rs
    └── server.rs
```

### Use feature flags appropriately

```toml
[features]
default = ["std"]
std = []
# PATTERN constraint validation: add regex and once_cell to your crate,
# not to synta (synta does not have a "regex" feature)
regex-validation = ["dep:regex", "dep:once_cell"]

[dependencies]
synta = { version = "0.1" }
regex = { version = "1.10", optional = true }
once_cell = { version = "1.19", optional = true }
```

## Performance

### Use `new_unchecked` for trusted data

```rust
// Trusted source (already validated in DB)
let user_id = UserId::new_unchecked(db_value);

// Untrusted source (network input)
let user_id = UserId::new(untrusted_value)?;
```

### Cache validated instances

```rust
use std::collections::HashMap;

let mut port_cache: HashMap<u16, Port> = HashMap::new();
let port = port_cache.entry(raw_value)
    .or_insert_with(|| Port::new(raw_value).expect("invalid port"));
```

### Minimize constraint complexity

**Good:**
```asn1
ValidPort ::= INTEGER (1024..65535)
```

**Avoid (slower to validate):**
```asn1
ManyPorts ::= INTEGER (8001|8002|8003|...|8100)
```

### Reuse encode buffers for hot paths

```rust
let mut buffer = Vec::with_capacity(1024);
for item in &items {
    buffer.clear();
    let mut encoder = Encoder::new(Encoding::Der);
    encoder.encode(item)?;
    buffer.extend_from_slice(&encoder.finish()?);
    send(&buffer);
}
```

## Testing

### Test roundtrip encoding

```rust
use synta::{Decoder, Encoder, Encoding};

#[test]
fn test_user_roundtrip() {
    let user = User {
        id: Integer::from(42),
        username: IA5String::new("alice".to_string()).unwrap(),
        active: Boolean::new(true),
    };
    let mut encoder = Encoder::new(Encoding::Der);
    encoder.encode(&user).unwrap();
    let encoded = encoder.finish().unwrap();
    let mut decoder = Decoder::new(&encoded, Encoding::Der);
    let decoded: User = decoder.decode().unwrap();
    assert_eq!(user, decoded);
}
```

### Test constraint validation

```rust
#[test]
fn test_constraint_validation() {
    assert!(UserId::new(Integer::from(100)).is_ok());
    assert!(UserId::new(Integer::from(0)).is_err());      // too small
    assert!(UserId::new(Integer::from(1000000)).is_err()); // too large
}
```

### Test with real-world data

```rust
use synta::{Decoder, Encoding};
use synta_certificate::Certificate;

#[test]
fn test_parse_real_certificate() {
    let cert_bytes = include_bytes!("../test-data/real-cert.der");
    let mut decoder = Decoder::new(cert_bytes, Encoding::Der);
    let cert: Certificate = decoder.decode()
        .expect("Failed to parse real certificate");
    // cert.tbs_certificate.version is Option<Integer>
    assert_eq!(cert.tbs_certificate.version.as_ref().map(|v| v.as_i64().unwrap()), Some(2));
}
```

### Fuzz testing

```rust
#[test]
fn fuzz_decode_doesnt_panic() {
    use synta::{Decoder, Encoding};
    for _ in 0..1000 {
        let random_data: Vec<u8> = (0..100).map(|_| rand::random()).collect();
        let _ = Decoder::new(&random_data, Encoding::Der).decode::<User>();
        // May error, but must not panic
    }
}
```

## Maintenance

### Use semantic versioning for schema changes

**Breaking changes:**
- Removing fields from SEQUENCE
- Changing field types
- Removing variants from CHOICE
- Tightening constraints

**Non-breaking changes:**
- Adding OPTIONAL fields
- Adding CHOICE variants
- Adding DEFAULT values
- Loosening constraints

### Regenerate after schema updates

```bash
make generate
cargo test
git diff src/generated/   # Review changes
git commit -am "Regenerate after schema update"
```

## Security

### Validate all external input

```rust,ignore
use synta::{Decoder, Encoding};

fn handle_network_message(bytes: &[u8]) -> Result<User> {
    let user: User = Decoder::new(bytes, Encoding::Der).decode()?;
    // Additional business logic validation
    if user.id.value() == 0 {
        return Err("User ID cannot be zero".into());
    }
    Ok(user)
}
```

### Use constrained types for security-sensitive fields

```asn1
Password ::= OCTET STRING (SIZE (8..128))  -- Enforce min/max length
Age ::= INTEGER (0..150)                    -- No negative or absurd values
```

### Limit resource usage

Use `DecoderConfig` when parsing untrusted data to prevent resource exhaustion:

```rust
use synta::{Decoder, DecoderConfig, Encoding};

let bytes: &[u8] = &[];
let config = DecoderConfig {
    max_depth: 16,
    max_sequence_elements: 1_000,
    max_length: 1 * 1024 * 1024, // 1 MiB
};
let mut decoder = Decoder::new_with_config(bytes, Encoding::Der, &config);
```

### Sanitize error messages

```rust
fn safe_error(e: synta::Error) -> String {
    match e {
        synta::Error::InvalidEncoding { .. } => "Invalid data format".to_string(),
        _ => "Internal error".to_string(),
    }
}
```

## Summary checklist

**Schema design:**
- [ ] Descriptive type names
- [ ] Constraints for validation
- [ ] Named values for constants
- [ ] Extensibility (CHOICE variants, OPTIONAL fields)
- [ ] No deep nesting

**Code generation:**
- [ ] Build scripts for automation
- [ ] Generated code in version control
- [ ] Documented generation commands

**Performance:**
- [ ] `new_unchecked` for trusted data
- [ ] Cached validated instances
- [ ] Reused encode buffers

**Testing:**
- [ ] Roundtrip encode/decode test
- [ ] Constraint validation tests
- [ ] Real-world data tests

**Security:**
- [ ] All external input validated
- [ ] Constrained types for security fields
- [ ] `DecoderConfig` limits for untrusted input
- [ ] Error messages sanitized