synta 0.2.6

ASN.1 parser, decoder, and encoder library with DER/BER support and C FFI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

# PKI Workflow

This tutorial walks through a complete PKI workflow using `synta-certificate`:
parsing a certificate, checking a CRL, and inspecting an OCSP response.

## Adding the dependency

```toml
[dependencies]
synta-certificate = "0.1"
synta = "0.1"
```

The `openssl` feature is enabled by default, so no extra flags are needed for
certificate building and chain verification.  To use the NSS backend instead:

```toml
[dependencies]
synta-certificate = { version = "0.1", default-features = false, features = ["std", "derive", "nss"] }
```

## Parsing a certificate

```rust,ignore
use synta::{Decoder, Encoding};
use synta_certificate::{Certificate, format_dn, identify_signature_algorithm};

let der = std::fs::read("cert.der")?;
let mut decoder = Decoder::new(&der, Encoding::Der);
let cert: Certificate = decoder.decode()?;

let tbs = &cert.tbs_certificate;

// Serial number (eagerly decoded)
println!("Serial: {:?}", tbs.serial_number);

// Issuer and subject are stored as zero-copy RawDer<'a> spans
let issuer_str  = format_dn(tbs.issuer.as_bytes());
let subject_str = format_dn(tbs.subject.as_bytes());
println!("Issuer:  {}", issuer_str);
println!("Subject: {}", subject_str);

// Signature algorithm
let alg_name = identify_signature_algorithm(&cert.signature_algorithm.algorithm);
println!("Algorithm: {}", alg_name);
```

## Subject Alternative Names

```rust,ignore
use synta_certificate::Certificate;

let cert: Certificate = /* ... */;

for (tag, content) in cert.subject_alt_names() {
    match tag {
        2 => println!("DNS: {}", String::from_utf8_lossy(&content)),
        7 if content.len() == 4 => {
            let octets: [u8; 4] = content.try_into().unwrap();
            println!("IP: {}", std::net::Ipv4Addr::from(octets));
        }
        1 => println!("Email: {}", String::from_utf8_lossy(&content)),
        _ => println!("tag={} len={}", tag, content.len()),
    }
}
```

## Parsing DN attributes

```rust,ignore
use synta_certificate::parse_name_attrs;

let attrs = parse_name_attrs(cert.tbs_certificate.subject.as_bytes());
for (oid, value) in &attrs {
    println!("{} = {}", oid, value);
}
// e.g. "2.5.4.3 = example.com", "2.5.4.10 = Example Inc"
```

## PEM encoding and decoding

```rust,ignore
use synta_certificate::{pem_to_der, der_to_pem};

// Decode: may contain multiple blocks (e.g. a certificate chain)
let pem_bytes = std::fs::read("chain.pem")?;
let ders: Vec<Vec<u8>> = pem_to_der(&pem_bytes);

// Encode: standard RFC 7468 format, 64-char lines
let pem_output = der_to_pem("CERTIFICATE", &der_bytes);
std::fs::write("cert.pem", &pem_output)?;
```

## Parsing a CRL

```rust,ignore
use synta::{Decoder, Encoding};
use synta_certificate::crl::CertificateList;

let der = std::fs::read("revoked.crl")?;
let mut dec = Decoder::new(&der, Encoding::Der);
let crl: CertificateList = dec.decode()?;

let tbs = &crl.tbs_cert_list;
let issuer_str = format_dn(tbs.issuer.as_bytes());
println!("CRL issuer: {}", issuer_str);
println!("This update: {:?}", tbs.this_update);

let revoked = tbs.revoked_certificates.as_ref().map_or(0, |v| v.len());
println!("Revoked entries: {}", revoked);
```

## Parsing a CSR

```rust,ignore
use synta::{Decoder, Encoding};
use synta_certificate::csr::CertificationRequest;

let der = std::fs::read("request.csr")?;
let mut dec = Decoder::new(&der, Encoding::Der);
let csr: CertificationRequest = dec.decode()?;

let info = &csr.certification_request_info;
println!("Subject: {:?}", info.subject);
println!("Version: {:?}", info.version);
```

## Parsing an OCSP response

```rust,ignore
use synta::{Decoder, Encoding};
use synta_certificate::ocsp::OCSPResponse;

let der = std::fs::read("response.der")?;
let mut dec = Decoder::new(&der, Encoding::Der);
let resp: OCSPResponse = dec.decode()?;

println!("Status: {:?}", resp.response_status);
if let Some(rb) = &resp.response_bytes {
    println!("Response type OID: {:?}", rb.response_type);
}
```

## Generating a key and building a certificate

`PrivateKeyBuilder` generates keys through the active backend without exposing
backend-specific types.  It works with both the `openssl` and `nss` features:

```rust,ignore
use synta::{Integer, UtcTime};
use synta_certificate::{CertificateBuilder, PrivateKeyBuilder, x509_types::Time};

let issuer_der:  &[u8] = /* DER-encoded Name SEQUENCE */;
let subject_der: &[u8] = /* DER-encoded Name SEQUENCE */;

// Generate a P-256 key — no backend type appears in caller code
let key      = PrivateKeyBuilder::ec("P-256").generate().expect("key gen failed");
let spki_der = key.public_key_spki_der().expect("SPKI failed");
let signer   = key.as_signer("sha256");

let cert_der: Vec<u8> = CertificateBuilder::new()
    .issuer_name(issuer_der)
    .subject_name(subject_der)
    .public_key_der(&spki_der)
    .serial_number(Integer::from(1i64))
    .not_valid_before(Time::UtcTime(UtcTime::new(2024, 1, 1, 0, 0, 0).unwrap()))
    .not_valid_after(Time::UtcTime(UtcTime::new(2025, 1, 1, 0, 0, 0).unwrap()))
    .sign(signer.as_ref())
    .expect("certificate signing failed");
```

When you already hold an OpenSSL `PKey`, use `OpensslCertificateSigner` directly
(requires the `openssl` feature):

```rust,ignore
use synta_certificate::{CertificateBuilder, OpensslCertificateSigner};

let pkey: native_ossl::pkey::Pkey<native_ossl::pkey::Private> = /* existing OpenSSL private key */;
let signer = OpensslCertificateSigner::new(&pkey, "sha256");

let cert_der: Vec<u8> = CertificateBuilder::new()
    /* … set fields … */
    .sign(&signer)
    .expect("certificate signing failed");
```

For ML-DSA keys, pass an optional FIPS 204 §5.2 context string via `with_context`:

```rust,ignore
// ML-DSA key with optional FIPS 204 §5.2 context string
use synta_certificate::OpensslCertificateSigner;

let pkey: native_ossl::pkey::Pkey<native_ossl::pkey::Private> = /* ML-DSA-44/65/87 key */;
let signer = OpensslCertificateSigner::new(&pkey, "")
    .with_context(b"application-v1"); // domain-separating context; omit for default signing

let cert_der: Vec<u8> = CertificateBuilder::new()
    /* … set fields … */
    .sign(&signer)
    .expect("certificate signing failed");
```

## Building a CSR

```rust,ignore
use synta_certificate::{CsrBuilder, PrivateKeyBuilder};

let key    = PrivateKeyBuilder::rsa(3072).generate()?;
let spki   = key.public_key_spki_der()?;
let signer = key.as_signer("sha256");

let csr_der: Vec<u8> = CsrBuilder::new()
    .subject_name(subject_der)
    .public_key_der(&spki)
    .sign(signer.as_ref())
    .expect("CSR signing failed");
```

## Building a PKCS#12 archive

```rust,ignore
use synta_certificate::{Pkcs12Builder, OpensslPkcs12Encryptor};

let pfx_der: Vec<u8> = Pkcs12Builder::new()
    .certificate(&cert_der)
    .private_key(&key_der)
    .build(b"s3cr3t", &OpensslPkcs12Encryptor::new())
    .expect("PKCS#12 build failed");

std::fs::write("keystore.p12", &pfx_der)?;
```

## Loading a key from a hardware token (PKCS#11)

When private key material lives in an HSM or smart card, use
`BackendPrivateKey::from_pkcs11_uri` to obtain a key reference without
extracting the key material.  The `pkcs11-provider` OpenSSL provider (or an
equivalent NSS PKCS#11 module) must be configured in the system OpenSSL
configuration before calling this function.

```rust,ignore
use synta_certificate::{BackendPrivateKey, CertificateBuilder};

// The URI identifies the token, object label, and (optionally) a PIN.
let key = BackendPrivateKey::from_pkcs11_uri(
    "pkcs11:token=MyHSM;object=ca-signing-key;type=private?pin-value=1234"
)?;

// The public SPKI bytes are extracted from the token; private material stays
// inside the HSM for all signing operations.
let spki_der = key.public_key_spki_der()?;
let signer   = key.as_signer("sha256");

let cert_der: Vec<u8> = CertificateBuilder::new()
    .issuer_name(issuer_der)
    .subject_name(subject_der)
    .public_key_der(&spki_der)
    /* … other fields … */
    .sign(signer.as_ref())
    .expect("certificate signing failed");
```

See [PKI: Keys — PKCS#11 URI](../pki/keys.md#pkcs11-uri--hardware-token-keys) for
the URI format and structured attribute access via `Pkcs11Uri`.

## Verifying a certificate chain

See [PKI: Verification](../pki/verification.md) for the full chain verification
API including trust store setup, policy configuration, and revocation checking.

## Next steps

- [PKI: Certificate](../pki/certificate.md) — full Certificate API reference
- [PKI: Keys](../pki/keys.md) — public key decoding and algorithm identification
- [PKI: Extensions](../pki/extensions.md) — extension access and encoding helpers
- [PKI: Verification](../pki/verification.md) — RFC 5280 path validation