Crate synta_certificate

X.509 Certificate Structures

This crate provides typed X.509 certificate structures based on RFC 5280. The structures are auto-generated from ASN.1 schemas using synta-codegen.

§Features

  • Complete X.509 v3 certificate structures
  • Based on RFC 5280 (Internet X.509 Public Key Infrastructure)
  • Auto-generated from ASN.1 schema
  • X.509v3 extension parsing and formatting
  • Support for post-quantum algorithms (ML-DSA, ML-KEM)
  • Helper functions for algorithm identification

§Two Certificate variants

§Borrowed (crate root) — parse-only workloads

The types at the crate root use zero-copy borrowed representations:

  • signature_value, subject_public_key: BitStringRef<'a> — borrow from the input buffer
  • issuer, subject: RawDer<'a> — raw DER bytes, decoded lazily on demand
  • extensions: Option<RawDer<'a>> — raw DER bytes for the extensions sequence
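  • extn_value: OctetStringRef<'a> — zero-copy

use synta_certificate::Certificate;
use synta::{Decoder, Encoding};

// der_bytes holds the DER-encoded certificate; the decoded `cert` borrows from it.
let mut decoder = Decoder::new(der_bytes, Encoding::Der);
// unwrap() panics on malformed input; handle the error when parsing untrusted data.
let cert: Certificate = decoder.decode().unwrap();
println!("Serial: {:?}", cert.tbs_certificate.serial_number);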
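
The borrowed layout above keeps `extensions` as raw DER and `extn_value` as a zero-copy slice. The following is an added example, not code from this crate and using none of its API: a stand-alone scan of a raw Extensions buffer for one OID, with every result borrowed from the input and malformed lengths rejected. `read_tlv`, `find_extension`, `key_usage_has_bit` and the `SAMPLE` bytes are names and data constructed for this illustration.

```rust
// Added example: stand-alone, uses no synta / synta_certificate API.
// SAMPLE is a constructed Extensions value: keyUsage (2.5.29.15), basicConstraints (2.5.29.19).
const SAMPLE: &[u8] = &[
    0x30, 0x21,
    0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06,
    0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff,
];

/// Read one DER TLV from the front of `input` and return (tag, content, rest),
/// all borrowed from `input`. Truncated, indefinite and non-minimal lengths are rejected.
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    if (tag & 0x1f) == 0x1f { return None; } // multi-byte tags are not needed here
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest) // short form
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        let (len_bytes, rest) = rest.split_at(n);
        if len_bytes[0] == 0 { return None; } // leading zero byte: not minimal
        let len = len_bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 { return None; } // DER requires the short form here
        (len, rest)
    };
    if rest.len() < len { return None; } // declared length runs past the buffer
    let (content, rest) = rest.split_at(len);
    Some((tag, content, rest))
}

/// Scan a DER SEQUENCE OF Extension for the first entry whose extnID content bytes
/// equal `oid` and return its extnValue content. Later entries are never decoded.
fn find_extension<'a>(extensions_der: &'a [u8], oid: &[u8]) -> Option<&'a [u8]> {
    let (tag, mut body, trailing) = read_tlv(extensions_der)?;
    if tag != 0x30 || !trailing.is_empty() { return None; }
    while !body.is_empty() {
        let (tag, ext, rest) = read_tlv(body)?;
        if tag != 0x30 { return None; }
        let (tag, ext_id, after_id) = read_tlv(ext)?;
        if tag != 0x06 { return None; }
        if ext_id == oid {
            let mut field = read_tlv(after_id)?;
            if field.0 == 0x01 { field = read_tlv(field.2)?; } // skip optional `critical` BOOLEAN
            return match field {
                (0x04, value, rest) if rest.is_empty() => Some(value),
                _ => None,
            };
        }
        body = rest;
    }
    None
}

/// Test bit `bit` (RFC 5280 numbering, 0 = digitalSignature) in a KeyUsage extnValue.
fn key_usage_has_bit(extn_value: &[u8], bit: usize) -> Option<bool> {
    let (tag, bits, rest) = read_tlv(extn_value)?;
    let (&unused, data) = bits.split_first()?;
    if tag != 0x03 || !rest.is_empty() || unused > 7 { return None; }
    // Bits beyond the encoded bytes are absent, which DER defines as false.
    Some(data.get(bit / 8).map_or(false, |b| (b & (0x80 >> (bit % 8))) != 0))
}

fn main() {
    let ku = find_extension(SAMPLE, &[0x55, 0x1d, 0x0f]).expect("keyUsage present");
    println!("keyCertSign set: {:?}", key_usage_has_bit(ku, 5));
    println!("truncated input: {:?}", find_extension(&SAMPLE[..20], &[0x55, 0x1d, 0x13]));
}
```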

§Owned (owned) — constructing certificates programmatically

The types in owned use heap-allocating representations:

  • signature_value, subject_public_key: BitString — owned byte buffer
  • issuer, subject: Name<'a> — fully parsed distinguished name
  • extensions: Option<Vec<Extension>> — owned extension list
  • extn_value: OctetString — owned byte buffer

use synta_certificate::owned::{Certificate, TBSCertificate, AlgorithmIdentifier, Name};
use synta::BitString;

// Build a certificate without encode+decode workarounds
let cert = Certificate {
    signature_value: BitString::new(sig_bytes.to_vec(), 0).unwrap(),
    // ... other fields
};

Re-exports§

pub use crypto::token_manager::Pkcs11KeyInfo;
pub use crypto::token_manager::SlotInfo;
pub use crypto::token_manager::TokenManager;
pub use name::decode_string_value;
pub use name::format_dn;
pub use name::format_dn_slash;
pub use name::parse_name_attrs;
pub use name::NameBuilder;
pub use pubkey::decode_public_key_info;
pub use pubkey::PublicKeyInfo;
pub use pem::decode_base64;
pub use pem::der_to_pem;
pub use pem::encode_base64;
pub use pem::pem_blocks;
pub use pem::pem_to_der;
pub use time_utils::parse_generalized_time;
pub use time_utils::parse_time;
pub use pkcs1_types::RsaPublicKey;
pub use mldsa_types::MlDsa44PrivateKey;
pub use mldsa_types::MlDsa44PrivateKeyBoth;
pub use mldsa_types::MlDsa44PublicKey;
pub use mldsa_types::MlDsa65PrivateKey;
pub use mldsa_types::MlDsa65PrivateKeyBoth;
pub use mldsa_types::MlDsa65PublicKey;
pub use mldsa_types::MlDsa87PrivateKey;
pub use mldsa_types::MlDsa87PrivateKeyBoth;
pub use mldsa_types::MlDsa87PublicKey;
pub use crmf_builder::CertReqMessagesBuilder;
pub use crmf_builder::CertReqMsgBuilder;
pub use crmf_builder::PUB_METHOD_DONT_CARE;
pub use crmf_builder::PUB_METHOD_LDAP;
pub use crmf_builder::PUB_METHOD_WEB;
pub use crmf_builder::PUB_METHOD_X500;
pub use cmp_builder::CMPMessageBuilder;
pub use crypto::constant_time_eq;
pub use crypto::default_key_id_hasher;
pub use crypto::default_signature_verifier;
pub use crypto::BackendPrivateKey;
pub use crypto::BackendPublicKey;
pub use crypto::BlockCipherProvider;
pub use crypto::CertificateSigner;
pub use crypto::CmsDecryptor;
pub use crypto::CmsEncryptor;
pub use crypto::DataHasher;
pub use crypto::Encryptor;
pub use crypto::EnvelopedDataDecryptor;
pub use crypto::ErasedCertificateSigner;
pub use crypto::ErasedDataHasher;
pub use crypto::ErasedHmacProvider;
pub use crypto::ErasedKeyIdHasher;
pub use crypto::ErasedSignatureVerifier;
pub use crypto::ErasedStreamingHasher;
pub use crypto::ErasedStreamingHmacProvider;
pub use crypto::HashState;
pub use crypto::HmacProvider;
pub use crypto::HmacState;
pub use crypto::KeyDecryptor;
pub use crypto::KeyEncryptor;
pub use crypto::KeyIdHasher;
pub use crypto::KeyIdMethod;
pub use crypto::KeySpec;
pub use crypto::KeyWrapAlgorithm;
pub use crypto::NoCmsDecryptor;
pub use crypto::NoCrypto;
pub use crypto::NoCryptoError;
pub use crypto::NoEncryptor;
pub use crypto::NoEncryptorError;
pub use crypto::NoEnvelopedDataDecryptor;
pub use crypto::NoEnvelopedDataDecryptorError;
pub use crypto::NoKeyIdHasher;
pub use crypto::NoKeyIdHasherError;
pub use crypto::NoPkcs12Encryptor;
pub use crypto::NoSignatureVerifier;
pub use crypto::NoSignatureVerifierError;
pub use crypto::NoSigner;
pub use crypto::NoSignerError;
pub use crypto::NoSymmetricCrypto;
pub use crypto::Pbkdf2Provider;
pub use crypto::Pkcs12Decryptor;
pub use crypto::Pkcs12Encryptor;
pub use crypto::PrivateKey;
pub use crypto::PrivateKeyBuilder;
pub use crypto::PrivateKeyError;
pub use crypto::RsaPrivateComponents;
pub use crypto::SecureRandom;
pub use crypto::SignatureVerifier;
pub use crypto::StreamingHasher;
pub use crypto::StreamingHmacProvider;
pub use crypto::UnsignedCertificateSigner;
pub use crypto::default_create_enveloped_data;
pub use crypto::default_prepare_enveloped_data;
pub use crypto::DefaultCrypto;
pub use crypto::DefaultCryptoError;
pub use crypto::DefaultEnvelopedDataDecryptor;
pub use crypto::hkdf_expand;
pub use crypto::hkdf_extract;
pub use crypto::hmac_output_len;
pub use pkcs7::certs_from_pkcs7;
pub use pkcs7::Pkcs7Error;
pub use pkcs12::certs_from_pkcs12;
pub use pkcs12::keys_from_pkcs12;
pub use pkcs12::pki_from_pkcs12;
pub use pkcs12::Pkcs12Error;
pub use pkcs12::Pkcs12Pki;
pub use pkcs12_builder::Pkcs12Builder;
pub use pkcs12_builder::Pkcs12BuilderError;
pub use enveloped_data_builder::EnvelopedDataBuilder;
pub use enveloped_data_builder::EnvelopedDataBuilderError;
pub use openssl_backend::create_enveloped_data;
pub use openssl_backend::prepare_enveloped_data;
pub use openssl_backend::OpensslCertificateSigner;
pub use openssl_backend::OpensslCertificateSignerError;
pub use openssl_backend::OpensslDecryptor;
pub use openssl_backend::OpensslDecryptorError;
pub use openssl_backend::OpensslEncryptor;
pub use openssl_backend::OpensslEncryptorError;
pub use openssl_backend::OpensslEnvelopedDataDecryptor;
pub use openssl_backend::OpensslKeyError;
pub use openssl_backend::OpensslKeyIdHasher;
pub use openssl_backend::OpensslKeyIdHasherError;
pub use openssl_backend::OpensslPkcs12Encryptor;
pub use openssl_backend::OpensslPrivateKey;
pub use openssl_backend::OpensslRsaOaepDecryptor;
pub use openssl_backend::OpensslRsaOaepEncryptor;
pub use openssl_backend::OpensslRsaPkcs1Decryptor;
pub use openssl_backend::OpensslRsaPkcs1Encryptor;
pub use openssl_backend::OpensslSignatureVerifier;
pub use openssl_backend::OpensslSymmetricCrypto;
pub use openssl_backend::OpensslSymmetricError;
pub use openssl_backend::OpensslVerifierError;
pub use openssl_backend::Pkcs12Cipher;
pub use openssl_backend::Pkcs12Config;
pub use openssl_backend::Pkcs12HmacAlgorithm;
pub use ext_builder::encode_authority_key_identifier;
pub use ext_builder::encode_basic_constraints;
pub use ext_builder::encode_key_usage;
pub use ext_builder::encode_subject_key_identifier;
pub use ext_builder::AuthorityInformationAccessBuilder;
pub use ext_builder::CRLDistributionPointsBuilder;
pub use ext_builder::CertificatePoliciesBuilder;
pub use ext_builder::ExtendedKeyUsageBuilder;
pub use ext_builder::IssuerAlternativeNameBuilder;
pub use ext_builder::IssuingDistributionPointBuilder;
pub use ext_builder::NameConstraintsBuilder;
pub use ext_builder::SubjectAlternativeNameBuilder;
pub use builder::BuilderError;
pub use builder::CertificateBuilder;
pub use csr_builder::CsrBuilder;
pub use csr_builder::CsrBuilderError;
pub use ac_builder::AttributeCertificateBuilder;
pub use crl_builder::CertificateListBuilder;
pub use ocsp_builder::OCSPResponseBuilder;
pub use ocsp_builder::SingleResponseSpec;
pub use ocsp_request_builder::CertIDSpec;
pub use ocsp_request_builder::OCSPRequestBuilder;
pub use tsp_builder::TimeStampReqBuilder;
pub use ess_builder::ESSSecurityLabelBuilder;
pub use ess_builder::ReceiptRequestBuilder;
pub use ess_builder::SigningCertificateBuilder;
pub use pkcs5_builder::Pbes2ParamsBuilder;
pub use pkcs5_builder::Pbkdf2ParamsBuilder;
pub use logotype_builder::LogotypeDetailsSpec;
pub use logotype_builder::LogotypeExtnBuilder;
pub use ace88_builder::AuthenticationContextsBuilder;
pub use reader::read_pki_blocks;
pub use reader::PkiDecryptor;
pub use reader::ReadAnyError;
pub use general_name::GeneralNameSpec;

Modules§

ac_builder
Builder for RFC 5755 Attribute Certificate TBS encoding.
ace88_builder
Builder for RFC 7773 Authentication Context certificate extension (ACE-88).
ace88_types
RFC 7773 Authentication Context Certificate Extension (ACE-88, 1988 syntax).
acme_types
RFC 8737: ACME TLS-ALPN-01 identifier extension (id-pe-acmeIdentifier).
alg_info_types
RFC 5912 AlgorithmInformation-2009 — algorithm information object classes and the parameterized AlgorithmIdentifier type for 2009-syntax modules.
attribute_cert_types
RFC 5755 X.509 Attribute Certificate v2 types.
builder
X.509 v3 certificate builder.
cbor_content_types
RFC 8769 CBOR content type OID constants for CMS.
cert_image_module_types
RFC 9399 §A.1 Certificate Image OID module.
cmp_builder
Builder for CMP (RFC 9810 / RFC 4210) PKI messages.
cmp_types
RFC 9810 Certificate Management Protocol (CMP) v3 types.
cms_2009_types
RFC 5911 CryptographicMessageSyntax-2009 OID constants and structural types.
cms_2010_types
RFC 5652 / RFC 6268 Cryptographic Message Syntax (CMS) 2010 types.
cms_cek_hkdf_sha256_2023_types
S/MIME v3.1 message types and OIDs (RFC 8551).
cms_gmac_algorithms_types
CMS CEK-HKDF-SHA256 Algorithm OID (RFC 9709).
cms_kem_types
RFC 9629 §6.2 CMS KEM Recipient Info types.
cms_ori_for_psk_2019_types
PKCS#12 PBMAC1 MAC parameters (RFC 9879).
cms_rfc5652_types
RFC 5652 Cryptographic Message Syntax (CMS) full structure types.
crl
X.509 Certificate Revocation List (RFC 5280 §5) types.
crl_builder
Builder for RFC 5280 §5 Certificate Revocation List TBS encoding.
crmf_builder
Builder for CRMF (RFC 4211) certificate request messages.
crmf_types
RFC 4211 Certificate Request Message Format (CRMF) types.
crypto
Crypto trait abstractions and backend-agnostic key types.
csr
PKCS #10 Certificate Signing Request (RFC 2986) types.
csr_builder
PKCS #10 Certificate Signing Request (RFC 2986) builder.
delegated_cred_extn_types
RFC 9345 DelegatedCredentialExtn — DelegationUsage certificate extension.
enveloped_data_builder
CMS EnvelopedData (RFC 5652 §6) builder.
ess_builder
Builders for RFC 2634 Extended Security Services (ESS) structures.
ess_types
RFC 2634 Extended Security Services (ESS) types.
ext_builder
DER encoders for common X.509 v3 extension values.
general_name
Context-specific tag numbers for the GeneralName CHOICE type (RFC 5280 §4.2.1.6).
hkdf_oid_2019_types
CMS GMAC Algorithm OIDs and parameters (RFC 9044).
kem_alg_info_types
RFC 9629 §6.1 KEM Algorithm Information Object Class.
logotype_builder
Builder for RFC 9399 Logotype certificate extension (OID 1.3.6.1.5.5.7.1.12).
logotype_cert_extn_types
RFC 9399 §A.1 Logotype certificate extension types (1988 ASN.1 syntax).
mldsa_types
ML-DSA key structure types (RFC 9881 / FIPS 204).
ms_pki_types
Microsoft PKI OID constants and AD CS extension structures.
name
X.509 Distinguished Name formatting and building.
names
Human-readable algorithm name strings.
nf_type_cert_extn_types
RFC 9310 NFTypeCertExtn — Network Function type certificate extension.
no_rev_avail_extn_types
RFC 9608 NoRevAvailExtn — noRevAvail certificate extension (OID 2.5.29.56).
ocsp
Online Certificate Status Protocol (RFC 6960) types.
ocsp_2024_08_types
RFC 9654 OCSP-2024-08 — updated OCSP module in 2008 ASN.1 syntax.
ocsp_2024_88_types
RFC 9654 OCSP-2024-88 — updated OCSP module in 1988 ASN.1 syntax.
ocsp_builder
Builder for RFC 6960 OCSP response encoding.
ocsp_request_builder
Builder for RFC 6960 OCSP request encoding.
oids
Well-known algorithm and attribute OID component arrays.
openssl_backend
OpenSSL-backed crate::Pkcs12Decryptor and crate::SignatureVerifier implementations.
owned
Owned X.509 types for constructing certificates programmatically.
pem
pk_validation_attr_types
RFC 8479 PrivateKeyValidationAttrV1 — private key validation attribute.
pkcs7
pkcs1_types
PKCS #1 RSA key structures and algorithm parameters (RFC 8017).
pkcs5_builder
Builders for PKCS #5 v2.1 (RFC 8018) parameter structures.
pkcs5_types
PKCS #5 v2.1 parameter types and OID constants (RFC 8018).
pkcs7_types
CMS / PKCS#7 OID constants and ContentInfo type.
pkcs8_types
PKCS #8 private key structure types.
pkcs9_types
PKCS #9 attribute type OID constants.
pkcs12
pkcs11_mgmt
PKCS#11 token management via the cryptoki crate.
pkcs12_builder
PKCS#12 PFX archive builder.
pkcs12_pbmac1_2023_types
RPKI signed manifest types (RFC 9286).
pkcs12_types
PKCS#12 OID constants and parameter types.
pkinit_types
PKINIT OID constants and protocol structures.
pkix1_explicit_types
RFC 5912 PKIX1Explicit-2009 — 2009-syntax restatement of the RFC 5280 explicit-tags module, using information object classes and parameterized types.
pkix1_implicit_types
RFC 5912 PKIX1Implicit-2009 — 2009-syntax restatement of the RFC 5280 implicit-tags module, defining X.509v3 certificate extension structures.
pkix1_pss_oaep_alg_2009_types
RFC 5912 §8 PKIX1-PSS-OAEP-Algorithms-2009 — RSA-PSS and RSA-OAEP.
pkix_common_types
RFC 5912 PKIX-CommonTypes-2009 — information object class definitions and parameterized helper types used across the 2009-syntax PKIX module suite.
pkix_test_cert_policies_types
RFC 7229 test certificate policy OIDs.
pkixalgs_2009_types
RFC 5912 PKIXAlgs-2009 — 2009-syntax restatement of RFC 3279 / RFC 5480 public key and signature algorithm parameters.
pkixalgs_types
RFC 3279 algorithm parameter and signature types (DSA, DH, ECDSA).
pubkey
Public key algorithm identification and decoded key data.
reader
Format-agnostic PKI data reader.
rfc9925_types
RFC 9925 Unsigned X.509 Certificate OID constants.
rpc_with_tls_2021_types
CMS OtherRecipientInfo for Pre-Shared Key (RFC 8696).
rpki_manifest_types
FileAndHash for RPKI signed object manifest content type.
slh_dsa_module_2024_types
RFC 9814 SLH-DSA (SPHINCS+) X.509 key-container types.
smime_v3dot1_types
for S/MIME 4.0 message handling.
time_utils
Shared time-string parsing helpers for the builder modules.
tls_feature_module_types
RFC 7633 TLS-Feature-Module-2015 — TLS features certificate extension.
tsp_builder
Builder for RFC 3161 Time-Stamp Protocol (TSP) request encoding.
tsp_types
RFC 3161 Time-Stamp Protocol (TSP) types.
x509_ml_dsa_2025_types
RFC 9881 X.509 ML-DSA (CRYSTALS-Dilithium) algorithm identifier module.
x509_ml_kem_2025_types
RFC 9935 ML-KEM (CRYSTALS-Kyber) X.509 key-container types.

Structs§

AccessDescription
AlgorithmIdentifier
AttributeTypeAndValue
AuthorityKeyIdentifier
BasicConstraints
CertByteRanges
Byte ranges within a DER-encoded Certificate needed for signature verification.
Certificate
DistributionPoint
EDIPartyName
Extension
GeneralSubtree
IssuingDistributionPoint
NameConstraints
OtherName
Pkcs11Uri
RFC 7512 pkcs11: URI — holds the verbatim URI string and decoded attributes (token label, object label, CKA_ID, PIN). Returned by Pkcs11Uri for HSM-backed keys. A parsed pkcs11: URI — holds both the original string and the decoded attributes so callers never need to re-parse.
Pkcs11UriAttributes
Parsed attributes from a pkcs11: URI (RFC 7512).
PolicyConstraints
PolicyInformation
PolicyMappingsElement
PolicyQualifierInfo
SubjectPublicKeyInfo
TBSCertificate
Validity

Enums§

DirectoryString
DistributionPointName
GeneralName
Name
Time

Constants§

ANSI_X962
ANSI_X962_CURVES
ANSI_X962_KEY_TYPE
ANSI_X962_SIGNATURES
ANY_EXTENDED_KEY_USAGE
CERTICOM_CURVE
DOMAIN_COMPONENT
ECDSA_WITH_SHA1
ECDSA_WITH_SHA256
ECDSA_WITH_SHA384
ECDSA_WITH_SHA512
EC_PUBLIC_KEY
GOOGLE_ARC
GOOGLE_CT
HASH_ALGS
ID_AD
ID_AD_CA_ISSUERS
ID_AD_OCSP
ID_ALG
ID_AT
ID_AT_BUSINESS_CATEGORY
ID_AT_COMMON_NAME
ID_AT_COUNTRY_NAME
ID_AT_DN_QUALIFIER
ID_AT_GENERATION_QUALIFIER
ID_AT_GIVEN_NAME
ID_AT_INITIALS
ID_AT_LOCALITY_NAME
ID_AT_ORGANIZATIONAL_UNIT_NAME
ID_AT_ORGANIZATION_IDENTIFIER
ID_AT_ORGANIZATION_NAME
ID_AT_POSTAL_CODE
ID_AT_PSEUDONYM
ID_AT_SERIAL_NUMBER
ID_AT_STATE_OR_PROVINCE_NAME
ID_AT_STREET_ADDRESS
ID_AT_SURNAME
ID_AT_TITLE
ID_CE
ID_CE_AUTHORITY_KEY_IDENTIFIER
ID_CE_BASIC_CONSTRAINTS
ID_CE_CERTIFICATE_ISSUER
ID_CE_CERTIFICATE_POLICIES
ID_CE_C_RLDISTRIBUTION_POINTS
ID_CE_C_RLNUMBER
ID_CE_C_RLREASON
ID_CE_DELTA_CRLINDICATOR
ID_CE_EXT_KEY_USAGE
ID_CE_FRESHEST_CRL
ID_CE_INHIBIT_ANY_POLICY
ID_CE_INVALIDITY_DATE
ID_CE_ISSUER_ALT_NAME
ID_CE_ISSUING_DISTRIBUTION_POINT
ID_CE_KEY_USAGE
ID_CE_NAME_CONSTRAINTS
ID_CE_POLICY_CONSTRAINTS
ID_CE_POLICY_MAPPINGS
ID_CE_PRIVATE_KEY_USAGE_PERIOD
ID_CE_SUBJECT_ALT_NAME
ID_CE_SUBJECT_DIRECTORY_ATTRIBUTES
ID_CE_SUBJECT_KEY_IDENTIFIER
ID_CT_SCTS
ID_DSA
ID_ED448
ID_ED25519
ID_EMAIL_ADDRESS
ID_KP
ID_KP_CLIENT_AUTH
ID_KP_CODE_SIGNING
ID_KP_EMAIL_PROTECTION
ID_KP_OCSPSIGNING
ID_KP_SERVER_AUTH
ID_KP_TIME_STAMPING
ID_MLDSA44_ECDSA_P256_SHA256
ID_MLDSA44_ED25519_SHA512
ID_MLDSA44_RSA2048_PKCS15_SHA256
ID_MLDSA44_RSA2048_PSS_SHA256
ID_MLDSA65_ECDSA_BRAINPOOL_P256R1_SHA512
ID_MLDSA65_ECDSA_P256_SHA512
ID_MLDSA65_ECDSA_P384_SHA512
ID_MLDSA65_ED25519_SHA512
ID_MLDSA65_RSA3072_PKCS15_SHA512
ID_MLDSA65_RSA3072_PSS_SHA512
ID_MLDSA65_RSA4096_PKCS15_SHA512
ID_MLDSA65_RSA4096_PSS_SHA512
ID_MLDSA87_ECDSA_BRAINPOOL_P384R1_SHA512
ID_MLDSA87_ECDSA_P384_SHA512
ID_MLDSA87_ECDSA_P521_SHA512
ID_MLDSA87_ED448_SHAKE256
ID_MLDSA87_RSA3072_PSS_SHA512
ID_MLDSA87_RSA4096_PSS_SHA512
ID_ML_DSA_44
ID_ML_DSA_65
ID_ML_DSA_87
ID_ML_KEM_512
ID_ML_KEM_768
ID_ML_KEM_1024
ID_PE
ID_PE_AUTHORITY_INFO_ACCESS
ID_PE_SUBJECT_INFO_ACCESS
ID_SHA1
ID_SHA3_224
ID_SHA3_256
ID_SHA3_384
ID_SHA3_512
ID_SHA224
ID_SHA256
ID_SHA384
ID_SHA512
ID_SHA512_224
ID_SHA512_256
ID_SHAKE128
ID_SHAKE256
ID_SLH_DSA_SHA2_128F
ID_SLH_DSA_SHA2_128S
ID_SLH_DSA_SHA2_192F
ID_SLH_DSA_SHA2_192S
ID_SLH_DSA_SHA2_256F
ID_SLH_DSA_SHA2_256S
ID_SLH_DSA_SHAKE_128F
ID_SLH_DSA_SHAKE_128S
ID_SLH_DSA_SHAKE_192F
ID_SLH_DSA_SHAKE_192S
ID_SLH_DSA_SHAKE_256F
ID_SLH_DSA_SHAKE_256S
KEM_ALGS
KEY_USAGE_C_RLSIGN
Bit position for cRLSign in KeyUsage
KEY_USAGE_DATA_ENCIPHERMENT
Bit position for dataEncipherment in KeyUsage
KEY_USAGE_DECIPHER_ONLY
Bit position for decipherOnly in KeyUsage
KEY_USAGE_DIGITAL_SIGNATURE
Bit position for digitalSignature in KeyUsage
KEY_USAGE_ENCIPHER_ONLY
Bit position for encipherOnly in KeyUsage
KEY_USAGE_KEY_AGREEMENT
Bit position for keyAgreement in KeyUsage
KEY_USAGE_KEY_CERT_SIGN
Bit position for keyCertSign in KeyUsage
KEY_USAGE_KEY_ENCIPHERMENT
Bit position for keyEncipherment in KeyUsage
KEY_USAGE_NON_REPUDIATION
Bit position for nonRepudiation in KeyUsage
MD5_WITH_RSA
NIST_ALGORITHMS
OIW_SECSIG_ALGORITHMS
PKCS_1
PKCS_9
PRIME256V1
REASON_FLAGS_AFFILIATION_CHANGED
Bit position for affiliationChanged in ReasonFlags
REASON_FLAGS_A_ACOMPROMISE
Bit position for aACompromise in ReasonFlags
REASON_FLAGS_CERTIFICATE_HOLD
Bit position for certificateHold in ReasonFlags
REASON_FLAGS_CESSATION_OF_OPERATION
Bit position for cessationOfOperation in ReasonFlags
REASON_FLAGS_C_ACOMPROMISE
Bit position for cACompromise in ReasonFlags
REASON_FLAGS_KEY_COMPROMISE
Bit position for keyCompromise in ReasonFlags
REASON_FLAGS_PRIVILEGE_WITHDRAWN
Bit position for privilegeWithdrawn in ReasonFlags
REASON_FLAGS_SUPERSEDED
Bit position for superseded in ReasonFlags
REASON_FLAGS_UNUSED
Bit position for unused in ReasonFlags
RSA_ENCRYPTION
SECP256K1
SECP384R1
SECP521R1
SHA1_WITH_RSA
SHA256_WITH_RSA
SHA384_WITH_RSA
SHA512_WITH_RSA
SIG_ALGS
UID

Functions§

cert_byte_ranges
Extract the byte ranges required for certificate signature verification from a DER-encoded Certificate.
decode_extensions
Decode the raw DER bytes of an Extensions SEQUENCE OF into a Vec<Extension>.
default_block_cipher_provider
Return the default BlockCipherProvider for the active crypto backend.
default_data_hasher
Return the default DataHasher for the active crypto backend.
default_hmac_provider
Return the default HmacProvider for the active crypto backend.
default_pbkdf2_provider
Return the default Pbkdf2Provider for the active crypto backend.
default_secure_random
Return the default SecureRandom for the active crypto backend.
default_streaming_hasher
Return the default StreamingHasher for the active crypto backend.
default_streaming_hmac_provider
Return the default StreamingHmacProvider for the active crypto backend.
digest_alg_id
Return the AlgorithmIdentifier for a named hash (digest) algorithm.
ec_curve_key_bits
Return the key size in bits for a well-known EC named curve OID.
ec_curve_nist_name
Return the NIST curve name for a well-known EC named curve OID.
ec_curve_short_name
Return the short ASN.1 name for a well-known EC named curve OID.
encode_general_names
Encode a list of (tag_number, content_bytes) pairs as a DER SEQUENCE OF GeneralName.
extension_oid_name
Return the display name for a well-known X.509v3 extension OID.
find_extension_value
Single-pass scan of a DER-encoded SEQUENCE OF Extension, returning the extnValue content bytes of the first extension whose extnId matches oid. Stops as soon as the matching extension is found without decoding the remainder of the sequence.
format_extension_value
Format the human-readable content of a well-known X.509v3 extension value.
identify_public_key_algorithm
Return the canonical display name for a public key algorithm OID, if known.
identify_signature_algorithm
Return the canonical display name for a signature algorithm OID.
key_usage_bit
Test one bit in a KeyUsage BIT STRING.
list_pkcs11_slots
List all PKCS#11 token slots using the active module.
merge_object_label
Insert object=<label> into the path portion of a pkcs11: URI, replacing any existing object= segment.
parse_general_names
Parse a DER-encoded SEQUENCE OF GeneralName into raw (tag_number, content) pairs.
pct_encode_path
Percent-encode a string value for use in a PKCS#11 URI path component.
pkcs11_manager
Return a Pkcs11Manager using the active module (resolved from PKCS11_MODULE_PATH env var or /usr/lib64/pkcs11/p11-kit-proxy.so).
signing_algorithm_der
Build and DER-encode a signing AlgorithmIdentifier from a key type OID and a hash algorithm name.
validate_envelope
Validate the outer Certificate SEQUENCE envelope without fully decoding.

Type Aliases§

AttributeType
AttributeValue
AuthorityInfoAccessSyntax
CRLDistributionPoints
CertificatePolicies
CertificateSerialNumber
ExtendedKeyUsage
Extensions
FreshestCRL
GeneralNames
GeneralSubtrees
InhibitAnyPolicy
IssuerAltName
KeyPurposeId
KeyUsage
PolicyMappings
RDNSequence
ReasonFlags
RelativeDistinguishedName
SubjectAltName
SubjectInfoAccessSyntax
SubjectKeyIdentifier
UniqueIdentifier
Version