Deterministic X.509 fixture policy helpers.
This crate centralizes reusable policy used by X.509 fixture producers:
- X.509 negative-policy types used by fixture generators
- re-exports of X.509 spec models from uselesskey-core-x509-spec
- re-exports of deterministic derivation helpers from uselesskey-core-x509-derive
§Examples
Create an expired certificate spec using X509Negative:
```rust
use uselesskey_core_x509::{X509Negative, X509Spec, NotBeforeOffset};

let base = X509Spec::self_signed("example.com");
let expired = X509Negative::Expired.apply_to_spec(&base);
assert_eq!(expired.not_before_offset, NotBeforeOffset::DaysAgo(395));
assert_eq!(expired.validity_days, 365);
```
Build a chain spec and apply a hostname-mismatch negative:
```rust
use uselesskey_core_x509::{ChainNegative, ChainSpec};

let base = ChainSpec::new("api.example.com");
let neg = ChainNegative::HostnameMismatch {
    wrong_hostname: "evil.example.com".to_string(),
};
let modified = neg.apply_to_spec(&base);
assert_eq!(modified.leaf_cn, "evil.example.com");
```
Structs§
- ChainSpec - Specification for generating a three-level X.509 certificate chain (root CA -> intermediate CA -> leaf).
- KeyUsage - Key usage flags for X.509 certificates.
- X509Spec - Specification for generating an X.509 certificate.
Enums§
- ChainNegative - Types of invalid certificate chains for negative testing.
- NotBeforeOffset - Offset for the not_before field.
- X509Negative - Types of invalid X.509 certificates for negative testing.
Constants§
- BASE_TIME_EPOCH_UNIX - 2025-01-01T00:00:00Z used as the deterministic X.509 epoch.
- BASE_TIME_WINDOW_DAYS - Number of days in the deterministic base-time window.
- SERIAL_NUMBER_BYTES - Fixed serial-number byte length for deterministic certificate/CRL serials.
Functions§
- deterministic_base_time - Deterministic base time from a pre-configured BLAKE3 hasher.
- deterministic_base_time_from_parts - Compute deterministic base time from length-prefixed identity parts.
- deterministic_serial_number - Deterministic serial number derived from seed material.
- write_len_prefixed - Write a length-prefixed byte slice into a BLAKE3 hasher.