Deterministic X.509 derivation helpers.
This crate centralizes deterministic logic shared by X.509 fixture producers:
- deterministic base-time derivation from stable identity inputs
- deterministic positive serial number generation
- length-prefixed hashing to avoid input-boundary collisions
§Examples
Derive a deterministic base time from identity parts:
```rust
use uselesskey_core_x509_derive::{
    deterministic_base_time_from_parts, BASE_TIME_EPOCH_UNIX, BASE_TIME_WINDOW_DAYS,
};
use time::OffsetDateTime;

let t = deterministic_base_time_from_parts(&[b"my-label", b"leaf"]);
let epoch = OffsetDateTime::from_unix_timestamp(BASE_TIME_EPOCH_UNIX).unwrap();
let max = epoch + time::Duration::days(i64::from(BASE_TIME_WINDOW_DAYS));
assert!(t >= epoch && t < max);
```

Generate a deterministic serial number from a seed:
```rust
use uselesskey_core_x509_derive::{deterministic_serial_number, SERIAL_NUMBER_BYTES};
use uselesskey_core_seed::Seed;

let serial = deterministic_serial_number(Seed::new([42u8; 32]));
let bytes = serial.to_bytes();
assert_eq!(bytes.len(), SERIAL_NUMBER_BYTES);
assert_eq!(bytes[0] & 0x80, 0, "high bit must be cleared");
```

Constants§
- BASE_TIME_EPOCH_UNIX - 2025-01-01T00:00:00Z used as the deterministic X.509 epoch.
- BASE_TIME_WINDOW_DAYS - Number of days in the deterministic base-time window.
- SERIAL_NUMBER_BYTES - Fixed serial-number byte length for deterministic certificate/CRL serials.
Functions§
- deterministic_base_time - Deterministic base time from a pre-configured BLAKE3 hasher.
- deterministic_base_time_from_parts - Compute deterministic base time from length-prefixed identity parts.
- deterministic_serial_number - Deterministic serial number derived from seed material.
- write_len_prefixed - Write a length-prefixed byte slice into a BLAKE3 hasher.
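
Why length-prefixed identity parts avoid input-boundary collisions, shown as an added example that is not code from this crate. It uses only the standard library: FNV-1a stands in for the BLAKE3 hasher, and the u64 little-endian prefix, the function names and the sample identities are assumptions made for illustration.

```rust
/// Naive framing: parts are joined back to back, so boundaries are lost.
fn frame_concat(parts: &[&[u8]]) -> Vec<u8> {
    parts.concat()
}

/// Length-prefixed framing: every part is preceded by its byte length.
/// Assumption: u64 little-endian prefix; the page does not state the width.
fn frame_len_prefixed(parts: &[&[u8]]) -> Vec<u8> {
    let mut out = Vec::new();
    for p in parts {
        out.extend_from_slice(&(p.len() as u64).to_le_bytes());
        out.extend_from_slice(p);
    }
    out
}

/// FNV-1a 64-bit, a std-only stand-in for the crate's BLAKE3 hasher.
/// Not collision resistant; it only makes the framing effect visible.
fn digest(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, b| {
        (h ^ u64::from(*b)).wrapping_mul(0x0000_0100_0000_01b3)
    })
}

/// True when two identities hash to the same value under `frame`.
fn collides(frame: fn(&[&[u8]]) -> Vec<u8>, a: &[&[u8]], b: &[&[u8]]) -> bool {
    digest(&frame(a)) == digest(&frame(b))
}

fn main() {
    // Constructed identities: same bytes overall, different part boundaries.
    let a: &[&[u8]] = &[b"my-label", b"leaf"];
    let b: &[&[u8]] = &[b"my-labell", b"eaf"];
    // Edge case: an empty part moves the boundary without adding bytes.
    let c: &[&[u8]] = &[b"my-labelleaf", b""];

    for (x, y) in [(a, b), (a, c), (b, c)] {
        println!(
            "concat collides: {}, length-prefixed collides: {}",
            collides(frame_concat, x, y),
            collides(frame_len_prefixed, x, y)
        );
    }
}
```

Without the prefix, all three identities feed the hasher the same byte stream, so any value derived from the digest (such as a base time) would be shared between distinct fixtures.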