Synta

Table of Contents generated with DocToc

• Installation
• Quick Start
• Features
  • Core ASN.1 codec
  • [Code generation (synta-codegen)](#code-generation-synta-codegen)
  • [X.509 PKI (synta-certificate)](#x509-pki-synta-certificate)
  • [CBOR codec (synta-cbor)](#cbor-codec-synta-cbor)
  • Protocol schemas
  • [X.509 path validation (synta-x509-verification)](#x509-path-validation-synta-x509-verification)
  • Language bindings
• Documentation
• Testing
• Performance
• License

High-performance Rust library for ASN.1 parsing, encoding, and decoding.

~0.48 µs per X.509 certificate parse-only — 3.1× faster than the next-best pure-Rust implementation, 18× faster than NSS. See docs/performance.md.

Installation

[dependencies]
synta = "0.1"

# With serde Serialize/Deserialize support
synta = { version = "0.1", features = ["serde"] }

# no_std with alloc
synta = { version = "0.1", default-features = false, features = ["alloc"] }

Quick Start

Decode and encode a primitive type:

use synta::{Decoder, Encoder, Encoding, Integer};

let data = &[0x02, 0x01, 0x2A]; // DER INTEGER 42
let mut decoder = Decoder::new(data, Encoding::Der);
let value: Integer = decoder.decode().unwrap();
assert_eq!(value.as_i64().unwrap(), 42);

let mut encoder = Encoder::new(Encoding::Der);
encoder.encode(&value).unwrap();
assert_eq!(encoder.finish().unwrap(), data);

Typed parsing with derive macros — the recommended approach for production use:

use synta::{Decoder, Encoding, Integer, ObjectIdentifier};
use synta_derive::Asn1Sequence;

#[derive(Asn1Sequence)]
struct AlgorithmIdentifier {
    pub algorithm: ObjectIdentifier,
    #[asn1(optional)]
    pub parameters: Option<Integer>,
}

let mut decoder = Decoder::new(der_bytes, Encoding::Der);
let alg: AlgorithmIdentifier = decoder.decode()?;

Typed decoding generates compile-time-specialised, inlined decode paths and is 3.3× faster than equivalent generic Element traversal.

See docs/tutorial.md for a step-by-step introduction and docs/usage.md for the full API guide.

Features

Core ASN.1 codec

• Typed parsing — Asn1Sequence, Asn1Choice, Asn1Set derive macros generate compile-time-specialised decoders; 3.3× faster than generic Element traversal
• Zero-copy — RawDer<'a>, OctetStringRef<'a>, BitStringRef<'a> borrow from the input buffer with no allocation for large fields
• Encoding rules — DER, BER, and CER all supported
• no_std — core functionality works in embedded environments with the alloc feature; see docs/no_std.md
• Serde — optional Serialize/Deserialize via features = ["serde"]

Code generation (synta-codegen)

• Compiles ASN.1 schema files to ready-to-use Rust or C structs
• Supports ASN.1 Information Object Class parsing, configurable derive-macro gating (DeriveMode), and RawDer output for ANY fields

X.509 PKI (synta-certificate)

• Parsing — X.509 v3 certificates, CRLs (RFC 5280), CSRs (RFC 2986), OCSP responses (RFC 6960)
• Builders — CertificateBuilder, CsrBuilder, Pkcs12Builder, CertificateListBuilder, OCSPResponseBuilder, AttributeCertificateBuilder, CertReqMsgBuilder, CMPMessageBuilder with pluggable signer and encryptor traits; OpensslCertificateSigner and OpensslPkcs12Encryptor backends
• Bundle formats — PKCS#7 SignedData certificate extraction; PKCS#12 certificate/private-key extraction and creation
• CMS full suite — SignedData, EnvelopedData (one-call create_enveloped_data or two-step prepare_enveloped_data + builder for originator info), EncryptedData (AES-CBC encrypt/decrypt), DigestedData, KEM recipient info; requires openssl feature for crypto
• Schema types — RFC 3279 algorithm parameters, Attribute Certificates (RFC 5755), CRMF (RFC 4211), CMP v3 (RFC 9810)
• Helpers — DN formatting and attribute parsing, SAN parsing, zero-alloc algorithm identification, PEM encode/decode

CBOR codec (synta-cbor)

• CborEncode / CborDecode traits — CBOR-specific codec API, separate from the DER/BER Encode/Decode traits
• CborEncoder / CborDecoder — streaming wrappers over ciborium_ll for writing and reading CBOR headers and bodies
• ToCbor / FromCbor — blanket convenience traits (like ToDer / FromDer) that serialise to / from Vec<u8>
• Full type coverage: all ASN.1 primitives, string types, time types, constructed types, ObjectIdentifier (RFC 9090 tag 111), tagged types
• Optional certificate feature: unwrap_cms_cbor CMS helper requires synta-certificate

Protocol schemas

• Kerberos V5 — RFC 4120/4121/4178/6113 types; typed flag wrappers for KDCOptions, TicketFlags, APOptions; principal, time, address, and GSS token helpers (synta-krb5)
• Merkle Tree Certificates — draft-ietf-plants-merkle-tree-certs issuance log builder, inclusion proof generation and verification, trust anchor management with cosignature support (synta-mtc)

X.509 path validation (synta-x509-verification)

• RFC 5280 §6 + CABF Baseline Requirements chain verification
• Crypto-agnostic via SignatureVerifier plug-in trait; OpenSSL backend available
• Name constraint enforcement (DNS, IP, RFC 822 email)
• Configurable extension policy and trust store
• OCSP revocation checking via OcspStore
• Python bindings in synta.x509 (TrustStore, VerificationPolicy, verify_server_certificate, verify_client_certificate)

Language bindings

C/C++ FFI (synta-ffi) — 100+ exported functions covering:

• ASN.1 primitives, string types, time types, constructed types, OIDs
• X.509 certificates, CRLs (RFC 5280), PKCS#10 CSRs, OCSP responses (RFC 6960)
• PEM encode/decode; PKCS#7 and PKCS#12 certificate extraction
• Full CMS: ContentInfo, SignedData, EnvelopedData, EncryptedData (AES-CBC, openssl feature), DigestedData
• Header auto-generated at include/synta.h by cbindgen

Python (synta-python) — PyO3-based, Python 3.8+ stable ABI:

• Certificate, CertificationRequest, CertificateList, OCSPResponse, PublicKey, PrivateKey (with ML-DSA/ML-KEM key generation, sign, verify, KEM encapsulate/decapsulate)
• Builders: CertificateBuilder, CsrBuilder, CertificateListBuilder, OCSPResponseBuilder, AttributeCertificateBuilder, CertReqMsgBuilder/CertReqMessagesBuilder, CMPMessageBuilder; PKCS#12: load_pkcs12_*, create_pkcs12
• synta.cms — full CMS suite: ContentInfo, SignedData, EnvelopedData, EnvelopedDataBuilder, EncryptedData, DigestedData, KEM recipient info
• synta.kem — KEM recipient info types (KEMRecipientInfo, CMSORIforKEMOtherInfo) and ML-KEM OID constants (RFC 9629)
• synta.pkcs8 — PKCS #8 / RFC 5958 private key parsing (OneAsymmetricKey / PrivateKeyInfo)
• synta.pkcs9 — PKCS #9 attribute OID constants (13 OIDs from RFC 2985 / RFC 5652)
• synta.x509 — RFC 5280 / CABF chain verification; synta.krb5 — Kerberos V5 / PKINIT types
• synta.oids — well-known OID constants and algorithm identification helpers

Documentation

Testing

cargo test                             # core library
cargo test --workspace --all-features  # full workspace

# Full CI pipeline: fmt, clippy, doc, C tests, Python tests, benchmarks
./contrib/ci/local-ci.sh all
./contrib/ci/local-ci.sh clippy        # individual job
./contrib/ci/local-ci.sh --valgrind c-test test

See contrib/ci/README.md for all available jobs and flags.

Performance

X.509 certificate parsing (traditional RSA/ECDSA, avg of 5 certs):

Parse time is size-independent: 7 KB post-quantum ML-DSA certificates parse as fast as 900 B traditional ones. Full data including post-quantum, CA store throughput, and methodology: docs/performance.md.

License

Apache-2.0 or MIT, at your option. See LICENSE-APACHE and LICENSE-MIT.