feat(native): certificates extension pack with zero-copy API adaptation #187

Merged
JeromySt merged 3 commits into users/jstatia/native_ports_final from native_certificates
Apr 3, 2026
@JeromySt JeromySt commented Apr 2, 2026

Phase 4 staged merge: certificates and certificates_local extension packs from native_ports, adapted for the zero-copy architecture on native_ports_final.

Crates Added (4)

| Crate | Purpose |
|---|---|
| `cose_sign1_certificates` | X.509 chain building, signing service, validation trust pack, x5t/x5chain header contributor |
| `cose_sign1_certificates_local` | Ephemeral cert creation, PEM/DER/PFX loaders, chain factory, software key provider |
| `cose_sign1_certificates_ffi` | C-ABI projection for certificates |
| `cose_sign1_certificates_local_ffi` | C-ABI projection for local certs |

C/C++ Projections

  • `certificates.h/hpp`: Trust pack registration, fluent policy builder helpers (RequireX509ChainTrusted, RequireLeafSubjectEq, etc.)
  • `certificates_local.h/hpp`: RAII factory wrappers (EphemeralCertificateFactory, CertificateChainFactory), cert loading helpers

Zero-Copy API Adaptations

  • `CoseHeaderValue::Bytes/Raw` now use `ArcSlice` — all construction sites updated with `.into()`
  • `LazyHeaderMap` access via `.headers()` for `get_bytes_one_or_many()`
  • `ExplicitCertificateChainBuilder` uses `Arc<Vec<Vec<u8>>>` to avoid deep-cloning certificate chains
  • Test updated for lazy header parsing (parse succeeds, `try_headers()` fails on invalid CBOR)

Quality Improvements

  • SAFETY docs on all unsafe FFI blocks and inline `// SAFETY:` comments
  • `cose_status_t` includes `cose.h` instead of redefining (fixes ODR conflict)
  • `release()` methods on RAII C++ wrappers for ownership transfer
  • Clippy fixes: `#[derive(Default)]`, `.is_multiple_of()`, type alias for complex return
  • `[lints.rust]` coverage_nightly cfg in all Cargo.toml files

Test Results

6,669 tests, 0 failures. Clippy clean. Cargo fmt clean.

Phase 4 staged merge: certificates and certificates_local extension packs
from native_ports, adapted for the zero-copy architecture on native_ports_final.

Rust crates (4):
  - cose_sign1_certificates: X.509 chain building, signing service,
    validation trust pack, x5t/x5chain header contributor
  - cose_sign1_certificates_local: Ephemeral cert creation, PEM/DER/PFX
    loaders, chain factory, software key provider
  - cose_sign1_certificates_ffi: C-ABI projection for certificates
  - cose_sign1_certificates_local_ffi: C-ABI projection for local certs

C/C++ projections:
  - certificates.h/hpp: Trust pack registration, policy builder helpers
  - certificates_local.h/hpp: RAII factory wrappers, cert loading

Zero-copy API adaptations:
  - CoseHeaderValue::Bytes/Raw now use ArcSlice (not Vec<u8>)
  - LazyHeaderMap access via .headers() for get_bytes_one_or_many()
  - ExplicitCertificateChainBuilder uses Arc<Vec<Vec<u8>>> to avoid
    deep-cloning certificate chains
  - Test data uses .into() for Vec<u8> -> ArcSlice conversion

Quality improvements:
  - SAFETY docs on all unsafe FFI blocks
  - cose_status_t includes cose.h instead of redefining
  - release() methods on RAII C++ wrappers
  - Clippy fixes: derive Default, is_multiple_of(), type alias
  - LazyHeaderMap test updated for deferred header parsing
  - [lints.rust] coverage_nightly cfg in all Cargo.toml files

6,669 tests, 0 failures. Clippy clean.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@JeromySt JeromySt force-pushed the native_certificates branch 9 times, most recently from fa090f5 to 9c3c588 on April 3, 2026 01:35
Phase 4 of native Rust migration: certificates + certificates_local + 2 FFI crates.

Zero-copy design:
- parse_message_chain() returns Vec<ArcSlice> (Arc refcount bumps, no data copies)
- ParsedCert::der uses ArcSlice instead of Arc<Vec<u8>> (eliminates double-indirection)
- extract_x5chain() returns Vec<ArcSlice> for zero-copy header extraction
- Signing key resolver stores ArcSlice cert_arc (zero-copy from message buffer)
- Header extraction uses get_arc_slices_one_or_many() (no allocation on hot path)
- Counter-signature path threads Arc<[u8]> for zero-copy via from_sub_slice()
- try_parse_cose_signature_headers returns borrowed slices (no Vec copies)
- try_read_x5chain uses ArcSlice::from_sub_slice() pointer arithmetic
- Added ArcSlice::from_sub_slice() to primitives for Arc-backed zero-copy

Quality improvements:
- .to_string() replaced with .into() on all string literal error paths
- SAFETY docs on all unsafe FFI blocks
- Chain builder uses Arc::unwrap_or_clone() for move-or-clone optimization
- C header: removed cose_status_t redefinition conflict
- C++ RAII: added release() methods, removed #define workaround hack
- FFI naming: cose_sign1_certificates_key_from_cert_der (correct tier prefix)
- coverage(off) removed from 7 testable FFI functions
- Module docs with architecture diagrams and V2 mapping cross-refs
- @see cross-refs and ownership docs on C/C++ headers
- FFI crate local_ffi: added test = false per FFI standards
- Clippy clean, fmt clean, all 6,669 tests passing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
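
The `from_sub_slice()` pointer-arithmetic idea described in the commit message above, as an added Rust sketch that is not code from this PR: `SharedSlice`, `split_chain` and the length-prefixed sample format are hypothetical stand-ins, since the real `ArcSlice` signature is not shown on the page. The bounds check is what keeps a borrowed slice from being re-anchored onto a buffer it does not belong to.

```rust
use std::ops::Range;
use std::sync::Arc;

/// Hypothetical stand-in for the PR's ArcSlice: shared buffer plus byte range.
#[derive(Clone)]
pub struct SharedSlice {
    buf: Arc<[u8]>,
    range: Range<usize>,
}

impl SharedSlice {
    /// Re-anchor borrowed `sub` onto `parent` without copying any bytes.
    /// Returns None unless `sub` lies entirely inside `parent`'s buffer.
    pub fn from_sub_slice(parent: &Arc<[u8]>, sub: &[u8]) -> Option<Self> {
        let base = parent.as_ptr() as usize;
        let start = (sub.as_ptr() as usize).checked_sub(base)?;
        let end = start.checked_add(sub.len())?;
        if end > parent.len() {
            return None; // slice belongs to some other allocation
        }
        Some(Self { buf: Arc::clone(parent), range: start..end })
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.buf[self.range.clone()]
    }
}

/// Splits a constructed, length-prefixed chain (1-byte length + bytes per
/// entry; a simplification of CBOR x5chain) into zero-copy views.
pub fn split_chain(msg: &Arc<[u8]>) -> Option<Vec<SharedSlice>> {
    let mut out = Vec::new();
    let mut rest: &[u8] = msg;
    while let Some((&len, tail)) = rest.split_first() {
        let cert = tail.get(..usize::from(len))?; // truncated input -> None
        out.push(SharedSlice::from_sub_slice(msg, cert)?);
        rest = &tail[cert.len()..];
    }
    Some(out)
}

fn main() {
    // Constructed sample: two fake "certificates" in one message buffer.
    let msg: Arc<[u8]> = Arc::from(vec![3u8, 0xAA, 0xBB, 0xCC, 2, 0x01, 0x02]);
    let chain = split_chain(&msg).expect("well-formed sample");
    println!("{} entries, refcount {}", chain.len(), Arc::strong_count(&msg));
}
```

Each returned view costs one refcount bump and keeps the whole message buffer alive for as long as the view exists.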
@JeromySt JeromySt force-pushed the native_certificates branch from 9c3c588 to 1c2eb86 on April 3, 2026 03:22
- Replace hard-coded FFI crate list in collect-coverage-asan.ps1 with
  dynamic discovery via cargo metadata (any crate ending in '_ffi')
- Add description field to certificates Cargo.toml for workspace consistency

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@JeromySt JeromySt marked this pull request as ready for review April 3, 2026 04:29
@JeromySt JeromySt merged commit 1c7f17c into users/jstatia/native_ports_final Apr 3, 2026
14 checks passed