refactor(x509): split self-signed cert builder into SRP submodules#694
Conversation
`load_inner_with_spec` in `cert.rs` mixed RSA key material setup, time derivation, CA constraints, key-usage flags, EKU, and SAN sorting in one 107-line closure. Extract the work into two submodules that mirror the pattern already established for `chain/`: - `cert/material.rs` — RSA keypair generation + rcgen `KeyPair` adapter - `cert/params.rs` — `CertificateParams` builder, with private helpers for not-before offset, CA constraint, key-usage purposes, TLS EKU, and sorted/deduplicated DNS SANs The orchestrating closure shrinks from 107 to 23 lines. Cache domain, derivation inputs, and serial-number RNG sequence are unchanged, so existing deterministic outputs (covered by the four `snapshots_x509` insta tests) are byte-stable.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
load_inner_with_specincrates/uselesskey-x509/src/cert.rswas a 107-line closure that mixed six distinct responsibilities: RSA key material setup, deterministic time derivation, CA constraint setting, key-usage flag assembly, EKU assignment, and SAN sort/dedup. This PR splits it into two SRP submodules that mirror the pattern already established forchain/.Changes
cert/material.rs— RSA keypair generation and adaptation into an rcgenKeyPair(parallelschain/material.rs).cert/params.rs—CertificateParamsbuilder, with private helpers for not-before offset, CA constraint, key-usage purposes, TLS EKU, and sorted/deduplicated DNS SANs (parallelschain/params.rs).cert.rs—load_inner_with_specshrinks from 107 lines to 23 lines of pure orchestration. Unused imports (rcgen::*,rustls_pki_types,uselesskey_rsa::*,time::Duration,srp::derive::*) are dropped.NotBeforeOffsetmoves into the test module since it is no longer used at module scope.Cache domain (
DOMAIN_X509_CERT), derivation inputs, key-label derivation ({label}-key), and serial-number RNG sequence are all preserved, so deterministic outputs are byte-stable.Test plan
cargo build -p uselesskey-x509— cleancargo clippy -p uselesskey-x509 --all-targets -- -D warnings— cleancargo fmt --check -p uselesskey-x509— cleancargo test -p uselesskey-x509— all unit, integration, and doctests passcargo test -p uselesskey-x509 --test snapshots_x509— all 4 insta snapshots pass (this is the strongest signal: PEM shape, key PEM shape, DER lengths, and full cert metadata are byte-stable)cargo build --workspace— clean (no downstream consumers broken)Generated by Claude Code