From 8ac817b0b51f2dc8215f85ecf67a7e0a3ab38281 Mon Sep 17 00:00:00 2001
From: Oleksandr Tkachenko <108659113+altkdf@users.noreply.github.com>
Date: Wed, 23 Oct 2024 16:57:36 +0200
Subject: [PATCH] Add a X.509 certificate example (#998)

Adds an example in rust for generating X.509 certificates using threshold Ed25519 and threshold ECDSA with curve secp256k1.
The example canister generates a root CA certificate.
The example canister generates child certificates for user-provided certificate signing requests.
Closes CRP-2583.
---
 .../workflows/provision-pocket-ic-server.sh   |    2 +-
 .github/workflows/rust-x509-example.yml       |   45 +
 motoko/parallel_calls/multi_subnet/Cargo.toml |    2 +-
 rust/guards/Cargo.toml                        |    2 +-
 .../src/multi_subnet/Cargo.toml               |    2 +-
 rust/threshold-schnorr/Cargo.lock             |  357 ++-
 rust/threshold-schnorr/Makefile               |    7 +-
 .../src/schnorr_example_rust/Cargo.toml       |    4 +-
 .../src/schnorr_example_rust/src/wasm_only.rs |    6 +-
 .../src/schnorr_example_rust/tests/tests.rs   |   27 +-
 rust/x509/Cargo.lock                          | 2524 +++++++++++++++++
 rust/x509/Cargo.toml                          |   11 +
 rust/x509/README.md                           |  450 +++
 rust/x509/dfx.json                            |    9 +
 rust/x509/src/x509_example_rust/Cargo.toml    |   33 +
 .../src/all_architectures.rs                  |   55 +
 rust/x509/src/x509_example_rust/src/lib.rs    |    9 +
 .../src/x509_example_rust/src/wasm_only.rs    |  501 ++++
 .../x509_example_rust/src/wasm_only/signer.rs |  141 +
 .../x509/src/x509_example_rust/tests/tests.rs |  271 ++
 .../src/x509_example_rust/x509_example.did    |   11 +
 21 files changed, 4313 insertions(+), 156 deletions(-)
 create mode 100644 .github/workflows/rust-x509-example.yml
 create mode 100644 rust/x509/Cargo.lock
 create mode 100644 rust/x509/Cargo.toml
 create mode 100644 rust/x509/README.md
 create mode 100644 rust/x509/dfx.json
 create mode 100644 rust/x509/src/x509_example_rust/Cargo.toml
 create mode 100644 rust/x509/src/x509_example_rust/src/all_architectures.rs
 create mode 100644 rust/x509/src/x509_example_rust/src/lib.rs
 create mode 100644 rust/x509/src/x509_example_rust/src/wasm_only.rs
 create mode 100644 rust/x509/src/x509_example_rust/src/wasm_only/signer.rs
 create mode 100644 rust/x509/src/x509_example_rust/tests/tests.rs
 create mode 100644 rust/x509/src/x509_example_rust/x509_example.did

diff --git a/.github/workflows/provision-pocket-ic-server.sh b/.github/workflows/provision-pocket-ic-server.sh
index 04220e582..3d4c10186 100755
--- a/.github/workflows/provision-pocket-ic-server.sh
+++ b/.github/workflows/provision-pocket-ic-server.sh
@@ -2,7 +2,7 @@
 
 set -ex
 
-POCKET_IC_SERVER_VERSION=${POCKET_IC_SERVER_VERSION:=5.0.0}
+POCKET_IC_SERVER_VERSION=${POCKET_IC_SERVER_VERSION:=6.0.0}
 POCKET_IC_SERVER_PATH=${POCKET_IC_SERVER_PATH:="${HOME}/bin/pocket-ic-server"}
 
 if [[ $OSTYPE == "linux-gnu"* ]] || [[ $RUNNER_OS == "Linux" ]]
diff --git a/.github/workflows/rust-x509-example.yml b/.github/workflows/rust-x509-example.yml
new file mode 100644
index 000000000..ba313a660
--- /dev/null
+++ b/.github/workflows/rust-x509-example.yml
@@ -0,0 +1,45 @@
+# Known failure: https://dfinity.atlassian.net/browse/EM-7
+name: rust-x509
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    paths:
+      - rust/x509/**
+      - .github/workflows/provision-darwin.sh
+      - .github/workflows/provision-linux.sh
+      - .github/workflows/provision-pocket-ic-server.sh
+      - .github/workflows/rust-x509-example.yml
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+jobs:
+  rust-x509-darwin:
+    runs-on: macos-12
+    steps:
+      - uses: actions/checkout@v1
+      - name: Provision Darwin
+        run: bash .github/workflows/provision-darwin.sh
+      - name: Provision PocketIC
+        run: bash .github/workflows/provision-pocket-ic-server.sh
+      - name: Rust X.509 Darwin
+        run: |
+          brew install openssl
+          pushd rust/x509
+          dfx build --check
+          cargo test
+  rust-x509-linux:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v1
+      - name: Provision Linux
+        run: bash .github/workflows/provision-linux.sh
+      - name: Provision PocketIC
+        run: bash .github/workflows/provision-pocket-ic-server.sh
+      - name: Rust X.509 Linux
+        run: |
+          sudo apt-get install --yes openssl
+          pushd rust/x509
+          dfx build --check
+          cargo test
diff --git a/motoko/parallel_calls/multi_subnet/Cargo.toml b/motoko/parallel_calls/multi_subnet/Cargo.toml
index 9753984b3..204c580da 100644
--- a/motoko/parallel_calls/multi_subnet/Cargo.toml
+++ b/motoko/parallel_calls/multi_subnet/Cargo.toml
@@ -6,5 +6,5 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-pocket-ic = "4.0.0"
+pocket-ic = "5.0.0"
 candid = "0.10"
diff --git a/rust/guards/Cargo.toml b/rust/guards/Cargo.toml
index e3f421473..1091895c0 100644
--- a/rust/guards/Cargo.toml
+++ b/rust/guards/Cargo.toml
@@ -14,4 +14,4 @@ serde = "1.0"
 
 [dev-dependencies]
 assert_matches = "1.5.0"
-pocket-ic = "4.0.0"
+pocket-ic = "5.0.0"
diff --git a/rust/parallel_calls/src/multi_subnet/Cargo.toml b/rust/parallel_calls/src/multi_subnet/Cargo.toml
index 9753984b3..204c580da 100644
--- a/rust/parallel_calls/src/multi_subnet/Cargo.toml
+++ b/rust/parallel_calls/src/multi_subnet/Cargo.toml
@@ -6,5 +6,5 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-pocket-ic = "4.0.0"
+pocket-ic = "5.0.0"
 candid = "0.10"
diff --git a/rust/threshold-schnorr/Cargo.lock b/rust/threshold-schnorr/Cargo.lock
index 1522b4103..0dc873c73 100644
--- a/rust/threshold-schnorr/Cargo.lock
+++ b/rust/threshold-schnorr/Cargo.lock
@@ -411,6 +411,15 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
 
+[[package]]
+name = "erased-serde"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c138974f9d5e7fe373eb04df7cae98833802ae4b11c24ac7039a21d5af4b26c"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "ff"
 version = "0.13.0"
@@ -664,19 +673,21 @@ dependencies = [
 
 [[package]]
 name = "hyper-rustls"
-version = "0.26.0"
+version = "0.27.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a0bea761b46ae2b24eb4aef630d8d1c398157b6fc29e6350ecf090a0b70c952c"
+checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333"
 dependencies = [
  "futures-util",
  "http",
  "hyper",
  "hyper-util",
  "rustls",
+ "rustls-native-certs",
  "rustls-pki-types",
  "tokio",
  "tokio-rustls",
  "tower-service",
+ "webpki-roots",
 ]
 
 [[package]]
@@ -701,9 +712,9 @@ dependencies = [
 
 [[package]]
 name = "ic-cdk"
-version = "0.13.2"
+version = "0.13.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f8859bc2b863a77750acf199e1fb7e3fc403e1b475855ba13f59cb4e4036d238"
+checksum = "3b1da6a25b045f9da3c9459c0cb2b0700ac368ee16382975a17185a23b9c18ab"
 dependencies = [
  "candid",
  "ic-cdk-macros 0.13.2",
@@ -714,12 +725,12 @@ dependencies = [
 
 [[package]]
 name = "ic-cdk"
-version = "0.15.1"
+version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "038ff230bf0fc8630943e3c52e989d248a7c89834ccb65da408fabc5817a475b"
+checksum = "dd8ecacd682fa05a985253592963306cb9799622d7b1cce4b1edb89c6ec85be1"
 dependencies = [
  "candid",
- "ic-cdk-macros 0.15.0",
+ "ic-cdk-macros 0.16.0",
  "ic0 0.23.0",
  "serde",
  "serde_bytes",
@@ -741,9 +752,9 @@ dependencies = [
 
 [[package]]
 name = "ic-cdk-macros"
-version = "0.15.0"
+version = "0.16.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3af44fb4ec3a4b18831c9d3303ca8fa2ace846c4022d50cb8df4122635d3782e"
+checksum = "0d4d857135deef20cc7ea8f3869a30cd9cfeb1392b3a81043790b2cd82adc3e0"
 dependencies = [
  "candid",
  "proc-macro2",
@@ -846,9 +857,9 @@ checksum = "884e2677b40cc8c339eaefcb701c32ef1fd2493d71118dc0ca4b6a736c93bd67"
 
 [[package]]
 name = "libc"
-version = "0.2.152"
+version = "0.2.159"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13e3bf6590cbc649f4d1a3eefc9d5d6eb746f5200ffb04e5e142700b8faa56e7"
+checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5"
 
 [[package]]
 name = "lock_api"
@@ -908,13 +919,14 @@ dependencies = [
 
 [[package]]
 name = "mio"
-version = "0.8.11"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
+checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
 dependencies = [
+ "hermit-abi",
  "libc",
  "wasi",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
@@ -964,16 +976,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "num_cpus"
-version = "1.16.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
-dependencies = [
- "hermit-abi",
- "libc",
-]
-
 [[package]]
 name = "object"
 version = "0.32.2"
@@ -1021,7 +1023,7 @@ dependencies = [
  "libc",
  "redox_syscall",
  "smallvec",
- "windows-targets 0.52.5",
+ "windows-targets",
 ]
 
 [[package]]
@@ -1080,20 +1082,21 @@ dependencies = [
 
 [[package]]
 name = "pocket-ic"
-version = "4.0.0"
+version = "5.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "629f46b7ab8a8d2fee02220ef8e99ae552c7e220117efa1ce0882ff09c8fb038"
+checksum = "beff607d4dbebff8d003453ced669d2645e905de496ca93713f3d47633357e6c"
 dependencies = [
  "base64 0.13.1",
  "candid",
  "hex",
- "ic-cdk 0.13.2",
+ "ic-cdk 0.13.5",
  "reqwest",
  "schemars",
  "serde",
  "serde_bytes",
  "serde_json",
  "sha2",
+ "slog",
  "tokio",
  "tracing",
  "tracing-appender",
@@ -1106,6 +1109,15 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
 
+[[package]]
+name = "ppv-lite86"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+dependencies = [
+ "zerocopy",
+]
+
 [[package]]
 name = "pretty"
 version = "0.12.3"
@@ -1135,6 +1147,54 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "quinn"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c7c5fdde3cdae7203427dc4f0a68fe0ed09833edc525a03456b153b79828684"
+dependencies = [
+ "bytes",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6"
+dependencies = [
+ "bytes",
+ "rand",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "slab",
+ "thiserror",
+ "tinyvec",
+ "tracing",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fe68c2e9e1a1234e218683dbdf9f9dfcb094113c5ac2b938dfcb9bab4c4140b"
+dependencies = [
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "quote"
 version = "1.0.35"
@@ -1144,6 +1204,27 @@ dependencies = [
  "proc-macro2",
 ]
 
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
 [[package]]
 name = "rand_core"
 version = "0.6.4"
@@ -1208,9 +1289,9 @@ checksum = "adad44e29e4c806119491a7f06f03de4d1af22c3a680dd47f1e6e179439d1f56"
 
 [[package]]
 name = "reqwest"
-version = "0.12.3"
+version = "0.12.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3e6cc1e89e689536eb5aeede61520e874df5a4707df811cd5da4aa5fbb2aae19"
+checksum = "f713147fbe92361e52392c73b8c9e48c04c6625bce969ef54dc901e58e042a7b"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -1232,6 +1313,7 @@ dependencies = [
  "once_cell",
  "percent-encoding",
  "pin-project-lite",
+ "quinn",
  "rustls",
  "rustls-native-certs",
  "rustls-pemfile",
@@ -1251,7 +1333,7 @@ dependencies = [
  "wasm-streams",
  "web-sys",
  "webpki-roots",
- "winreg",
+ "windows-registry",
 ]
 
 [[package]]
@@ -1285,6 +1367,12 @@ version = "0.1.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d626bb9dae77e28219937af045c257c28bfd3f69333c512553507f5f9798cb76"
 
+[[package]]
+name = "rustc-hash"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152"
+
 [[package]]
 name = "rustc_version"
 version = "0.4.0"
@@ -1296,11 +1384,11 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.22.4"
+version = "0.23.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8"
 dependencies = [
- "log",
+ "once_cell",
  "ring",
  "rustls-pki-types",
  "rustls-webpki",
@@ -1310,9 +1398,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-native-certs"
-version = "0.7.0"
+version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792"
+checksum = "fcaf18a4f2be7326cd874a5fa579fae794320a0f388d365dca7e480e55f83f8a"
 dependencies = [
  "openssl-probe",
  "rustls-pemfile",
@@ -1339,9 +1427,9 @@ checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
 
 [[package]]
 name = "rustls-webpki"
-version = "0.102.4"
+version = "0.102.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff448f7e92e913c4b7d4c6d8e4540a1724b319b4152b8aef6d4cf8339712b33e"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
 dependencies = [
  "ring",
  "rustls-pki-types",
@@ -1402,7 +1490,7 @@ dependencies = [
  "flate2",
  "getrandom",
  "hex",
- "ic-cdk 0.15.1",
+ "ic-cdk 0.16.0",
  "k256",
  "pocket-ic",
  "serde",
@@ -1470,9 +1558,9 @@ dependencies = [
 
 [[package]]
 name = "serde_bytes"
-version = "0.11.14"
+version = "0.11.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b8497c313fd43ab992087548117643f6fcd935cbf36f176ffda0aacf9591734"
+checksum = "387cc504cb06bb40a96c8e04e951fe01854cf6bc921053c954e4a606d9675c6a"
 dependencies = [
  "serde",
 ]
@@ -1593,6 +1681,15 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "slog"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
+dependencies = [
+ "erased-serde",
+]
+
 [[package]]
 name = "smallvec"
 version = "1.13.2"
@@ -1668,9 +1765,12 @@ dependencies = [
 
 [[package]]
 name = "sync_wrapper"
-version = "0.1.2"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
+checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"
+dependencies = [
+ "futures-core",
+]
 
 [[package]]
 name = "thiserror"
@@ -1750,28 +1850,27 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.38.0"
+version = "1.40.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba4f4a02a7a80d6f274636f0aa95c7e383b912d41fe721a31f29e29698585a4a"
+checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998"
 dependencies = [
  "backtrace",
  "bytes",
  "libc",
  "mio",
- "num_cpus",
  "parking_lot",
  "pin-project-lite",
  "signal-hook-registry",
  "socket2",
  "tokio-macros",
- "windows-sys 0.48.0",
+ "windows-sys 0.52.0",
 ]
 
 [[package]]
 name = "tokio-macros"
-version = "2.3.0"
+version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a"
+checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1780,9 +1879,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.25.0"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
  "rustls",
  "rustls-pki-types",
@@ -1791,9 +1890,9 @@ dependencies = [
 
 [[package]]
 name = "tokio-socks"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "51165dfa029d2a65969413a6cc96f354b86b464498702f174a4efa13608fd8c0"
+checksum = "0d4770b8024672c1101b3f6733eab95b18007dbe0847a8afe341fcf79e06043f"
 dependencies = [
  "either",
  "futures-util",
@@ -2147,152 +2246,136 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
-name = "windows-sys"
-version = "0.48.0"
+name = "windows-registry"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "677d2418bec65e3338edb076e806bc1ec15693c5d0104683f2efe857f61056a9"
+checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0"
 dependencies = [
- "windows-targets 0.48.5",
+ "windows-result",
+ "windows-strings",
+ "windows-targets",
 ]
 
 [[package]]
-name = "windows-sys"
-version = "0.52.0"
+name = "windows-result"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e"
 dependencies = [
- "windows-targets 0.52.5",
+ "windows-targets",
 ]
 
 [[package]]
-name = "windows-targets"
-version = "0.48.5"
+name = "windows-strings"
+version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9a2fa6e2155d7247be68c096456083145c183cbbbc2764150dda45a87197940c"
+checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
 dependencies = [
- "windows_aarch64_gnullvm 0.48.5",
- "windows_aarch64_msvc 0.48.5",
- "windows_i686_gnu 0.48.5",
- "windows_i686_msvc 0.48.5",
- "windows_x86_64_gnu 0.48.5",
- "windows_x86_64_gnullvm 0.48.5",
- "windows_x86_64_msvc 0.48.5",
+ "windows-result",
+ "windows-targets",
 ]
 
 [[package]]
-name = "windows-targets"
-version = "0.52.5"
+name = "windows-sys"
+version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
 dependencies = [
- "windows_aarch64_gnullvm 0.52.5",
- "windows_aarch64_msvc 0.52.5",
- "windows_i686_gnu 0.52.5",
- "windows_i686_gnullvm",
- "windows_i686_msvc 0.52.5",
- "windows_x86_64_gnu 0.52.5",
- "windows_x86_64_gnullvm 0.52.5",
- "windows_x86_64_msvc 0.52.5",
+ "windows-targets",
 ]
 
 [[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.48.5"
+name = "windows-sys"
+version = "0.59.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
 
 [[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.52.5"
+name = "windows-targets"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
 
 [[package]]
-name = "windows_aarch64_msvc"
-version = "0.48.5"
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
 
 [[package]]
 name = "windows_aarch64_msvc"
-version = "0.52.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6"
-
-[[package]]
-name = "windows_i686_gnu"
-version = "0.48.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
 
 [[package]]
 name = "windows_i686_gnu"
-version = "0.52.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
 
 [[package]]
 name = "windows_i686_gnullvm"
-version = "0.52.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9"
-
-[[package]]
-name = "windows_i686_msvc"
-version = "0.48.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
 
 [[package]]
 name = "windows_i686_msvc"
-version = "0.52.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
 
 [[package]]
 name = "windows_x86_64_gnu"
-version = "0.48.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e"
-
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.52.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
 
 [[package]]
 name = "windows_x86_64_gnullvm"
-version = "0.48.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc"
-
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.52.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
 
 [[package]]
 name = "windows_x86_64_msvc"
-version = "0.48.5"
+version = "0.52.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
 
 [[package]]
-name = "windows_x86_64_msvc"
-version = "0.52.5"
+name = "zerocopy"
+version = "0.7.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+dependencies = [
+ "byteorder",
+ "zerocopy-derive",
+]
 
 [[package]]
-name = "winreg"
-version = "0.52.0"
+name = "zerocopy-derive"
+version = "0.7.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a277a57398d4bfa075df44f501a17cfdf8542d224f0d36095a2adc7aee4ef0a5"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
 dependencies = [
- "cfg-if",
- "windows-sys 0.48.0",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
 ]
 
 [[package]]
diff --git a/rust/threshold-schnorr/Makefile b/rust/threshold-schnorr/Makefile
index 07fd3fbfb..c277d4a9e 100644
--- a/rust/threshold-schnorr/Makefile
+++ b/rust/threshold-schnorr/Makefile
@@ -1,6 +1,11 @@
 .PHONY: all
 all: build
 
+.PHONY: build
+.SILENT: build
+build:
+	dfx build --check
+
 .PHONY: deploy
 .SILENT: deploy
 deploy:
@@ -8,7 +13,7 @@ deploy:
 
 .PHONY: test
 .SILENT: test
-test:
+test: build
 	cargo test
 
 .PHONY: clean
diff --git a/rust/threshold-schnorr/src/schnorr_example_rust/Cargo.toml b/rust/threshold-schnorr/src/schnorr_example_rust/Cargo.toml
index 4698d9a1b..25b102505 100644
--- a/rust/threshold-schnorr/src/schnorr_example_rust/Cargo.toml
+++ b/rust/threshold-schnorr/src/schnorr_example_rust/Cargo.toml
@@ -12,7 +12,7 @@ candid = "=0.10.4"
 ed25519-dalek = "2.1"
 getrandom = { version = "0.2", features = ["custom"] }
 hex = "0.4"
-ic-cdk = "0.15"
+ic-cdk = "0.16"
 k256 = { git = "https://github.com/altkdf/elliptic-curves", branch = "schnorr_canister", features = ["schnorr"] }
 sha2 = "0.10"
 serde = "1.0"
@@ -20,4 +20,4 @@ serde_bytes = "0.11"
 
 [dev-dependencies]
 flate2 = "1.0"
-pocket-ic = "4.0.0"
+pocket-ic = "5.0.0"
diff --git a/rust/threshold-schnorr/src/schnorr_example_rust/src/wasm_only.rs b/rust/threshold-schnorr/src/schnorr_example_rust/src/wasm_only.rs
index 1aa02d4db..f9fef1fe7 100644
--- a/rust/threshold-schnorr/src/schnorr_example_rust/src/wasm_only.rs
+++ b/rust/threshold-schnorr/src/schnorr_example_rust/src/wasm_only.rs
@@ -42,7 +42,7 @@ async fn public_key(algorithm: SchnorrAlgorithm) -> Result<PublicKeyReply, Strin
     let request = ManagementCanisterSchnorrPublicKeyRequest {
         canister_id: None,
         derivation_path: vec![ic_cdk::api::caller().as_slice().to_vec()],
-        key_id: SchnorrKeyIds::TestKeyLocalDevelopment.to_key_id(algorithm),
+        key_id: SchnorrKeyIds::TestKey1.to_key_id(algorithm),
     };
 
     let (res,): (ManagementCanisterSchnorrPublicKeyReply,) = ic_cdk::call(
@@ -63,7 +63,7 @@ async fn sign(message: String, algorithm: SchnorrAlgorithm) -> Result<SignatureR
     let internal_request = ManagementCanisterSignatureRequest {
         message: message.as_bytes().to_vec(),
         derivation_path: vec![ic_cdk::api::caller().as_slice().to_vec()],
-        key_id: SchnorrKeyIds::TestKeyLocalDevelopment.to_key_id(algorithm),
+        key_id: SchnorrKeyIds::TestKey1.to_key_id(algorithm),
     };
 
     let (internal_reply,): (ManagementCanisterSignatureReply,) =
@@ -71,7 +71,7 @@ async fn sign(message: String, algorithm: SchnorrAlgorithm) -> Result<SignatureR
             Principal::management_canister(),
             "sign_with_schnorr",
             (internal_request,),
-            25_000_000_000,
+            26_153_846_153,
         )
         .await
         .map_err(|e| format!("sign_with_schnorr failed {e:?}"))?;
diff --git a/rust/threshold-schnorr/src/schnorr_example_rust/tests/tests.rs b/rust/threshold-schnorr/src/schnorr_example_rust/tests/tests.rs
index 5600b14af..1eb1b78cf 100644
--- a/rust/threshold-schnorr/src/schnorr_example_rust/tests/tests.rs
+++ b/rust/threshold-schnorr/src/schnorr_example_rust/tests/tests.rs
@@ -1,5 +1,5 @@
 use candid::{decode_one, encode_args, encode_one, CandidType, Principal};
-use pocket_ic::{PocketIc, WasmResult};
+use pocket_ic::{PocketIc, PocketIcBuilder, WasmResult};
 use schnorr_example_rust::{
     PublicKeyReply, SchnorrAlgorithm, SignatureReply, SignatureVerificationReply,
 };
@@ -11,7 +11,11 @@ fn signing_and_verification_should_work_correctly() {
     const ALGORITHMS: [SchnorrAlgorithm; 2] =
         [SchnorrAlgorithm::Bip340Secp256k1, SchnorrAlgorithm::Ed25519];
 
-    let pic = PocketIc::new();
+    let pic = PocketIcBuilder::new()
+        .with_application_subnet()
+        .with_ii_subnet()
+        .with_fiduciary_subnet()
+        .build();
 
     for algorithm in ALGORITHMS {
         for _trial in 0..5 {
@@ -33,14 +37,19 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
     // Make sure the canister is properly initialized
     fast_forward(&pic, 5);
 
-    let message_hex = hex::encode("Test message");
+    // a message we can reverse to break the signature
+    // currently pocket IC only supports 32B messages for BIP340
+    let message: String = std::iter::repeat('a')
+        .take(16)
+        .chain(std::iter::repeat('b').take(16))
+        .collect();
 
     let sig_reply: Result<SignatureReply, String> = update(
         &pic,
         my_principal,
         example_canister_id,
         "sign",
-        encode_args((message_hex.clone(), algorithm)).unwrap(),
+        encode_args((message.clone(), algorithm)).unwrap(),
     );
 
     let signature_hex = sig_reply.expect("failed to sign").signature_hex;
@@ -63,7 +72,7 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
             "verify",
             encode_args((
                 signature_hex.clone(),
-                message_hex.clone(),
+                message.clone(),
                 public_key_hex.clone(),
                 algorithm,
             ))
@@ -81,7 +90,7 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
             "verify",
             encode_args((
                 clone_and_reverse_chars(&signature_hex),
-                message_hex.clone(),
+                message.clone(),
                 public_key_hex.clone(),
                 algorithm,
             ))
@@ -99,7 +108,7 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
             "verify",
             encode_args((
                 signature_hex.clone(),
-                clone_and_reverse_chars(&message_hex),
+                clone_and_reverse_chars(&message),
                 public_key_hex.clone(),
                 algorithm,
             ))
@@ -117,7 +126,7 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
             "verify",
             encode_args((
                 signature_hex.clone(),
-                message_hex.clone(),
+                message.clone(),
                 clone_and_reverse_chars(&public_key_hex),
                 algorithm,
             ))
@@ -138,7 +147,7 @@ fn test_impl(pic: &PocketIc, algorithm: SchnorrAlgorithm) {
             "verify",
             encode_args((
                 signature_hex.clone(),
-                message_hex.clone(),
+                message.clone(),
                 public_key_hex.clone(),
                 other_algorithm(algorithm),
             ))
diff --git a/rust/x509/Cargo.lock b/rust/x509/Cargo.lock
new file mode 100644
index 000000000..56879d4e7
--- /dev/null
+++ b/rust/x509/Cargo.lock
@@ -0,0 +1,2524 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 3
+
+[[package]]
+name = "addr2line"
+version = "0.24.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f5fb1d8e4442bd405fdfd1dacb42792696b0cf9cb15882e5d097b742a676d375"
+dependencies = [
+ "gimli",
+]
+
+[[package]]
+name = "adler2"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627"
+
+[[package]]
+name = "aho-corasick"
+version = "1.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "anyhow"
+version = "1.0.79"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "080e9890a082662b09c1ad45f567faeeb47f22b5fb23895fbe1e651e718e25ca"
+
+[[package]]
+name = "arrayvec"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "23b62fc65de8e4e7f52534fb52b0f3ed04746ae267519eef2a83941e8085068b"
+
+[[package]]
+name = "atomic-waker"
+version = "1.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
+
+[[package]]
+name = "autocfg"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+
+[[package]]
+name = "backtrace"
+version = "0.3.74"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a"
+dependencies = [
+ "addr2line",
+ "cfg-if",
+ "libc",
+ "miniz_oxide",
+ "object",
+ "rustc-demangle",
+ "windows-targets",
+]
+
+[[package]]
+name = "base16ct"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
+
+[[package]]
+name = "base64"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
+
+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
+[[package]]
+name = "base64ct"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+
+[[package]]
+name = "binread"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16598dfc8e6578e9b597d9910ba2e73618385dc9f4b1d43dd92c349d6be6418f"
+dependencies = [
+ "binread_derive",
+ "lazy_static",
+ "rustversion",
+]
+
+[[package]]
+name = "binread_derive"
+version = "2.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d9672209df1714ee804b1f4d4f68c8eb2a90b1f7a07acf472f88ce198ef1fed"
+dependencies = [
+ "either",
+ "proc-macro2",
+ "quote",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "bumpalo"
+version = "3.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+
+[[package]]
+name = "byteorder"
+version = "1.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
+
+[[package]]
+name = "bytes"
+version = "1.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3"
+
+[[package]]
+name = "candid"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7fcd70c7bed52cb20e38dd933c19c0c9abf0302b60db3fa3186e27ec53edf6ad"
+dependencies = [
+ "anyhow",
+ "binread",
+ "byteorder",
+ "candid_derive",
+ "hex",
+ "ic_principal",
+ "leb128",
+ "num-bigint",
+ "num-traits",
+ "paste",
+ "pretty",
+ "serde",
+ "serde_bytes",
+ "stacker",
+ "thiserror",
+]
+
+[[package]]
+name = "candid_derive"
+version = "0.6.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3de398570c386726e7a59d9887b68763c481477f9a043fb998a2e09d428df1a9"
+dependencies = [
+ "lazy_static",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "cc"
+version = "1.0.83"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1174fb0b6ec23863f8b971027804a42614e347eafb0a95bf0b12cdae21fc4d0"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "cfg-if"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
+
+[[package]]
+name = "cpufeatures"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crc32fast"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+dependencies = [
+ "cfg-if",
+]
+
+[[package]]
+name = "crossbeam-channel"
+version = "0.5.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"
+dependencies = [
+ "crossbeam-utils",
+]
+
+[[package]]
+name = "crossbeam-utils"
+version = "0.8.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+
+[[package]]
+name = "crypto-bigint"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
+dependencies = [
+ "generic-array",
+ "rand_core",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "curve25519-dalek-derive",
+ "digest",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "data-encoding"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e962a19be5cfc3f3bf6dd8f61eb50107f356ad6270fbb3ed41476571db78be5"
+
+[[package]]
+name = "der"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f55bf8e7b65898637379c1b74eb1551107c8294ed26d855ceb9fd1a09cfc9bc0"
+dependencies = [
+ "const-oid",
+ "der_derive",
+ "flagset",
+ "pem-rfc7468",
+ "zeroize",
+]
+
+[[package]]
+name = "der_derive"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8034092389675178f570469e6c3b0465d3d30b4505c294a6550db47f3c17ad18"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "deranged"
+version = "0.3.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4"
+dependencies = [
+ "powerfmt",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "const-oid",
+ "crypto-common",
+ "subtle",
+]
+
+[[package]]
+name = "dyn-clone"
+version = "1.0.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
+
+[[package]]
+name = "ecdsa"
+version = "0.16.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
+dependencies = [
+ "der",
+ "digest",
+ "elliptic-curve",
+ "rfc6979",
+ "signature",
+ "spki",
+]
+
+[[package]]
+name = "ed25519"
+version = "2.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+dependencies = [
+ "pkcs8",
+ "signature",
+]
+
+[[package]]
+name = "ed25519-dalek"
+version = "2.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a3daa8e81a3963a60642bcc1f90a670680bd4a77535faa384e9d1c79d620871"
+dependencies = [
+ "curve25519-dalek",
+ "ed25519",
+ "serde",
+ "sha2",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "either"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a26ae43d7bcc3b814de94796a5e736d4029efb0ee900c12e2d54c993ad1a1e07"
+
+[[package]]
+name = "elliptic-curve"
+version = "0.13.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
+dependencies = [
+ "base16ct",
+ "crypto-bigint",
+ "digest",
+ "ff",
+ "generic-array",
+ "group",
+ "pem-rfc7468",
+ "pkcs8",
+ "rand_core",
+ "sec1",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "equivalent"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+
+[[package]]
+name = "erased-serde"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c138974f9d5e7fe373eb04df7cae98833802ae4b11c24ac7039a21d5af4b26c"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "ff"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ded41244b729663b1e574f1b4fb731469f69f79c17667b5d776b16cda0479449"
+dependencies = [
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
+[[package]]
+name = "flagset"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b3ea1ec5f8307826a5b71094dd91fc04d4ae75d5709b20ad351c7fb4815c86ec"
+
+[[package]]
+name = "fnv"
+version = "1.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+
+[[package]]
+name = "foreign-types"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+dependencies = [
+ "foreign-types-shared",
+]
+
+[[package]]
+name = "foreign-types-shared"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+
+[[package]]
+name = "form_urlencoded"
+version = "1.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
+dependencies = [
+ "percent-encoding",
+]
+
+[[package]]
+name = "futures-channel"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78"
+dependencies = [
+ "futures-core",
+ "futures-sink",
+]
+
+[[package]]
+name = "futures-core"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d"
+
+[[package]]
+name = "futures-io"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a44623e20b9681a318efdd71c299b6b222ed6f231972bfe2f224ebad6311f0c1"
+
+[[package]]
+name = "futures-macro"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "87750cf4b7a4c0625b1529e4c543c2182106e4dedc60a2a6455e00d212c489ac"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "futures-sink"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fb8e00e87438d937621c1c6269e53f536c14d3fbd6a042bb24879e57d474fb5"
+
+[[package]]
+name = "futures-task"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004"
+
+[[package]]
+name = "futures-util"
+version = "0.3.30"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48"
+dependencies = [
+ "futures-core",
+ "futures-io",
+ "futures-macro",
+ "futures-sink",
+ "futures-task",
+ "memchr",
+ "pin-project-lite",
+ "pin-utils",
+ "slab",
+]
+
+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+ "zeroize",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
+[[package]]
+name = "gimli"
+version = "0.31.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32085ea23f3234fc7846555e85283ba4de91e21016dc0455a16286d87a292d64"
+
+[[package]]
+name = "group"
+version = "0.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
+dependencies = [
+ "ff",
+ "rand_core",
+ "subtle",
+]
+
+[[package]]
+name = "h2"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "524e8ac6999421f49a846c2d4411f337e53497d8ec55d67753beffa43c5d9205"
+dependencies = [
+ "atomic-waker",
+ "bytes",
+ "fnv",
+ "futures-core",
+ "futures-sink",
+ "http",
+ "indexmap",
+ "slab",
+ "tokio",
+ "tokio-util",
+ "tracing",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.14.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
+
+[[package]]
+name = "heck"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
+
+[[package]]
+name = "hermit-abi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
+
+[[package]]
+name = "hex"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "hmac"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "http"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "21b9ddb458710bc376481b842f5da65cdf31522de232c1ca8146abce2a358258"
+dependencies = [
+ "bytes",
+ "fnv",
+ "itoa",
+]
+
+[[package]]
+name = "http-body"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184"
+dependencies = [
+ "bytes",
+ "http",
+]
+
+[[package]]
+name = "http-body-util"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793429d76616a256bcb62c2a2ec2bed781c8307e797e2598c50010f2bee2544f"
+dependencies = [
+ "bytes",
+ "futures-util",
+ "http",
+ "http-body",
+ "pin-project-lite",
+]
+
+[[package]]
+name = "httparse"
+version = "1.9.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d71d3574edd2771538b901e6549113b4006ece66150fb69c0fb6d9a2adae946"
+
+[[package]]
+name = "hyper"
+version = "1.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50dfd22e0e76d0f662d429a5f80fcaf3855009297eab6a0a9f8543834744ba05"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "httparse",
+ "itoa",
+ "pin-project-lite",
+ "smallvec",
+ "tokio",
+ "want",
+]
+
+[[package]]
+name = "hyper-rustls"
+version = "0.27.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08afdbb5c31130e3034af566421053ab03787c640246a446327f550d11bcb333"
+dependencies = [
+ "futures-util",
+ "http",
+ "hyper",
+ "hyper-util",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pki-types",
+ "tokio",
+ "tokio-rustls",
+ "tower-service",
+ "webpki-roots",
+]
+
+[[package]]
+name = "hyper-util"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "41296eb09f183ac68eec06e03cdbea2e759633d4067b2f6552fc2e009bcad08b"
+dependencies = [
+ "bytes",
+ "futures-channel",
+ "futures-util",
+ "http",
+ "http-body",
+ "hyper",
+ "pin-project-lite",
+ "socket2",
+ "tokio",
+ "tower-service",
+ "tracing",
+]
+
+[[package]]
+name = "ic-cdk"
+version = "0.13.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3b1da6a25b045f9da3c9459c0cb2b0700ac368ee16382975a17185a23b9c18ab"
+dependencies = [
+ "candid",
+ "ic-cdk-macros 0.13.2",
+ "ic0 0.21.1",
+ "serde",
+ "serde_bytes",
+]
+
+[[package]]
+name = "ic-cdk"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dd8ecacd682fa05a985253592963306cb9799622d7b1cce4b1edb89c6ec85be1"
+dependencies = [
+ "candid",
+ "ic-cdk-macros 0.16.0",
+ "ic0 0.23.0",
+ "serde",
+ "serde_bytes",
+]
+
+[[package]]
+name = "ic-cdk-macros"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a45800053d80a6df839a71aaea5797e723188c0b992618208ca3b941350c7355"
+dependencies = [
+ "candid",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_tokenstream 0.1.7",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "ic-cdk-macros"
+version = "0.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d4d857135deef20cc7ea8f3869a30cd9cfeb1392b3a81043790b2cd82adc3e0"
+dependencies = [
+ "candid",
+ "proc-macro2",
+ "quote",
+ "serde",
+ "serde_tokenstream 0.2.2",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "ic0"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a54b5297861c651551676e8c43df805dad175cc33bc97dbd992edbbb85dcbcdf"
+
+[[package]]
+name = "ic0"
+version = "0.23.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8de254dd67bbd58073e23dc1c8553ba12fa1dc610a19de94ad2bbcd0460c067f"
+
+[[package]]
+name = "ic_principal"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1762deb6f7c8d8c2bdee4b6c5a47b60195b74e9b5280faa5ba29692f8e17429c"
+dependencies = [
+ "crc32fast",
+ "data-encoding",
+ "serde",
+ "sha2",
+ "thiserror",
+]
+
+[[package]]
+name = "idna"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6"
+dependencies = [
+ "unicode-bidi",
+ "unicode-normalization",
+]
+
+[[package]]
+name = "indexmap"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68b900aa2f7301e21c36462b170ee99994de34dff39a4a6a528e80e7376d07e5"
+dependencies = [
+ "equivalent",
+ "hashbrown",
+]
+
+[[package]]
+name = "ipnet"
+version = "2.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "187674a687eed5fe42285b40c6291f9a01517d415fad1c3cbc6a9f778af7fcd4"
+
+[[package]]
+name = "itoa"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
+
+[[package]]
+name = "js-sys"
+version = "0.3.70"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a"
+dependencies = [
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "k256"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "956ff9b67e26e1a6a866cb758f12c6f8746208489e3e4a4b5580802f2f0a587b"
+dependencies = [
+ "cfg-if",
+ "ecdsa",
+ "elliptic-curve",
+ "once_cell",
+ "sha2",
+ "signature",
+]
+
+[[package]]
+name = "lazy_static"
+version = "1.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+
+[[package]]
+name = "leb128"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "884e2677b40cc8c339eaefcb701c32ef1fd2493d71118dc0ca4b6a736c93bd67"
+
+[[package]]
+name = "libc"
+version = "0.2.159"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5"
+
+[[package]]
+name = "lock_api"
+version = "0.4.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "07af8b9cdd281b7915f413fa73f29ebd5d55d0d3f0155584dade1ff18cea1b17"
+dependencies = [
+ "autocfg",
+ "scopeguard",
+]
+
+[[package]]
+name = "log"
+version = "0.4.22"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
+
+[[package]]
+name = "matchers"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8263075bb86c5a1b1427b5ae862e8889656f126e9f77c484496e8b47cf5c5558"
+dependencies = [
+ "regex-automata 0.1.10",
+]
+
+[[package]]
+name = "memchr"
+version = "2.7.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
+
+[[package]]
+name = "mime"
+version = "0.3.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
+
+[[package]]
+name = "mime_guess"
+version = "2.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7c44f8e672c00fe5308fa235f821cb4198414e1c77935c1ab6948d3fd78550e"
+dependencies = [
+ "mime",
+ "unicase",
+]
+
+[[package]]
+name = "miniz_oxide"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1"
+dependencies = [
+ "adler2",
+]
+
+[[package]]
+name = "mio"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
+dependencies = [
+ "hermit-abi",
+ "libc",
+ "wasi",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "nu-ansi-term"
+version = "0.46.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77a8165726e8236064dbb45459242600304b42a5ea24ee2948e18e023bf7ba84"
+dependencies = [
+ "overload",
+ "winapi",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+ "serde",
+]
+
+[[package]]
+name = "num-conv"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9"
+
+[[package]]
+name = "num-integer"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+dependencies = [
+ "autocfg",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.19"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "object"
+version = "0.36.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "084f1a5821ac4c651660a94a7153d27ac9d8a53736203f58b31945ded098070a"
+dependencies = [
+ "memchr",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.19.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+
+[[package]]
+name = "openssl"
+version = "0.10.66"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1"
+dependencies = [
+ "bitflags",
+ "cfg-if",
+ "foreign-types",
+ "libc",
+ "once_cell",
+ "openssl-macros",
+ "openssl-sys",
+]
+
+[[package]]
+name = "openssl-macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "openssl-probe"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+
+[[package]]
+name = "openssl-sys"
+version = "0.9.103"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6"
+dependencies = [
+ "cc",
+ "libc",
+ "pkg-config",
+ "vcpkg",
+]
+
+[[package]]
+name = "overload"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b15813163c1d831bf4a13c3610c05c0d03b39feb07f7e09fa234dac9b15aaf39"
+
+[[package]]
+name = "parking_lot"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1bf18183cf54e8d6059647fc3063646a1801cf30896933ec2311622cc4b9a27"
+dependencies = [
+ "lock_api",
+ "parking_lot_core",
+]
+
+[[package]]
+name = "parking_lot_core"
+version = "0.9.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e401f977ab385c9e4e3ab30627d6f26d00e2c73eef317493c4ec6d468726cf8"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "redox_syscall",
+ "smallvec",
+ "windows-targets",
+]
+
+[[package]]
+name = "paste"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de3145af08024dea9fa9914f381a17b8fc6034dfb00f3a84013f7ff43f29ed4c"
+
+[[package]]
+name = "pem-rfc7468"
+version = "0.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412"
+dependencies = [
+ "base64ct",
+]
+
+[[package]]
+name = "percent-encoding"
+version = "2.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+
+[[package]]
+name = "pin-project-lite"
+version = "0.2.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bda66fc9667c18cb2758a2ac84d1167245054bcf85d5d1aaa6923f45801bdd02"
+
+[[package]]
+name = "pin-utils"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
+[[package]]
+name = "pkg-config"
+version = "0.3.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2"
+
+[[package]]
+name = "pocket-ic"
+version = "5.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "beff607d4dbebff8d003453ced669d2645e905de496ca93713f3d47633357e6c"
+dependencies = [
+ "base64 0.13.1",
+ "candid",
+ "hex",
+ "ic-cdk 0.13.5",
+ "reqwest",
+ "schemars",
+ "serde",
+ "serde_bytes",
+ "serde_json",
+ "sha2",
+ "slog",
+ "tokio",
+ "tracing",
+ "tracing-appender",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
+[[package]]
+name = "ppv-lite86"
+version = "0.2.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "pretty"
+version = "0.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b55c4d17d994b637e2f4daf6e5dc5d660d209d5642377d675d7a1c3ab69fa579"
+dependencies = [
+ "arrayvec",
+ "typed-arena",
+ "unicode-width",
+]
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.76"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "psm"
+version = "0.1.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5787f7cda34e3033a72192c018bc5883100330f362ef279a8cbccfce8bb4e874"
+dependencies = [
+ "cc",
+]
+
+[[package]]
+name = "quinn"
+version = "0.11.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c7c5fdde3cdae7203427dc4f0a68fe0ed09833edc525a03456b153b79828684"
+dependencies = [
+ "bytes",
+ "pin-project-lite",
+ "quinn-proto",
+ "quinn-udp",
+ "rustc-hash",
+ "rustls",
+ "socket2",
+ "thiserror",
+ "tokio",
+ "tracing",
+]
+
+[[package]]
+name = "quinn-proto"
+version = "0.11.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fadfaed2cd7f389d0161bb73eeb07b7b78f8691047a6f3e73caaeae55310a4a6"
+dependencies = [
+ "bytes",
+ "rand",
+ "ring",
+ "rustc-hash",
+ "rustls",
+ "slab",
+ "thiserror",
+ "tinyvec",
+ "tracing",
+]
+
+[[package]]
+name = "quinn-udp"
+version = "0.5.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4fe68c2e9e1a1234e218683dbdf9f9dfcb094113c5ac2b938dfcb9bab4c4140b"
+dependencies = [
+ "libc",
+ "once_cell",
+ "socket2",
+ "tracing",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
+[[package]]
+name = "redox_syscall"
+version = "0.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f"
+dependencies = [
+ "bitflags",
+]
+
+[[package]]
+name = "regex"
+version = "1.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38200e5ee88914975b69f657f0801b6f6dccafd44fd9326302a4aaeecfacb1d8"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata 0.4.8",
+ "regex-syntax 0.8.5",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.1.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+dependencies = [
+ "regex-syntax 0.6.29",
+]
+
+[[package]]
+name = "regex-automata"
+version = "0.4.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-syntax 0.8.5",
+]
+
+[[package]]
+name = "regex-syntax"
+version = "0.6.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"
+
+[[package]]
+name = "regex-syntax"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
+
+[[package]]
+name = "reqwest"
+version = "0.12.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f713147fbe92361e52392c73b8c9e48c04c6625bce969ef54dc901e58e042a7b"
+dependencies = [
+ "base64 0.22.1",
+ "bytes",
+ "futures-channel",
+ "futures-core",
+ "futures-util",
+ "h2",
+ "http",
+ "http-body",
+ "http-body-util",
+ "hyper",
+ "hyper-rustls",
+ "hyper-util",
+ "ipnet",
+ "js-sys",
+ "log",
+ "mime",
+ "mime_guess",
+ "once_cell",
+ "percent-encoding",
+ "pin-project-lite",
+ "quinn",
+ "rustls",
+ "rustls-native-certs",
+ "rustls-pemfile",
+ "rustls-pki-types",
+ "serde",
+ "serde_json",
+ "serde_urlencoded",
+ "sync_wrapper",
+ "tokio",
+ "tokio-rustls",
+ "tokio-socks",
+ "tokio-util",
+ "tower-service",
+ "url",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "wasm-streams",
+ "web-sys",
+ "webpki-roots",
+ "windows-registry",
+]
+
+[[package]]
+name = "rfc6979"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
+dependencies = [
+ "hmac",
+ "subtle",
+]
+
+[[package]]
+name = "ring"
+version = "0.17.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "getrandom",
+ "libc",
+ "spin",
+ "untrusted",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "rustc-demangle"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f"
+
+[[package]]
+name = "rustc-hash"
+version = "2.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152"
+
+[[package]]
+name = "rustc_version"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
+dependencies = [
+ "semver",
+]
+
+[[package]]
+name = "rustls"
+version = "0.23.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2dabaac7466917e566adb06783a81ca48944c6898a1b08b9374106dd671f4c8"
+dependencies = [
+ "once_cell",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "rustls-native-certs"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fcaf18a4f2be7326cd874a5fa579fae794320a0f388d365dca7e480e55f83f8a"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "rustls-pki-types"
+version = "1.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0e696e35370c65c9c541198af4543ccd580cf17fc25d8e05c5a242b202488c55"
+
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4"
+
+[[package]]
+name = "ryu"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
+
+[[package]]
+name = "schannel"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e9aaafd5a2b6e3d657ff009d82fbd630b6bd54dd4eb06f21693925cdf80f9b8b"
+dependencies = [
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "schemars"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09c024468a378b7e36765cd36702b7a90cc3cba11654f6685c8f233408e89e92"
+dependencies = [
+ "dyn-clone",
+ "schemars_derive",
+ "serde",
+ "serde_json",
+]
+
+[[package]]
+name = "schemars_derive"
+version = "0.8.21"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b1eee588578aff73f856ab961cd2f79e36bc45d7ded33a7562adba4667aecc0e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde_derive_internals",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "scopeguard"
+version = "1.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
+
+[[package]]
+name = "sec1"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
+dependencies = [
+ "base16ct",
+ "der",
+ "generic-array",
+ "pkcs8",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.12.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea4a292869320c0272d7bc55a5a6aafaff59b4f63404a003887b679a2e05b4b6"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "semver"
+version = "1.0.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b"
+
+[[package]]
+name = "serde"
+version = "1.0.210"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
+dependencies = [
+ "serde_derive",
+]
+
+[[package]]
+name = "serde_bytes"
+version = "0.11.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "387cc504cb06bb40a96c8e04e951fe01854cf6bc921053c954e4a606d9675c6a"
+dependencies = [
+ "serde",
+]
+
+[[package]]
+name = "serde_derive"
+version = "1.0.210"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "serde_derive_internals"
+version = "0.29.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18d26a20a969b9e3fdf2fc2d9f21eda6c40e2de84c9408bb5d3b05d499aae711"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "serde_json"
+version = "1.0.128"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8"
+dependencies = [
+ "itoa",
+ "memchr",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "serde_tokenstream"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "797ba1d80299b264f3aac68ab5d12e5825a561749db4df7cd7c8083900c5d4e9"
+dependencies = [
+ "proc-macro2",
+ "serde",
+ "syn 1.0.109",
+]
+
+[[package]]
+name = "serde_tokenstream"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64060d864397305347a78851c51588fd283767e7e7589829e8121d65512340f1"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "serde",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "serde_urlencoded"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+dependencies = [
+ "form_urlencoded",
+ "itoa",
+ "ryu",
+ "serde",
+]
+
+[[package]]
+name = "sha1"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sha2"
+version = "0.10.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "793db75ad2bcafc3ffa7c68b215fee268f537982cd901d132f89c6343f3a3dc8"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "digest",
+]
+
+[[package]]
+name = "sharded-slab"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6"
+dependencies = [
+ "lazy_static",
+]
+
+[[package]]
+name = "signal-hook-registry"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "digest",
+ "rand_core",
+]
+
+[[package]]
+name = "slab"
+version = "0.4.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f92a496fb766b417c996b9c5e57daf2f7ad3b0bebe1ccfca4856390e3d3bb67"
+dependencies = [
+ "autocfg",
+]
+
+[[package]]
+name = "slog"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06"
+dependencies = [
+ "erased-serde",
+]
+
+[[package]]
+name = "smallvec"
+version = "1.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
+
+[[package]]
+name = "socket2"
+version = "0.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "spin"
+version = "0.9.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
+
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
+[[package]]
+name = "stacker"
+version = "0.1.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c886bd4480155fd3ef527d45e9ac8dd7118a898a46530b7b94c3e21866259fce"
+dependencies = [
+ "cc",
+ "cfg-if",
+ "libc",
+ "psm",
+ "winapi",
+]
+
+[[package]]
+name = "strum"
+version = "0.26.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8fec0f0aef304996cf250b31b5a10dee7980c85da9d759361292b8bca5a18f06"
+
+[[package]]
+name = "strum_macros"
+version = "0.26.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c6bee85a5a24955dc440386795aa378cd9cf82acd5f764469152d2270e581be"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "rustversion",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
+[[package]]
+name = "syn"
+version = "1.0.109"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.48"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0f3531638e407dfc0814761abb7c00a5b54992b849452a0646b7f65c9f770f3f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "sync_wrapper"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7065abeca94b6a8a577f9bd45aa0867a2238b74e8eb67cf10d492bc39351394"
+dependencies = [
+ "futures-core",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.56"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d54378c645627613241d077a3a79db965db602882668f9136ac42af9ecb730ad"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.56"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa0faa943b50f3db30a20aa7e265dbc66076993efed8463e8de414e5d06d3471"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "thread_local"
+version = "1.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8b9ef9bad013ada3808854ceac7b46812a6465ba368859a37e2100283d2d719c"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+]
+
+[[package]]
+name = "time"
+version = "0.3.36"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3"
+
+[[package]]
+name = "time-macros"
+version = "0.2.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3f252a68540fde3a3877aeea552b832b40ab9a69e318efd078774a01ddee1ccf"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
+[[package]]
+name = "tinyvec"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938"
+dependencies = [
+ "tinyvec_macros",
+]
+
+[[package]]
+name = "tinyvec_macros"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
+
+[[package]]
+name = "tls_codec"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a"
+dependencies = [
+ "tls_codec_derive",
+ "zeroize",
+]
+
+[[package]]
+name = "tls_codec_derive"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "tokio"
+version = "1.40.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998"
+dependencies = [
+ "backtrace",
+ "bytes",
+ "libc",
+ "mio",
+ "parking_lot",
+ "pin-project-lite",
+ "signal-hook-registry",
+ "socket2",
+ "tokio-macros",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "tokio-macros"
+version = "2.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "tokio-rustls"
+version = "0.26.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
+dependencies = [
+ "rustls",
+ "rustls-pki-types",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-socks"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d4770b8024672c1101b3f6733eab95b18007dbe0847a8afe341fcf79e06043f"
+dependencies = [
+ "either",
+ "futures-util",
+ "thiserror",
+ "tokio",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61e7c3654c13bcd040d4a03abee2c75b1d14a37b423cf5a813ceae1cc903ec6a"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
+]
+
+[[package]]
+name = "tower-service"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
+
+[[package]]
+name = "tracing"
+version = "0.1.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3523ab5a71916ccf420eebdf5521fcef02141234bbc0b8a49f2fdc4544364ef"
+dependencies = [
+ "pin-project-lite",
+ "tracing-attributes",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-appender"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3566e8ce28cc0a3fe42519fc80e6b4c943cc4c8cef275620eb8dac2d3d4e06cf"
+dependencies = [
+ "crossbeam-channel",
+ "thiserror",
+ "time",
+ "tracing-subscriber",
+]
+
+[[package]]
+name = "tracing-attributes"
+version = "0.1.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "tracing-core"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c06d3da6113f116aaee68e4d601191614c9053067f9ab7f6edbcb161237daa54"
+dependencies = [
+ "once_cell",
+ "valuable",
+]
+
+[[package]]
+name = "tracing-log"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
+dependencies = [
+ "log",
+ "once_cell",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-serde"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bc6b213177105856957181934e4920de57730fc69bf42c37ee5bb664d406d9e1"
+dependencies = [
+ "serde",
+ "tracing-core",
+]
+
+[[package]]
+name = "tracing-subscriber"
+version = "0.3.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ad0f048c97dbd9faa9b7df56362b8ebcaa52adb06b498c050d2f4e32f90a7a8b"
+dependencies = [
+ "matchers",
+ "nu-ansi-term",
+ "once_cell",
+ "regex",
+ "serde",
+ "serde_json",
+ "sharded-slab",
+ "smallvec",
+ "thread_local",
+ "tracing",
+ "tracing-core",
+ "tracing-log",
+ "tracing-serde",
+]
+
+[[package]]
+name = "try-lock"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
+
+[[package]]
+name = "typed-arena"
+version = "2.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6af6ae20167a9ece4bcb41af5b80f8a1f1df981f6391189ce00fd257af04126a"
+
+[[package]]
+name = "typenum"
+version = "1.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
+
+[[package]]
+name = "unicase"
+version = "2.7.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f7d2d4dafb69621809a81864c9c1b864479e1235c0dd4e199924b9742439ed89"
+dependencies = [
+ "version_check",
+]
+
+[[package]]
+name = "unicode-bidi"
+version = "0.3.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75"
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+
+[[package]]
+name = "unicode-normalization"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956"
+dependencies = [
+ "tinyvec",
+]
+
+[[package]]
+name = "unicode-width"
+version = "0.1.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e51733f11c9c4f72aa0c160008246859e340b00807569a0da0e7a1079b27ba85"
+
+[[package]]
+name = "untrusted"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1"
+
+[[package]]
+name = "url"
+version = "2.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22784dbdf76fdde8af1aeda5622b546b422b6fc585325248a2bf9f5e41e94d6c"
+dependencies = [
+ "form_urlencoded",
+ "idna",
+ "percent-encoding",
+]
+
+[[package]]
+name = "valuable"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+
+[[package]]
+name = "vcpkg"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+
+[[package]]
+name = "version_check"
+version = "0.9.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "want"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
+dependencies = [
+ "try-lock",
+]
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b"
+dependencies = [
+ "bumpalo",
+ "log",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-futures"
+version = "0.4.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed"
+dependencies = [
+ "cfg-if",
+ "js-sys",
+ "wasm-bindgen",
+ "web-sys",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.93"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484"
+
+[[package]]
+name = "wasm-streams"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e072d4e72f700fb3443d8fe94a39315df013eef1104903cdb0a2abd322bbecd"
+dependencies = [
+ "futures-util",
+ "js-sys",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
+[[package]]
+name = "web-sys"
+version = "0.3.70"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki-roots"
+version = "0.26.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841c67bff177718f1d4dfefde8d8f0e78f9b6589319ba88312f567fc5841a958"
+dependencies = [
+ "rustls-pki-types",
+]
+
+[[package]]
+name = "winapi"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+dependencies = [
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
+]
+
+[[package]]
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+
+[[package]]
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+
+[[package]]
+name = "windows-registry"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e400001bb720a623c1c69032f8e3e4cf09984deec740f007dd2b03ec864804b0"
+dependencies = [
+ "windows-result",
+ "windows-strings",
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-result"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-strings"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
+dependencies = [
+ "windows-result",
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.52.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets",
+]
+
+[[package]]
+name = "windows-targets"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
+dependencies = [
+ "windows_aarch64_gnullvm",
+ "windows_aarch64_msvc",
+ "windows_i686_gnu",
+ "windows_i686_gnullvm",
+ "windows_i686_msvc",
+ "windows_x86_64_gnu",
+ "windows_x86_64_gnullvm",
+ "windows_x86_64_msvc",
+]
+
+[[package]]
+name = "windows_aarch64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
+
+[[package]]
+name = "windows_aarch64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
+
+[[package]]
+name = "windows_i686_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
+
+[[package]]
+name = "windows_i686_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
+
+[[package]]
+name = "windows_i686_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
+
+[[package]]
+name = "windows_x86_64_gnu"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
+
+[[package]]
+name = "windows_x86_64_gnullvm"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
+
+[[package]]
+name = "windows_x86_64_msvc"
+version = "0.52.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
+
+[[package]]
+name = "x509-cert"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94"
+dependencies = [
+ "const-oid",
+ "der",
+ "sha1",
+ "signature",
+ "spki",
+ "tls_codec",
+]
+
+[[package]]
+name = "x509_example_rust"
+version = "0.1.0"
+dependencies = [
+ "candid",
+ "der",
+ "ecdsa",
+ "ed25519",
+ "ed25519-dalek",
+ "elliptic-curve",
+ "getrandom",
+ "hex",
+ "ic-cdk 0.16.0",
+ "k256",
+ "openssl",
+ "pkcs8",
+ "pocket-ic",
+ "serde",
+ "serde_bytes",
+ "sha2",
+ "signature",
+ "spki",
+ "strum",
+ "strum_macros",
+ "x509-cert",
+]
+
+[[package]]
+name = "zerocopy"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
+dependencies = [
+ "byteorder",
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.7.35"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
+
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+dependencies = [
+ "zeroize_derive",
+]
+
+[[package]]
+name = "zeroize_derive"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.48",
+]
diff --git a/rust/x509/Cargo.toml b/rust/x509/Cargo.toml
new file mode 100644
index 000000000..a9039a245
--- /dev/null
+++ b/rust/x509/Cargo.toml
@@ -0,0 +1,11 @@
+[workspace]
+members = [
+    "src/x509_example_rust",
+]
+
+[profile.release]
+lto = true
+opt-level = 'z'
+panic = 'abort'
+
+
diff --git a/rust/x509/README.md b/rust/x509/README.md
new file mode 100644
index 000000000..ef3fc6ed7
--- /dev/null
+++ b/rust/x509/README.md
@@ -0,0 +1,450 @@
+---
+keywords: [advanced, rust, X.509, certificate, certificate signing request, certification authority, ed25519, threshold schnorr, schnorr, threshold ecdsa, ecdsa, secp256k1, signature]
+---
+
+# X.509
+
+[View this sample's code on GitHub](https://github.com/dfinity/examples/tree/master/rust/x509)
+
+## Overview
+
+We present a minimal example canister smart contract for showcasing two use
+cases of [X.509](https://en.wikipedia.org/wiki/X.509).
+1) How to create an X.509 certification authority (CA) certificate, where the CA
+   certificate's private key is a threshold signing key, which is never revealed
+   in cleartext, and cannot be revealed due to the properties of the threshold
+   signature protocols on the Internet Computer. This means that only the
+   canister can sign child certificates.
+2) How to create a child certificate from a certificate signing request (CSR)
+  provided by an external party. The CSR is generated externally, i.e., with a
+  private key generated by the caller.
+
+More specifically, the sample canister:
+
+- Takes a threshold Ed25519 or ECDSA with curve `secp256k1` key name upon
+  initialization, e.g., `(variant { Ed25519 = variant { TestKey1 } })`.
+- Generates a CA certificate via an update call to the `root_ca_certificate`
+  function. The CA certificate is generated only once and afterwards stored in
+  the smart contract.
+- Generates a child certificate with a CSR provided in the PEM format in an
+  update call to the `child_certificate` function.
+- Note that the derivation path of the key that is used to sign the root
+  certificate is hard-coded to be empty.
+
+Currently this canister only produces and accepts certificates with Ed25519
+keys or ECDSA keys using curve `secp256k1`.
+
+This tutorial gives a complete overview of the development, starting with
+downloading
+[`dfx`](https://internetcomputer.org/docs/current/developer-docs/setup/index.md),
+up to the deployment and trying out the code on the mainnet.
+
+
+## Prerequisites
+-   [x] Download and [install the IC
+    SDK](https://internetcomputer.org/docs/current/developer-docs/setup/index.md)
+    if you do not already have it.The minimum version of `dfx` that allows to
+    run this example locally is `0.23.0`.
+-   [x] Clone the example dapp project: `git clone https://github.com/dfinity/examples`
+
+## Getting started
+
+Sample code for `x509-example` is provided in the [examples repository](https://github.com/dfinity/examples), under [`/rust`](https://github.com/dfinity/examples/tree/master/rust/x509) sub-directory.
+
+### Deploy and test the canister locally 
+
+This tutorial will use the Rust version of the canister:
+
+```bash
+cd examples/rust/x509
+dfx start --background
+npm install
+dfx deploy
+```
+
+#### What this does
+- `dfx start --background` starts a local instance of the IC via the IC SDK
+
+If successful, you should see something like this:
+
+```bash
+Deployed canisters.
+URLs:
+  Backend canister via Candid interface:
+    x509_example: http://127.0.0.1:4943/?canisterId=t6rzw-2iaaa-aaaaa-aaama-cai&id=st75y-vaaaa-aaaaa-aaalq-cai
+```
+
+If you open the URL in a web browser, you will see a web UI that shows the
+public methods the canister exposes. Since the canister exposes
+`root_ca_certificate` and `child_certificate` methods, those are rendered in the
+web UI.
+
+### Deploying the canister on the mainnet
+
+To deploy this canister the mainnet, one needs to do two things:
+
+- Acquire cycles (equivalent of "gas" in other blockchains). This is necessary for all canisters.
+- Update the sample source code to have the right key ID. This is unique to this canister.
+
+#### Acquire cycles to deploy
+
+Deploying to the Internet Computer requires [cycles](https://internetcomputer.org/docs/current/developer-docs/setup/cycles). You can get free cycles from the [cycles faucet](https://internetcomputer.org/docs/current/developer-docs/getting-started/cycles/cycles-faucet).
+
+#### Update source code with the right key ID
+
+To deploy the sample code, the canister needs the right key name for the right
+environment. Specifically, one needs to initialize the canister with the key
+name. Here, `dfx deploy` will give a choice of key names.
+
+There are three options that are supported:
+
+* `dfx_test_key`: a default key ID that is used in deploying to a local version
+  of IC (via IC SDK).
+* `test_key_1`: a master **test** key ID that is used in mainnet.
+* `key_1`: a master **production** key ID that is used in mainnet.
+
+Note that `dfx deploy` formats those name in `PascalCase` instead of
+`snake_case` due to the formating of types in `rust`.
+
+#### Deploy to the mainnet via IC SDK
+
+To [deploy via the mainnet](https://internetcomputer.org/docs/current/developer-docs/setup/deploy-mainnet.md), run the following commands:
+
+```bash
+npm install
+dfx deploy --network ic
+```
+If successful, you should see something like this:
+
+```bash
+Deployed canisters.
+URLs:
+  Backend canister via Candid interface:
+    schnorr_example_rust: https://a3gq9-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/?id=736w4-cyaaa-aaaal-qb3wq-cai
+```
+
+In the example above, `x509_example_rust` has the URL https://a3gq9-oaaaa-aaaab-qaa4q-cai.raw.icp0.io/?id=736w4-cyaaa-aaaal-qb3wq-cai and serves up the Candid web UI for this particular canister deployed on mainnet.
+
+## Obtaining root CA certificate
+
+### Using the Candid Web UI
+
+If you deployed your canister locally or to the mainnet, you should have a URL to the Candid web UI where you can access the public methods. We can call the `root_ca_certificate` method.
+
+In the example below, the method returns
+```
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAXmgAwIBAgIBADAFBgMrZXAwazELMAkGA1UEBhMCVVMxKTAnBgNVBAoM
+IFdlYjMgY2VyaXRpZmNhdGlvbiBhdXRob3JpdHkgSW5jMTEwLwYDVQQDDChXZWIz
+IGNlcnRpZmljYXRpb24gYXV0aG9yaXR5IGNvcnBvcmF0aW9uMB4XDTI0MDkyMDE2
+MzY0MloXDTM0MDkxODE2MzY0MlowazELMAkGA1UEBhMCVVMxKTAnBgNVBAoMIFdl
+YjMgY2VyaXRpZmNhdGlvbiBhdXRob3JpdHkgSW5jMTEwLwYDVQQDDChXZWIzIGNl
+cnRpZmljYXRpb24gYXV0aG9yaXR5IGNvcnBvcmF0aW9uMCowBQYDK2VwAyEA8rDQ
+aKVQyUr1vKqf+PzXNjg+mw3t7RPVPB9ctenyQISjQjBAMB0GA1UdDgQWBBTULvca
+cvvKz89izqKDzwWZ6gwdKTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+BjAFBgMrZXADQQBlqWQ+F757rKxPXDccuhQEtrfnLoWf4rHhok/2dLioJ1+ZQda5
+DNH8/kcXoPOm0jyqlVaV1ZhQm63AMwK3gSwC
+-----END CERTIFICATE-----
+```
+as the
+root CA certificate.
+
+```json
+(
+  variant {
+    Ok = record {
+      x509_certificate_string = "-----BEGIN CERTIFICATE-----\nMIIBxzCCAXmgAwIBAgIBADAFBgMrZXAwazELMAkGA1UEBhMCVVMxKTAnBgNVBAoM\nIFdlYjMgY2VyaXRpZmNhdGlvbiBhdXRob3JpdHkgSW5jMTEwLwYDVQQDDChXZWIz\nIGNlcnRpZmljYXRpb24gYXV0aG9yaXR5IGNvcnBvcmF0aW9uMB4XDTI0MDkyMDE2\nMzY0MloXDTM0MDkxODE2MzY0MlowazELMAkGA1UEBhMCVVMxKTAnBgNVBAoMIFdl\nYjMgY2VyaXRpZmNhdGlvbiBhdXRob3JpdHkgSW5jMTEwLwYDVQQDDChXZWIzIGNl\ncnRpZmljYXRpb24gYXV0aG9yaXR5IGNvcnBvcmF0aW9uMCowBQYDK2VwAyEA8rDQ\naKVQyUr1vKqf+PzXNjg+mw3t7RPVPB9ctenyQISjQjBAMB0GA1UdDgQWBBTULvca\ncvvKz89izqKDzwWZ6gwdKTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB\nBjAFBgMrZXADQQBlqWQ+F757rKxPXDccuhQEtrfnLoWf4rHhok/2dLioJ1+ZQda5\nDNH8/kcXoPOm0jyqlVaV1ZhQm63AMwK3gSwC\n-----END CERTIFICATE-----\n";
+    }
+  },
+)
+```
+
+### Code walkthrough
+Open the file `wasm_only.rs`, which will show the following Rust code that
+demonstrates how to obtain a root CA certificate.
+
+#### Obtaining root CA certificate
+
+```rust
+#[update]
+async fn root_ca_certificate() -> Result<X509CertificateString, String> {
+    // if the certificate is already cached, return it
+
+    if let Some(certificate) = ROOT_CA_CERTIFICATE_PEM.with(|inner| inner.get().map(|v| v.clone()))
+    {
+        return Ok(X509CertificateString {
+            x509_certificate_string: certificate,
+        });
+    }
+
+    // if the certificate is not cached, create it and try to cache it
+
+    let serial_number = SerialNumber::from(0u32);
+
+    let subject = Name::from_str(
+        "CN=DEMO Web3 certification authority corporation,O=DEMO Web3 ceritifcation authority Inc,C=US",
+    )
+    .unwrap();
+
+    let newly_constructed_x509_certificate_string = match CA_KEY_INFORMATION
+        .with(|value| *value.borrow())
+    {
+        CaKeyInformation::Ed25519(_) => {
+            let signer = Ed25519Signer::new()
+                .await
+                .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+
+            let subject_public_key =
+                der::asn1::BitString::new(0, root_ca_public_key_bytes().await?)
+                    .map_err(|e| format!("source: {:?}", e.source()))?;
+
+            let pub_key = SubjectPublicKeyInfoOwned {
+                algorithm: signer.signature_algorithm_identifier().unwrap(),
+                subject_public_key,
+            };
+
+            pem_certificate_signed_by_root_ca(
+                Profile::Root,
+                serial_number,
+                validity(),
+                subject,
+                pub_key,
+                signer,
+            )
+            .await
+            .map_err(|e| format!("failed to create root certificate: {e:?}"))?
+        }
+        CaKeyInformation::EcdsaSecp256k1(_) => {
+            let signer = EcdsaSecp256k1Signer::new()
+                .await
+                .map_err(|e| format!("failed to create ECDSA secp256k1 signer: {e:?}"))?;
+
+            let public_key_bytes_compressed = root_ca_public_key_bytes().await?;
+            let public_key_bytes_uncompressed =
+                k256::ecdsa::VerifyingKey::from_sec1_bytes(public_key_bytes_compressed.as_slice())
+                    .map_err(|e| format!("malformed public key: {e:?}"))?
+                    .to_encoded_point(false);
+
+            let subject_public_key =
+                der::asn1::BitString::new(0, public_key_bytes_uncompressed.as_bytes())
+                    .map_err(|e| format!("source: {:?}", e.source()))?;
+
+            let pub_key = SubjectPublicKeyInfoOwned {
+                algorithm: AlgorithmIdentifier {
+                    // Public Key Algorithm: id-ecPublicKey (1.2.840.10045.2.1)
+                    oid: pkcs8::ObjectIdentifier::new_unwrap("1.2.840.10045.2.1"),
+                    parameters: Some(der::Any::from(k256::Secp256k1::OID)),
+                },
+                subject_public_key,
+            };
+
+            pem_certificate_signed_by_root_ca(
+                Profile::Root,
+                serial_number,
+                validity(),
+                subject,
+                pub_key,
+                signer,
+            )
+            .await
+            .map_err(|e| format!("failed to create root certificate: {e:?}"))?
+        }
+    };
+
+    let x509_certificate_string = ROOT_CA_CERTIFICATE_PEM.with(move |inner| {
+        inner
+            .get_or_init(|| newly_constructed_x509_certificate_string)
+            .clone()
+    });
+
+    Ok(X509CertificateString {
+        x509_certificate_string,
+    })
+}
+
+async fn pem_certificate_signed_by_root_ca<Signer>(
+    profile: Profile,
+    serial_number: SerialNumber,
+    validity: Validity,
+    subject: Name,
+    subject_public_key_info: SubjectPublicKeyInfoOwned,
+    signer: Signer,
+) -> Result<String, String>
+where
+    Signer: Sign,
+    Signer: Keypair + DynSignatureAlgorithmIdentifier,
+    Signer::VerifyingKey: EncodePublicKey,
+{
+    let mut builder = CertificateBuilder::new(
+        profile,
+        serial_number,
+        validity,
+        subject,
+        subject_public_key_info,
+        &signer,
+    )
+    .expect("Create certificate");
+
+    let blob = builder
+        .finalize()
+        .map_err(|e| format!("failed to finalize certificate builder: {e:?}"))?;
+
+    let signature = BitString::from_bytes(&signer.sign(&blob).await?)
+        .map_err(|e| format!("wrong signature length: {e:?}"))?;
+
+    let certificate = builder
+        .assemble(signature)
+        .map_err(|e| format!("failed to assemble certificate: {e:?}"))?;
+
+    certificate
+        .to_pem(LineEnding::LF)
+        .map_err(|e| format!("failed to encode certificate: {e:?}"))
+}
+```
+
+In the code above, the canister calls `root_ca_public_key_bytes` which calls
+`schnorr_public_key` method or `ecdsa_public_key` method of the [IC management
+canister](https://internetcomputer.org/docs/current/references/ic-interface-spec/#ic-management-canister)
+(`aaaaa-aa`). Then, inside `pem_certificated_signed_by_root_ca`, the canister
+calls `sign_with_schnorr` method or `sign_with_ecdsa` method of the IC
+management canister inside `Ed25519Signer::sign` or
+`EcdsaSecp256k1Signer::sign`, respectively, in order to produce a certificate
+signature. More details about `Ed25519Signer` and `EcdsaSecp256k1Signer` can be
+found in `wasm_only/signer.rs`.
+
+**The [IC management
+canister](https://internetcomputer.org/docs/current/references/ic-interface-spec/#ic-management-canister)
+is just a facade; it does not exist as a canister (with isolated state, Wasm
+code, etc.). It is an ergonomic way for canisters to call the system API of the
+IC (as if it were a single canister). In the code below, we use the management
+canister to create a Schnorr public key. Canister ID `"aaaaa-aa"`
+declares the IC management canister in the canister code.**
+
+#### Creating a certificate signing request (CSR) and obtaining the signed child certificate
+
+```rust
+#[update]
+async fn child_certificate(
+    certificate_request_info: PemCertificateRequest,
+) -> Result<X509CertificateString, String> {
+    let cert_req =
+        CertReq::from_pem(certificate_request_info.pem_certificate_request.as_bytes())
+            .map_err(|e| format!("failed to parse PEM certificate signing request: {e:?}"))?;
+
+    verify_certificate_request_signature(&cert_req)?;
+
+    if !cert_req.info.attributes.is_empty() {
+        return Err("Attributes are currently not supported in this example".to_string());
+    }
+
+    prove_ownership(&cert_req, ic_cdk::api::caller() /*, ... */)?;
+
+    let root_certificate_pem = root_ca_certificate().await?;
+    let root_certificate =
+        x509_cert::Certificate::from_pem(root_certificate_pem.x509_certificate_string.as_str())
+            .map_err(|e| format!("failed to parse PEM root CA certificate: {e:?}"))?;
+
+    let profile = Profile::Leaf {
+        issuer: root_certificate.tbs_certificate.subject.clone(),
+        enable_key_agreement: false,
+        enable_key_encipherment: false,
+    };
+
+    let serial_number = SerialNumber::from(next_child_certificate_serial_number());
+
+    // For simplicity of this example, let's just use the same validity
+    // period as the root certificate. In a real application, the validity
+    // would normally not start in the past and might end well before the root
+    // certificate validity ends. Also, the validity of the child
+    // ceritifcate should always be in the time frame of the root
+    // certificate's validity.
+    let validity = root_certificate.tbs_certificate.validity.clone();
+
+    let x509_certificate_string = {
+        match CA_KEY_INFORMATION.with(|value| *value.borrow()) {
+            CaKeyInformation::Ed25519(_) => {
+                let signer = Ed25519Signer::new()
+                    .await
+                    .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+                pem_certificate_signed_by_root_ca(
+                    profile,
+                    serial_number,
+                    validity,
+                    cert_req.info.subject.clone(),
+                    cert_req.info.public_key.clone(),
+                    signer,
+                )
+                .await
+                .map_err(|e| format!("failed to create child certificate: {e:?}"))?
+            }
+            CaKeyInformation::EcdsaSecp256k1(_) => {
+                let signer = EcdsaSecp256k1Signer::new()
+                    .await
+                    .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+                pem_certificate_signed_by_root_ca(
+                    profile,
+                    serial_number,
+                    validity,
+                    cert_req.info.subject.clone(),
+                    cert_req.info.public_key.clone(),
+                    signer,
+                )
+                .await
+                .map_err(|e| format!("failed to create child certificate: {e:?}"))?
+            }
+        }
+    };
+
+    Ok(X509CertificateString {
+        x509_certificate_string,
+    })
+}
+```
+
+Similarly to the root CA certificate, child certificates are signed via the
+`pem_certificate_signed_by_root_ca` function. The major difference here is that
+the meta-information about the certificate such as subject and public key
+information are provided via a
+[CSR](https://en.wikipedia.org/wiki/Certificate_signing_request) in the PKCS#10
+format, which is the most widely-used CSR format and can be generate e.g. using
+OpenSSL.
+
+The `child_certificate` API allows for an external user to generate a key pair
+locally, create a CSR, send it in the PEM format to the smart contract, and get
+a X.509 certificate for the CSR, signed with the key of the CA certificate.
+
+Note that, similarly to CA certificates, currently only Ed25519 and ECDSA with
+curve `secp256k1` are supported for child certificates, i.e., also for CSRs.
+
+## Certificate verification
+
+Certificates obtained from the smart contract can be validated e.g. using
+OpenSSL.
+
+To validate the root CA certificate from a locally deployed smart contract, the
+following command can be used.
+```shell
+dfx canister call x509_example_rust root_ca_certificate --output json | jq '.["Ok"].["x509_certificate_string"]' | sed -e 's/\\n/\n/g' -e 's/\"//g' > root_ca_cert.pem && openssl verify -CAfile root_ca_cert.pem root_ca_cert.pem
+```
+
+To create a CSR, the following script could be used.
+```shell
+openssl genpkey -algorithm Ed25519 -out key.pem
+openssl req -new -key key.pem -out request.csr -subj "/CN=Test corporation/O=Test Inc/C=US"
+```
+
+To validate a child certificate, the following command could be used.
+```shell
+CSR=$(cat request.csr)
+dfx canister call x509_example_rust child_certificate "(record { pem_certificate_request = \"$CSR\";  } )" --output json | jq '.["Ok"].["x509_certificate_string"]' | sed -e 's/\\n/\n/g' -e 's/\"//g' > child_cert.pem &&
+openssl verify -CAfile root_ca_cert.pem child_cert.pem
+```
+
+## Conclusion
+
+In this walkthrough, we deployed a sample smart contract that:
+
+* Generated a root CA certificated self-signed with private Ed25519 keys even
+  though **canisters do not hold Schnorr keys themselves**.
+* Requested child certificate signed with the private Ed25519 key of the root CA
+  certificate.
diff --git a/rust/x509/dfx.json b/rust/x509/dfx.json
new file mode 100644
index 000000000..c09abdf5f
--- /dev/null
+++ b/rust/x509/dfx.json
@@ -0,0 +1,9 @@
+{
+  "canisters": {
+    "x509_example_rust": {
+      "candid": "src/x509_example_rust/x509_example.did",
+      "package": "x509_example_rust",
+      "type": "rust"
+    }
+  }
+}
\ No newline at end of file
diff --git a/rust/x509/src/x509_example_rust/Cargo.toml b/rust/x509/src/x509_example_rust/Cargo.toml
new file mode 100644
index 000000000..b45993dae
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/Cargo.toml
@@ -0,0 +1,33 @@
+[package]
+name = "x509_example_rust"
+version = "0.1.0"
+edition = "2018"
+
+[lib]
+path = "src/lib.rs"
+crate-type = ["lib", "cdylib"]
+
+[dependencies]
+candid = "=0.10.4"
+der = { version = "0.7.9", features = ["alloc", "derive", "flagset", "oid"] }
+ecdsa = { version = "0.16.9", features = ["alloc", "pkcs8", "pem"] }
+ed25519 = { version = "2.2.3", features = ["alloc", "pkcs8", "pem"] }
+ed25519-dalek = { version = "2.1.1" }
+elliptic-curve = { version = "0.13.8", features = ["pkcs8"] }
+getrandom = { version = "0.2", features = ["custom"] }
+hex = "0.4"
+ic-cdk = "0.16"
+k256 = "0.13.3"
+pkcs8 = "0.10.2"
+sha2 = "0.10"
+serde = "1.0"
+serde_bytes = "0.11"
+signature = "2.2.0"
+spki = "0.7.3"
+strum = "0.26.3"
+strum_macros = "0.26.3"
+x509-cert = { version = "0.2.5", features = ["builder"] }
+
+[dev-dependencies]
+openssl = "0.10.66"
+pocket-ic = "5.0.0"
diff --git a/rust/x509/src/x509_example_rust/src/all_architectures.rs b/rust/x509/src/x509_example_rust/src/all_architectures.rs
new file mode 100644
index 000000000..24cbc8d17
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/src/all_architectures.rs
@@ -0,0 +1,55 @@
+use candid::CandidType;
+use serde::{Deserialize, Serialize};
+use strum_macros::IntoStaticStr;
+
+#[derive(CandidType, Serialize, Deserialize, Debug, Copy, Clone)]
+pub enum SchnorrAlgorithm {
+    #[serde(rename = "bip340secp256k1")]
+    Bip340Secp256k1,
+    #[serde(rename = "ed25519")]
+    Ed25519,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct PublicKeyReply {
+    pub public_key_hex: String,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct SignatureReply {
+    pub signature_hex: String,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct SignatureVerificationReply {
+    pub is_signature_valid: bool,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug, Clone, Copy, IntoStaticStr)]
+pub enum KeyName {
+    #[allow(unused)]
+    #[strum(serialize = "dfx_test_key")]
+    DfxTestKey,
+    #[allow(unused)]
+    #[strum(serialize = "test_key_1")]
+    TestKey1,
+    #[allow(unused)]
+    #[strum(serialize = "key_1")]
+    Key1,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug, Clone, Copy)]
+pub enum CaKeyInformation {
+    Ed25519(KeyName),
+    EcdsaSecp256k1(KeyName),
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct X509CertificateString {
+    pub x509_certificate_string: String,
+}
+
+#[derive(CandidType, Deserialize, Debug)]
+pub struct PemCertificateRequest {
+    pub pem_certificate_request: String,
+}
diff --git a/rust/x509/src/x509_example_rust/src/lib.rs b/rust/x509/src/x509_example_rust/src/lib.rs
new file mode 100644
index 000000000..707acd8a8
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/src/lib.rs
@@ -0,0 +1,9 @@
+mod all_architectures;
+pub use all_architectures::*;
+
+// We need to compile this crate for integration testing. However, it fails to
+// compile with linking errors on x86 targets, but we only need a few types
+// added above for testing. For generating the canister code, `cargo build
+// --release --target wasm32-unknown-unknown` should be used.
+#[cfg(target_arch = "wasm32")]
+pub mod wasm_only;
diff --git a/rust/x509/src/x509_example_rust/src/wasm_only.rs b/rust/x509/src/x509_example_rust/src/wasm_only.rs
new file mode 100644
index 000000000..4b97ffdf8
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/src/wasm_only.rs
@@ -0,0 +1,501 @@
+use crate::{CaKeyInformation, KeyName, PemCertificateRequest, X509CertificateString};
+
+use super::SchnorrAlgorithm;
+use candid::{CandidType, Principal};
+use der::{asn1::BitString, pem::LineEnding, DecodePem, Encode, EncodePem};
+use ic_cdk::api::management_canister::ecdsa as cdk_ecdsa;
+use ic_cdk::export_candid;
+use ic_cdk::{api::time, init, update};
+use pkcs8::AssociatedOid;
+use serde::{Deserialize, Serialize};
+use signature::Keypair;
+use spki::{AlgorithmIdentifier, DynSignatureAlgorithmIdentifier, EncodePublicKey};
+use std::{
+    cell::OnceCell, cell::RefCell, convert::TryFrom, convert::TryInto, error::Error, ops::Deref,
+    str::FromStr, time::Duration,
+};
+use x509_cert::{
+    builder::{Builder, CertificateBuilder, Profile},
+    name::Name,
+    request::CertReq,
+    serial_number::SerialNumber,
+    spki::SubjectPublicKeyInfoOwned,
+    time::{Time, Validity},
+};
+
+mod signer;
+use signer::{EcdsaSecp256k1Signer, Ed25519Signer, Sign};
+
+type CanisterId = Principal;
+
+impl TryFrom<&CaKeyInformation> for SchnorrKeyId {
+    type Error = String;
+
+    fn try_from(value: &CaKeyInformation) -> Result<Self, Self::Error> {
+        match value {
+            CaKeyInformation::Ed25519(key_name) => Ok(SchnorrKeyId {
+                algorithm: SchnorrAlgorithm::Ed25519,
+                name: String::from(<&'static str>::from(key_name)),
+            }),
+            something_else => Err(format!(
+                "Expected Ed25519 CA key but got {something_else:?}"
+            )),
+        }
+    }
+}
+
+impl TryFrom<&CaKeyInformation> for cdk_ecdsa::EcdsaKeyId {
+    type Error = String;
+
+    fn try_from(value: &CaKeyInformation) -> Result<Self, Self::Error> {
+        match value {
+            CaKeyInformation::EcdsaSecp256k1(key_name) => Ok(cdk_ecdsa::EcdsaKeyId {
+                curve: cdk_ecdsa::EcdsaCurve::Secp256k1,
+                name: String::from(<&'static str>::from(key_name)),
+            }),
+            something_else => Err(format!(
+                "Expected EcdsaSecp256k1 CA key but got {something_else:?}"
+            )),
+        }
+    }
+}
+
+thread_local! {
+    static CA_KEY_INFORMATION: RefCell<CaKeyInformation> = RefCell::new(CaKeyInformation::Ed25519(KeyName::DfxTestKey));
+
+    // cache the public key and certificate to avoid fetching them multiple times
+    static ROOT_CA_PUBLIC_KEY: OnceCell<Vec<u8>> = OnceCell::new();
+    static ROOT_CA_CERTIFICATE_PEM: OnceCell<String> = OnceCell::new();
+
+    static CHILD_CERTIFICATE_SERIAL_NUMBER: RefCell<u32> = RefCell::new(1);
+}
+
+#[init]
+fn init(ca_key_information: CaKeyInformation) {
+    CA_KEY_INFORMATION.with(|value| {
+        *value.borrow_mut() = ca_key_information;
+    });
+}
+
+#[update]
+async fn root_ca_certificate() -> Result<X509CertificateString, String> {
+    // if the certificate is already cached, return it
+
+    if let Some(certificate) = ROOT_CA_CERTIFICATE_PEM.with(|inner| inner.get().map(|v| v.clone()))
+    {
+        return Ok(X509CertificateString {
+            x509_certificate_string: certificate,
+        });
+    }
+
+    // if the certificate is not cached, create it and try to cache it
+
+    let serial_number = SerialNumber::from(1u32);
+
+    let subject = Name::from_str(
+        "CN=Web3 certification authority corporation,O=Web3 ceritifcation authority Inc,C=US",
+    )
+    .unwrap();
+
+    let newly_constructed_x509_certificate_string = match CA_KEY_INFORMATION
+        .with(|value| *value.borrow())
+    {
+        CaKeyInformation::Ed25519(_) => {
+            let signer = Ed25519Signer::new()
+                .await
+                .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+
+            let subject_public_key =
+                der::asn1::BitString::new(0, root_ca_public_key_bytes().await?)
+                    .map_err(|e| format!("source: {:?}", e.source()))?;
+
+            let pub_key = SubjectPublicKeyInfoOwned {
+                algorithm: signer.signature_algorithm_identifier().unwrap(),
+                subject_public_key,
+            };
+
+            pem_certificate_signed_by_root_ca(
+                Profile::Root,
+                serial_number,
+                validity(),
+                subject,
+                pub_key,
+                signer,
+            )
+            .await
+            .map_err(|e| format!("failed to create root certificate: {e:?}"))?
+        }
+        CaKeyInformation::EcdsaSecp256k1(_) => {
+            let signer = EcdsaSecp256k1Signer::new()
+                .await
+                .map_err(|e| format!("failed to create ECDSA secp256k1 signer: {e:?}"))?;
+
+            let public_key_bytes_compressed = root_ca_public_key_bytes().await?;
+            let public_key_bytes_uncompressed =
+                k256::ecdsa::VerifyingKey::from_sec1_bytes(public_key_bytes_compressed.as_slice())
+                    .map_err(|e| format!("malformed public key: {e:?}"))?
+                    .to_encoded_point(false);
+
+            let subject_public_key =
+                der::asn1::BitString::new(0, public_key_bytes_uncompressed.as_bytes())
+                    .map_err(|e| format!("source: {:?}", e.source()))?;
+
+            let pub_key = SubjectPublicKeyInfoOwned {
+                algorithm: AlgorithmIdentifier {
+                    // Public Key Algorithm: id-ecPublicKey (1.2.840.10045.2.1)
+                    oid: pkcs8::ObjectIdentifier::new_unwrap("1.2.840.10045.2.1"),
+                    parameters: Some(der::Any::from(k256::Secp256k1::OID)),
+                },
+                subject_public_key,
+            };
+
+            pem_certificate_signed_by_root_ca(
+                Profile::Root,
+                serial_number,
+                validity(),
+                subject,
+                pub_key,
+                signer,
+            )
+            .await
+            .map_err(|e| format!("failed to create root certificate: {e:?}"))?
+        }
+    };
+
+    let x509_certificate_string = ROOT_CA_CERTIFICATE_PEM.with(move |inner| {
+        inner
+            .get_or_init(|| newly_constructed_x509_certificate_string)
+            .clone()
+    });
+
+    Ok(X509CertificateString {
+        x509_certificate_string,
+    })
+}
+
+#[update]
+async fn child_certificate(
+    certificate_request_info: PemCertificateRequest,
+) -> Result<X509CertificateString, String> {
+    let cert_req =
+        CertReq::from_pem(certificate_request_info.pem_certificate_request.as_bytes())
+            .map_err(|e| format!("failed to parse PEM certificate signing request: {e:?}"))?;
+
+    verify_certificate_request_signature(&cert_req)?;
+
+    if !cert_req.info.attributes.is_empty() {
+        return Err("Attributes are currently not supported in this example".to_string());
+    }
+
+    prove_ownership(&cert_req, ic_cdk::api::caller() /*, ... */)?;
+
+    let root_certificate_pem = root_ca_certificate().await?;
+    let root_certificate =
+        x509_cert::Certificate::from_pem(root_certificate_pem.x509_certificate_string.as_str())
+            .map_err(|e| format!("failed to parse PEM root CA certificate: {e:?}"))?;
+
+    let profile = Profile::Leaf {
+        issuer: root_certificate.tbs_certificate.subject.clone(),
+        enable_key_agreement: false,
+        enable_key_encipherment: false,
+    };
+
+    let serial_number = SerialNumber::from(next_child_certificate_serial_number());
+
+    // For simplicity of this example, let's just use the same validity
+    // period as the root certificate. In a real application, the validity
+    // would normally not start in the past and might end well before the root
+    // certificate validity ends. Also, the validity of the child
+    // ceritifcate should always be in the time frame of the root
+    // certificate's validity.
+    let validity = root_certificate.tbs_certificate.validity.clone();
+
+    let x509_certificate_string = {
+        match CA_KEY_INFORMATION.with(|value| *value.borrow()) {
+            CaKeyInformation::Ed25519(_) => {
+                let signer = Ed25519Signer::new()
+                    .await
+                    .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+                pem_certificate_signed_by_root_ca(
+                    profile,
+                    serial_number,
+                    validity,
+                    cert_req.info.subject.clone(),
+                    cert_req.info.public_key.clone(),
+                    signer,
+                )
+                .await
+                .map_err(|e| format!("failed to create child certificate: {e:?}"))?
+            }
+            CaKeyInformation::EcdsaSecp256k1(_) => {
+                let signer = EcdsaSecp256k1Signer::new()
+                    .await
+                    .map_err(|e| format!("failed to create Ed25519 signer: {e:?}"))?;
+                pem_certificate_signed_by_root_ca(
+                    profile,
+                    serial_number,
+                    validity,
+                    cert_req.info.subject.clone(),
+                    cert_req.info.public_key.clone(),
+                    signer,
+                )
+                .await
+                .map_err(|e| format!("failed to create child certificate: {e:?}"))?
+            }
+        }
+    };
+
+    Ok(X509CertificateString {
+        x509_certificate_string,
+    })
+}
+
+#[derive(CandidType, Serialize, Debug)]
+struct ManagementCanisterSchnorrPublicKeyRequest {
+    pub canister_id: Option<CanisterId>,
+    pub derivation_path: Vec<Vec<u8>>,
+    pub key_id: SchnorrKeyId,
+}
+
+#[derive(CandidType, Deserialize, Debug)]
+struct ManagementCanisterSchnorrPublicKeyReply {
+    pub public_key: Vec<u8>,
+    pub chain_code: Vec<u8>,
+}
+
+#[derive(CandidType, Serialize, Debug, Clone)]
+struct SchnorrKeyId {
+    pub algorithm: SchnorrAlgorithm,
+    pub name: String,
+}
+
+#[derive(CandidType, Serialize, Debug)]
+struct ManagementCanisterSignatureRequest {
+    pub message: Vec<u8>,
+    pub derivation_path: Vec<Vec<u8>>,
+    pub key_id: SchnorrKeyId,
+}
+
+#[derive(CandidType, Deserialize, Debug)]
+struct ManagementCanisterSignatureReply {
+    pub signature: Vec<u8>,
+}
+
+async fn root_ca_public_key_bytes() -> Result<Vec<u8>, String> {
+    // if the public key is already cached, return it
+    if let Some(public_key) = ROOT_CA_PUBLIC_KEY.with(|inner| inner.get().map(|v| v.clone())) {
+        return Ok(public_key);
+    };
+
+    let result = match CA_KEY_INFORMATION.with(|value| *value.borrow()) {
+        CaKeyInformation::Ed25519(_) => {
+            // if the public key is not cached, fetch it from the management canister
+            let request = ManagementCanisterSchnorrPublicKeyRequest {
+                canister_id: None,
+                derivation_path: derivation_path(),
+                key_id: CA_KEY_INFORMATION
+                    .with(|value| SchnorrKeyId::try_from(value.borrow().deref()))?,
+            };
+
+            let (res,): (ManagementCanisterSchnorrPublicKeyReply,) = ic_cdk::call(
+                Principal::management_canister(),
+                "schnorr_public_key",
+                (request,),
+            )
+            .await
+            .map_err(|e| format!("schnorr_public_key failed {}", e.1))?;
+
+            res.public_key
+        }
+        CaKeyInformation::EcdsaSecp256k1(_) => {
+            let args = cdk_ecdsa::EcdsaPublicKeyArgument {
+                canister_id: None,
+                derivation_path: derivation_path(),
+                key_id: CA_KEY_INFORMATION
+                    .with(|value| cdk_ecdsa::EcdsaKeyId::try_from(value.borrow().deref()))?,
+            };
+            let response = cdk_ecdsa::ecdsa_public_key(args)
+                .await
+                .map_err(|e| format!("ecdsa_public_key failed {}", e.1))?;
+            response.0.public_key
+        }
+    };
+
+    // try to initialize the cache with the fetched public key or returne the
+    // cached value, because we were making an async call between the cache
+    // check and cache initialization
+    Ok(ROOT_CA_PUBLIC_KEY.with(move |inner| inner.get_or_init(|| result).clone()))
+}
+
+async fn pem_certificate_signed_by_root_ca<Signer>(
+    profile: Profile,
+    serial_number: SerialNumber,
+    validity: Validity,
+    subject: Name,
+    subject_public_key_info: SubjectPublicKeyInfoOwned,
+    signer: Signer,
+) -> Result<String, String>
+where
+    Signer: Sign,
+    Signer: Keypair + DynSignatureAlgorithmIdentifier,
+    Signer::VerifyingKey: EncodePublicKey,
+{
+    let mut builder = CertificateBuilder::new(
+        profile,
+        serial_number,
+        validity,
+        subject,
+        subject_public_key_info,
+        &signer,
+    )
+    .expect("Create certificate");
+
+    let blob = builder
+        .finalize()
+        .map_err(|e| format!("failed to finalize certificate builder: {e:?}"))?;
+
+    let signature = BitString::from_bytes(&signer.sign(&blob).await?)
+        .map_err(|e| format!("wrong signature length: {e:?}"))?;
+
+    let certificate = builder
+        .assemble(signature)
+        .map_err(|e| format!("failed to assemble certificate: {e:?}"))?;
+
+    certificate
+        .to_pem(LineEnding::LF)
+        .map_err(|e| format!("failed to encode certificate: {e:?}"))
+}
+
+fn verify_certificate_request_signature(certificate_request: &CertReq) -> Result<(), String> {
+    fn certificate_as_message_and_public_key_bytes(
+        certificate_request: &CertReq,
+    ) -> (Vec<u8>, Vec<u8>) {
+        let mut message = vec![];
+        certificate_request
+            .info
+            .encode(&mut message)
+            .expect("failed to encode certificate request info");
+
+        let public_key_bytes = certificate_request
+            .info
+            .public_key
+            .subject_public_key
+            .raw_bytes()
+            .to_vec();
+
+        (message, public_key_bytes)
+    }
+    let result = match &certificate_request.algorithm {
+        AlgorithmIdentifier::<der::Any> {
+            oid: ed25519::pkcs8::ALGORITHM_OID,
+            parameters: None,
+        } => {
+            let (message, public_key_bytes) =
+                certificate_as_message_and_public_key_bytes(certificate_request);
+            verify_ed25519_signature(
+                certificate_request.signature.raw_bytes(),
+                message.as_slice(),
+                public_key_bytes.as_slice(),
+            )
+        }
+        AlgorithmIdentifier::<der::Any> {
+            oid: ecdsa::ECDSA_SHA256_OID,
+            parameters: None, // secp256k1 is non-standard and is sometimes encoded as None
+        } => {
+            let (message, public_key_bytes) =
+                certificate_as_message_and_public_key_bytes(certificate_request);
+            verify_ecdsa_secp256k1_signature(
+                certificate_request.signature.raw_bytes(),
+                message.as_slice(),
+                public_key_bytes.as_slice(),
+            )
+        }
+        _ => Err(format!(
+            "unsupported algorithm: {:?}",
+            certificate_request.algorithm
+        )),
+    };
+
+    result.map_err(|e| format!("failed to verify CRS: {e:?}"))
+}
+
+fn verify_ed25519_signature(
+    signature_bytes: &[u8],
+    message_bytes: &[u8],
+    public_key_bytes: &[u8],
+) -> Result<(), String> {
+    use ed25519_dalek::{Signature, Verifier, VerifyingKey};
+    let verifying_key = VerifyingKey::from_bytes(
+        public_key_bytes
+            .try_into()
+            .map_err(|e| format!("malformed public key: {e:?}"))?,
+    )
+    .map_err(|e| format!("couldn't create veryfing key: {e:?}"))?;
+    let signature = Signature::from_slice(signature_bytes)
+        .map_err(|e| format!("malformed signature: {e:?}"))?;
+    verifying_key
+        .verify(message_bytes, &signature)
+        .map_err(|e| format!("invalid signature: {:?}", e))
+}
+
+fn verify_ecdsa_secp256k1_signature(
+    der_signature_bytes: &[u8],
+    message_bytes: &[u8],
+    public_key_bytes: &[u8],
+) -> Result<(), String> {
+    use k256::ecdsa::{signature::Verifier, Signature, VerifyingKey};
+    let verifying_key = VerifyingKey::from_sec1_bytes(
+        public_key_bytes
+            .try_into()
+            .map_err(|e| format!("malformed public key: {e:?}"))?,
+    )
+    .map_err(|e| format!("couldn't create veryfing key: {e:?}"))?;
+
+    let mut signature = Signature::from_der(der_signature_bytes)
+        .map_err(|e| format!("malformed signature: {e:?}"))?;
+    if let Some(normalized_signature) = signature.normalize_s() {
+        signature = normalized_signature;
+    };
+    let result = verifying_key
+        .verify(message_bytes, &signature)
+        .map_err(|e| format!("invalid signature: {:?}", e));
+    result
+}
+
+fn next_child_certificate_serial_number() -> u32 {
+    CHILD_CERTIFICATE_SERIAL_NUMBER.with(|state| {
+        let mut serial_number = state.borrow_mut();
+        *serial_number += 1;
+        *serial_number
+    })
+}
+
+fn prove_ownership(_cert_req: &CertReq, _caller: Principal /*, ... */) -> Result<(), String> {
+    // ********** This is a placeholder for a real implementation. **********
+    // ********** In a real implementation, the subject would have **********
+    // ********** to prove ownership of the subject name.          **********
+    Ok(())
+}
+
+fn derivation_path() -> Vec<Vec<u8>> {
+    vec![]
+}
+
+fn validity() -> Validity {
+    let not_before_system_time = std::time::SystemTime::UNIX_EPOCH
+        .checked_add(std::time::Duration::from_nanos(time()))
+        .expect("failed to obtain current time");
+    let ten_years = Duration::from_secs(10 * 365 * 24 * 60 * 60);
+    Validity {
+        not_before: Time::try_from(not_before_system_time).expect("failed to convert time"),
+        not_after: Time::try_from(not_before_system_time + ten_years)
+            .expect("failed to convert time"),
+    }
+}
+
+getrandom::register_custom_getrandom!(always_fail);
+pub fn always_fail(_buf: &mut [u8]) -> Result<(), getrandom::Error> {
+    Err(getrandom::Error::UNSUPPORTED)
+}
+
+export_candid!();
diff --git a/rust/x509/src/x509_example_rust/src/wasm_only/signer.rs b/rust/x509/src/x509_example_rust/src/wasm_only/signer.rs
new file mode 100644
index 000000000..a14f22925
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/src/wasm_only/signer.rs
@@ -0,0 +1,141 @@
+use std::{convert::TryFrom, ops::Deref};
+
+use candid::Principal;
+use elliptic_curve::sec1::ToEncodedPoint;
+use ic_cdk::api::management_canister::ecdsa as cdk_ecdsa;
+use sha2::Digest;
+use spki::{AlgorithmIdentifierOwned, DynSignatureAlgorithmIdentifier};
+
+use super::{
+    derivation_path, root_ca_public_key_bytes, ManagementCanisterSignatureReply,
+    ManagementCanisterSignatureRequest, SchnorrKeyId, CA_KEY_INFORMATION,
+};
+
+pub trait Sign {
+    async fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String>;
+}
+
+pub struct Ed25519Signer {
+    key_id: SchnorrKeyId,
+    public_key: ed25519::pkcs8::PublicKeyBytes,
+}
+
+impl Ed25519Signer {
+    pub async fn new() -> Result<Self, String> {
+        let public_key_raw = <[u8; 32]>::try_from(root_ca_public_key_bytes().await?.as_slice())
+            .map_err(|e| format!("public key has wrong length: {e:?}"))?;
+        let public_key = ed25519::pkcs8::PublicKeyBytes(public_key_raw);
+        Ok(Self {
+            key_id: CA_KEY_INFORMATION
+                .with(|value| SchnorrKeyId::try_from(value.borrow().deref()))?,
+            public_key,
+        })
+    }
+}
+
+impl Sign for Ed25519Signer {
+    async fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String> {
+        let internal_request = ManagementCanisterSignatureRequest {
+            message: msg.to_vec(),
+            derivation_path: derivation_path(), // empty because there is only one root certificate for everyone in this example
+            key_id: self.key_id.clone(),
+        };
+
+        let (internal_reply,): (ManagementCanisterSignatureReply,) =
+            ic_cdk::api::call::call_with_payment(
+                Principal::management_canister(),
+                "sign_with_schnorr",
+                (internal_request,),
+                26_153_846_153,
+            )
+            .await
+            .map_err(|e| format!("sign_with_schnorr failed {e:?}"))?;
+
+        Ok(internal_reply.signature)
+    }
+}
+
+impl AsRef<ed25519::pkcs8::PublicKeyBytes> for Ed25519Signer {
+    fn as_ref(&self) -> &ed25519::pkcs8::PublicKeyBytes {
+        &self.public_key
+    }
+}
+
+impl signature::KeypairRef for Ed25519Signer {
+    type VerifyingKey = ed25519::pkcs8::PublicKeyBytes;
+}
+
+impl DynSignatureAlgorithmIdentifier for Ed25519Signer {
+    fn signature_algorithm_identifier(&self) -> spki::Result<AlgorithmIdentifierOwned> {
+        Ok(AlgorithmIdentifierOwned {
+            oid: ed25519::pkcs8::ALGORITHM_OID.clone(),
+            parameters: None,
+        })
+    }
+}
+
+pub struct EcdsaSecp256k1Signer {
+    key_id: cdk_ecdsa::EcdsaKeyId,
+    public_key: k256::ecdsa::VerifyingKey,
+}
+
+impl EcdsaSecp256k1Signer {
+    pub async fn new() -> Result<Self, String> {
+        let public_key = k256::ecdsa::VerifyingKey::from_encoded_point(
+            &k256::PublicKey::from_sec1_bytes(&root_ca_public_key_bytes().await?.as_slice())
+                .map_err(|e| format!("malformed public key: {e:?}"))?
+                .to_encoded_point(false),
+        )
+        .unwrap();
+        Ok(Self {
+            key_id: CA_KEY_INFORMATION
+                .with(|value| cdk_ecdsa::EcdsaKeyId::try_from(value.borrow().deref()))?,
+            public_key,
+        })
+    }
+}
+
+impl Sign for EcdsaSecp256k1Signer {
+    async fn sign(&self, msg: &[u8]) -> Result<Vec<u8>, String> {
+        let mut hasher = sha2::Sha256::new();
+        hasher.update(msg);
+
+        let args = cdk_ecdsa::SignWithEcdsaArgument {
+            message_hash: hasher.finalize().to_vec(),
+            derivation_path: derivation_path(),
+            key_id: self.key_id.clone(),
+        };
+
+        let (internal_reply,): (cdk_ecdsa::SignWithEcdsaResponse,) =
+            cdk_ecdsa::sign_with_ecdsa(args)
+                .await
+                .map_err(|e| format!("sign_with_schnorr failed {e:?}"))?;
+
+        Ok(
+            k256::ecdsa::Signature::from_slice(internal_reply.signature.as_slice())
+                .map_err(|e| format!("malformed signature: {e:?}"))?
+                .to_der()
+                .to_bytes()
+                .to_vec(),
+        )
+    }
+}
+
+impl AsRef<k256::ecdsa::VerifyingKey> for EcdsaSecp256k1Signer {
+    fn as_ref(&self) -> &k256::ecdsa::VerifyingKey {
+        &self.public_key
+    }
+}
+
+impl signature::KeypairRef for EcdsaSecp256k1Signer {
+    type VerifyingKey = k256::ecdsa::VerifyingKey;
+}
+
+impl DynSignatureAlgorithmIdentifier for EcdsaSecp256k1Signer {
+    fn signature_algorithm_identifier(&self) -> spki::Result<AlgorithmIdentifierOwned> {
+        Ok(AlgorithmIdentifierOwned {
+            oid: ecdsa::ECDSA_SHA256_OID,
+            parameters: None,
+        })
+    }
+}
diff --git a/rust/x509/src/x509_example_rust/tests/tests.rs b/rust/x509/src/x509_example_rust/tests/tests.rs
new file mode 100644
index 000000000..c54ebb175
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/tests/tests.rs
@@ -0,0 +1,271 @@
+use candid::{decode_one, encode_one, Principal};
+use openssl::{
+    ec::{EcGroup, EcKey},
+    hash::MessageDigest,
+    nid::Nid,
+    pkey::{PKey, PKeyRef, Private},
+    x509::{X509Name, X509Req, X509},
+};
+use pocket_ic::{PocketIc, PocketIcBuilder, WasmResult};
+use std::convert::TryFrom;
+use x509_example_rust::{CaKeyInformation, KeyName, PemCertificateRequest, X509CertificateString};
+
+const WASM_PATH: &str = "../../target/wasm32-unknown-unknown/release/x509_example_rust.wasm";
+
+mod smoke {
+    use super::*;
+
+    #[test]
+    fn should_instantiate_pic() {
+        let _pic = PocketIcBuilder::new()
+            .with_application_subnet()
+            .with_ii_subnet()
+            .with_fiduciary_subnet()
+            .build();
+    }
+
+    #[test]
+    fn should_instantiate_pic_and_canister_id() {
+        let (_pic, _canister_id) =
+            pic_and_canister_id(CaKeyInformation::Ed25519(KeyName::TestKey1));
+    }
+
+    #[test]
+    fn should_fetch_root_ca_certificate() {
+        let (pic, canister_id) = pic_and_canister_id(CaKeyInformation::Ed25519(KeyName::TestKey1));
+        let _root_certificate = fetch_root_ca_certificate(&pic, canister_id);
+    }
+}
+
+mod ed25519 {
+    use super::*;
+
+    #[test]
+    fn root_ca_certificate_should_be_valid() {
+        let (pic, canister_id) = pic_and_canister_id(CaKeyInformation::Ed25519(KeyName::TestKey1));
+
+        let root_certificate = fetch_root_ca_certificate(&pic, canister_id);
+
+        assert!(
+            root_certificate
+                .verify(
+                    &root_certificate
+                        .public_key()
+                        .expect("failed to get public key")
+                )
+                .expect("errors occurred while verifying root certificate"),
+            "failed to verify root certificate"
+        );
+    }
+
+    #[test]
+    fn child_certificate_should_be_valid() {
+        let (pic, canister_id) = pic_and_canister_id(CaKeyInformation::Ed25519(KeyName::TestKey1));
+
+        let root_certificate = fetch_root_ca_certificate(&pic, canister_id);
+
+        for (key, digest_type) in generate_child_keys() {
+            println!("Requesting child certificate with key: {key:?}");
+
+            let req = generate_child_certificate_request(&key, digest_type);
+            req.verify(&key)
+                .expect("failed to verify child certificate request");
+            let pem_req = req
+                .to_pem()
+                .expect("failed to convert child certificate request to PEM");
+
+            let child_certificate = generate_child_certificate(pem_req, &pic, canister_id);
+
+            assert!(
+                child_certificate
+                    .verify(
+                        &root_certificate
+                            .public_key()
+                            .expect("failed to get public key")
+                    )
+                    .expect("errors occurred while verifying child certificate"),
+                "failed to verify child certificate"
+            );
+        }
+    }
+}
+
+mod ecdsa_secp256k1 {
+    use super::*;
+
+    #[test]
+    fn root_ca_certificate_should_be_valid() {
+        let (pic, canister_id) =
+            pic_and_canister_id(CaKeyInformation::EcdsaSecp256k1(KeyName::TestKey1));
+
+        let root_certificate = fetch_root_ca_certificate(&pic, canister_id);
+
+        assert!(
+            root_certificate
+                .verify(
+                    &root_certificate
+                        .public_key()
+                        .expect("failed to get public key")
+                )
+                .expect("errors occurred while verifying root certificate"),
+            "failed to verify root certificate"
+        );
+    }
+
+    #[test]
+    fn child_certificate_should_be_valid() {
+        let (pic, canister_id) =
+            pic_and_canister_id(CaKeyInformation::EcdsaSecp256k1(KeyName::TestKey1));
+
+        let root_certificate = fetch_root_ca_certificate(&pic, canister_id);
+
+        for (key, digest_type) in generate_child_keys() {
+            println!("Requesting child certificate with key: {key:?}");
+
+            let req = generate_child_certificate_request(&key, digest_type);
+            req.verify(&key)
+                .expect("failed to verify child certificate request");
+            let pem_req = req
+                .to_pem()
+                .expect("failed to convert child certificate request to PEM");
+
+            let child_certificate = generate_child_certificate(pem_req, &pic, canister_id);
+
+            assert!(
+                child_certificate
+                    .verify(
+                        &root_certificate
+                            .public_key()
+                            .expect("failed to get public key")
+                    )
+                    .expect("errors occurred while verifying child certificate"),
+                "failed to verify child certificate"
+            );
+        }
+    }
+}
+
+fn pic_and_canister_id(ca_key_information: CaKeyInformation) -> (PocketIc, Principal) {
+    let pic = PocketIcBuilder::new()
+        .with_application_subnet()
+        .with_ii_subnet()
+        .with_fiduciary_subnet()
+        .build();
+
+    let canister_id = pic.create_canister();
+    pic.add_cycles(canister_id, 2_000_000_000_000);
+
+    let wasm = std::fs::read(WASM_PATH).expect("Wasm file not found, run 'dfx build'.");
+
+    pic.install_canister(
+        canister_id,
+        wasm,
+        encode_one(ca_key_information).unwrap(),
+        None,
+    );
+
+    (pic, canister_id)
+}
+
+fn fetch_root_ca_certificate(pic: &PocketIc, canister_id: Principal) -> X509 {
+    let root_certificate_result: Result<X509CertificateString, String> = match pic
+        .update_call(
+            canister_id,
+            Principal::anonymous(),
+            "root_ca_certificate",
+            encode_one(()).unwrap(),
+        )
+        .expect("Failed to call counter canister")
+    {
+        WasmResult::Reply(r) => decode_one(&r).expect("failed to decode reply"),
+        WasmResult::Reject(r) => panic!("Call failed: {:?}", r),
+    };
+
+    let root_certificate_pem = root_certificate_result.expect("failed to compute root certificate");
+
+    X509::from_pem(root_certificate_pem.x509_certificate_string.as_bytes())
+        .expect("failed to decode root certificate")
+}
+
+fn generate_child_certificate(pem_req: Vec<u8>, pic: &PocketIc, canister_id: Principal) -> X509 {
+    let pem_certificate_request = String::from_utf8(pem_req).expect("invalid request encoding");
+    let child_certificate_result: Result<X509CertificateString, String> = match pic
+        .update_call(
+            canister_id,
+            Principal::anonymous(),
+            "child_certificate",
+            encode_one(PemCertificateRequest {
+                pem_certificate_request,
+            })
+            .unwrap(),
+        )
+        .expect("Failed to call counter canister")
+    {
+        WasmResult::Reply(r) => decode_one(&r).expect("failed to decode reply"),
+        WasmResult::Reject(r) => panic!("Call failed: {:?}", r),
+    };
+
+    let child_certificate_text =
+        child_certificate_result.expect("failed to compute child certificate");
+
+    X509::from_pem(child_certificate_text.x509_certificate_string.as_bytes())
+        .expect("failed to decode child certificate")
+}
+
+fn generate_child_certificate_request(
+    key: &PKeyRef<Private>,
+    digest_type: MessageDigest,
+) -> X509Req {
+    let mut builder = X509Name::builder().expect("failed to create X509NameBuilder");
+    builder
+        .append_entry_by_text("CN", "Test Corporation")
+        .expect("failed to append entry");
+    builder
+        .append_entry_by_text("O", "Test Inc")
+        .expect("failed to append entry");
+    builder
+        .append_entry_by_text("C", "US")
+        .expect("failed to append entry");
+    let subject_name = builder.build();
+
+    let mut req_builder = X509Req::builder().expect("failed to create X509Req builder");
+
+    req_builder
+        .set_subject_name(&subject_name)
+        .expect("failed to set subject name");
+    req_builder
+        .set_pubkey(&key)
+        .expect("failed to set public key in child certificate");
+    req_builder
+        .sign(&key, digest_type)
+        .expect("failed to sign X509Req");
+
+    req_builder.build()
+}
+
+fn generate_child_keys() -> Vec<(PKey<Private>, MessageDigest)> {
+    let ed25519_key = PKey::generate_ed25519().expect("failed to generate key");
+
+    let ec_group = EcGroup::from_curve_name(Nid::SECP256K1).expect("failed to create EC group");
+    let ecdsa_key =
+        PKey::from_ec_key(EcKey::generate(&ec_group).expect("failed to generate ECDSA key"))
+            .unwrap();
+
+    vec![
+        (ed25519_key, MessageDigest::null()),
+        (ecdsa_key, MessageDigest::sha256()),
+    ]
+}
+
+#[test]
+fn test_strum_produces_expected_key_names() {
+    assert_eq!(
+        <&'static str>::try_from(KeyName::DfxTestKey),
+        Ok("dfx_test_key")
+    );
+    assert_eq!(
+        <&'static str>::try_from(KeyName::TestKey1),
+        Ok("test_key_1")
+    );
+    assert_eq!(<&'static str>::try_from(KeyName::Key1), Ok("key_1"));
+}
diff --git a/rust/x509/src/x509_example_rust/x509_example.did b/rust/x509/src/x509_example_rust/x509_example.did
new file mode 100644
index 000000000..6a7f782f0
--- /dev/null
+++ b/rust/x509/src/x509_example_rust/x509_example.did
@@ -0,0 +1,11 @@
+type CaKeyInformation = variant { Ed25519 : KeyName; EcdsaSecp256k1 : KeyName };
+type PemCertificateRequest = record { pem_certificate_request : text };
+type PublicKeyReply = record { public_key_hex : text };
+type Result = variant { Ok : X509CertificateString; Err : text };
+type KeyName = variant { TestKey1; Key1; DfxTestKey };
+type X509CertificateString = record { x509_certificate_string : text };
+
+service : (CaKeyInformation) -> {
+  child_certificate : (PemCertificateRequest) -> (Result);
+  root_ca_certificate : () -> (Result);
+}
\ No newline at end of file