wireapp · istankovic · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -425,7 +425,7 @@ impl E2eiEnrollment {
     pub(crate) async fn certificate_response(
         &mut self,
         certificate_chain: String,
-        env: &wire_e2e_identity::prelude::x509::revocation::PkiEnvironment,
+        env: &wire_e2e_identity::x509_check::revocation::PkiEnvironment,
     ) -> Result<Vec<Vec<u8>>> {
         let order = self.valid_order.take().ok_or(Error::OutOfOrderEnrollment(
             "You must first call 'checkOrderResponse()'",

@@ -24,7 +24,7 @@ pub enum Error {
     #[error(transparent)]
     IdentityError(#[from] wire_e2e_identity::prelude::E2eIdentityError),
     #[error(transparent)]
-    X509Error(#[from] wire_e2e_identity::prelude::x509::RustyX509CheckError),
+    X509Error(#[from] wire_e2e_identity::x509_check::RustyX509CheckError),
     #[error(transparent)]
     UrlError(#[from] url::ParseError),
     #[error(transparent)]

@@ -5,7 +5,7 @@ use openmls::{
     group::MlsGroup,
     prelude::{Certificate, MlsCredentialType, Proposal, StagedCommit},
 };
-use wire_e2e_identity::prelude::x509::extract_crl_uris;
+use wire_e2e_identity::x509_check::extract_crl_uris;
 
 use super::{Error, Result};
 use crate::{KeystoreError, RecursiveError, e2e_identity::NewCrlDistributionPoints};

@@ -13,7 +13,7 @@ pub(crate) trait CredentialExt {
     fn extract_identity(
         &self,
         cs: Ciphersuite,
-        env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> Result<WireIdentity>;
     fn extract_public_key(&self) -> Result<Option<Vec<u8>>>;
     fn is_basic(&self) -> bool;
@@ -31,7 +31,7 @@ impl CredentialExt for CredentialWithKey {
     fn extract_identity(
         &self,
         cs: Ciphersuite,
-        env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> Result<WireIdentity> {
         match self.credential.mls_credential() {
             openmls::prelude::MlsCredentialType::X509(cert) => cert.extract_identity(cs, env),
@@ -79,7 +79,7 @@ impl CredentialExt for Credential {
     fn extract_identity(
         &self,
         _cs: Ciphersuite,
-        _env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        _env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> Result<WireIdentity> {
         // This should not be called directly because one does not have the signature public key and hence
         // cannot compute the MLS thumbprint for a Basic credential.
@@ -113,7 +113,7 @@ impl CredentialExt for openmls::prelude::Certificate {
     fn extract_identity(
         &self,
         cs: Ciphersuite,
-        env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> Result<WireIdentity> {
         let leaf = self.certificates.first().ok_or(Error::InvalidIdentity)?;
         let leaf = leaf.as_slice();

@@ -102,7 +102,7 @@ impl<D> Session<D> {
         ciphersuite: Ciphersuite,
         ratchet_tree: RatchetTree,
         credential_type: CredentialType,
-        env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> Result<E2eiConversationState> {
         let credentials = ratchet_tree.iter().filter_map(|n| match n {
             Some(Node::LeafNode(ln)) => Some(ln.credential()),
@@ -117,7 +117,7 @@ impl<D> Session<D> {
         ciphersuite: Ciphersuite,
         credentials: impl Iterator<Item = &'a Credential>,
         _credential_type: CredentialType,
-        env: Option<&wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>,
+        env: Option<&wire_e2e_identity::x509_check::revocation::PkiEnvironment>,
     ) -> E2eiConversationState {
         let mut is_e2ei = false;
         let mut state = E2eiConversationState::Verified;

@@ -107,7 +107,7 @@ impl MlsCryptoProvider {
     }
 
     /// Replaces the PKI env currently in place
-    pub async fn update_pki_env(&self, pki_env: Option<wire_e2e_identity::prelude::x509::revocation::PkiEnvironment>) {
+    pub async fn update_pki_env(&self, pki_env: Option<wire_e2e_identity::x509_check::revocation::PkiEnvironment>) {
         self.pki_env.update_env(pki_env).await
     }
 

@@ -370,14 +370,14 @@ impl X509TestChain {
             .map(|intermediate| intermediate.certificate.clone())
             .collect();
         let crls: Vec<_> = self.crls.values().cloned().collect();
-        let params = wire_e2e_identity::prelude::x509::revocation::PkiEnvironmentParams {
+        let params = wire_e2e_identity::x509_check::revocation::PkiEnvironmentParams {
             trust_roots: &trust_roots,
             intermediates: &intermediates,
             crls: &crls,
             time_of_interest: None,
         };
 
-        let pki_env = wire_e2e_identity::prelude::x509::revocation::PkiEnvironment::init(params).unwrap();
+        let pki_env = wire_e2e_identity::x509_check::revocation::PkiEnvironment::init(params).unwrap();
         backend.update_pki_env(Some(pki_env)).await;
     }
 

@@ -24,7 +24,7 @@ pub enum Error {
     #[error("{0} not found")]
     NotFound(&'static str),
     #[error(transparent)]
-    X509Error(#[from] wire_e2e_identity::prelude::x509::RustyX509CheckError),
+    X509Error(#[from] wire_e2e_identity::x509_check::RustyX509CheckError),
     #[error(transparent)]
     X509CertDerError(#[from] x509_cert::der::Error),
     #[error(transparent)]

@@ -2,7 +2,7 @@ use core_crypto_keystore::{
     entities::{E2eiAcmeCA, E2eiCrl, E2eiIntermediateCert},
     traits::FetchFromDatabase,
 };
-use wire_e2e_identity::prelude::x509::{
+use wire_e2e_identity::x509_check::{
     extract_crl_uris, extract_expiration_from_crl,
     revocation::{PkiEnvironment, PkiEnvironmentParams},
 };

@@ -13,7 +13,7 @@ use std::{
 };
 
 pub use error::{Error, Result};
-use wire_e2e_identity::prelude::x509::extract_crl_uris;
+use wire_e2e_identity::x509_check::extract_crl_uris;
 
 use super::TransactionContext;
 use crate::{

@@ -1,10 +1,8 @@
 use rusty_jwt_tools::prelude::*;
 use x509_cert::{Certificate, anchor::TrustAnchorChoice};
 
-use crate::acme::{
-    error::CertificateError,
-    identifier::CanonicalIdentifier,
-    prelude::*,
+use crate::{
+    acme::{error::CertificateError, identifier::CanonicalIdentifier, prelude::*},
     x509_check::revocation::{PkiEnvironment, PkiEnvironmentParams},
 };
 

@@ -15,7 +15,7 @@ pub enum RustyAcmeError {
     JwtError(#[from] rusty_jwt_tools::prelude::RustyJwtError),
     /// Error related to various X509 processing facilities/tools/checks
     #[error(transparent)]
-    X509CheckError(#[from] crate::acme::x509_check::RustyX509CheckError),
+    X509CheckError(#[from] crate::x509_check::RustyX509CheckError),
     /// Failed mapping an ASN.1 ObjectIdentifier
     #[error(transparent)]
     OidError(#[from] x509_cert::der::oid::Error),

@@ -1,9 +1,8 @@
 use rusty_jwt_tools::prelude::*;
 use x509_cert::der::Decode as _;
 
-use crate::acme::{
-    error::CertificateError,
-    prelude::*,
+use crate::{
+    acme::{error::CertificateError, prelude::*},
     x509_check::{IdentityStatus, revocation::PkiEnvironment},
 };
 
@@ -164,7 +163,7 @@ pub mod tests {
     use wasm_bindgen_test::*;
 
     use super::*;
-    use crate::acme::x509_check::revocation::PkiEnvironmentParams;
+    use crate::x509_check::revocation::PkiEnvironmentParams;
 
     wasm_bindgen_test_configure!(run_in_browser);
 

@@ -9,7 +9,6 @@ mod identifier;
 mod identity;
 mod jws;
 mod order;
-pub mod x509_check;
 
 /// Prelude
 pub mod prelude {
@@ -26,7 +25,6 @@ pub mod prelude {
 
     pub use super::RustyAcme;
     use super::*;
-    pub use crate::acme::x509_check as x509;
 }
 
 pub struct RustyAcme;
@@ -135,12 +135,13 @@ use zeroize::Zeroize;
 
 use crate::{
     acme::prelude::{AcmeChallenge, AcmeIdentifier},
-    prelude::x509::revocation::PkiEnvironment,
+    x509_check::revocation::PkiEnvironment,
 };
 
 pub mod acme;
 mod error;
 mod types;
+pub mod x509_check;
 
 pub mod pki_env;
 pub mod pki_env_hooks;
@@ -161,9 +162,11 @@ pub mod prelude {
             E2eiNewAcmeOrder,
         },
     };
-    pub use crate::acme::prelude::{
-        AcmeDirectory, RustyAcme, RustyAcmeError, WireIdentity, WireIdentityReader, compute_raw_key_thumbprint, x509,
-        x509::IdentityStatus,
+    pub use crate::{
+        acme::prelude::{
+            AcmeDirectory, RustyAcme, RustyAcmeError, WireIdentity, WireIdentityReader, compute_raw_key_thumbprint,
+        },
+        x509_check::IdentityStatus,
     };
 }
 

@@ -12,12 +12,12 @@ use openmls_traits::authentication_service::{CredentialAuthenticationStatus, Cre
 use x509_cert::der::Decode as _;
 
 use crate::{
-    acme::prelude::x509::{
+    error::E2eIdentityError,
+    pki_env_hooks::PkiEnvironmentHooks,
+    x509_check::{
         RustyX509CheckError,
         revocation::{PkiEnvironment as RjtPkiEnvironment, PkiEnvironmentParams},
     },
-    error::E2eIdentityError,
-    pki_env_hooks::PkiEnvironmentHooks,
 };
 
 pub type Result<T> = core::result::Result<T, Error>;
@@ -201,7 +201,7 @@ impl openmls_traits::authentication_service::AuthenticationServiceDelegate for P
                 };
 
                 if let Err(validation_error) = pki_env.validate_cert_and_revocation(&cert) {
-                    use crate::acme::x509_check::{
+                    use crate::x509_check::{
                         RustyX509CheckError,
                         reexports::certval::{Error as CertvalError, PathValidationStatus},
                     };

@@ -15,7 +15,7 @@ use x509_cert::{
     ext::pkix::AuthorityKeyIdentifier,
 };
 
-use crate::acme::x509_check::{RustyX509CheckError, RustyX509CheckResult, revocation::cache::RevocationCache};
+use super::{RustyX509CheckError, RustyX509CheckResult, revocation::cache::RevocationCache};
 
 mod cache;
 mod crl_info;

@@ -11,7 +11,7 @@ use x509_cert::{
     },
 };
 
-use crate::acme::x509_check::RustyX509CheckError;
+use super::RustyX509CheckError;
 
 flagset::flags! {
     enum CrlQuestions: u8 {

@@ -7,7 +7,7 @@ use certval::{CrlScope, CrlSource, ExtensionProcessing, PDVCertificate, PDVExten
 use const_oid::db::rfc5912::ID_CE_AUTHORITY_KEY_IDENTIFIER;
 use x509_cert::{crl::CertificateList, der::Encode};
 
-use crate::acme::x509_check::{
+use crate::x509_check::{
     RustyX509CheckError, RustyX509CheckResult,
     revocation::{
         crl_info::CrlInfo,

@@ -177,7 +177,7 @@ mod alg {
 
 /// Since the acme server is a fork, verify its invariants are respected
 mod acme_server {
-    use wire_e2e_identity::acme::prelude::x509::{
+    use wire_e2e_identity::x509_check::{
         RustyX509CheckError,
         reexports::{certval, certval::PathValidationStatus},
         revocation::{PkiEnvironment, PkiEnvironmentParams},

@@ -15,7 +15,7 @@ use rusty_jwt_tools::{
 };
 use serde_json::{Value, json};
 use url::Url;
-use wire_e2e_identity::acme::prelude::{x509::revocation::PkiEnvironment, *};
+use wire_e2e_identity::{acme::prelude::*, x509_check::revocation::PkiEnvironment};
 use x509_cert::{
     Certificate,
     der::{Decode as _, DecodePem, Encode as _, asn1::Ia5String},