Document the exact filter "key" format

[jcjones]

This line shows that the keys of the bloom filter are the binary concatenation of two binary data fields:

crlite/create_filter_cascade/certs_to_crlite.py

Line 63 in d0b57d3

key = issuerKey + bytearray.fromhex(sHex)

sha256(DER-encoded issuer SPKI) || DER-encoded serial number

The first part, being SHA256, is 256-bits long, whereas the remaining bits are the binary serial number in DER-encoding.

SHA256 Hash of DER Subject Public Key Information

The DER-encoded SPKI of the certificate's issuer is then run through the sha256 algorithm.

So

   * A) signing (probably-intermediate) Certificate Authority
   |
   +--------->  B) End Entity in question

We'd be taking the DER-encoded SPKI of (A), taking sha256 of it, and using that.

Serial

serial is the DER-encoded SerialNumber field from the certificate TBSCertificate data structure.

This issue should save this documentation in-tree.

Examples

One per line. Note that the first 256 bits are the SHA256 of the issuer's SPKI, and the remaining bits are the DER-encoded serial number.

VYZwGiJkq3NNo1YRI2RGiSTI1mqTWG8zDcRf1/KAN6IA4yCQuuNtGYIAAAAAVM+Zvw==
VYZwGiJkq3NNo1YRI2RGiSTI1mqTWG8zDcRf1/KAN6IAyakQEgaRVjEAAAAAVM3usw==
9frFyfDp+D9WCFjQblKwXUi5EgVRtx22594YJETOc/ZsYbPf7Xs6sf0eNzRY/mNvbLIp9g==
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QlRgn9Fue01RWA5VHAY0fug
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QkSf162P2BT6Wry7y01ERiH
Slt48iBVTjuRQJTjbzopminRrHSGtndY0/sj0lFf9QlEWoJId+CLHv/n0y+Px1hf
SDG5orEv8iX6MNenIAxa8nQFNpROB/6+llsZdXHZNqsN3w8Vsrce7ZCm3os1cLa3
tYkfFN27P1GUjH5ME128BCg302dL2iwOYhz5wwFJb518mCjbYqWeCF+TI/6F+TydHhe4aA==

[jcjones]