Crate pkix_path_builder


RFC 4158 certification path building for pkix_path.

Accepts an unordered collection of certificates (CertPool) and constructs a valid ordered chain suitable for pkix_path::validate_path.

§Relationship to pkix-path

pkix-path validates a caller-ordered &[Certificate]. This crate handles the prior step: discovering and ordering that chain from a bag of certificates when the caller does not know the chain order in advance. Cross-certificates and bridge CA topologies are handled here, not in pkix-path.

§Algorithm

build_path and build_path_with_config perform a single-pass depth-first search up to PathBuilderConfig::max_depth (default DEFAULT_MAX_DEPTH = 10). At each step, candidates are ranked by AKI/SKI match tier (RFC 4158 §3.2) so the most-likely issuer is tried first. Memory is bounded to O(depth) stack frames.

Shortest-first is not guaranteed: for typical pools the first chain found is the shortest, but adversarial pools may yield a deeper chain first. See PathCandidates for the full enumeration contract.
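The search described above, as an added example that is not code from this crate: a std-only toy model in which `Cert`, `tier`, `dfs`, `build`, the three-tier ordering and the sample pool are all assumptions made for illustration. It shows key-identifier ranking, the intermediate limit, loop avoidance for cross-certificates, and a pool where the first chain found is not the shortest.

```rust
// Toy model (added example): certificates reduced to names and one-byte key ids.
#[derive(Clone, PartialEq)]
pub struct Cert { pub subject: &'static str, pub issuer: &'static str,
                  pub ski: Option<u8>, pub aki: Option<u8> }

// Assumed ranking, lower is tried first: 0 = child AKI equals candidate SKI,
// 1 = one side carries no key id, 2 = both present but different.
fn tier(child: &Cert, cand: &Cert) -> u8 {
    match (child.aki, cand.ski) {
        (Some(a), Some(s)) if a == s => 0,
        (Some(_), Some(_)) => 2,
        _ => 1,
    }
}

// Depth-first search; `path` holds the target followed by the intermediates so far.
fn dfs(path: &mut Vec<Cert>, pool: &[Cert], anchors: &[&str], max_depth: usize) -> bool {
    let cur = path.last().unwrap().clone();
    if anchors.contains(&cur.issuer) { return true; } // issued by a trust anchor
    if path.len() > max_depth { return false; }        // intermediate limit reached
    let mut cands: Vec<&Cert> = pool.iter()
        .filter(|c| c.subject == cur.issuer && !path.contains(*c)) // skip loops
        .collect();
    cands.sort_by_key(|c| tier(&cur, c)); // stable: pool order breaks ties
    for c in cands {
        path.push(c.clone());
        if dfs(path, pool, anchors, max_depth) { return true; }
        path.pop(); // backtrack and try the next-ranked issuer
    }
    false
}

pub fn build(target: Cert, pool: &[Cert], anchors: &[&str], max_depth: usize)
    -> Option<Vec<&'static str>> {
    let mut path = vec![target];
    if !dfs(&mut path, pool, anchors, max_depth) { return None; }
    Some(path.iter().map(|c| c.subject).collect())
}

// Constructed pool: two certificates for "CA1", one of which chains via a bridge CA.
pub fn sample_pool() -> Vec<Cert> {
    vec![Cert { subject: "CA1", issuer: "Root", ski: None, aki: None },
         Cert { subject: "CA1", issuer: "Bridge", ski: Some(1), aki: Some(2) },
         Cert { subject: "Bridge", issuer: "Root", ski: Some(2), aki: None }]
}
pub fn leaf() -> Cert { Cert { subject: "leaf", issuer: "CA1", ski: None, aki: Some(1) } }

fn main() {
    println!("{:?}", build(leaf(), &sample_pool(), &["Root"], 10));
}
```

Because the bridge-issued `CA1` certificate ranks first on key-identifier match, the model returns the three-element chain even though a two-element chain exists in the same pool; lowering `max_depth` to 1 forces the shorter one.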

§Spec references

  • RFC 4158 — Internet X.509 PKI: Certification Path Building
  • RFC 5280 §6.1 — the validation algorithm this crate feeds into

§no_std

This crate is no_std but requires the alloc crate. The extern crate alloc declaration is provided automatically; you do not need to add it yourself, but your target must supply a global allocator (e.g., #[global_allocator]).

§Limitations

  • Caller supplies the candidate set. CertPool takes a pool of already-loaded certificates. This crate does not fetch missing intermediates from AuthorityInfoAccess URIs; the optional pkix-aia / pkix-aia-http cascade handles that (tracked under PKIX-zkjb).
  • Output feeds pkix-path. The validation algorithm (RFC 5280 §6.1 signature chain walk, name constraints, policy machinery, revocation) lives in pkix-path and pkix-revocation. This crate’s job ends when it returns an ordered candidate chain.
  • Known residual divergence. A single bettertls path-building corner case (pathbuilding::tc60) is documented as a known divergence; closing it is a 1.0 release blocker tracked under PKIX-lwr9.4. See pkix-difftest/baseline-limbo-analysis.md.

Structs§

CertPool
An unordered collection of certificates used as input to path building.
PathBuilderConfig
Tunable parameters for path building.
PathCandidates
Iterator over topologically-valid certification paths from a target cert through a candidate pool to one of a set of trust anchors.

Enums§

Error
Errors returned by path building.

Constants§

DEFAULT_DFS_BUDGET
Default DFS node-visit budget per search pass.
DEFAULT_MAX_DEPTH
Default maximum number of intermediate certificates considered.

Functions§

build_first_valid_path
Build a certification path that both (a) is topologically valid through pool to one of anchors and (b) passes pkix_path::validate_path under policy and verifier.
build_first_valid_path_with_config
Build a verifier-validated certification path with caller-provided budget and depth tunables.
build_path
Build a certification path from target through certificates in pool to one of the provided trust anchors.
build_path_candidates
Construct a PathCandidates iterator using the workspace defaults (DEFAULT_MAX_DEPTH, DEFAULT_DFS_BUDGET).
build_path_candidates_with_config
Construct a PathCandidates iterator with caller-provided budget and depth tunables.
build_path_with_config
Build a certification path with caller-provided budget and depth tunables.

Type Aliases§

Result
Result alias for this crate.