```rust
pub fn build_first_valid_path<V>(
    target: &Certificate,
    pool: &CertPool,
    anchors: &[TrustAnchor],
    policy: &ValidationPolicy,
    verifier: &V,
) -> Result<Vec<Certificate>>
where
    V: SignatureVerifier,
```
Build a certification path that both (a) is topologically valid through
pool to one of anchors and (b) passes
pkix_path::validate_path under policy and verifier.
Iterates build_path_candidates until the first candidate chain
validates. Returns the validating chain. If every candidate is rejected
by validate_path, returns Error::NoValidPath carrying the count of
candidates tried and the Display rendering of the last
pkix_path::Error.
§When to use this over build_path
build_path is single-shot: it returns the first DFS candidate without
any knowledge of which signature algorithms verifier actually dispatches
or which intermediates are within their validity window at policy’s
validation time. In adversarial pools — for example, cross-signed graphs
that include an alternative intermediate signed under
ecdsa-with-SHA1 (RFC 5758 §3.2 legacy OID, not dispatched by
pkix_path::DefaultVerifier) — the first DFS yield can be rejected by
validate_path even though a SHA-256-only path exists in the same pool.
build_first_valid_path closes this gap: it iterates
build_path_candidates and runs validate_path on each yielded chain,
returning the first chain that survives both passes. Each rejected
candidate costs one full validate_path run, so on large cross-signed
pools the iteration is bounded only by the depth and budget limits
that build_path_candidates already enforces.
§Errors
- Error::NoPathFound: the underlying iterator yielded no candidates at all (no topologically valid chain through pool to any anchor). Matches build_path's behaviour for that case.
- Error::DepthExceeded / Error::BudgetExceeded: propagated from build_path_candidates when the iterator surfaces them.
- Error::NoValidPath: at least one candidate was yielded but none passed validate_path. Carries tried (>= 1) and the Display rendering of the last validate_path error.
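The loop and error mapping described above, as an added example that is not the crate's own code. Chain, Error, validate_path and the candidate iterator are stand-ins for the crate's Certificate / pkix_path types (assumed shapes, not the real API); the verifier is modelled as an allow-list of signature-algorithm names, and the two-candidate pool is constructed to reproduce the cross-signed SHA-1 case: DFS yields the chain through the legacy ecdsa-with-SHA1 intermediate first, and the loop skips it for the SHA-256-only chain.

```rust
// Stand-in types: the real crate's Certificate / CertPool / SignatureVerifier
// are replaced by a chain of signature-algorithm names and an allow-list.

/// A candidate chain, leaf first; each entry names the algorithm that signed that hop.
#[derive(Clone, Debug, PartialEq)]
pub struct Chain(pub Vec<&'static str>);

/// Mirrors the error variants documented for build_first_valid_path.
#[derive(Debug, PartialEq)]
pub enum Error {
    NoPathFound,
    DepthExceeded,
    BudgetExceeded,
    NoValidPath { tried: usize, last: String },
}

/// Toy validate_path: a chain fails if any hop uses an algorithm the verifier does not dispatch.
pub fn validate_path(chain: &Chain, dispatched: &[&str]) -> Result<(), String> {
    for alg in &chain.0 {
        if !dispatched.contains(alg) {
            return Err(format!("signature algorithm {alg} not dispatched by verifier"));
        }
    }
    Ok(())
}

/// Try each yielded candidate in order and return the first that validates.
/// Zero yields -> NoPathFound; iterator errors propagate unchanged;
/// otherwise NoValidPath with the number tried and the last validation error.
pub fn first_valid<I>(candidates: I, dispatched: &[&str]) -> Result<Chain, Error>
where
    I: IntoIterator<Item = Result<Chain, Error>>,
{
    let mut tried = 0usize;
    let mut last = String::new();
    for cand in candidates {
        let chain = cand?; // DepthExceeded / BudgetExceeded surface here
        tried += 1;
        match validate_path(&chain, dispatched) {
            Ok(()) => return Ok(chain),
            Err(e) => last = e,
        }
    }
    if tried == 0 {
        Err(Error::NoPathFound)
    } else {
        Err(Error::NoValidPath { tried, last })
    }
}

/// Constructed cross-signed pool: the DFS order yields the chain through the
/// ecdsa-with-SHA1 cross-signed intermediate before the SHA-256-only chain.
pub fn sample_candidates() -> Vec<Result<Chain, Error>> {
    vec![
        Ok(Chain(vec!["ecdsa-with-SHA256", "ecdsa-with-SHA1"])),
        Ok(Chain(vec!["ecdsa-with-SHA256", "ecdsa-with-SHA256"])),
    ]
}

/// Algorithms a SHA-2-only verifier dispatches (SHA-1 deliberately absent).
pub const SHA2_ONLY: &[&str] = &["ecdsa-with-SHA256", "ecdsa-with-SHA384"];

fn main() {
    println!("{:?}", first_valid(sample_candidates(), SHA2_ONLY));
}
```

Note that the loop deliberately does not cache failures: a chain that was rejected is never re-examined, and a chain that shares a prefix with a rejected one is validated from scratch, which matches the "Out of scope" items below.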
§Out of scope
- Async / parallel candidate evaluation. Candidates are tried sequentially.
- Caching of validate_path failures across candidates. Each yielded chain is freshly validated.
- Promoting build_path itself to iterate. The single-shot helper is retained verbatim for backward compatibility; callers opt in to the iterating semantics by using this function.
§Relationship to other path-builder entry points
| Entry point | Verifier? | Returns |
|---|---|---|
| build_path | No | First DFS topological candidate (one-shot) |
| build_path_candidates | No | Iterator of topological candidates |
| build_first_valid_path | Yes | First candidate that passes validate_path |