pkix-path 0.1.0

RFC 5280 X.509 certificate path validation — pure Rust, no_std
pkix-path-0.1.0 has been yanked.
Visit the last successful build: pkix-path-0.3.1

Implements certificate path building and validation per RFC 5280 §6.

Architecture

Cryptographic signature verification is pluggable via [SignatureVerifier]. The default feature set (rustcrypto) wires in RustCrypto backends for RSA-PKCS1v15, P-256 ECDSA, and (with optional features) RSA-PSS, P-384, Ed25519. For FIPS-validated crypto, implement [SignatureVerifier] against wolfcrypt-rustcrypto and disable the rustcrypto feature.

Revocation checking is handled by pkix-revocation. This crate never touches the network — use [pkix_chain::verify_chain] for the combined API.

Limitations

v0.1 does not implement:

  • NameConstraints (RFC 5280 §4.2.1.10)
  • PolicyConstraints / certificate policy validation (§4.2.1.9, §6.1.5)
  • Revocation (use pkix-revocation)
  • Cross-certificate path building (RFC 4158)

These are tracked for v0.2+.
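
Because the constraints listed above are not evaluated, a caller may want to know when a path carries them. The following is an added example, not code from pkix-path: the `Ext`, `Cert`, `Finding` and `audit_path` names and the sample path are hypothetical and constructed for illustration. It flags certificates carrying those extensions. RFC 5280 §4.2 requires rejecting a certificate with a critical extension that cannot be processed.

```rust
// Added example: hypothetical simplified types, not the pkix-path API.
// Extension OIDs are from RFC 5280 (id-ce arc 2.5.29).
const UNPROCESSED: &[(&str, &str)] = &[
    ("2.5.29.30", "nameConstraints"),
    ("2.5.29.36", "policyConstraints"),
    ("2.5.29.32", "certificatePolicies"),
];

pub struct Ext { pub oid: &'static str, pub critical: bool }
pub struct Cert { pub subject: &'static str, pub exts: Vec<Ext> }

#[derive(Debug, PartialEq)]
pub enum Finding {
    // Critical and unprocessed: the path must not be accepted (RFC 5280 §4.2).
    Reject { subject: &'static str, ext: &'static str },
    // Non-critical and unprocessed: the constraint is silently not enforced.
    Warn { subject: &'static str, ext: &'static str },
}

// Walk every certificate in the path and report unprocessed extensions.
pub fn audit_path(path: &[Cert]) -> Vec<Finding> {
    let mut out = Vec::new();
    for cert in path {
        for ext in &cert.exts {
            if let Some((_, name)) = UNPROCESSED.iter().find(|(oid, _)| *oid == ext.oid) {
                out.push(if ext.critical {
                    Finding::Reject { subject: cert.subject, ext: *name }
                } else {
                    Finding::Warn { subject: cert.subject, ext: *name }
                });
            }
        }
    }
    out
}

// Constructed sample path: root, name-constrained sub CA, leaf.
pub fn sample_path() -> Vec<Cert> {
    vec![
        Cert { subject: "CN=Example Root", exts: vec![Ext { oid: "2.5.29.19", critical: true }] },
        Cert { subject: "CN=Constrained Sub CA", exts: vec![Ext { oid: "2.5.29.30", critical: true }] },
        Cert { subject: "CN=leaf.example", exts: vec![Ext { oid: "2.5.29.32", critical: false }] },
    ]
}

fn main() {
    for finding in audit_path(&sample_path()) {
        println!("{:?}", finding);
    }
}
```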