Expand description
RFC 5280 X.509 certificate path validation — pure Rust, no_std.
Implements certificate path building and validation per RFC 5280 §6.
§Architecture
Cryptographic signature verification is pluggable via SignatureVerifier.
The default feature set (rustcrypto) wires in RustCrypto backends for
RSA-PKCS1v15-SHA-256 (rsa feature) and ECDSA-P-256-SHA-256 (p256 feature).
P-384 and Ed25519 are planned for v0.2.
For FIPS-validated crypto, implement SignatureVerifier against
wolfcrypt-rustcrypto and disable the rustcrypto feature.
Revocation checking is handled by pkix-revocation. This crate never
touches the network — use pkix_chain::verify_chain for the combined API.
§Limitations
v0.1 does not implement:
- NameConstraints (RFC 5280 §4.2.1.10)
- PolicyConstraints / certificate policy validation (§4.2.1.9, §6.1.5)
- Revocation (use
pkix-revocation) - Cross-certificate path building (RFC 4158)
These are tracked for v0.2+.
Structs§
- Default
Verifier p256orrsa - A
SignatureVerifierthat dispatches to available RustCrypto backends by OID. - Ecdsa
P256 Verifier p256 - ECDSA P-256 with SHA-256 signature verifier.
- RsaPkcs1v15
Sha256 Verifier rsa - RSA with PKCS#1 v1.5 padding and SHA-256 signature verifier.
- Trust
Anchor - A trust anchor used to terminate path validation.
- Validated
Path - The result of a successful certificate path validation.
- Validation
Policy - Policy parameters controlling path validation.
Enums§
- Error
- Errors returned by path validation.
Traits§
- Signature
Verifier - Pluggable signature verification backend.
Functions§
- names_
match - Compare two distinguished names per RFC 4518 string prep rules.
- validate_
path - Validate a certificate chain from subject to a trust anchor.
Type Aliases§
- Result
- Result alias for this crate.