Struct ValidationPolicy

#[non_exhaustive]
pub struct ValidationPolicy {
    pub max_path_len: u8,
    pub current_time_unix: u64,
    pub enforce_key_usage: bool,
    pub initial_explicit_policy: bool,
    pub initial_any_policy_inhibit: bool,
    pub initial_policy_mapping_inhibit: bool,
    pub initial_policy_set: Vec<ObjectIdentifier>,
    pub max_validity_secs: Option<u64>,
    pub allowed_signature_algs: Option<Vec<ObjectIdentifier>>,
    pub min_rsa_key_bits: Option<u32>,
    pub require_subject_alt_name: bool,
    pub required_leaf_eku: Option<Vec<ObjectIdentifier>>,
}

Policy parameters controlling path validation.

§Stability

ValidationPolicy is #[non_exhaustive]. Construct it via ValidationPolicy::new, or via Default followed by field assignment. Struct-literal syntax (including struct update with ..Default::default()) does not compile in downstream crates, and new fields may be added in later releases.

§Performance note

Policy objects are intended to be constructed once (e.g., at server startup) and reused for the lifetime of the application. Repeated construction is unnecessary.

Policy enforcement (CertificatePolicies, PolicyMappings, PolicyConstraints, InhibitAnyPolicy) is implemented per RFC 5280 §6.1. Use the initial_explicit_policy, initial_any_policy_inhibit, initial_policy_mapping_inhibit, and initial_policy_set fields to configure the initial policy state.

§Limitations

Path-building (RFC 4158 — cross-signed certificates, multiple candidate issuers) is out of scope for v0.1. The caller must supply the complete, ordered chain.

Revocation checking (CRL / OCSP) is out of scope for pkix-path; see pkix-revocation for that functionality.

Fields (Non-exhaustive)§

This struct is marked as non-exhaustive
Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
§max_path_len: u8

Maximum chain depth, not counting the trust anchor. Default: 10.

Depth is the number of intermediate CA certificates between the leaf and the trust anchor: a chain of [leaf] is depth 0, and [leaf, intermediate, root] is depth 1 (one intermediate). Validation fails if the depth exceeds this value.

§current_time_unix: u64

Current time as seconds since the Unix epoch (1970-01-01T00:00:00Z).

Used to check notBefore ≤ now ≤ notAfter on every certificate. Must be set by the caller; there is no platform clock in no_std.

Warning: the default is 0 (1970-01-01T00:00:00Z). Every real certificate has notBefore > 0, so with the default every chain fails the validity check with Error::ValidityPeriod. If you see unexpected ValidityPeriod errors, check that current_time_unix is actually being set to the current time.

Warning: passing u64::MAX causes all notAfter checks to pass. This effectively disables expiry checking, so an expired certificate (including one whose key was compromised after it was abandoned) is accepted like a current one. Only use it in contexts where you explicitly want permissive, clock-free validation, for example inspecting a stored chain offline, and never when authenticating a peer.

§enforce_key_usage: bool

Enforce the KeyUsage extension when present. Default: true.

When true, an intermediate certificate whose KeyUsage extension is present but does not include keyCertSign will be rejected with Error::KeyUsageMissing, per RFC 5280 §6.1.4(n).

Certificates with no KeyUsage extension are not affected; RFC 5280 only mandates the check when the extension is present.

§initial_explicit_policy: bool

Initial explicit-policy indicator (RFC 5280 §6.1.1).

When true, path validation requires that at least one valid policy exists from the initial policy set. When false (the default), any valid path is accepted even if no certificate policy is asserted.

§initial_any_policy_inhibit: bool

Initial any-policy inhibit indicator (RFC 5280 §6.1.1).

When true, the anyPolicy OID is not considered a match for any other policy at the start of the path. When false (the default), anyPolicy is accepted as a wildcard unless later inhibited by a CA certificate.

§initial_policy_mapping_inhibit: bool

Initial policy-mapping inhibit indicator (RFC 5280 §6.1.1).

When true, policy mappings are not permitted in any certificate in the chain. When false (the default), policy mappings are allowed.

§initial_policy_set: Vec<ObjectIdentifier>

Initial user-requested policy set (RFC 5280 §6.1.1).

The set of certificate policies acceptable to the relying party. An empty vec is treated as {anyPolicy} — all policies are acceptable. Set this to restrict which policies are recognized in the output.

Note: this field is pub, and cloning a ValidationPolicy clones the whole OID set, so construct the policy once and reuse it rather than cloning or rebuilding it per validation.
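How the initial indicators above interact is easiest to see in a set-level reference model of RFC 5280 §6.1.2 through §6.1.5. The following is an added example, not pkix-path's implementation: it covers paths without policy mappings, policy qualifiers, or inhibitAnyPolicy/policyConstraints extensions in CA certificates, so initial_policy_mapping_inhibit has no effect in it and only the initial value of the any-policy inhibit is honoured. InitialPolicyState, evaluate_policies and NoValidPolicy are hypothetical names, dotted strings stand in for ObjectIdentifier, and the chains are constructed.

```rust
use std::collections::BTreeSet;

/// anyPolicy, 2.5.29.32.0 (RFC 5280 §4.2.1.4). Dotted strings stand in for ObjectIdentifier.
const ANY_POLICY: &str = "2.5.29.32.0";

/// Hypothetical mirror of the initial-state fields this model honours.
struct InitialPolicyState {
    explicit_policy: bool,
    any_policy_inhibit: bool,
    /// Empty means {anyPolicy}: every policy is acceptable.
    policy_set: BTreeSet<&'static str>,
}

#[derive(Debug, PartialEq, Eq)]
struct NoValidPolicy;

/// `chain` holds the CertificatePolicies OIDs of each certificate below the trust
/// anchor, issuer first and leaf last; None means the extension is absent.
/// Returns the policies valid for the whole path, i.e. the set-level equivalent of
/// the valid_policy_tree leaves after the §6.1.5 intersection.
fn evaluate_policies(
    init: &InitialPolicyState,
    chain: &[Option<Vec<&str>>],
) -> Result<BTreeSet<String>, NoValidPolicy> {
    // §6.1.2: valid_policy_tree starts as a single anyPolicy node.
    let mut current: BTreeSet<String> = BTreeSet::from([ANY_POLICY.to_string()]);
    for policies in chain {
        let policies = match policies {
            Some(p) => p,
            None => {
                // §6.1.3(e): no CertificatePolicies => the tree becomes NULL and
                // nothing later in the path can revive it.
                current.clear();
                continue;
            }
        };
        let mut next = BTreeSet::new();
        let wildcard = current.contains(ANY_POLICY);
        // §6.1.3(d.1): a specific policy survives if the previous level held the
        // same policy or held anyPolicy.
        for p in policies.iter().filter(|p| **p != ANY_POLICY) {
            if wildcard || current.contains(*p) {
                next.insert(p.to_string());
            }
        }
        // §6.1.3(d.2): anyPolicy in this certificate carries every still-valid
        // policy forward, unless anyPolicy is inhibited. Only the initial indicator
        // is modelled here, not inhibitAnyPolicy extensions or the self-issued rule.
        if policies.contains(&ANY_POLICY) && !init.any_policy_inhibit {
            next.extend(current.iter().cloned());
        }
        current = next;
    }
    // §6.1.5 wrap-up: intersect with the user-initial-policy-set. anyPolicy at the
    // end of the path expands to the whole user set; an empty user set means anyPolicy.
    let effective: BTreeSet<String> = if init.policy_set.is_empty() {
        current
    } else if current.contains(ANY_POLICY) {
        init.policy_set.iter().map(|s| s.to_string()).collect()
    } else {
        current
            .into_iter()
            .filter(|p| init.policy_set.contains(p.as_str()))
            .collect()
    };
    if init.explicit_policy && effective.is_empty() {
        return Err(NoValidPolicy);
    }
    Ok(effective)
}

fn main() {
    let strict = InitialPolicyState {
        explicit_policy: true,
        any_policy_inhibit: false,
        policy_set: BTreeSet::from(["1.2.3.4"]),
    };
    // CA asserts anyPolicy, leaf asserts 1.2.3.4: accepted.
    println!("{:?}", evaluate_policies(&strict, &[Some(vec![ANY_POLICY]), Some(vec!["1.2.3.4"])]));
    // Leaf has no CertificatePolicies: rejected under explicit policy.
    println!("{:?}", evaluate_policies(&strict, &[Some(vec!["1.2.3.4"]), None]));
}
```

The cases worth remembering: a leaf that omits CertificatePolicies empties the tree for good, so initial_explicit_policy = true rejects it no matter what the CAs asserted; a CA that asserts only anyPolicy contributes nothing once initial_any_policy_inhibit is set; and initial_policy_set only ever narrows the result, it never adds a policy the path did not assert.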

§max_validity_secs: Option<u64>

If Some(n), reject any certificate whose (notAfter − notBefore) exceeds n seconds. None means unconstrained (the default).

Applied to every certificate in the chain, not just the leaf. Violations produce Error::ValidityPeriodExceedsMax.
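The chain-level rules described under max_path_len, current_time_unix, enforce_key_usage and max_validity_secs, as an added reference model rather than pkix-path's own implementation: CertSummary, ChainPolicy, ChainError, check_chain and now_unix are hypothetical names, the chain is ordered leaf first and ends with the trust anchor so that the depth examples above hold, and the certificate timestamps are constructed. now_unix shows the std way to obtain the value that ValidationPolicy::new expects.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

// KeyUsage bit positions (RFC 5280 §4.2.1.3), packed into a u16 with bit 0 = digitalSignature.
const DIGITAL_SIGNATURE: u16 = 1 << 0;
const KEY_CERT_SIGN: u16 = 1 << 5;
const CRL_SIGN: u16 = 1 << 6;

/// Hypothetical stand-in for a parsed certificate (not pkix-path's type).
#[derive(Debug, Clone)]
struct CertSummary {
    not_before: u64,
    not_after: u64,
    /// None when the certificate carries no KeyUsage extension.
    key_usage: Option<u16>,
}

/// Hypothetical mirror of the policy fields this model enforces.
struct ChainPolicy {
    max_path_len: u8,
    current_time_unix: u64,
    enforce_key_usage: bool,
    max_validity_secs: Option<u64>,
}

#[derive(Debug, PartialEq, Eq)]
enum ChainError {
    PathTooLong { depth: usize, max: u8 },
    ValidityPeriod { index: usize },
    ValidityPeriodExceedsMax { index: usize },
    KeyUsageMissing { index: usize },
}

/// Seconds since the Unix epoch from the platform clock: the value a std caller
/// passes to ValidationPolicy::new. A no_std caller must source it elsewhere.
fn now_unix() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

/// `chain` is ordered leaf first and ends with the trust anchor, matching the
/// depth examples above: [leaf] is depth 0, [leaf, intermediate, root] is depth 1.
fn check_chain(policy: &ChainPolicy, chain: &[CertSummary]) -> Result<(), ChainError> {
    // Depth counts intermediates only: neither the leaf nor the trust anchor.
    let depth = chain.len().saturating_sub(2);
    if depth > usize::from(policy.max_path_len) {
        return Err(ChainError::PathTooLong { depth, max: policy.max_path_len });
    }
    let now = policy.current_time_unix;
    for (index, cert) in chain.iter().enumerate() {
        // notBefore <= now <= notAfter. With the Default of now == 0 this fails on
        // the leaf of every real chain, which is the ValidityPeriod symptom above.
        if !(cert.not_before <= now && now <= cert.not_after) {
            return Err(ChainError::ValidityPeriod { index });
        }
        // max_validity_secs applies to every certificate, not only the leaf.
        if let Some(max) = policy.max_validity_secs {
            if cert.not_after.saturating_sub(cert.not_before) > max {
                return Err(ChainError::ValidityPeriodExceedsMax { index });
            }
        }
        // keyCertSign is required on intermediates only, and only when a KeyUsage
        // extension is actually present (RFC 5280 §6.1.4(n)).
        let is_intermediate = index >= 1 && index + 1 < chain.len();
        if policy.enforce_key_usage && is_intermediate {
            if let Some(bits) = cert.key_usage {
                if bits & KEY_CERT_SIGN == 0 {
                    return Err(ChainError::KeyUsageMissing { index });
                }
            }
        }
    }
    Ok(())
}

/// Constructed chain: leaf (valid for about a year), intermediate, root. Not real certificates.
fn sample_chain() -> Vec<CertSummary> {
    vec![
        CertSummary { not_before: 1_690_000_000, not_after: 1_720_000_000, key_usage: Some(DIGITAL_SIGNATURE) },
        CertSummary { not_before: 1_600_000_000, not_after: 1_900_000_000, key_usage: Some(KEY_CERT_SIGN | CRL_SIGN) },
        CertSummary { not_before: 1_500_000_000, not_after: 2_000_000_000, key_usage: Some(KEY_CERT_SIGN | CRL_SIGN) },
    ]
}

fn main() {
    let policy = ChainPolicy { max_path_len: 10, current_time_unix: 1_700_000_000, enforce_key_usage: true, max_validity_secs: None };
    println!("set clock:   {:?}", check_chain(&policy, &sample_chain()));
    // Leaving current_time_unix at the Default of 0 reproduces the pitfall described above.
    let unset = ChainPolicy { current_time_unix: 0, ..policy };
    println!("unset clock: {:?}", check_chain(&unset, &sample_chain()));
}
```

Two details the model makes concrete: max_path_len = 0 still accepts [leaf, root], because the root is the trust anchor and does not count; and a max_validity_secs cap sized for leaf certificates (398 days in the test below) will reject an ordinary long-lived intermediate, so set it only when every certificate in the expected chains is short-lived.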

§allowed_signature_algs: Option<Vec<ObjectIdentifier>>

If Some(list), reject any certificate whose signature algorithm OID is not in list. None means any algorithm is accepted (the default).

Applied to every certificate in the chain. The check fires before signature verification so the error is diagnostic rather than a confusing Error::SignatureInvalid. Violations produce Error::AlgorithmNotAllowed.

§min_rsa_key_bits: Option<u32>

If Some(bits), reject any certificate carrying an RSA public key whose modulus is fewer than bits bits. Non-RSA keys are not affected. None means unconstrained (the default).

Applied to every certificate in the chain. Violations produce Error::KeyTooSmall.

§require_subject_alt_name: bool

If true, the leaf certificate (chain index 0) must have a non-empty SubjectAltName extension. false means no SAN requirement (the default).

Intermediate CA certificates are not checked by this field. Violations produce Error::MissingSan.

§required_leaf_eku: Option<Vec<ObjectIdentifier>>

If Some(oids), the leaf certificate must explicitly assert every OID in oids via its ExtendedKeyUsage extension. None means no EKU requirement (the default).

anyExtendedKeyUsage (2.5.29.37.0) does not satisfy a specific OID check — each required OID must be listed in the cert’s EKU extension. Violations produce Error::MissingEku.
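The per-certificate checks described under allowed_signature_algs, min_rsa_key_bits, require_subject_alt_name and required_leaf_eku, as an added reference model (not pkix-path's code) applied to a single leaf; the page applies the first two to every certificate in the chain, and the same function would simply be called once per certificate. LeafSummary, LeafPolicy, LeafError, check_leaf, integer_bit_len, tls_server_policy, fake_modulus and good_leaf are hypothetical names, dotted strings stand in for ObjectIdentifier, the policy values are assumptions rather than the crate's defaults, and the modulus bytes are constructed, not a real key. The OID constants are the standard values (id-kp-serverAuth 1.3.6.1.5.5.7.3.1, id-kp-clientAuth 1.3.6.1.5.5.7.3.2, sha256WithRSAEncryption 1.2.840.113549.1.1.11, sha1WithRSAEncryption 1.2.840.113549.1.1.5, ecdsa-with-SHA256 1.2.840.10045.4.3.2).

```rust
use std::collections::BTreeSet;

// Standard OIDs; dotted strings stand in for ObjectIdentifier in this model.
const ANY_EXTENDED_KEY_USAGE: &str = "2.5.29.37.0";
const ID_KP_SERVER_AUTH: &str = "1.3.6.1.5.5.7.3.1";
const ID_KP_CLIENT_AUTH: &str = "1.3.6.1.5.5.7.3.2";
const SHA256_WITH_RSA: &str = "1.2.840.113549.1.1.11";
const SHA1_WITH_RSA: &str = "1.2.840.113549.1.1.5";
const ECDSA_WITH_SHA256: &str = "1.2.840.10045.4.3.2";

/// Hypothetical view of one parsed certificate (not pkix-path's type).
struct LeafSummary<'a> {
    signature_alg: &'a str,
    /// Content octets of the RSA modulus INTEGER as found in DER; None for non-RSA keys.
    rsa_modulus_der: Option<&'a [u8]>,
    subject_alt_names: Vec<&'a str>,
    /// None when the certificate has no ExtendedKeyUsage extension.
    extended_key_usage: Option<Vec<&'a str>>,
}

/// Hypothetical mirror of the four policy fields discussed above.
struct LeafPolicy<'a> {
    allowed_signature_algs: Option<Vec<&'a str>>,
    min_rsa_key_bits: Option<u32>,
    require_subject_alt_name: bool,
    required_leaf_eku: Option<Vec<&'a str>>,
}

#[derive(Debug, PartialEq, Eq)]
enum LeafError {
    AlgorithmNotAllowed(String),
    KeyTooSmall { bits: u32, min: u32 },
    MissingSan,
    MissingEku(String),
}

/// Bit length of a DER INTEGER from its content octets. DER prefixes 0x00 when the
/// top bit of a positive value is set, so a 2048-bit modulus arrives as 257 bytes;
/// the leading zero octets must be skipped before counting.
fn integer_bit_len(content: &[u8]) -> u32 {
    match content.iter().position(|&b| b != 0) {
        None => 0,
        Some(i) => (content.len() - i - 1) as u32 * 8 + (8 - content[i].leading_zeros()),
    }
}

fn check_leaf<'a>(policy: &LeafPolicy<'a>, leaf: &LeafSummary<'a>) -> Result<(), LeafError> {
    // Algorithm allow-list first: it runs before any signature is verified, so a
    // disallowed algorithm is reported as such rather than as a signature failure.
    if let Some(allowed) = &policy.allowed_signature_algs {
        if !allowed.contains(&leaf.signature_alg) {
            return Err(LeafError::AlgorithmNotAllowed(leaf.signature_alg.to_string()));
        }
    }
    // RSA only: a certificate without an RSA key is not affected by min_rsa_key_bits.
    if let (Some(min), Some(modulus)) = (policy.min_rsa_key_bits, leaf.rsa_modulus_der) {
        let bits = integer_bit_len(modulus);
        if bits < min {
            return Err(LeafError::KeyTooSmall { bits, min });
        }
    }
    if policy.require_subject_alt_name && leaf.subject_alt_names.is_empty() {
        return Err(LeafError::MissingSan);
    }
    if let Some(required) = &policy.required_leaf_eku {
        // anyExtendedKeyUsage is dropped on purpose: it never satisfies a specific OID.
        let asserted: BTreeSet<&str> = leaf
            .extended_key_usage
            .iter()
            .flatten()
            .copied()
            .filter(|oid| *oid != ANY_EXTENDED_KEY_USAGE)
            .collect();
        if let Some(missing) = required.iter().find(|oid| !asserted.contains(*oid)) {
            return Err(LeafError::MissingEku(missing.to_string()));
        }
    }
    Ok(())
}

/// A policy a TLS server-certificate verifier might choose (assumed values).
fn tls_server_policy() -> LeafPolicy<'static> {
    LeafPolicy {
        allowed_signature_algs: Some(vec![SHA256_WITH_RSA, ECDSA_WITH_SHA256]),
        min_rsa_key_bits: Some(2048),
        require_subject_alt_name: true,
        required_leaf_eku: Some(vec![ID_KP_SERVER_AUTH]),
    }
}

/// Constructed modulus content octets of `bits` length (a multiple of 8) with the
/// top bit set, hence the DER leading 0x00. Not a real key.
fn fake_modulus(bits: usize) -> Vec<u8> {
    let mut v = vec![0x00, 0x80];
    v.extend(std::iter::repeat(0x00).take(bits / 8 - 1));
    v
}

/// A constructed leaf that satisfies tls_server_policy; callers change one field at a time.
fn good_leaf(modulus: &[u8]) -> LeafSummary<'_> {
    LeafSummary {
        signature_alg: SHA256_WITH_RSA,
        rsa_modulus_der: Some(modulus),
        subject_alt_names: vec!["example.com"],
        extended_key_usage: Some(vec![ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH]),
    }
}

fn main() {
    let modulus = fake_modulus(2048);
    println!("{:?}", check_leaf(&tls_server_policy(), &good_leaf(&modulus)));
    let mut any_eku_only = good_leaf(&modulus);
    any_eku_only.extended_key_usage = Some(vec![ANY_EXTENDED_KEY_USAGE]);
    println!("{:?}", check_leaf(&tls_server_policy(), &any_eku_only));
}
```

The detail worth noting is integer_bit_len: the RSA modulus is a DER INTEGER, so a 2048-bit modulus arrives as 257 content bytes with a leading 0x00. A check that multiplies the byte count by 8 without stripping that prefix would report a 2040-bit key as 2048 bits and let it pass the minimum.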

Implementations§

impl ValidationPolicy

pub fn new(now_unix: u64) -> Self

Construct a policy with the given time and sensible defaults.

Equivalent to ValidationPolicy { current_time_unix: now_unix, ..Default::default() }, a literal that only the defining crate can write because the struct is #[non_exhaustive]. This is the preferred constructor: it forces the caller to supply a timestamp, preventing the blanket ValidityPeriod failures caused by Default's current_time_unix = 0.

Trait Implementations§

impl Clone for ValidationPolicy

fn clone(&self) -> ValidationPolicy
Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.

impl Debug for ValidationPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result
Formats the value using the given formatter.

impl Default for ValidationPolicy

fn default() -> Self
Returns the “default value” for a type.

impl PartialEq for ValidationPolicy

fn eq(&self, other: &ValidationPolicy) -> bool
Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool
Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for ValidationPolicy

impl StructuralPartialEq for ValidationPolicy
