Skip to main content

Crate pkix_path

Crate pkix_path 

Source
Expand description

RFC 5280 X.509 certificate path validation — pure Rust, no_std.

Implements certificate path building and validation per RFC 5280 §6.

§Architecture

Cryptographic signature verification is pluggable via SignatureVerifier. The default feature set (rustcrypto) wires in RustCrypto backends for RSA-PKCS1v15-SHA-256 (rsa feature) and ECDSA-P-256-SHA-256 (p256 feature). P-384 and Ed25519 are planned for a future release. For FIPS-validated crypto, implement SignatureVerifier against wolfcrypt-rustcrypto and disable the rustcrypto feature.

Revocation checking is handled by pkix-revocation. This crate never touches the network — use pkix_chain::verify_chain for the combined API.

§Limitations

The following are not implemented in v0.2:

  • RFC 4518 full Unicode NFKC DN normalization — only ASCII whitespace collapsing is applied; BMPString/UniversalString/TeletexString in DN attributes are compared after UTF-8 transcoding without NFKC.
  • Online revocation — revocation is handled by pkix-revocation (CRL/OCSP); this crate is network-free by design.
  • Path building — converting an unordered bag of certificates into a validated chain is handled by pkix-path-builder.

Structs§

DefaultVerifierp256 or rsa
A SignatureVerifier that dispatches to available RustCrypto backends by OID.
DerError
Opaque wrapper around an underlying ASN.1 / DER error.
EcdsaP256Verifierp256
ECDSA P-256 with SHA-256 signature verifier.
NameConstraints
Re-exported for use with TrustAnchor::name_constraints. NameConstraints extension as defined in RFC 5280 Section 4.2.1.10.
RsaPkcs1v15Sha256Verifierrsa
RSA with PKCS#1 v1.5 padding and SHA-256 signature verifier.
TrustAnchor
A trust anchor used to terminate path validation.
ValidatedPath
The result of a successful certificate path validation.
ValidationPolicy
Policy parameters controlling path validation.

Enums§

Error
Errors returned by path validation.

Traits§

Profile
A PKI regime profile that bundles identity, citation, and a validation policy.
SignatureVerifier
Pluggable signature verification backend.

Functions§

cert_is_ca
Returns Ok(true) if cert is a CA certificate per its BasicConstraints extension (RFC 5280 §4.2.1.9), Ok(false) if the extension is absent or cA = FALSE, and Err(DerError) if the extension is present but cannot be DER-decoded.
names_match
Compare two distinguished names per RFC 4518 string prep rules.
validate_path
Validate a certificate chain from subject to a trust anchor.
validate_path_with_profile
Validate a certificate chain using a Profile to produce the policy.

Type Aliases§

Result
Result alias for this crate.