
Struct ValidationPolicy

#[non_exhaustive]
pub struct ValidationPolicy {
    pub max_path_len: u8,
    pub current_time_unix: u64,
    pub enforce_key_usage: bool,
    pub require_crl_sign_on_cas: bool,
    pub initial_explicit_policy: bool,
    pub initial_any_policy_inhibit: bool,
    pub initial_policy_mapping_inhibit: bool,
    pub initial_policy_set: Vec<ObjectIdentifier>,
    pub max_validity_secs: Option<u64>,
    pub allowed_signature_algs: Option<Vec<ObjectIdentifier>>,
    pub min_rsa_key_bits: Option<u32>,
    pub require_subject_alt_name: bool,
    pub require_rfc822_san: bool,
    pub required_leaf_eku: Option<Vec<ObjectIdentifier>>,
    pub required_leaf_policy_oids: Option<Vec<ObjectIdentifier>>,
    pub required_leaf_subject_dn_attrs: Option<DnAttrRule>,
}

Policy parameters controlling path validation.

Stability

ValidationPolicy is #[non_exhaustive]. Construct via ValidationPolicy::new or Default + field assignment. Do not use struct literal syntax.

Performance note

Policy objects are intended to be constructed once (e.g., at server startup) and reused for the lifetime of the application. Repeated construction is unnecessary.

Policy enforcement (CertificatePolicies, PolicyMappings, PolicyConstraints, InhibitAnyPolicy) is implemented per RFC 5280 §6.1. Use the initial_explicit_policy, initial_any_policy_inhibit, initial_policy_mapping_inhibit, and initial_policy_set fields to configure the initial policy state.

Limitations

Path-building (RFC 4158 — cross-signed certificates, multiple candidate issuers) is out of scope for this crate. The caller must supply the complete, ordered chain (see pkix-path-builder for path discovery).

Revocation checking (CRL / OCSP) is out of scope for pkix-path; see pkix-revocation for that functionality.

Fields (Non-exhaustive)

This struct is marked as non-exhaustive. Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.
max_path_len: u8

Maximum chain depth, not counting the trust anchor. Default: 10.

A chain of [leaf] is depth 0. [leaf, intermediate, root] is depth 1 (one intermediate). Validation fails if depth exceeds this value.

current_time_unix: u64

Current time as seconds since the Unix epoch (1970-01-01T00:00:00Z).

Used to check notBefore ≤ now ≤ notAfter on every certificate. Must be set by the caller — there is no platform clock in no_std.

Warning — the default is 0 (1970-01-01): Any certificate issued after 1970 has notBefore > 0 and will fail the validity check with Error::ValidityPeriod. If you see unexpected ValidityPeriod errors, check that current_time_unix is set to the current time.

Warning: passing u64::MAX causes all notAfter checks to pass. This effectively disables expiry checking — only use it in contexts where you explicitly want permissive (clock-free) validation.

enforce_key_usage: bool

Enforce the KeyUsage extension when present. Default: true.

When true, an intermediate certificate whose KeyUsage extension is present but does not include keyCertSign will be rejected with Error::KeyUsageMissing, per RFC 5280 §6.1.4(n).

Certificates with no KeyUsage extension are not affected; RFC 5280 only mandates the check when the extension is present.

require_crl_sign_on_cas: bool

Require cRLSign in KeyUsage on every intermediate CA. Default: false.

When true, an intermediate certificate whose KeyUsage extension is present but does not include cRLSign will be rejected with Error::CrlSignMissing. Certificates with no KeyUsage extension are not affected.

RFC 5280 §6.1 does not mandate this check — it conflates path validation with revocation infrastructure. PKITS §4.7.4 and §4.7.5 nonetheless expect such chains to fail because a CA cert without cRLSign cannot revoke certs it issued. Enable this flag to restore PKITS conformance or to enforce a stricter “every CA must be able to sign CRLs” rule.

This check is independent of enforce_key_usage: enforce_key_usage governs the RFC-mandated keyCertSign check, while require_crl_sign_on_cas adds a separate cRLSign requirement.

initial_explicit_policy: bool

Initial explicit-policy indicator (RFC 5280 §6.1.1).

When true, path validation requires that at least one valid policy exists from the initial policy set. When false (the default), any valid path is accepted even if no certificate policy is asserted.

initial_any_policy_inhibit: bool

Initial any-policy inhibit indicator (RFC 5280 §6.1.1).

When true, the anyPolicy OID is not considered a match for any other policy at the start of the path. When false (the default), anyPolicy is accepted as a wildcard unless later inhibited by a CA certificate.

initial_policy_mapping_inhibit: bool

Initial policy-mapping inhibit indicator (RFC 5280 §6.1.1).

When true, policy mappings are not permitted in any certificate in the chain. When false (the default), policy mappings are allowed.

initial_policy_set: Vec<ObjectIdentifier>

Initial user-requested policy set (RFC 5280 §6.1.1).

The set of certificate policies acceptable to the relying party. An empty vec is treated as {anyPolicy} — all policies are acceptable. Set this to restrict which policies are recognized in the output.

Note: this is pub but clones the OID set, so prefer constructing once and reusing the ValidationPolicy.

max_validity_secs: Option<u64>

If Some(n), reject any certificate whose (notAfter − notBefore) exceeds n seconds. None means unconstrained (the default).

Applied to every certificate in the chain, not just the leaf. Violations produce Error::ValidityPeriodExceedsMax.
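A self-contained illustration of the two time-based checks described under current_time_unix and max_validity_secs above, added here as an example: it is not pkix-path's code and does not call the crate; the Error variants and the Validity struct are local stand-ins for the names the docs use, and the chain timestamps are constructed sample data.

```rust
use std::time::{SystemTime, UNIX_EPOCH};

// Error variants named in the ValidationPolicy docs (illustrative mirror, not the crate's enum).
#[derive(Debug, PartialEq)]
pub enum Error { ValidityPeriod, ValidityPeriodExceedsMax }

// Validity window of one certificate, in seconds since the Unix epoch.
#[derive(Debug, Clone, Copy)]
pub struct Validity { pub not_before: u64, pub not_after: u64 }

// The clock the caller must supply: pkix-path has no platform clock in no_std, so the
// application reads it here and passes the value to ValidationPolicy::new(now_unix()).
pub fn now_unix() -> u64 {
    SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
}

// notBefore <= now <= notAfter: the check that current_time_unix drives on every certificate.
pub fn check_validity(now: u64, v: &Validity) -> Result<(), Error> {
    (v.not_before <= now && now <= v.not_after).then_some(()).ok_or(Error::ValidityPeriod)
}

// max_validity_secs: Some(n) rejects a lifetime longer than n seconds; None is unconstrained.
pub fn check_max_validity(max_validity_secs: Option<u64>, v: &Validity) -> Result<(), Error> {
    match max_validity_secs {
        Some(n) if v.not_after.saturating_sub(v.not_before) > n => Err(Error::ValidityPeriodExceedsMax),
        _ => Ok(()),
    }
}

// Both checks over the whole chain, leaf first, as the policy applies them to every certificate.
pub fn check_chain(now: u64, max_validity_secs: Option<u64>, chain: &[Validity]) -> Result<(), Error> {
    chain.iter().try_for_each(|v| {
        check_validity(now, v)?;
        check_max_validity(max_validity_secs, v)
    })
}

// Constructed sample chain: a 366-day leaf (calendar 2024) issued by a ten-year CA (2020..2030).
pub const SAMPLE_CHAIN: [Validity; 2] = [
    Validity { not_before: 1_704_067_200, not_after: 1_735_689_600 },
    Validity { not_before: 1_577_836_800, not_after: 1_893_456_000 },
];

fn main() {
    // Default current_time_unix = 0 rejects even a chain that is valid today.
    println!("{:?}", check_chain(0, None, &SAMPLE_CHAIN));
    // A 398-day lifetime cap is applied chain-wide, so it is the CA, not the leaf, that fails.
    println!("{:?}", check_chain(1_720_000_000, Some(398 * 86_400), &SAMPLE_CHAIN));
}
```

The second call shows why a leaf-oriented lifetime limit must be chosen with the CA certificates in mind: max_validity_secs is evaluated against every certificate in the chain.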

allowed_signature_algs: Option<Vec<ObjectIdentifier>>

If Some(list), reject any certificate whose signature algorithm OID is not in list. None means any algorithm is accepted (the default).

Applied to every certificate in the chain. The check fires before signature verification so the error is diagnostic rather than a confusing Error::SignatureInvalid. Violations produce Error::AlgorithmNotAllowed.

min_rsa_key_bits: Option<u32>

If Some(bits), reject any certificate carrying an RSA public key whose modulus is fewer than bits bits. Non-RSA keys are not affected. None means unconstrained (the default).

Applied to every certificate in the chain. Violations produce Error::KeyTooSmall.

require_subject_alt_name: bool

If true, the leaf certificate (chain index 0) must have a non-empty SubjectAltName extension. false means no SAN requirement (the default).

Intermediate CA certificates are not checked by this field. Violations produce Error::MissingSan.

require_rfc822_san: bool

If true, at least one rfc822Name entry must be present in the leaf’s SubjectAltName extension.

Only meaningful when require_subject_alt_name is also true. When require_subject_alt_name is false, this field has no effect.

Default: false (backward compatible). Violations produce Error::MissingRfc822San.

required_leaf_eku: Option<Vec<ObjectIdentifier>>

If Some(oids), the leaf certificate must explicitly assert every OID in oids via its ExtendedKeyUsage extension. None means no EKU requirement (the default).

anyExtendedKeyUsage (2.5.29.37.0) does not satisfy a specific OID check — each required OID must be listed in the cert’s EKU extension. Violations produce Error::MissingEku.

required_leaf_policy_oids: Option<Vec<ObjectIdentifier>>

If Some(oids), the leaf certificate must explicitly assert every OID in oids via its CertificatePolicies extension. None means no policy-OID assertion requirement (the default).

Distinct from initial_policy_set: initial_policy_set is the relying party’s acceptable policy set (RFC 5280 §6.1.1, user-initial-policy-set). required_leaf_policy_oids requires assertion — the OID must appear on the leaf cert’s CertificatePolicies extension, independent of the policy tree.

anyPolicy (2.5.29.32.0) does not satisfy a specific OID check. Violations produce Error::MissingLeafPolicyOid.

This field follows the required_leaf_eku precedent: leaf-only, opt-in, additive. Intended for CA/B Forum subscriber-profile tier disambiguation where a tier mandates assertion of a specific reserved policy OID.

required_leaf_subject_dn_attrs: Option<DnAttrRule>

If Some(rule), the leaf certificate’s Subject DN must satisfy rule. None means no Subject DN requirement (the default).

Violations produce Error::SubjectDnAttrRuleUnmet. See DnAttrRule for the expression grammar and vacuity rules.

This field follows the required_leaf_eku precedent: leaf-only, opt-in, additive. Intended for CA/B Forum subscriber-profile tier disambiguation (e.g., S/MIME Organization-validated tier requires organizationName).

Implementations

impl ValidationPolicy

pub fn new(now_unix: u64) -> Self

Construct a policy with the given time and sensible defaults.

Equivalent to ValidationPolicy { current_time_unix: now_unix, ..Default::default() }. This is the preferred constructor: it forces the caller to supply a timestamp, preventing the silent validity failures caused by Default’s current_time_unix = 0.

Trait Implementations

impl Clone for ValidationPolicy

fn clone(&self) -> ValidationPolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ValidationPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ValidationPolicy

fn default() -> Self

Returns a default policy with current_time_unix = 0 (1970-01-01).

This is not safe for production use because every certificate issued after the Unix epoch will fail Error::ValidityPeriod. Prefer ValidationPolicy::new (which takes now_unix explicitly). Default is provided only for ..Default::default() ergonomics on this #[non_exhaustive] struct.

impl<'de> Deserialize<'de> for ValidationPolicy

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Eq for ValidationPolicy

impl PartialEq for ValidationPolicy

fn eq(&self, other: &ValidationPolicy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for ValidationPolicy

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for ValidationPolicy
