License
BSD-3-Clause
ddn.crypto.x509.chain
X.509 Certificate Chain Validation (RFC 5280).
Provides functions for building and validating certificate chains, including signature verification, validity period checks, and extension validation.
Copyright
Copyright © 2025, Dejan Lekić
enum ValidationResult
class TrustStore
Types 4
enumValidationResult
Result of certificate chain validation.
VALIDChain is valid
EXPIREDCertificate has expired
NOT_YET_VALIDCertificate is not yet valid
SIGNATURE_INVALIDSignature verification failed
NO_TRUSTED_ROOTNo trusted root found
NOT_A_CACertificate is not a CA but issued other certificates
PATH_LENGTH_EXCEEDEDPath length constraint exceeded
KEY_USAGE_INVALIDRequired key usage missing
INVALID_CHAINChain is empty or malformed
UNSUPPORTED_ALGORITHMUnknown or unsupported signature algorithm
UNRECOGNIZED_CRITICAL_EXTENSIONCritical extension not recognized
structValidationOptions
Options for certificate chain validation.
Fields
long validationTimeThe time to use for validity checks (Unix timestamp). If 0, validation is skipped.bool verifySignaturesWhether to verify signatures in the chain.bool checkKeyUsageWhether to check key usage extensions.bool checkBasicConstraintsWhether to check basic constraints.bool checkCriticalExtensionsWhether to check for unrecognized critical extensions.string requiredPurposePurpose OID to check in Extended Key Usage (null to skip).structValidationReport
Detailed result of certificate chain validation.
Fields
ValidationResult resultThe overall validation resultstring errorMessageHuman-readable error message (if validation failed)int failingCertIndexIndex of the certificate that caused the failure (-1 if N/A)X509Certificate[] chainThe validated certificate chain (from end-entity to root)classTrustStore
A collection of trusted root certificates.
The trust store is used during chain validation to determine whether a certificate chain terminates at a trusted root.
Fields
private X509Certificate[] _trustedRootsMethods
void addTrustedRoot(X509Certificate cert)Adds a trusted root certificate.void addTrustedRoots(X509Certificate[] certs)Adds multiple trusted root certificates.void loadFromPem(string pem)Loads trusted roots from PEM data containing multiple certificates.X509Certificate findIssuer(X509Certificate cert)Finds a trusted root that issued the given certificate.bool isTrusted(X509Certificate cert)Checks if a certificate is in the trust store.Constructors
this()Creates an empty trust store.Functions 12
fn
ValidationReport validateChain(X509Certificate[] chain, TrustStore trustStore,
ValidationOptions options = ValidationOptions.init)Validates a certificate chain against a trust store.fn
bool verifySignature(X509Certificate cert, X509Certificate issuer)Verifies that a certificate was signed by the given issuer.fn
bool verifySignatureWithKey(X509Certificate cert, PublicKey publicKey)Verifies a certificate's signature using a public key.private fn
bool verifyRsaPkcs1Signature(X509Certificate cert, PublicKey publicKey, Hash hash)Verifies an RSA PKCS#1 v1.5 signature.private fn
bool verifyPkcs1Padding(ubyte[] em, ubyte[] expectedHash, size_t hashLen)Verifies PKCS#1 v1.5 padding and compares hash.private fn
bool verifyEcdsaSignature(X509Certificate cert, PublicKey publicKey,
Hash delegate() hashFactory)Verifies an ECDSA signature.private fn
bool verifyEd25519Signature(X509Certificate cert, PublicKey publicKey)Verifies an Ed25519 signature.private fn
bool isRecognizedExtension(string oid) pure nothrow @safeChecks if an extension OID is recognized.private fn
size_t findMarker(string data, string marker, size_t start) pure nothrow @safeFinds a marker string in PEM data.fn
bool verifyHostname(X509Certificate cert, string hostname) @safeVerifies that a certificate is valid for the given hostname.private fn
bool matchHostname(string pattern, string hostname) pure @trustedMatches a hostname pattern against a hostname.