pub fn anchor_from_trusted_cert<'a>(
cert: &'a CertificateDer<'a>,
) -> Result<TrustAnchor<'a>, Error>
Expand description
Interprets the given pre-validated DER-encoded certificate as a TrustAnchor
.
This function extracts the components of a trust anchor (see RFC 5280 6.1.1) from an X.509 certificate obtained from a source trusted to have appropriately validated the subject name, public key, and name constraints in the certificate, for example your operating system’s trust store.
No additional checks on the content of the certificate, including whether it is self-signed,
or has a basic constraints extension indicating the cA
boolean is true, will be performed.
RFC 5280 6.2 notes:
Implementations that use self-signed certificates to specify trust anchor information are free to process or ignore such information.
This function is intended for users constructing TrustAnchor
’s from existing trust stores
that express trust anchors as X.509 certificates. It should not be used to treat an
end-entity certificate as a TrustAnchor
in an effort to validate the same end-entity
certificate during path building. Webpki has no support for self-signed certificates.