CertificateChain
Object Hierarchy:
Description:
Represents a chain of certificates, normally used to validate the trust in a certificate.
An X.509 certificate chain has one endpoint certificate (the one for which trust is being verified) and then in turn the certificate that issued each previous certificate in the chain.
This functionality is for building certificate chains, not for validating them. Use your favorite crypto library to validate trust in a certificate chain once it's built.
The certificates in the chain should be ordered with the endpoint certificate first, followed by the signing certificates, each one being the issuer of the certificate before it.
Create a new certificate chain with [ctor@CertificateChain.new] and then add the certificates with [method@CertificateChain.add].
You can then use [method@CertificateChain.build] to build the remainder of the chain. This will look up missing certificates in PKCS#11 modules and also check that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, the chain is considered built. Any extra certificates are removed from the chain.
Once the certificate chain has been built, you can access its status through [method@CertificateChain.get_status]. The status signifies whether the chain is anchored on a trust root, self-signed, incomplete, etc. See [enum@CertificateChainStatus] for information on the various statuses.
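The following Python model is an added illustration of the new/add/build/get_status flow described above; it is not gcr's code and does not call the gcr API. It assumes a toy certificate format (subject, issuer, key, signature) in which "signatures" are HMAC-SHA256 values keyed by the issuer's key, so the `key` field stands in for both the public and the private key, which a real PKI never does. The `lookup` dictionary stands in for searching PKCS#11 modules, `anchors` for the trust store, and the status strings for the values of the status enum. What the model does with an added certificate that turns out not to be the signer of the previous one (it drops it and falls back to lookup) is this model's own choice.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ToyCert:
    """Constructed stand-in for an X.509 certificate (hypothetical, not gcr's type)."""
    subject: str
    issuer: str
    key: bytes        # stand-in for the subject public key (also the toy signing key)
    sig: bytes = b""  # toy signature written by the issuer


def _tbs(subject: str, issuer: str, key: bytes) -> bytes:
    """The 'to-be-signed' bytes covered by the toy signature."""
    return b"|".join([subject.encode(), issuer.encode(), key])


def issue(subject: str, key: bytes, issuer: ToyCert) -> ToyCert:
    """Issuer signs a new certificate for `subject` with the issuer's key."""
    sig = hmac.new(issuer.key, _tbs(subject, issuer.subject, key), hashlib.sha256).digest()
    return ToyCert(subject, issuer.subject, key, sig)


def make_root(subject: str, key: bytes) -> ToyCert:
    """A self-signed certificate: the (unsigned) root issues itself."""
    return issue(subject, key, ToyCert(subject, subject, key))


def is_signer(candidate: ToyCert, cert: ToyCert) -> bool:
    """True if `candidate` is the issuer named by `cert` and its key verifies cert's signature."""
    if candidate.subject != cert.issuer:
        return False
    expected = hmac.new(candidate.key, _tbs(cert.subject, cert.issuer, cert.key), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.sig)


def is_self_signed(cert: ToyCert) -> bool:
    return cert.subject == cert.issuer and is_signer(cert, cert)


# Status names modelled on the page's description of the status enum.
ANCHORED, SELF_SIGNED, PINNED, INCOMPLETE, UNKNOWN = "anchored", "self-signed", "pinned", "incomplete", "unknown"


class CertificateChain:
    """Endpoint first, then each certificate that issued the previous one."""

    def __init__(self):
        self.certs = []
        self.status = UNKNOWN

    def add(self, cert: ToyCert) -> None:
        self.certs.append(cert)

    def get_status(self) -> str:
        return self.status

    def build(self, lookup: dict, anchors: set, pinned: frozenset = frozenset()) -> bool:
        """Complete the chain; returns False when no signer can be found (status incomplete)."""
        if not self.certs:
            raise ValueError("add the endpoint certificate before building")
        endpoint, supplied = self.certs[0], list(self.certs[1:])
        chain = [endpoint]
        if endpoint in pinned:
            self.status = PINNED  # a pinned endpoint needs no issuers
        else:
            while True:
                current = chain[-1]
                if current in anchors:
                    self.status = ANCHORED
                    break
                if is_self_signed(current):
                    self.status = SELF_SIGNED
                    break
                nxt = None
                if supplied and is_signer(supplied[0], current):
                    nxt = supplied.pop(0)  # the caller supplied the next signer in order
                else:
                    supplied = []  # out-of-order extras are discarded; search the "modules"
                    nxt = next((c for c in lookup.get(current.issuer, []) if is_signer(c, current)), None)
                if nxt is None or nxt in chain:  # no signer, or a cross-signing loop
                    self.status = INCOMPLETE
                    break
                chain.append(nxt)
        self.certs = chain  # extra certificates are removed
        return self.status != INCOMPLETE


def demo() -> dict:
    """Three constructed cases: anchored via lookup, self-signed with an extra removed, incomplete."""
    root = make_root("Example Root CA", b"root-key")
    inter = issue("Example Intermediate CA", b"inter-key", root)
    leaf = issue("www.example.test", b"leaf-key", inter)
    other = make_root("Unrelated CA", b"other-key")
    modules = {"Example Root CA": [root], "Example Intermediate CA": [inter]}

    c1 = CertificateChain()  # only the endpoint added; issuers come from lookup
    c1.add(leaf)
    c1.build(modules, anchors={root})

    c2 = CertificateChain()  # endpoint, intermediate and an unrelated extra added
    for c in (leaf, inter, other):
        c2.add(c)
    c2.build(modules, anchors=set())

    c3 = CertificateChain()  # endpoint whose issuer is nowhere to be found
    c3.add(issue("orphan.example.test", b"orphan-key", ToyCert("Missing CA", "Missing CA", b"m")))
    ok3 = c3.build({}, anchors={root})

    return {
        "c1": (c1.get_status(), [c.subject for c in c1.certs]),
        "c2": (c2.get_status(), [c.subject for c in c2.certs]),
        "c3": (c3.get_status(), ok3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

As the page says, a built chain is only the first step: the model checks issuer names and signatures to order the chain, but says nothing about validity periods, name constraints, key usage or revocation, which belong to the validation step done with a full crypto library.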
It's important to understand that the building of a certificate chain is merely the first step towards verifying trust in a certificate.