pub fn validate_identity(
    cert_der: &[u8],
    expected: &str,
) -> Result<bool, String>
Validate that a DER-encoded certificate is authorized for a given identity.
Following RFC 6125 Section 6.4.4, the validation algorithm is:
- If the certificate contains Subject Alternative Name (SAN) entries, check each entry against the expected identity, comparing only entries of the matching type (dNSName for a hostname, iPAddress for an IP address, rfc822Name for an email address). The subject CN is ignored entirely when any SAN entries are present, so a matching CN cannot rescue a certificate whose SANs do not match.
- If no SANs are present, fall back to the subject Common Name (CN). This fallback is deprecated by RFC 6125 but still widely used, so it is kept for compatibility with legacy certificates.
The expected identity may be a DNS hostname, an IP address, or an
email address. The function determines the type, in this order, by
attempting to parse the string as an IP address, then checking for
`@` (email), then treating it as a DNS name. Because the IP check comes
first, an identity such as `192.0.2.10` is compared only with iPAddress
entries and never with a dNSName that happens to spell the same digits.
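As an added example that is not this crate's code, the matching rules above carried out over an already-parsed certificate. The `San` and `Identity` types and the `classify`, `dns_matches`, `email_matches` and `identity_matches` functions are assumed helpers, the sample certificate contents are constructed, and DER decoding is left to whatever parser the caller uses. It goes slightly beyond the text by applying the RFC 6125 §6.4.3 wildcard rules for dNSName entries and the RFC 5280 §7.5 comparison rule for rfc822Name entries.

```rust
use std::net::IpAddr;

/// A Subject Alternative Name entry as a DER parser would hand it back.
/// Constructed for this example; a real caller fills it from the decoder.
#[derive(Debug, Clone, PartialEq)]
pub enum San {
    Dns(String),
    Ip(IpAddr),
    Email(String),
}

/// The reference identity, classified the way the description above says:
/// IP literal first, then '@' marks an email address, anything else is DNS.
#[derive(Debug, PartialEq)]
pub enum Identity {
    Ip(IpAddr),
    Email(String),
    Dns(String),
}

pub fn classify(expected: &str) -> Identity {
    if let Ok(ip) = expected.parse::<IpAddr>() {
        Identity::Ip(ip)
    } else if expected.contains('@') {
        Identity::Email(expected.to_string())
    } else {
        Identity::Dns(expected.to_string())
    }
}

/// dNSName comparison per RFC 6125 §6.4.3: case-insensitive, and a wildcard
/// is accepted only as the entire left-most label, where it matches exactly
/// one label. Patterns that would cover a whole TLD ("*.com") are refused.
pub fn dns_matches(pattern: &str, name: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    if !pattern.contains('*') {
        return pattern == name;
    }
    let (p_first, p_rest) = match pattern.split_once('.') {
        Some(parts) => parts,
        None => return false, // a bare "*" is not a usable pattern
    };
    if p_first != "*" || !p_rest.contains('.') || p_rest.contains('*') {
        return false; // partial-label or multi-level wildcards are rejected
    }
    match name.split_once('.') {
        Some((n_first, n_rest)) => !n_first.is_empty() && n_rest == p_rest,
        None => false,
    }
}

/// rfc822Name comparison per RFC 5280 §7.5: the local part is case-sensitive,
/// the domain part is compared case-insensitively.
pub fn email_matches(presented: &str, expected: &str) -> bool {
    match (presented.rsplit_once('@'), expected.rsplit_once('@')) {
        (Some((pl, pd)), Some((el, ed))) => pl == el && pd.eq_ignore_ascii_case(ed),
        _ => false,
    }
}

/// Apply the SAN-first rule: when any SAN is present only SANs of the
/// matching type are consulted and the CN is ignored; only when the SAN list
/// is empty is the CN tried, and then only for a DNS reference identity.
pub fn identity_matches(sans: &[San], subject_cn: Option<&str>, expected: &str) -> bool {
    let id = classify(expected);
    if !sans.is_empty() {
        return sans.iter().any(|san| match (san, &id) {
            (San::Dns(p), Identity::Dns(n)) => dns_matches(p, n),
            (San::Ip(a), Identity::Ip(b)) => a == b,
            (San::Email(p), Identity::Email(e)) => email_matches(p, e),
            _ => false, // type mismatch never matches
        });
    }
    // Deprecated CN fallback. Assumption made here: a CN holding an IP literal
    // or an email address is not honoured, only a DNS name in the CN is.
    match (&id, subject_cn) {
        (Identity::Dns(n), Some(cn)) => dns_matches(cn, n),
        _ => false,
    }
}

fn main() {
    // Constructed sample: what a parser would return for a typical web cert.
    let sans = vec![
        San::Dns("*.example.com".to_string()),
        San::Ip("192.0.2.10".parse().unwrap()),
    ];
    let cn = Some("ignored.example.net");
    for id in ["www.example.com", "deep.www.example.com", "192.0.2.10", "ignored.example.net"] {
        println!("{:>22} -> {}", id, identity_matches(&sans, cn, id));
    }
}
```

The last loop iteration is the one worth noticing: `ignored.example.net` is the subject CN, yet it is reported as not matching because SANs are present. With an empty SAN list the same CN would match, which is exactly the fallback the description calls deprecated.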
§Returns
- `Ok(true)`: the certificate matches the expected identity.
- `Ok(false)`: the certificate does not match.
- `Err(...)`: the certificate could not be parsed.
A result of `Ok(true)` only establishes that the certificate names the expected identity; the caller still has to verify the chain, validity period and revocation status separately, since this function receives no trust anchors.