Crate ocsp_staple

Build OCSP requests, parse OCSP responses, and extract the OCSP responder URL from a certificate’s Authority Information Access (AIA) extension. With the fetch feature, also performs an async HTTP/1.1 POST against the responder via hyper.

§Transport policy: HTTP-only

Production CAs (Let’s Encrypt, DigiCert, Sectigo, Entrust, GlobalSign) all ship HTTP-only OCSP responders, and OCSP responses are independently signed (the transport adds nothing the response signature doesn’t already provide). This crate enforces HTTP-only: HTTPS responder URLs surface as OcspError::HttpsNotSupported at extract / fetch time; the caller can deliver such responses through other channels (e.g. a pre-fetched DER blob on disk).

§API shape

Three layers:

  • Pure functions on cert DER (always compiled): extract_ocsp_url, build_ocsp_request, parse_ocsp_response. No IO; unit-testable in isolation.
  • One async transport function (fetch feature): fetch_ocsp. Wraps a hyper HTTP/1.1 conn behind a single timeout.
  • Convenience (fetch feature): fetch_ocsp_for_cert runs the whole pipeline (extract → build → fetch → parse) given the leaf + issuer DER.

Structs§

OcspStaple
Parsed OCSP response result. staple is the full DER OCSPResponse suitable for handing to rustls via CertifiedKey.ocsp. next_update is the responder’s nextUpdate (or producedAt + 7d when omitted — RFC 6960 §4.2.2.1 allows nextUpdate to be absent for “indefinite” responses; we still need a wall-clock deadline so a renewal scheduler can plan a refresh).
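The two policy decisions described above (refuse non-HTTP responder URLs before any transport is attempted, and derive a wall-clock deadline as producedAt + 7d when nextUpdate is absent) can be modelled with std only. The following is an added example, not code from the ocsp_staple crate: the `OcspPolicyError` enum, `check_responder_url`, `staple_deadline` and `needs_refresh` are hypothetical names chosen here, and the URL scheme parsing is a deliberately minimal split on "://" rather than the crate's AIA extraction.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Hypothetical error type modelled on the categories the crate docs list
/// (transport / parse / responder); it is NOT the crate's own `OcspError`.
#[derive(Debug, PartialEq)]
pub enum OcspPolicyError {
    /// Responder URL uses https: refused by the HTTP-only transport policy.
    /// The caller may still supply the response via another channel.
    HttpsNotSupported(String),
    /// Some other scheme (e.g. ldap) that the HTTP transport cannot speak.
    UnsupportedScheme(String),
    /// No "scheme://" prefix at all.
    MalformedUrl(String),
}

/// Enforce the HTTP-only rule on a responder URL taken from AIA.
/// Scheme comparison is case-insensitive (RFC 3986 §3.1), so "HTTP://..."
/// is accepted and "HTTPS://..." is rejected, not misclassified as unknown.
/// Returns the URL unchanged so it can be handed straight to the transport.
pub fn check_responder_url(url: &str) -> Result<&str, OcspPolicyError> {
    let (scheme, _rest) = url
        .split_once("://")
        .ok_or_else(|| OcspPolicyError::MalformedUrl(url.to_string()))?;
    if scheme.eq_ignore_ascii_case("http") {
        Ok(url)
    } else if scheme.eq_ignore_ascii_case("https") {
        Err(OcspPolicyError::HttpsNotSupported(url.to_string()))
    } else {
        Err(OcspPolicyError::UnsupportedScheme(scheme.to_ascii_lowercase()))
    }
}

/// Fallback window the crate docs describe for "indefinite" responses:
/// producedAt + 7 days when nextUpdate is omitted (RFC 6960 §4.2.2.1).
pub const INDEFINITE_RESPONSE_WINDOW: Duration = Duration::from_secs(7 * 24 * 60 * 60);

/// Wall-clock deadline a renewal scheduler can plan against.
pub fn staple_deadline(produced_at: SystemTime, next_update: Option<SystemTime>) -> SystemTime {
    next_update.unwrap_or(produced_at + INDEFINITE_RESPONSE_WINDOW)
}

/// True once `now` is within `lead` of the deadline (or past it), i.e. the
/// scheduler should fetch a fresh staple. A `lead` larger than the deadline
/// itself (underflow) is treated as "refresh now".
pub fn needs_refresh(now: SystemTime, deadline: SystemTime, lead: Duration) -> bool {
    match deadline.checked_sub(lead) {
        Some(refresh_at) => now >= refresh_at,
        None => true,
    }
}

fn main() {
    // Constructed sample values; not taken from a real responder.
    let produced_at = UNIX_EPOCH + Duration::from_secs(1_700_000_000);
    for url in ["http://ocsp.example.test/", "https://ocsp.example.test/", "ldap://x"] {
        println!("{url}: {:?}", check_responder_url(url));
    }
    let deadline = staple_deadline(produced_at, None);
    println!("deadline without nextUpdate: {:?}", deadline);
    println!(
        "refresh needed one day in? {}",
        needs_refresh(produced_at + Duration::from_secs(86_400), deadline, Duration::from_secs(3_600))
    );
}
```

The scheme check runs before any socket is opened, which is the point of surfacing the error at extract/fetch time: a misconfigured https responder fails fast and deterministically instead of timing out inside the transport layer.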

Enums§

OcspError
Error surface for the OCSP pipeline. Categorised so callers can branch on transport / parse / responder failures without string-matching.

Functions§

build_ocsp_request
Build an OCSPRequest DER for cert_der signed by issuer_der per RFC 6960 §4.1.1. Cert ID hash is SHA-1 — RFC-mandated, not security-critical (the hash is a routing identifier).
extract_ocsp_url
Extract the OCSP responder URL from a cert’s AIA extension.
parse_ocsp_response
Parse an OCSPResponse DER into an OcspStaple. The original bytes are returned verbatim as the staple (rustls ships them on the wire without re-encoding).