Struct CrlChecker 

pub struct CrlChecker<V> { /* private fields */ }

Available on crate feature crl only.

Offline CRL-based revocation checker.

Parses a DER-encoded CertificateList, verifies its signature against the issuer’s SPKI, checks the thisUpdate/nextUpdate validity window, and reports whether the certificate’s serial number appears in the revoked list.

To also apply a delta CRL (RFC 5280 §5.2.4), use CrlChecker::with_delta.

Feature

Only available when the crl feature is enabled.

Return value semantics

RevocationChecker::check_revocation returns Ok(()) in two distinct cases:

1. Not revoked: the CRL covers this certificate type and the serial number was not found in the revoked list.
2. Not covered: the CRL’s IssuingDistributionPoint scope flags (onlyContainsUserCerts, onlyContainsCACerts, onlyContainsAttributeCerts) indicate the CRL does not apply to this certificate type.

These two outcomes are indistinguishable from the caller’s perspective. Callers enforcing a hard-fail revocation policy must separately verify that at least one CRL or OCSP response actually covers the certificate in question; receiving Ok(()) alone is not sufficient.

Limitations (v0.1)

• The CRL must be signed directly by the certificate issuer (indirect CRLs are not supported; deferred to v0.2).
• CRL Distribution Point name matching (CDP vs IDP name) is not implemented. The checker does enforce onlyContainsUserCerts, onlyContainsCACerts, and onlyContainsAttributeCerts scope flags; full CDP/IDP name matching is v0.2.
• Both the base CRL and the delta CRL (if present) are re-parsed from DER on every check_revocation call. For long chains validated against the same CRL pair, this is O(N) redundant parsing. Tracked for v0.2 (cache the parsed CertificateList in new / with_delta).
• RevocationChecker::check_revocation_against_anchor is not overridden. The certificate immediately issued by the trust anchor is not revocation-checked by this type; revocation against the anchor is the responsibility of the path validator (a v0.1 limitation).

Implementations

impl<V: SignatureVerifier> CrlChecker<V>

pub fn new(crl_der: impl Into<Vec<u8>>, now_unix: u64, verifier: V) -> Self

Create a new CrlChecker.

• crl_der — DER-encoded CertificateList (any Into<Vec<u8>>, e.g. Vec<u8> or &[u8])
• now_unix — current time as seconds since the Unix epoch
• verifier — signature verifier used to authenticate the CRL

pub fn with_delta( base_der: impl Into<Vec<u8>>, delta_der: impl Into<Vec<u8>>, now_unix: u64, verifier: V, ) -> Result<Self>

Create a CrlChecker with a base CRL and a delta CRL.

The delta CRL is merged into the base CRL per RFC 5280 §5.2.4:

• Entries in the delta that are not in the base are added.
• Entries in the delta with reason removeFromCRL are removed from the base.
• The merged result is used for all subsequent check_revocation calls.

Returns Err(Error::DeltaCrlBaseMismatch) if:

• The delta CRL’s BaseCRLNumber is absent (not a delta CRL), or
• The delta’s BaseCRLNumber is greater than the base CRL’s CRLNumber (the delta was produced against a newer base than the one supplied).

Trait Implementations

impl<V: Clone> Clone for CrlChecker<V>

fn clone(&self) -> CrlChecker<V>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<V: Debug> Debug for CrlChecker<V>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<V: SignatureVerifier> RevocationChecker for CrlChecker<V>

fn check_revocation( &self, cert: &Certificate, issuer: &Certificate, ) -> Result<()>

Check whether cert has been revoked.

fn check_revocation_against_anchor( &self, _cert: &Certificate, _anchor: &TrustAnchor, ) -> Result<()>

Check whether cert (issued directly by a trust anchor) has been revoked.