Skip to main content

OcspChecker

pkix_revocation

Struct OcspChecker 

Source 
pub struct OcspChecker<V> { /* private fields */ }
Available on crate feature ocsp only.
Expand description

Offline OCSP-based revocation checker.

Parses a pre-fetched DER-encoded OCSP response, verifies its signature against the issuer’s SPKI, checks the validity window of the matching SingleResponse, and reports the certificate’s revocation status.

§Feature

Only available when the ocsp feature is enabled.

§Limitations (v0.1)

  • The OCSP response is re-parsed from DER on every check_revocation call. For chains with multiple certificates validated against the same response, this is O(N) redundant parsing. Tracked for v0.2 (cache the parsed BasicOcspResponse in new).
  • Only issuer-signed (direct) OCSP responses are supported. Delegated OCSP responders (responses signed by a separate responder certificate, not by the issuer directly) will fail with Error::OcspSignatureInvalid because the signature is verified against the issuer’s key. This is a v0.1 limitation tracked for v0.2.
  • SingleResponse matching uses both serial number and the CertID issuerNameHash/issuerKeyHash fields (RFC 6960 §4.1.1). An OCSP response from a different CA with the same serial number will be rejected by the hash checks.
  • The ResponderId field is not verified against the issuer identity.
  • If no SingleResponse matches the certificate’s serial number, OcspStatusUnknown is returned (hard-fail).
  • RevocationChecker::check_revocation_against_anchor is not overridden. The certificate immediately issued by the trust anchor is not revocation-checked by this type; revocation against the anchor is the responsibility of the path validator (a v0.1 limitation).

Implementations§

Source§

impl<V: SignatureVerifier> OcspChecker<V>

Source

pub fn new(response_der: impl Into<Vec<u8>>, now_unix: u64, verifier: V) -> Self

Create a new OcspChecker.

  • response_der — DER-encoded OCSPResponse (any Into<Vec<u8>>, e.g. Vec<u8> or &[u8])
  • now_unix — current time as seconds since the Unix epoch
  • verifier — signature verifier used to authenticate the OCSP response

Trait Implementations§

Source§

impl<V: Clone> Clone for OcspChecker<V>

Source§

fn clone(&self) -> OcspChecker<V>

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<V: Debug> Debug for OcspChecker<V>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<V: SignatureVerifier> RevocationChecker for OcspChecker<V>

Source§

fn check_revocation( &self, cert: &Certificate, issuer: &Certificate, ) -> Result<()>

Check whether cert has been revoked. Read more
Source§

fn check_revocation_against_anchor( &self, _cert: &Certificate, _anchor: &TrustAnchor, ) -> Result<()>

Check whether cert (issued directly by a trust anchor) has been revoked. Read more

Auto Trait Implementations§

§

impl<V> Freeze for OcspChecker<V>
where V: Freeze,

§

impl<V> RefUnwindSafe for OcspChecker<V>
where V: RefUnwindSafe,

§

impl<V> Send for OcspChecker<V>
where V: Send,

§

impl<V> Sync for OcspChecker<V>
where V: Sync,

§

impl<V> Unpin for OcspChecker<V>
where V: Unpin,

§

impl<V> UnsafeUnpin for OcspChecker<V>
where V: UnsafeUnpin,

§

impl<V> UnwindSafe for OcspChecker<V>
where V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V