Trait RevocationChecker 

pub trait RevocationChecker {
    // Required method
    fn check_revocation(
        &self,
        cert: &Certificate,
        issuer: &Certificate,
    ) -> Result<()>;

    // Provided method
    fn check_revocation_against_anchor(
        &self,
        _cert: &Certificate,
        _anchor: &TrustAnchor,
    ) -> Result<()> { ... }
}

Pluggable revocation checking.

Called once per certificate in the chain, in leaf-to-issuer order, after path signature validation has succeeded.

Implement this trait to plug CRL, OCSP, or a custom revocation mechanism into pkix_chain::verify_chain. Use NoRevocation for offline or embedded environments.

§Implementing this trait

Implementors MUST provide RevocationChecker::check_revocation.

Implementors that want full-chain revocation coverage — i.e., revocation checking for every certificate including the one issued directly by a trust anchor — MUST also override RevocationChecker::check_revocation_against_anchor. The default implementation skips the check silently; forgetting to override it will leave the anchor-issued certificate unchecked with no compile error or runtime warning.

Required Methods§

fn check_revocation( &self, cert: &Certificate, issuer: &Certificate, ) -> Result<()>

Check whether cert has been revoked.

  • cert — the certificate being checked
  • issuer — the certificate that issued cert (signature-validated)

Returns Ok(()) if the certificate is not revoked, or an Err if it is revoked or if revocation status cannot be determined and the policy requires a definitive answer (hard-fail mode).

§Errors
  • Error::Revoked — the certificate’s serial number appears in the CRL’s or OCSP response’s revoked list.
  • Error::CrlExpired — the CRL has passed its nextUpdate timestamp.
  • Error::OcspMalformed — the OCSP response is structurally invalid or its validity window check failed.
  • Other Error variants for parse failures, signature verification failures, or structural constraint violations.

Ok(()) dual semantics: implementations may return Ok(()) both when a certificate is confirmed not-revoked and when the revocation source does not cover this certificate type (see CrlChecker for details). Hard-fail callers must ensure at least one revocation source covers the certificate.

Provided Methods§

fn check_revocation_against_anchor( &self, _cert: &Certificate, _anchor: &TrustAnchor, ) -> Result<()>

Check whether cert (issued directly by a trust anchor) has been revoked.

Called by verify_chain for the last certificate in the chain — the one whose issuer is a TrustAnchor rather than another certificate in the chain. For example, in the chain [leaf, intermediate_CA] this method is called with cert = intermediate_CA and anchor set to the matched anchor.

Default implementation returns Ok(()) (skip). Override this method to enforce revocation checking for certificates issued directly by a trust anchor (e.g., fetch and verify the CA’s CRL using the anchor’s public key).

NoRevocation inherits this default and skips the check, matching its overall no-op behaviour. CrlChecker and OcspChecker also inherit the default for v0.1; a future version will override it when an issuer cert is available.
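
The silent skip described above and under "Implementing this trait", as an added example that is not code from the crate. The types are stand-ins, `DenyList`, `ChainOnly`, `FullChain` and `walk` are hypothetical names, and `walk` only models the call order this page describes for verify_chain.

```rust
// Stand-in types (assumptions); the real crate's Certificate, TrustAnchor and Error differ.
#[derive(Debug, PartialEq)]
pub enum Error { Revoked }
pub type Result<T> = std::result::Result<T, Error>;
pub struct Certificate { pub serial: u64 }
pub struct TrustAnchor;

// Trait shape as shown on this page; the default body is the documented "Ok(()) (skip)".
pub trait RevocationChecker {
    fn check_revocation(&self, cert: &Certificate, issuer: &Certificate) -> Result<()>;
    fn check_revocation_against_anchor(&self, _cert: &Certificate, _anchor: &TrustAnchor) -> Result<()> { Ok(()) }
}

// Hypothetical revocation source: a fixed list of revoked serial numbers.
pub struct DenyList(pub Vec<u64>);
impl DenyList {
    fn lookup(&self, c: &Certificate) -> Result<()> {
        if self.0.contains(&c.serial) { Err(Error::Revoked) } else { Ok(()) }
    }
}

// Implements only the required method, so the anchor-issued certificate is skipped.
pub struct ChainOnly(pub DenyList);
impl RevocationChecker for ChainOnly {
    fn check_revocation(&self, cert: &Certificate, _issuer: &Certificate) -> Result<()> { self.0.lookup(cert) }
}

// Also overrides the provided method. A real override would authenticate its data with the anchor's key.
pub struct FullChain(pub DenyList);
impl RevocationChecker for FullChain {
    fn check_revocation(&self, cert: &Certificate, _issuer: &Certificate) -> Result<()> { self.0.lookup(cert) }
    fn check_revocation_against_anchor(&self, cert: &Certificate, _anchor: &TrustAnchor) -> Result<()> { self.0.lookup(cert) }
}

// Models the call order this page describes for verify_chain; not the crate's code.
pub fn walk<R: RevocationChecker>(rc: &R, chain: &[Certificate], anchor: &TrustAnchor) -> Result<()> {
    for pair in chain.windows(2) {
        rc.check_revocation(&pair[0], &pair[1])?; // certificate, then its issuer
    }
    chain.last().map_or(Ok(()), |last| rc.check_revocation_against_anchor(last, anchor))
}

fn main() {
    // Constructed chain [leaf, intermediate_CA]; serial 2 (the intermediate) is revoked.
    let chain = [Certificate { serial: 1 }, Certificate { serial: 2 }];
    println!("chain-only: {:?}", walk(&ChainOnly(DenyList(vec![2])), &chain, &TrustAnchor));
    println!("full-chain: {:?}", walk(&FullChain(DenyList(vec![2])), &chain, &TrustAnchor));
}
```

With the revoked intermediate, `ChainOnly` returns `Ok(())` and `FullChain` returns `Err(Error::Revoked)`; a test of this shape in an implementor's own suite catches a missing override.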

Implementors§

impl RevocationChecker for NoRevocation

impl<V: SignatureVerifier> RevocationChecker for CrlChecker<V>

Available on crate feature crl only.

impl<V: SignatureVerifier> RevocationChecker for OcspChecker<V>

Available on crate feature ocsp only.