Skip to main content

Crate pkix_revocation

Crate pkix_revocation 

Source
Expand description

Certificate revocation checking for pkix-path and pkix-chain.

Provides the RevocationChecker trait and implementations:

TypeFeatureDescription
NoRevocation(always)Zero-cost; always reports not-revoked
CrlCheckercrlOffline CRL validation (you supply DER bytes)
OcspCheckerocspOffline OCSP response validation

§no_std note

The core trait and NoRevocation are no_std. Feature-gated checkers that perform network I/O are std-only and gated behind separate features.

§Security: anchor-issued certificate revocation

RevocationChecker::check_revocation_against_anchor has a default implementation that returns Ok(()) (i.e., skips the check). Implementors that require full-chain revocation coverage — including the certificate issued directly by a trust anchor — MUST override this method. Failing to override it will silently leave the anchor-issued certificate unchecked with no compile error or runtime warning. See that method’s documentation for details.

§Limitations

  • No network I/O. CrlChecker and OcspChecker operate on caller-supplied DER bytes; this crate never opens a socket. Online fetching from CRLDistributionPoints / AuthorityInfoAccess URIs lives in the optional pkix-revocation-http adapter crate.
  • OCSP response only. OCSP request construction (the DER bytes a client POSTs to a responder) lives in pkix-revocation-http so it can stay paired with the HTTP transport. The OcspChecker in this crate validates already-fetched responses.
  • No OCSP stapling helpers. TLS-layer parsing of stapled responses (RFC 6066 §8, multi-stapling RFC 6961) is a transport-protocol concern handled by the TLS stack; once extracted, the response bytes feed OcspChecker like any other.
  • Algorithm coverage tracks pkix-path. CRL and OCSP-response signature verification is delegated to a SignatureVerifier; the same algorithm gaps documented in pkix-path (Ed25519, P-521, RSA-PSS — tracked under PKIX-gphz) apply here.

Structs§

CrlCheckercrl
Offline CRL-based revocation checker.
DerError
Opaque wrapper around an underlying ASN.1 / DER error.
NoRevocation
A no-op revocation checker that always reports certificates as not revoked.
OcspCheckerocsp
Offline OCSP-based revocation checker.

Enums§

Error
Errors returned by revocation checking.
OutOfScopeReason
Reason a revocation check produced no determination.

Traits§

RevocationChecker
Pluggable revocation checking.

Functions§

discover_crl_signercrl
Locate the certificate in bundle that signed crl.

Type Aliases§

Result
Result alias for this crate.