Skip to main content

OcspChecker

pkix_revocation

Struct OcspChecker 

Source 
pub struct OcspChecker<V> { /* private fields */ }
Available on crate feature ocsp only.
Expand description

Offline OCSP-based revocation checker.

Parses a pre-fetched DER-encoded OCSP response, verifies its signature against the issuer’s SPKI, checks the validity window of the matching SingleResponse, and reports the certificate’s revocation status.

§Feature

Only available when the ocsp feature is enabled.

§Supported responder shapes

  • Direct (RFC 6960 §4.2.2.2): the response is signed by the cert’s issuer CA. ResponderId matches the issuer’s name or SHA-1(SPKI); the response signature verifies against the issuer’s SPKI.
  • CA Designated Responder (RFC 6960 §4.2.2.2, “delegated”): the response is signed by a separate responder certificate embedded in the response’s certs field. The responder cert MUST be issued directly by the same CA, MUST carry id-kp-OCSPSigning Extended Key Usage, MUST have a validity period containing the response’s producedAt, and the issuer’s signature on it MUST verify against the issuer’s SPKI. Failures map to distinct error variants (Error::OcspResponderEkuMissing, Error::OcspResponderEkuMalformed, Error::OcspResponderCertNotIssuedByCa, Error::OcspResponderCertExpired, Error::OcspResponderCertSigInvalid).
  • The id-pkix-ocsp-nocheck extension on a delegate cert (RFC 6960 §4.2.2.2.1) is not parsed by this crate: the checker is single-shot and never recurses into the delegate’s revocation regardless of the extension. Callers wrapping this checker in a chain validator MUST honor ocsp-nocheck themselves to prevent infinite recursion.

§Limitations

  • Trusted Responder (third RFC 6960 case — a responder whose key the requester trusts out-of-band) is not modeled. Callers needing it can supply the trusted responder cert as the issuer argument.
  • No OCSP request generation. The response DER must be supplied at construction time; the checker is offline. The OCSP nonce extension is therefore not generated or checked.
  • No AIA-based responder discovery (RFC 6960 §3.1). The AuthorityInfoAccess extension’s id-ad-ocsp URL is not consulted — the caller is responsible for fetching the response out-of-band. See the planned pkix-revocation-http crate for online responder support.

§Behavior

  • SingleResponse matching uses both serial number and the CertID issuerNameHash/issuerKeyHash fields (RFC 6960 §4.1.1). An OCSP response from a different CA with the same serial number will be rejected by the hash checks.
  • The ResponderId field is verified against the issuer identity per RFC 6960 §2.2: byName is compared against the issuer’s subject DN using pkix_path::names_match; byKey is compared against SHA-1 of the issuer’s SPKI subjectPublicKey bit string.
  • If no SingleResponse matches the certificate’s serial number, OcspStatusUnknown is returned (hard-fail).
  • RevocationChecker::check_revocation_against_anchor is overridden. For the certificate issued directly by a trust anchor, the checker uses the anchor’s subject DN and SPKI to verify the OCSP response. The response DER must be supplied at construction time; this method always attempts to verify it against the anchor.

Implementations§

Source§

impl<V: SignatureVerifier> OcspChecker<V>

Source

pub fn new( response_der: impl AsRef<[u8]>, now_unix: u64, verifier: V, ) -> Result<Self>

Create a new OcspChecker.

  • response_der — DER-encoded OCSPResponse (any AsRef<[u8]>, e.g. Vec<u8> or &[u8])
  • now_unix — current time as seconds since the Unix epoch
  • verifier — signature verifier used to authenticate the OCSP response

The response is parsed once at construction time; subsequent RevocationChecker::check_revocation calls reuse the cached BasicOcspResponse.

§Errors

Returns Error::OcspParseError if response_der cannot be DER-decoded or Error::OcspMalformed if the response status is non-Successful, responseBytes is absent, or the inner responseType is not id-pkix-ocsp-basic.

Trait Implementations§

Source§

impl<V: Clone> Clone for OcspChecker<V>

Source§

fn clone(&self) -> OcspChecker<V>

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<V: Debug> Debug for OcspChecker<V>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<V: SignatureVerifier> RevocationChecker for OcspChecker<V>

Source§

fn check_revocation_against_anchor( &self, cert: &Certificate, anchor: &TrustAnchor, ) -> Result<()>

Check revocation for cert issued directly by a trust anchor.

Parses the pre-loaded OCSP response and verifies it against the anchor’s SPKI and subject DN. The anchor fields (subject and subject_public_key_info) are used in place of the missing issuer Certificate.

§Limitations

OCSP responder discovery via the Authority Information Access extension (RFC 6960 §3.1) is not implemented. The response DER must be supplied at construction time and is always verified. If the serial number is not found in the response, Error::OcspStatusUnknown is returned.

Source§

fn check_revocation( &self, cert: &Certificate, issuer: &Certificate, ) -> Result<()>

Check whether cert has been revoked. Read more

Auto Trait Implementations§

§

impl<V> Freeze for OcspChecker<V>
where V: Freeze,

§

impl<V> RefUnwindSafe for OcspChecker<V>
where V: RefUnwindSafe,

§

impl<V> Send for OcspChecker<V>
where V: Send,

§

impl<V> Sync for OcspChecker<V>
where V: Sync,

§

impl<V> Unpin for OcspChecker<V>
where V: Unpin,

§

impl<V> UnsafeUnpin for OcspChecker<V>
where V: UnsafeUnpin,

§

impl<V> UnwindSafe for OcspChecker<V>
where V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

Source§

fn vzip(self) -> V