Trait RevocationChecker 

pub trait RevocationChecker {
    // Required method
    fn check_revocation(
        &self,
        cert: &Certificate,
        issuer: &Certificate,
    ) -> Result<()>;

    // Provided method
    fn check_revocation_against_anchor(
        &self,
        _cert: &Certificate,
        _anchor: &TrustAnchor,
    ) -> Result<()> { ... }
}

Pluggable revocation checking.

verify_chain invokes the checker once per certificate in the chain, in leaf-to-issuer order, and only after path signature validation has succeeded: check_revocation for every certificate whose issuer is another certificate in the chain, and check_revocation_against_anchor for the final certificate, whose issuer is the matched trust anchor.

Implement this trait to plug CRL, OCSP, or a custom revocation mechanism into pkix_chain::verify_chain. Use NoRevocation for offline or embedded environments.

§Implementing this trait

Implementors MUST provide RevocationChecker::check_revocation.

Implementors that want full-chain revocation coverage, i.e. revocation checking for every certificate including the one issued directly by a trust anchor, MUST also override RevocationChecker::check_revocation_against_anchor. The default implementation skips that check silently: forgetting to override it leaves the anchor-issued certificate unchecked, with no compile error and no runtime warning.

Required Methods§

fn check_revocation(
    &self,
    cert: &Certificate,
    issuer: &Certificate,
) -> Result<()>

Check whether cert has been revoked.

  • cert — the certificate being checked
  • issuer — the certificate that issued cert (signature-validated)
§Return value

Ok(()) means verified not-revoked: the revocation source covers this certificate and the serial number was not found in the revoked list. This is an unambiguous “not revoked” determination.

“Not covered”, i.e. the revocation source’s scope excludes the certificate so no determination was made, is reported as an error rather than as Ok(()): Err(Error::OutOfScope) when a CRL’s IssuingDistributionPoint scope flags exclude the certificate, and Err(Error::OcspStatusUnknown) when an OCSP response contains no SingleResponse matching it. Hard-fail callers should treat both as failures. Soft-fail callers can match on the specific variant and decide which non-determinations to tolerate; Error::Revoked is a determination, not a non-determination, and should not be downgraded by such a policy.

§Errors
  • Error::Revoked — the certificate’s serial number appears in the CRL’s or OCSP response’s revoked list.
  • Error::CrlExpired — the CRL has passed its nextUpdate timestamp.
  • Error::OcspMalformed — the OCSP response is structurally invalid or its validity window check failed.
  • Error::OcspStatusUnknown — no matching SingleResponse covered the certificate (OCSP-side “not covered”).
  • Error::OutOfScope — a CRL IssuingDistributionPoint scope flag excludes the certificate being checked (CRL-side “not covered”).
  • Other Error variants for parse failures, signature verification failures, or structural constraint violations.

Provided Methods§

fn check_revocation_against_anchor(
    &self,
    _cert: &Certificate,
    _anchor: &TrustAnchor,
) -> Result<()>

Check whether cert (issued directly by a trust anchor) has been revoked.

Called by verify_chain for the last certificate in the chain — the one whose issuer is a TrustAnchor rather than another certificate in the chain. For example, in the chain [leaf, intermediate_CA] this method is called with cert = intermediate_CA and anchor set to the matched anchor.

Default implementation returns Ok(()) (skip). Override this method to enforce revocation checking for certificates issued directly by a trust anchor (e.g., fetch and verify the CA’s CRL using the anchor’s public key).

NoRevocation inherits this default and skips the check, matching its overall no-op behaviour. CrlChecker and OcspChecker both override this method: they verify the pre-loaded CRL or OCSP response against the anchor’s subject DN and SPKI.

§Security

The default implementation silently skips revocation checking for the anchor-issued certificate. The skip is intentional for environments (embedded, offline, short-lived certificates) where anchor-level revocation data is unavailable, but there is no compile-time or runtime warning when the default is used. If your threat model requires revocation checking for every certificate in the chain, including the one issued directly by the trust anchor, you MUST override this method; leaving the default in place in such a context is a silent security gap.

§Note: default is a no-op

The default returns Ok(()) without performing any check, so any implementor that does not override it skips revocation for the certificate issued directly by the trust anchor. Override this method to enable anchor-level revocation.

§Errors

The default implementation always returns Ok(()); override this method to enable error-returning revocation checks.
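The following is an added example, not code from pkix_chain: a self-contained model of the contract described under §Return value and §Security above. Certificate, TrustAnchor, Error and Result are local stand-ins assumed to mirror the crate’s types, and CrlStore, LeafOnlyChecker, FullChainChecker, revocation_pass and soft_fail are hypothetical names introduced here; the chain and CRL data are constructed for the example. It shows the two “not covered” outcomes next to a soft-fail policy that tolerates only those, and contrasts an implementor that forgets to override check_revocation_against_anchor (a revoked, anchor-issued intermediate passes silently) with one that overrides it.

```rust
// Added example, not pkix_chain's code. Certificate, TrustAnchor, Error and Result are
// local stand-ins assumed to mirror the crate's types; CrlStore, LeafOnlyChecker,
// FullChainChecker, revocation_pass and soft_fail are hypothetical names for this example.
use std::collections::{BTreeMap, BTreeSet};

#[derive(Debug, PartialEq, Eq)]
pub enum Error { Revoked, CrlExpired, OcspStatusUnknown, OutOfScope }
pub type Result<T> = std::result::Result<T, Error>;

#[derive(Debug, Clone)]
pub struct Certificate { pub subject: String, pub issuer: String, pub serial: u64 }
#[derive(Debug, Clone)]
pub struct TrustAnchor { pub subject: String }

pub trait RevocationChecker {
    fn check_revocation(&self, cert: &Certificate, issuer: &Certificate) -> Result<()>;
    // Provided method with the same default as on this page: a silent skip.
    fn check_revocation_against_anchor(&self, _cert: &Certificate, _anchor: &TrustAnchor) -> Result<()> {
        Ok(())
    }
}

// Assumed in-memory CRL store: issuer subject DN -> serials revoked by that issuer.
// No entry for an issuer means no CRL is loaded for it, i.e. "not covered".
pub struct CrlStore { pub revoked: BTreeMap<String, BTreeSet<u64>> }

impl CrlStore {
    fn lookup(&self, issuer_dn: &str, serial: u64) -> Result<()> {
        match self.revoked.get(issuer_dn) {
            None => Err(Error::OutOfScope),                          // no determination made
            Some(serials) if serials.contains(&serial) => Err(Error::Revoked),
            Some(_) => Ok(()),                                       // covered, not listed
        }
    }
}

// Provides only the required method: the anchor-issued certificate is never checked.
pub struct LeafOnlyChecker(pub CrlStore);
impl RevocationChecker for LeafOnlyChecker {
    fn check_revocation(&self, cert: &Certificate, issuer: &Certificate) -> Result<()> {
        self.0.lookup(&issuer.subject, cert.serial)
    }
}

// Overrides the anchor method as well: full-chain coverage.
pub struct FullChainChecker(pub CrlStore);
impl RevocationChecker for FullChainChecker {
    fn check_revocation(&self, cert: &Certificate, issuer: &Certificate) -> Result<()> {
        self.0.lookup(&issuer.subject, cert.serial)
    }
    fn check_revocation_against_anchor(&self, cert: &Certificate, anchor: &TrustAnchor) -> Result<()> {
        self.0.lookup(&anchor.subject, cert.serial)
    }
}

// Models verify_chain's revocation pass (assumed): leaf-to-issuer, each certificate checked
// against the next one in the chain, and the last one checked against the matched anchor.
pub fn revocation_pass(checker: &dyn RevocationChecker, chain: &[Certificate], anchor: &TrustAnchor) -> Result<()> {
    for pair in chain.windows(2) {
        checker.check_revocation(&pair[0], &pair[1])?;
    }
    match chain.last() {
        Some(last) => checker.check_revocation_against_anchor(last, anchor),
        None => Ok(()),
    }
}

// Soft-fail policy: tolerate the two "not covered" variants, never Revoked or CrlExpired.
pub fn soft_fail(result: Result<()>) -> Result<()> {
    match result {
        Err(Error::OutOfScope) | Err(Error::OcspStatusUnknown) => Ok(()),
        other => other,
    }
}

// Constructed sample: chain [leaf, Intermediate] under the "Root" anchor. Root's CRL lists the
// intermediate (serial 42) as revoked; the intermediate's own CRL is loaded but empty.
pub fn sample() -> (Vec<Certificate>, TrustAnchor, BTreeMap<String, BTreeSet<u64>>) {
    let cert = |s: &str, i: &str, n| Certificate { subject: s.into(), issuer: i.into(), serial: n };
    let chain = vec![cert("leaf", "Intermediate", 7), cert("Intermediate", "Root", 42)];
    let mut revoked = BTreeMap::new();
    revoked.insert("Root".to_string(), BTreeSet::from([42u64]));
    revoked.insert("Intermediate".to_string(), BTreeSet::new());
    (chain, TrustAnchor { subject: "Root".into() }, revoked)
}

fn main() {
    let (chain, anchor, revoked) = sample();
    let leaf_only = LeafOnlyChecker(CrlStore { revoked: revoked.clone() });
    let full = FullChainChecker(CrlStore { revoked });
    println!("leaf-only: {:?}", revocation_pass(&leaf_only, &chain, &anchor)); // Ok(()): silent gap
    println!("full-chain: {:?}", revocation_pass(&full, &chain, &anchor)); // Err(Revoked)
}
```

Run as a binary, the leaf-only checker reports Ok(()) for a chain whose anchor-issued intermediate is on the anchor’s CRL, while the full-chain checker reports Err(Revoked). The soft_fail mapping deliberately keeps Revoked and CrlExpired as hard failures and downgrades only the two non-determination variants; removing the intermediate’s CRL from the store turns the leaf check into Err(OutOfScope), which a hard-fail caller rejects and soft_fail tolerates.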

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors§

impl RevocationChecker for NoRevocation

impl<V: SignatureVerifier> RevocationChecker for CrlChecker<V>

Available on crate feature crl only.

impl<V: SignatureVerifier> RevocationChecker for OcspChecker<V>

Available on crate feature ocsp only.