TLS / mTLS bridge — accept a peer-supplied X.509 certificate chain, verify it against a configured set of trust anchors, and project the verified leaf into a TrustForge actor identity + capabilities.
Uses x509-parser for ASN.1 parsing and signature verification, so we
avoid embedding our own ASN.1/DER walker.
Modules
- ocsp
- Internal OCSP DER walker. Implements the minimum RFC 6960 surface needed to decide good / revoked / unknown for the first SingleResponse and validate the freshness window. We do not verify the responder signature here; callers that need that should layer their own verification on top (the responder ID is exposed in BasicResponseData). This is consistent with the TS bridge, which also delegates signature verification to the caller via the OcspStatusResolver callback.
Structs
- CrlCheck
- CrlIndex
- Indexed CRL — a parsed RFC 5280 v2 CRL with a BTreeMap keyed on serial for O(log n) lookups. We hold the normalised big-endian serial bytes (leading 0x00 sign-extension byte stripped), so callers can pass either cert.serial_be or a raw hex value normalised the same way.
- ExporterBinding
- OcspCheck
- Stateless OCSP checker. Holds no configuration; the caller selects a fetcher and clock per call.
- PostHandshakeReauth
- RevocationEntry
- TlsBridge
- TlsBridgeConfig
- TlsVerificationResult
- X509Cert
- X.509 certificate handle used by the OCSP / CRL helpers. We deliberately keep this thin (raw DER + cached subject + serial) so callers don't have to depend on x509-parser's X509Certificate lifetime in their own types.
Enums
- CrlError
- OcspError
- Errors that can come out of OCSP DER parsing / status extraction.
- OcspStatus
- The decision an OCSP responder returned for a particular certificate.
Traits
- OcspFetcher
- Trait for callers who actually speak OCSP. Implementations receive the (cert, issuer, ocsp_url) triple and return the DER bytes of an OCSPResponse (RFC 6960). The bridge does no network IO itself.
Functions
- default_eku_to_action
- Mapping from X.509 Extended Key Usage OIDs to TrustForge action names.