Module bridge_tls


TLS / mTLS bridge — accept a peer-supplied X.509 certificate chain, verify it against a configured set of trust anchors, and project the verified leaf into a TrustForge actor identity + capabilities.

Uses x509-parser for ASN.1 parsing and signature verification, so we avoid embedding our own ASN.1/DER walker.

Modules

ocsp
Internal OCSP DER walker. Implements the minimum RFC 6960 surface needed to decide good / revoked / unknown for the first SingleResponse and validate the freshness window. We do not verify the responder signature here; callers that need that should layer their own verification on top (the responder ID is exposed in BasicResponseData). This is consistent with the TS bridge, which also delegates signature verification to the caller via the OcspStatusResolver callback.

Structs

CrlCheck
CrlIndex
Indexed CRL — a parsed RFC 5280 v2 CRL with a BTreeMap keyed on serial for O(log n) lookups. We hold the normalised big-endian serial bytes (leading 0x00 sign-extension byte stripped), so callers can pass either cert.serial_be or a raw hex value normalised the same way.
ExporterBinding
OcspCheck
Stateless OCSP checker. Holds no configuration; the caller selects a fetcher and clock per call.
PostHandshakeReauth
RevocationEntry
TlsBridge
TlsBridgeConfig
TlsVerificationResult
X509Cert
X.509 certificate handle used by the OCSP / CRL helpers. We deliberately keep this thin (raw DER + cached subject + serial) so callers don’t have to depend on x509-parser’s X509Certificate lifetime in their own types.

Enums

CrlError
OcspError
Errors that can come out of OCSP DER parsing / status extraction.
OcspStatus
The decision an OCSP responder returned for a particular certificate.

Traits

OcspFetcher
Trait for callers who actually speak OCSP. Implementations receive the (cert, issuer, ocsp_url) triple and return the DER bytes of an OCSPResponse (RFC 6960). The bridge does no network I/O itself.

Functions

default_eku_to_action
Mapping from X.509 Extended Key Usage OIDs to TrustForge action names.