Module crl

Available on crate feature crypto only.
Generic X.509 v2 CRL builder (TLS-backend agnostic).

DER-encodes a CertificateList (RFC 5280 §5.1) signed by its issuer. Hashing and signing are supplied by the caller, so this module pulls in no crypto backend — pure yasna assembly, mirroring crate::ocsp.

Primary use: a MITM proxy hosting a CA-signed CRL whose distribution point it stamps onto re-signed leaves, so revocation-strict clients (notably libcurl + schannel, which resolves revocation from the cert’s own CDP and ignores stapled OCSP) accept the leaf.

Structs

CrlParams
Inputs for build_crl. All identity fields are caller-supplied so this crate needs no hash/key backend.
RevokedEntry
A single revoked certificate entry.

Enums

CrlSignatureAlgorithm
Signature algorithm the caller used to sign the tbsCertList. It is encoded both inside the signed tbsCertList and in the outer signatureAlgorithm, so the caller commits to it before signing.

Functions

build_crl
Build a DER-encoded v2 CertificateList.
crl_distribution_point_der
DER of a CRLDistributionPoints extension value with a single fullName URI distribution point, for embedding as the 2.5.29.31 extension on a re-signed leaf.
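To make the DER layout behind crl_distribution_point_der concrete, here is an added, dependency-free Rust example; it is not this crate's code and does not reproduce its function signature, and the function and helper names are the example's own. It hand-encodes a CRLDistributionPoints value with one fullName URI straight from the RFC 5280 ASN.1, including the explicit [0] wrapper that the CHOICE forces even under IMPLICIT TAGS, and long-form lengths for URIs of 128 bytes or more.

```rust
// Added example, not the crate's code: a dependency-free DER encoder for the
// CRLDistributionPoints extension *value* (OID 2.5.29.31) carrying a single
// fullName URI. Function and helper names are the example's own, not the crate's API.
//
// RFC 5280 (module PKIX1Implicit88, so IMPLICIT TAGS apply):
//   CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
//   DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
//   DistributionPointName ::= CHOICE { fullName [0] GeneralNames, ... }
//   GeneralName ::= CHOICE { ..., uniformResourceIdentifier [6] IA5String, ... }
// Because DistributionPointName is a CHOICE, its [0] tag is EXPLICIT even under
// IMPLICIT TAGS, which is why two nested A0 wrappers appear below.

/// Definite-form DER length: short form below 0x80, long form otherwise.
fn der_len(len: usize) -> Vec<u8> {
    if len < 0x80 {
        return vec![len as u8];
    }
    let digits: Vec<u8> = len.to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
    let mut out = vec![0x80 | digits.len() as u8];
    out.extend(digits);
    out
}

/// Tag-Length-Value wrapper.
fn tlv(tag: u8, body: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(body.len()));
    out.extend_from_slice(body);
    out
}

/// DER of a CRLDistributionPoints value with one fullName URI distribution point.
pub fn crl_distribution_points_value(uri: &str) -> Result<Vec<u8>, &'static str> {
    // IA5String admits only 7-bit ASCII; reject anything else up front.
    if uri.is_empty() || !uri.is_ascii() {
        return Err("CDP URI must be non-empty 7-bit ASCII (IA5String)");
    }
    let general_name = tlv(0x86, uri.as_bytes()); // [6] IMPLICIT IA5String (primitive)
    let full_name = tlv(0xA0, &general_name);     // [0] IMPLICIT GeneralNames (constructed)
    let dp_name = tlv(0xA0, &full_name);          // [0] EXPLICIT DistributionPointName
    let distribution_point = tlv(0x30, &dp_name); // SEQUENCE DistributionPoint
    Ok(tlv(0x30, &distribution_point))            // SEQUENCE OF (one element)
}

fn main() {
    // Constructed sample URI; prints the 40-byte encoding as hex.
    let der = crl_distribution_points_value("http://crl.example.test/ca.crl").unwrap();
    let hex: Vec<String> = der.iter().map(|b| format!("{b:02x}")).collect();
    println!("{}", hex.join(" "));
}
```

The same byte pattern (30 .. 30 .. a0 .. a0 .. 86 .. URI) is what openssl x509 -text renders as "X509v3 CRL Distribution Points: Full Name: URI:...", so the output can be cross-checked against any real certificate carrying a CDP.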