Module ocsp

Available on crate feature crypto only.

Generic OCSP response builder (TLS-backend agnostic).

Builds and DER-encodes an OCSP response asserting a single certificate’s status, signed by its issuer. Hashing and signing are supplied by the caller (the TLS backend), so this module pulls in no crypto backend — it is pure ASN.1 assembly on the yasna DER writer already in the dependency tree.

BoringSSL (and others) can staple a pre-built OCSP response on the server side but cannot build one — there is no responder/builder API. This is that builder, kept generic so every TLS backend (rama-tls-boring, rama-tls-rustls, …) can share it; only the cert/key/hash/sign glue lives in the backend crate.

Primary use: a MITM proxy stapling an issuer-signed good status onto a re-signed leaf, so revocation-strict clients (e.g. cargo / schannel on Windows) accept it inline without an external responder.

Structs

OcspCertId
Identifies the certificate whose status is attested (RFC 6960 CertID).

Enums

OcspCertStatus
Status to assert for the certificate. Only Good today; Revoked is the seam for a future mode that mirrors an upstream’s real revocation status.
OcspSignatureAlgorithm
Signature algorithm the caller used to sign the tbsResponseData.

Functions

build_ocsp_response
Build a DER-encoded OCSPResponse attesting cert’s status.
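As an added example, not the rama `ocsp` module's own code (this page does not show its exact signatures), here is the assembly the module description outlines: an RFC 6960 `OCSPResponse` with one `SingleResponse` whose `certStatus` is `good`, where the issuer-name and issuer-key hashes are pre-computed by the caller and the signature comes from a caller-supplied closure, so nothing cryptographic is pulled in. It is hand-rolled on a minimal DER writer instead of yasna so it compiles with no dependencies. Every name here (`CertId`, `SignAlg`, `build_good_ocsp_response`, `read_tlv`, the `der_*` helpers) is hypothetical; the hash algorithm is fixed to SHA-256 and the responder is identified byKey.

```rust
// Added example, not the rama ocsp module's code. Minimal DER assembly of an
// RFC 6960 OCSPResponse asserting `good`; hashing and signing are the
// caller's job. All names are hypothetical; no external crates are used.

/// DER length octets: short form below 128, long form otherwise.
fn der_len(n: usize) -> Vec<u8> {
    if n < 0x80 {
        return vec![n as u8];
    }
    let mag: Vec<u8> = n.to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
    let mut out = vec![0x80 | mag.len() as u8];
    out.extend(mag);
    out
}

/// One tag-length-value element.
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    out.extend(der_len(content.len()));
    out.extend_from_slice(content);
    out
}

fn der_seq(parts: &[Vec<u8>]) -> Vec<u8> { tlv(0x30, &parts.concat()) }
fn der_octets(b: &[u8]) -> Vec<u8> { tlv(0x04, b) }
fn der_oid(encoded: &[u8]) -> Vec<u8> { tlv(0x06, encoded) }
fn der_null() -> Vec<u8> { vec![0x05, 0x00] }
fn der_enum(v: u8) -> Vec<u8> { tlv(0x0A, &[v]) }
fn der_gen_time(t: &str) -> Vec<u8> { tlv(0x18, t.as_bytes()) }
/// Context-specific constructed tag [n], i.e. an EXPLICIT wrapper.
fn der_explicit(n: u8, inner: &[u8]) -> Vec<u8> { tlv(0xA0 | n, inner) }

/// INTEGER from an unsigned big-endian magnitude (serial numbers): minimal
/// length, with a leading 0x00 when the top bit is set so it stays positive.
fn der_uint(mag: &[u8]) -> Vec<u8> {
    let trimmed: &[u8] = match mag.iter().position(|b| *b != 0) {
        Some(i) => &mag[i..],
        None => &[0u8][..],
    };
    let mut c = Vec::with_capacity(trimmed.len() + 1);
    if trimmed[0] & 0x80 != 0 {
        c.push(0);
    }
    c.extend_from_slice(trimmed);
    tlv(0x02, &c)
}

/// BIT STRING with zero unused bits (signature values are byte-aligned).
fn der_bits(b: &[u8]) -> Vec<u8> {
    let mut c = vec![0u8];
    c.extend_from_slice(b);
    tlv(0x03, &c)
}

// OID contents octets (pre-encoded).
const OID_SHA256: &[u8] = &[0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01];
const OID_OCSP_BASIC: &[u8] = &[0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01];
const OID_ECDSA_SHA256: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02];
const OID_RSA_SHA256: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B];

/// Hypothetical stand-in for OcspCertId: the caller has already hashed the
/// issuer's DN and public key with SHA-256.
pub struct CertId {
    pub issuer_name_hash: Vec<u8>,
    pub issuer_key_hash: Vec<u8>,
    pub serial: Vec<u8>, // unsigned big-endian
}

#[derive(Clone, Copy)]
pub enum SignAlg { EcdsaWithSha256, Sha256WithRsa }

fn alg_id(alg: SignAlg) -> Vec<u8> {
    match alg {
        // RFC 5758: ecdsa-with-SHA256 carries no parameters.
        SignAlg::EcdsaWithSha256 => der_seq(&[der_oid(OID_ECDSA_SHA256)]),
        // RFC 4055: sha256WithRSAEncryption carries an explicit NULL.
        SignAlg::Sha256WithRsa => der_seq(&[der_oid(OID_RSA_SHA256), der_null()]),
    }
}

/// OCSPResponse { successful, [0] ResponseBytes { id-pkix-ocsp-basic,
/// OCTET STRING(BasicOCSPResponse) } } with a single `good` SingleResponse.
/// `sign` is the backend's signing primitive and is called exactly once, on
/// the DER of tbsResponseData; times are GeneralizedTime "YYYYMMDDHHMMSSZ".
pub fn build_good_ocsp_response(
    cert: &CertId,
    responder_key_hash: &[u8],
    produced_at: &str,
    this_update: &str,
    alg: SignAlg,
    sign: impl FnOnce(&[u8]) -> Vec<u8>,
) -> Vec<u8> {
    let cert_id = der_seq(&[
        der_seq(&[der_oid(OID_SHA256), der_null()]), // hashAlgorithm
        der_octets(&cert.issuer_name_hash),
        der_octets(&cert.issuer_key_hash),
        der_uint(&cert.serial),
    ]);
    let good = vec![0x80, 0x00]; // CertStatus good: [0] IMPLICIT NULL
    let single = der_seq(&[cert_id, good, der_gen_time(this_update)]);
    // ResponseData: version v1 is DEFAULT and therefore omitted; responderID byKey [2].
    let tbs = der_seq(&[
        der_explicit(2, &der_octets(responder_key_hash)),
        der_gen_time(produced_at),
        der_seq(&[single]),
    ]);
    let signature = sign(&tbs);
    let basic = der_seq(&[tbs, alg_id(alg), der_bits(&signature)]);
    let response_bytes = der_seq(&[der_oid(OID_OCSP_BASIC), der_octets(&basic)]);
    der_seq(&[der_enum(0), der_explicit(0, &response_bytes)])
}

/// Read one TLV, returning (tag, contents, rest); enough to walk the output.
pub fn read_tlv(der: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, r) = der.split_first()?;
    let (&l0, r) = r.split_first()?;
    let (len, r) = if l0 < 0x80 {
        (l0 as usize, r)
    } else {
        let n = (l0 & 0x7F) as usize;
        let mut len = 0usize;
        for b in r.get(..n)? {
            len = (len << 8) | *b as usize;
        }
        (len, &r[n..])
    };
    let body = r.get(..len)?;
    Some((tag, body, &r[len..]))
}
```

The bytes handed to `sign` are exactly the bytes a verifying client re-hashes, so the signing closure must operate on the raw DER it receives and never re-encode it. On the receiving side, the checks that matter are that the signing key is the issuer's (or an issuer-authorized responder's), that `thisUpdate` is not in the future and `nextUpdate`, when present, has not passed, and that the `CertID` hashes match the certificate actually being validated; `read_tlv` is enough to pull those fields out for inspection.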