Skip to main content

Module ocsp

Module ocsp 

Available on crate features crypto and std only.
Expand description

Generic OCSP response builder (TLS-backend agnostic).

Builds and DER-encodes an OCSP response asserting a single certificate’s status, signed by its issuer. Hashing and signing are supplied by the caller (the TLS backend), so this module pulls in no crypto backend — it is pure ASN.1 assembly on the yasna DER writer already in the dependency tree.

BoringSSL (and others) can staple a pre-built OCSP response on the server side but cannot build one — there is no responder/builder API. This is that builder, kept generic so every TLS backend (rama-tls-boring, rama-tls-rustls, …) can share it; only the cert/key/hash/sign glue lives in the backend crate.

Primary use: a MITM proxy stapling an issuer-signed good status onto a re-signed leaf, so revocation-strict clients (e.g. cargo / schannel on Windows) accept it inline without an external responder.

Structs§

OcspCertId
Identifies the certificate whose status is attested (RFC 6960 CertID).
OcspRequestCertId
A single CertID extracted from an OCSP request.
OcspRequestInfo
A parsed OCSP request: the requested CertIDs and the optional nonce.

Enums§

OcspCertStatus
Status to assert for the certificate.
OcspSignatureAlgorithm
Signature algorithm the caller used to sign the tbsResponseData.

Functions§

authority_info_access_ocsp_der
DER of an AuthorityInfoAccessSyntax extension value with a single id-ad-ocsp responder URI, for embedding as the 1.3.6.1.5.5.7.1.1 extension on a re-signed leaf.
build_ocsp_response
Build a DER-encoded OCSPResponse attesting cert’s status.
parse_ocsp_request
Parse a DER OCSPRequest (RFC 6960 §4.1.1).
sha1_hash_algorithm_der
DER of the sha1 CertID hashAlgorithm (AlgorithmIdentifier { sha1, NULL }), for callers building a CertID without an inbound request to echo (e.g. a stapled good response).