Module ocsp
crypto and std only.Expand description
Generic OCSP response builder (TLS-backend agnostic).
Builds and DER-encodes an OCSP response asserting a single certificate’s
status, signed by its issuer. Hashing and signing are supplied by the
caller (the TLS backend), so this module pulls in no crypto backend — it is
pure ASN.1 assembly on the yasna DER writer already in the dependency tree.
BoringSSL (and others) can staple a pre-built OCSP response on the server
side but cannot build one — there is no responder/builder API. This is
that builder, kept generic so every TLS backend (rama-tls-boring,
rama-tls-rustls, …) can share it; only the cert/key/hash/sign glue lives
in the backend crate.
Primary use: a MITM proxy stapling an issuer-signed good status onto a
re-signed leaf, so revocation-strict clients (e.g. cargo / schannel on
Windows) accept it inline without an external responder.
Structs§
- Ocsp
Cert Id - Identifies the certificate whose status is attested (RFC 6960
CertID). - Ocsp
Request Cert Id - A single
CertIDextracted from an OCSP request. - Ocsp
Request Info - A parsed OCSP request: the requested
CertIDs and the optional nonce.
Enums§
- Ocsp
Cert Status - Status to assert for the certificate.
- Ocsp
Signature Algorithm - Signature algorithm the caller used to sign the
tbsResponseData.
Functions§
- authority_
info_ access_ ocsp_ der - DER of an
AuthorityInfoAccessSyntaxextension value with a singleid-ad-ocspresponder URI, for embedding as the1.3.6.1.5.5.7.1.1extension on a re-signed leaf. - build_
ocsp_ response - Build a DER-encoded
OCSPResponseattestingcert’sstatus. - parse_
ocsp_ request - Parse a DER
OCSPRequest(RFC 6960 §4.1.1). - sha1_
hash_ algorithm_ der - DER of the
sha1CertIDhashAlgorithm(AlgorithmIdentifier { sha1, NULL }), for callers building aCertIDwithout an inbound request to echo (e.g. a stapledgoodresponse).