OCSP client for certificate revocation checking per RFC 6960.
Provides an OcspClient that sends OCSP requests to a configured
responder URL, caches responses, and integrates with the mTLS
authentication layer (RHELBU-3536 R21).
§Protocol overview (RFC 6960)
An OCSP request identifies the certificate to check via a CertID
structure (§4.1.1) containing:
- Hash algorithm
- Hash of issuer’s distinguished name
- Hash of issuer’s public key
- Certificate serial number
The responder returns a signed BasicOCSPResponse (§4.2.1) with a
status of good, revoked, or unknown for each queried certificate.
§Nonce support
Per RFC 6960 §4.4.1, the client MAY include a nonce extension in the
request to prevent replay attacks. When OcspConfig::require_nonce
is true, the client rejects responses that do not echo the nonce.
§Caching
Responses are cached in a concurrent DashMap keyed by CertId.
The cache TTL is configurable via OcspConfig::cache_ttl_secs.
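The nonce check and the TTL-bounded cache described in the two sections above, as an added illustration (this is example code written for this page, not the crate's own OcspClient, OcspConfig or CertId; the CertId, Response and StatusCache types below are hypothetical stand-ins, and `now` is passed in explicitly so expiry can be reasoned about without a wall clock):

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Hypothetical stand-in for the RFC 6960 CertID (§4.1.1): hash algorithm,
/// issuer name hash, issuer key hash and serial number. Not the crate's type.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct CertId {
    pub hash_alg: &'static str,
    pub issuer_name_hash: Vec<u8>,
    pub issuer_key_hash: Vec<u8>,
    pub serial: Vec<u8>,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OcspStatus { Good, Revoked, Unknown }

#[derive(Debug, PartialEq, Eq)]
pub enum OcspError { NonceMissing, NonceMismatch }

/// Parsed responder reply (constructed shape for this example): the status
/// for one certificate plus the nonce the responder echoed, if any.
pub struct Response { pub status: OcspStatus, pub nonce: Option<Vec<u8>> }

/// Nonce rule (RFC 6960 §4.4.1): with `require_nonce` set, a reply that
/// omits the nonce is rejected. A reply echoing a *different* nonce is
/// always rejected here; that is an assumption of this example.
pub fn check_nonce(require_nonce: bool, sent: &[u8], resp: &Response) -> Result<(), OcspError> {
    match &resp.nonce {
        Some(echoed) if echoed.as_slice() != sent => Err(OcspError::NonceMismatch),
        None if require_nonce => Err(OcspError::NonceMissing),
        _ => Ok(()),
    }
}

/// Status cache keyed by CertId; entries older than the TTL are treated as absent.
pub struct StatusCache { ttl: Duration, entries: HashMap<CertId, (OcspStatus, Instant)> }

impl StatusCache {
    pub fn new(ttl_secs: u64) -> Self {
        StatusCache { ttl: Duration::from_secs(ttl_secs), entries: HashMap::new() }
    }
    /// Return the cached status only while the entry is younger than the TTL.
    pub fn get(&self, id: &CertId, now: Instant) -> Option<OcspStatus> {
        let (status, stored_at) = self.entries.get(id)?;
        (now.saturating_duration_since(*stored_at) < self.ttl).then_some(*status)
    }
    pub fn insert(&mut self, id: CertId, status: OcspStatus, now: Instant) {
        self.entries.insert(id, (status, now));
    }
}
```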
Structs§
- CertId - Identifier for a certificate in an OCSP request.
- OcspClient - OCSP client for checking certificate revocation status.
- OcspConfig - OCSP configuration.
Enums§
- OcspError - OCSP-specific errors.
- OcspStatus - Certificate revocation status per RFC 6960 §4.2.1.
Type Aliases§
- OcspResult - Result type for OCSP operations.