Lib.rs

Web programmingHTTP server | Network programming | Cryptography
#ocsp #rustls #client #stapling #staple

ocsp-stapler

OCSP stapler & client with support for Rustls

by Igor Novgorodov

7 unstable releases (3 breaking)

0.4.1 May 27, 2024
0.4.0 May 26, 2024
0.3.1 May 25, 2024
0.2.0 May 24, 2024
0.1.1 May 24, 2024

#743 in HTTP server

30 downloads per month

MPL-2.0 license

34KB
683 lines

ocsp-stapler

crates.io Documentation MPL-2 Licensed

OCSP stapler for Rustls.

  • OCSP Client that can be used separately
  • Stapler wraps Arc<dyn ResolvesServerCert> trait object and automatically staples all certificates provided by it

Please see the docs for more details.

Example

// Read the chain & private key and combine them into CertifiedKey
let certs = std::fs::read("chain.pem").unwrap();
let certs = rustls_pemfile::certs(&mut certs.as_ref()).collect::<Result<Vec<_>, _>>().unwrap();

let key = std::fs::read("private.pem").unwrap();
let key = rustls_pemfile::private_key(&mut key.as_ref()).unwrap();
let key = rustls::crypto::aws_lc_rs::sign::any_supported_type(&key).unwrap();

let ckey = rustls::sign::CertifiedKey::new(certs, key);

// Inner service that provides certificates to Rustls, can be anything
let mut inner = rustls::server::ResolvesServerCertUsingSni::new();
inner.add("crates.io", ckey).unwrap();

// Create a Stapler wrapping inner resolver
let stapler = Arc::new(ocsp_stapler::Stapler::new(inner));

// Then you can build & use ServerConfig wherever applicable
let server_config = rustls::server::ServerConfig::builder()
        .with_no_client_auth()
        .with_cert_resolver(stapler.clone());

// Stop the background worker to clean up resources
stapler.stop().await;

Dependencies

~26–38MB
~738K SLoC