micro509/revocation
Canonical revocation domain surface. Owns CRL, OCSP, and revocation orchestration APIs.
CertificateRevocationStatus
Revocation evaluation result for a single certificate.
One entry per certificate in CheckChainRevocationValue.certificates. The trust anchor is excluded (never checked for revocation).
type CertificateRevocationStatus = {
readonly certificate: ParsedCertificate;
readonly status: good;
readonly source: RevocationSource;
readonly indeterminateReasons?: undefined;
readonly revocationInfo?: undefined
} | {
readonly certificate: ParsedCertificate;
readonly status: revoked;
readonly source: RevocationSource;
readonly revocationInfo: {
readonly revocationDate: Date;
readonly reason?: RevocationReason
};
readonly indeterminateReasons?: undefined
} | {
readonly certificate: ParsedCertificate;
readonly status: indeterminate;
readonly indeterminateReasons: readonly RevocationIndeterminateReason[];
readonly source?: undefined;
readonly revocationInfo?: undefined
}CheckChainRevocationInput
Input for checkChainRevocation.
interface CheckChainRevocationInput {
readonly chain: readonly ParsedCertificate[];
readonly crls?: readonly CrlSource[];
readonly ocspResponses?: readonly OcspResponseSource[];
readonly extraCertificates?: readonly RevocationCertificateSource[];
readonly trustedOcspResponders?: readonly RevocationCertificateSource[];
readonly at?: Date;
readonly policy?: RevocationPolicy;
}Properties
readonlychain:readonlyParsedCertificate[]— Validated certificate chain (leaf first, root last).readonlycrls?:readonlyCrlSource[]— CRLs to evaluate.readonlyocspResponses?:readonlyOcspResponseSource[]— OCSP responses to evaluate.readonlyextraCertificates?:readonlyRevocationCertificateSource[]— Extra certs for indirect CRL issuers / delegated OCSP responders.readonlytrustedOcspResponders?:readonlyRevocationCertificateSource[]— Explicitly trusted OCSP responder certificates (RFC 6960 §4.2.2.2 criterion 1). A response signed by one of these is accepted without delegated-responder issuance, EKU, and revocation checks.readonlyat?:Date— Evaluation time. Defaults tonew Date().readonlypolicy?:RevocationPolicy— Revocation policy.
CheckChainRevocationResult
Result type for checkChainRevocation.
type CheckChainRevocationResult = {
readonly ok: true;
readonly value: CheckChainRevocationValue
}CheckChainRevocationValue
Detailed revocation check results.
Returned as CheckChainRevocationResult.value from checkChainRevocation. Contains both the policy decision and detailed per-certificate findings for debugging.
interface CheckChainRevocationValue {
readonly decision: allow | deny;
readonly summary: {
readonly revokedCertificates: readonly ParsedCertificate[];
readonly indeterminateCertificates: readonly ParsedCertificate[]
};
readonly certificates: readonly CertificateRevocationStatus[];
readonly executionErrors?: readonly RevocationExecutionError[];
}Properties
readonlydecision:allow|deny— Final policy decision based onRevocationPolicy.'allow': chain passes revocation check'deny': chain fails (revoked certificate or hard-fail on indeterminate)
readonlysummary: {readonlyrevokedCertificates:readonlyParsedCertificate[];readonlyindeterminateCertificates:readonlyParsedCertificate[]} — Quick-access summary of problematic certificates.readonlycertificates:readonlyCertificateRevocationStatus[]— Per-certificate evaluation results. SeeCertificateRevocationStatus.readonlyexecutionErrors?:readonlyRevocationExecutionError[]— Evidence that could not be processed. SeeRevocationExecutionError.
OcspResponseSource
OCSP response in any supported format.
Accepts PEM string or DER bytes. Used for CheckChainRevocationInput.ocspResponses.
type OcspResponseSource = string | Uint8ArrayRevocationExecutionError
Errors encountered while processing revocation evidence.
Distinct from RevocationIndeterminateReason: execution errors are code failures (malformed CRL, unsupported extension) rather than evaluation outcomes (CRL doesn't cover this certificate).
Collected in CheckChainRevocationValue.executionErrors.
interface RevocationExecutionError {
readonly kind: parse_error | unsupported_extension | internal_error;
readonly message: string;
readonly evidenceIdentifier?: string;
}Properties
readonlykind:parse_error|unsupported_extension|internal_error— Error category.readonlymessage:string— Human-readable error description.readonlyevidenceIdentifier?:string— Which evidence caused the error (e.g., CRL issuer DN).
RevocationIndeterminateReason
See the doc comment above REVOCATION_INDETERMINATE_REASONS.
type RevocationIndeterminateReason = (typeof REVOCATION_INDETERMINATE_REASONS)[number]RevocationPolicy
Revocation checking policy for checkChainRevocation.
Controls how indeterminate results (missing evidence, expired CRLs) affect the final decision.
interface RevocationPolicy {
readonly mode?: soft-fail | hard-fail;
readonly prefer?: ocsp | crl | best-available;
readonly ocspResponderRevocation?: OcspResponderRevocationPolicy;
}Properties
readonlymode?:soft-fail|hard-fail— How to handle indeterminate status.'hard-fail': indeterminate certificates cause denial (default)'soft-fail': indeterminate certificates are allowed — an explicit availability/compatibility choice
Revocation checking itself is opt-in: no check runs unless evidence is supplied. Once it is, indeterminate status denies by default.
readonlyprefer?:ocsp|crl|best-available— Evidence preference when multiple sources are available.Both evidence kinds are always evaluated, and a validated
revokedverdict from either source wins regardless of preference (fail-closed). Preference only decides which source'sgoodverdict is reported when both yield one.'best-available': the source with the fresher evidence — the laterthisUpdateon the validated OCSP entry or CRL — is reported; ties favor OCSP (default)'ocsp': prefer OCSP over CRL'crl': prefer CRL over OCSP
readonlyocspResponderRevocation?:OcspResponderRevocationPolicy— Revocation policy for delegated OCSP responder certificates (RFC 6960 §4.2.2.2.1). Supplied CRLs double as responder revocation evidence. Defaults to'honor-nocheck'.
RevocationSource
Identifies the source of revocation evidence.
Included in CertificateRevocationStatus's source when status is 'good' or 'revoked' to indicate which CRL or OCSP response provided the answer.
interface RevocationSource {
readonly kind: crl | ocsp;
readonly signerCertificate?: ParsedCertificate;
readonly evidenceIdentifier?: string;
readonly thisUpdate?: Date;
}Properties
readonlykind:crl|ocsp— Whether evidence came from a CRL or OCSP response.readonlysignerCertificate?:ParsedCertificate— Certificate that signed the evidence (CRL issuer or OCSP responder).readonlyevidenceIdentifier?:string— Identifier for debugging (e.g., CRL issuer DN or OCSP responder URL).readonlythisUpdate?:Date—thisUpdateof the evidence backing the verdict — the OCSP single response entry or the freshest contributing CRL (an applied delta CRL supersedes its base). This is the timestamp'best-available'compares.
checkChainRevocation
Checks revocation status for all certificates in a validated chain.
Evaluates CRL and OCSP evidence against each certificate (except the trust anchor), applies the revocation policy, and returns a unified decision.
function checkChainRevocation(
input: CheckChainRevocationInput,
): Promise<CheckChainRevocationResult>Parameters
input:CheckChainRevocationInput
Examples
const result = await checkChainRevocation({
chain: validatedChain,
crls: [crl1, crl2],
ocspResponses: [ocspResponseDer],
policy: { mode: 'hard-fail' },
});
if (result.value.decision === 'deny') {
console.log('Revocation check failed');
}REVOCATION_INDETERMINATE_REASONS
Granular reasons why revocation status could not be determined.
Returned in CertificateRevocationStatus's indeterminateReasons when status is 'indeterminate'. Grouped by category:
- Evidence not found:
no_applicable_crl,no_applicable_ocsp - Scope mismatch:
distribution_point_mismatch,issuer_name_mismatch,reason_scope_mismatch,indirect_crl_scope_mismatch,reason_coverage_incomplete - Signer trust:
crl_signer_not_found,crl_signer_not_authorized,crl_signer_revoked,crl_signer_indeterminate, and OCSP equivalents - Freshness:
crl_expired,ocsp_response_expired
const REVOCATION_INDETERMINATE_REASONS: no_applicable_crl | no_applicable_ocsp | distribution_point_mismatch | issuer_name_mismatch | reason_scope_mismatch | indirect_crl_scope_mismatch | reason_coverage_incomplete | crl_signer_not_found | crl_signer_not_authorized | crl_signer_revoked | crl_signer_indeterminate | ocsp_responder_not_found | ocsp_responder_not_authorized | ocsp_responder_revoked | ocsp_responder_indeterminate | crl_expired | ocsp_response_expired | ocsp_status_unknown[]CertificateRevocationListMaterial
Encoded CRL in multiple serialisation formats, returned by createCertificateRevocationList.
interface CertificateRevocationListMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER bytes of the signed CRL.readonlypem:string— PEM-encoded CRL (-----BEGIN X509 CRL-----).readonlybase64:string— Base64-encoded DER (no PEM armour).
CheckCertificateRevocationAgainstCrlErrorCode
Error codes that checkCertificateRevocationAgainstCrl may return.
type CheckCertificateRevocationAgainstCrlErrorCode = signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted | non_applicableCheckCertificateRevocationAgainstCrlFailure
Failure detail for checkCertificateRevocationAgainstCrl.
interface CheckCertificateRevocationAgainstCrlFailure extends Micro509Error<CheckCertificateRevocationAgainstCrlErrorCode, CheckCertificateRevocationAgainstCrlFailureDetails> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
CheckCertificateRevocationAgainstCrlFailureDetails
Structured details attached to a CheckCertificateRevocationAgainstCrlFailure.
interface CheckCertificateRevocationAgainstCrlFailureDetails {
readonly reason?: CrlApplicabilityFailureReason;
}Properties
readonlyreason?:CrlApplicabilityFailureReason— Why the CRL was non-applicable, when the error code isnon_applicable.
CheckCertificateRevocationAgainstCrlGoodValue
Success value when the certificate is not found in the CRL.
interface CheckCertificateRevocationAgainstCrlGoodValue {
readonly status: good;
readonly crl: ParsedCertificateRevocationList;
}Properties
readonlystatus:good— Certificate is not revoked.readonlycrl:ParsedCertificateRevocationList— The validated CRL that was checked.
CheckCertificateRevocationAgainstCrlInput
Input for checkCertificateRevocationAgainstCrl.
interface CheckCertificateRevocationAgainstCrlInput {
readonly certificate: CrlCertificateSource;
readonly issuerCertificate: CrlCertificateSource;
readonly crl: CrlSource;
readonly deltaCrl?: CrlSource;
readonly at?: Date;
readonly clockSkewMs?: number;
}Properties
readonlycertificate:CrlCertificateSource— Certificate whose revocation status to check.readonlyissuerCertificate:CrlCertificateSource— Issuer ofcertificate— also expected signer of the CRL.readonlycrl:CrlSource— Complete (base) CRL to check against.readonlydeltaCrl?:CrlSource— Optional delta CRL for more recent revocation information.readonlyat?:Date— Evaluation time. Defaults tonew Date().readonlyclockSkewMs?:number— Clock-skew tolerance in milliseconds for freshness checks.
CheckCertificateRevocationAgainstCrlResult
Result of checkCertificateRevocationAgainstCrl.
On success value.status is 'good' or 'revoked'. On failure the CRL could not be validated or was non-applicable.
type CheckCertificateRevocationAgainstCrlResult = {
readonly ok: true;
readonly value: CheckCertificateRevocationAgainstCrlValue
} | ErrorResult<CheckCertificateRevocationAgainstCrlErrorCode, CheckCertificateRevocationAgainstCrlFailureDetails, CheckCertificateRevocationAgainstCrlFailure>CheckCertificateRevocationAgainstCrlRevokedValue
Success value when the certificate is found as revoked in the CRL.
interface CheckCertificateRevocationAgainstCrlRevokedValue {
readonly status: revoked;
readonly crl: ParsedCertificateRevocationList;
readonly revocationDate: Date;
readonly reasonCode?: RevocationReason;
}Properties
readonlystatus:revoked— Certificate is revoked.readonlycrl:ParsedCertificateRevocationList— The validated CRL that contained the revocation entry.readonlyrevocationDate:Date— When the CA declared this certificate revoked.readonlyreasonCode?:RevocationReason— CRLReason from the entry, if present.
CheckCertificateRevocationAgainstCrlValue
Discriminated union of good and revoked outcomes.
type CheckCertificateRevocationAgainstCrlValue = CheckCertificateRevocationAgainstCrlGoodValue | CheckCertificateRevocationAgainstCrlRevokedValueCreateCertificateRevocationListInput
Input for createCertificateRevocationList.
interface CreateCertificateRevocationListInput {
readonly issuer: NameInput;
readonly signerPrivateKey: CryptoKey;
readonly issuerPublicKey?: CryptoKey;
readonly thisUpdate?: Date;
readonly nextUpdate?: Date;
readonly revokedCertificates?: readonly RevokedCertificateInput[];
readonly crlNumber?: number;
readonly baseCrlNumber?: number;
readonly issuingDistributionPoint?: IssuingDistributionPoint;
readonly freshestCrlDistributionPoints?: readonly DistributionPoint[];
}Properties
readonlyissuer:NameInput— Distinguished name of the CRL issuer (typically the signing CA).readonlysignerPrivateKey:CryptoKey— Private key used to sign the CRL. Algorithm is inferred from the key.readonlyissuerPublicKey?:CryptoKey— Issuer public key — used to embed an Authority Key Identifier extension.readonlythisUpdate?:Date— Issuance timestamp. Defaults tonew Date().readonlynextUpdate?:Date— Planned next issuance. Omit for an open-ended CRL.readonlyrevokedCertificates?:readonlyRevokedCertificateInput[]— Certificates to list as revoked in this CRL.readonlycrlNumber?:number— Monotonically-increasing CRL sequence number (CRLNumber extension).readonlybaseCrlNumber?:number— If set, marks this CRL as a delta CRL referencing the given base CRL number.readonlyissuingDistributionPoint?:IssuingDistributionPoint— Issuing distribution point extension — scopes this CRL to a subset of certificates.readonlyfreshestCrlDistributionPoints?:readonlyDistributionPoint[]— Freshest CRL distribution points — tells relying parties where to find delta CRLs.
CrlApplicabilityFailureReason
Structured reason why a CRL was deemed non-applicable to a given certificate.
type CrlApplicabilityFailureReason = certificate_scope_mismatch | delta_crl_incompatible | unsupported_delta_crl | distribution_point_mismatch | unsupported_indirect_crl | issuer_mismatch | reasons_mismatchCrlCertificateSource
PEM string, DER bytes, or already-parsed certificate.
type CrlCertificateSource = string | Uint8Array | ParsedCertificateCrlSource
PEM string, DER bytes, or already-parsed CRL.
type CrlSource = string | Uint8Array | ParsedCertificateRevocationListParseCertificateRevocationListErrorCode
Machine-readable failure reason for the CRL parsers.
type ParseCertificateRevocationListErrorCode = malformedParseCertificateRevocationListFailure
Structured failure payload for CRL parsing.
interface ParseCertificateRevocationListFailure extends Micro509Error<ParseCertificateRevocationListErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParseCertificateRevocationListResult
Success-or-failure result from parseCertificateRevocationListDer / parseCertificateRevocationListPem.
type ParseCertificateRevocationListResult = {
readonly ok: true;
readonly value: ParsedCertificateRevocationList
} | ErrorResult<ParseCertificateRevocationListErrorCode, Record<never, never>, ParseCertificateRevocationListFailure>ParsedCertificateRevocationList
Decoded X.509 CRL, returned by parseCertificateRevocationListDer and parseCertificateRevocationListPem.
interface ParsedCertificateRevocationList {
readonly der?: Uint8Array;
readonly version: number;
readonly tbsCertListDer: Uint8Array;
readonly signatureValue: Uint8Array;
readonly issuer: ParsedName;
readonly thisUpdate: Date;
readonly nextUpdate?: Date;
readonly signatureAlgorithmOid: string;
readonly signatureAlgorithmName: string;
readonly signatureAlgorithmParametersDer?: Uint8Array;
readonly issuerPublicKeyAlgorithmOid?: string;
readonly issuerPublicKeyParametersOid?: string;
readonly authorityKeyIdentifier?: string;
readonly crlNumber?: number;
readonly baseCrlNumber?: number;
readonly issuingDistributionPoint?: ParsedIssuingDistributionPoint;
readonly freshestCrlDistributionPoints?: readonly ParsedDistributionPoint[];
readonly revokedCertificates: readonly ParsedRevokedCertificate[];
}Properties
readonlyder?:Uint8Array— Original DER bytes when this object came fromparseCertificateRevocationListDeror PEM parsing.readonlyversion:number— CRL version (1 = v1, 2 = v2 with extensions).readonlytbsCertListDer:Uint8Array— DER-encoded TBSCertList — the signed payload for signature verification.readonlysignatureValue:Uint8Array— Raw signature bytes from the CRL outer wrapper.readonlyissuer:ParsedName— CRL issuer distinguished name.readonlythisUpdate:Date— Start of the CRL validity window.readonlynextUpdate?:Date— End of the CRL validity window. Absent if the CA does not commit to a schedule.readonlysignatureAlgorithmOid:string— OID of the algorithm used to sign this CRL.readonlysignatureAlgorithmName:string— Human-readable signature algorithm name (e.g."ECDSA with SHA-256").readonlysignatureAlgorithmParametersDer?:Uint8Array— DER-encoded signature algorithm parameters (e.g. DER NULL for RSA PKCS#1 v1.5).readonlyissuerPublicKeyAlgorithmOid?:string— OID of the issuer's public key algorithm, when available.readonlyissuerPublicKeyParametersOid?:string— OID of the issuer's public key parameters (e.g. named curve), when available.readonlyauthorityKeyIdentifier?:string— Hex-encoded Authority Key Identifier, if the extension is present.readonlycrlNumber?:number— CRLNumber extension value — monotonically increasing sequence number.readonlybaseCrlNumber?:number— Delta CRL indicator — present only on delta CRLs, referencing the base CRL number.readonlyissuingDistributionPoint?:ParsedIssuingDistributionPoint— Issuing distribution point extension — scopes this CRL to a certificate subset.readonlyfreshestCrlDistributionPoints?:readonlyParsedDistributionPoint[]— Freshest CRL extension — points to delta CRL locations.readonlyrevokedCertificates:readonlyParsedRevokedCertificate[]— All revoked certificate entries (empty array if none).
ParsedRevokedCertificate
A single revoked-certificate entry decoded from a CRL.
interface ParsedRevokedCertificate {
readonly serialNumberHex: string;
readonly revocationDate: Date;
readonly reasonCode?: RevocationReason;
readonly invalidityDate?: Date;
readonly certificateIssuer?: readonly GeneralName[];
}Properties
readonlyserialNumberHex:string— Hex-encoded serial number of the revoked certificate.readonlyrevocationDate:Date— When the CA declared this certificate revoked.readonlyreasonCode?:RevocationReason— RFC 5280 CRLReason, if the entry carries one.readonlyinvalidityDate?:Date— When the key or certificate actually became suspect, if present.readonlycertificateIssuer?:readonlyGeneralName[]— Indirect-CRL certificate issuer override (RFC 5280 §5.3.3).
RevocationReason
RFC 5280 §5.3.1 CRLReason code values.
removeFromCRL is used in delta CRLs to un-hold a certificate.
type RevocationReason = unspecified | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | removeFromCRL | privilegeWithdrawn | aACompromiseRevokedCertificateInput
Single revoked certificate entry for createCertificateRevocationList.
interface RevokedCertificateInput {
readonly serialNumber: Uint8Array;
readonly revocationDate?: Date;
readonly reasonCode?: RevocationReason;
readonly invalidityDate?: Date;
}Properties
readonlyserialNumber:Uint8Array— DER-encoded certificate serial number to revoke.readonlyrevocationDate?:Date— When the certificate was revoked. Defaults tothisUpdateof the CRL.readonlyreasonCode?:RevocationReason— RFC 5280 CRLReason code. Omit forunspecified.readonlyinvalidityDate?:Date— When the key or certificate became suspect — may predaterevocationDate.
ValidateCertificateRevocationListFailure
Failure detail for validateCertificateRevocationList.
Possible codes: signature_invalid, issuer_mismatch, stale_crl, crl_sign_not_permitted.
interface ValidateCertificateRevocationListFailure extends Micro509Error<signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ValidateCertificateRevocationListInput
Input for validateCertificateRevocationList.
interface ValidateCertificateRevocationListInput {
readonly crl: CrlSource;
readonly issuerCertificate: CrlCertificateSource;
readonly at?: Date;
readonly clockSkewMs?: number;
}Properties
readonlycrl:CrlSource— The CRL to validate.readonlyissuerCertificate:CrlCertificateSource— Certificate of the CA that should have signed the CRL.readonlyat?:Date— Evaluation time for freshness checks. Defaults tonew Date().readonlyclockSkewMs?:number— Tolerance in milliseconds for clock skew when checkingthisUpdate/nextUpdate.
ValidateCertificateRevocationListResult
Result of validateCertificateRevocationList.
On success, the CRL has passed signature, issuer, key-usage, and freshness checks.
type ValidateCertificateRevocationListResult = {
readonly ok: true;
readonly value: ParsedCertificateRevocationList
} | ErrorResult<signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted, Record<never, never>, ValidateCertificateRevocationListFailure>VerifyCertificateRevocationListSignatureFailure
Failure detail when CRL signature verification fails.
interface VerifyCertificateRevocationListSignatureFailure extends Micro509Error<signature_invalid> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
VerifyCertificateRevocationListSignatureResult
Result of verifyCertificateRevocationListSignature.
On success, value is the parsed CRL whose signature has been verified.
type VerifyCertificateRevocationListSignatureResult = {
readonly ok: true;
readonly value: ParsedCertificateRevocationList
} | ErrorResult<signature_invalid, Record<never, never>, VerifyCertificateRevocationListSignatureFailure>checkCertificateRevocationAgainstCrl
End-to-end revocation check: validates the CRL (and optional delta CRL), verifies applicability via distribution-point and scope matching, then resolves the certificate's revocation status.
Returns good if the serial is absent, revoked with date/reason if present, or an error if the CRL cannot be validated or is non-applicable.
function checkCertificateRevocationAgainstCrl(
input: CheckCertificateRevocationAgainstCrlInput,
): Promise<CheckCertificateRevocationAgainstCrlResult>Parameters
Examples
import { checkCertificateRevocationAgainstCrl } from 'micro509';
const result = await checkCertificateRevocationAgainstCrl({
certificate: leafPem,
issuerCertificate: caPem,
crl: crlPem,
});
if (result.ok && result.value.status === 'revoked') {
console.log('revoked on', result.value.revocationDate);
}createCertificateRevocationList
Signs and encodes an X.509 v2 CRL.
Embeds Authority Key Identifier, CRLNumber, delta CRL indicator, issuing distribution point, and freshest-CRL extensions as configured.
function createCertificateRevocationList(
input: CreateCertificateRevocationListInput,
): Promise<CertificateRevocationListMaterial>Parameters
Examples
import { createCertificateRevocationList } from 'micro509';
const crl = await createCertificateRevocationList({
issuer: { commonName: 'Example CA' },
signerPrivateKey: caPrivateKey,
issuerPublicKey: caPublicKey,
thisUpdate: new Date('2025-01-01'),
nextUpdate: new Date('2025-02-01'),
crlNumber: 42,
revokedCertificates: [
{ serialNumber: revokedSerial, reasonCode: 'keyCompromise' },
],
});
// crl.pem, crl.der, crl.base64isCertificateRevoked
Quick serial-number lookup — returns true if the serial appears in the CRL's revoked entries. Does not validate the CRL or check applicability.
function isCertificateRevoked(
certificateSerialNumber: Uint8Array | string,
crl: ParsedCertificateRevocationList,
): booleanParameters
certificateSerialNumber:Uint8Array|stringcrl:ParsedCertificateRevocationList
parseCertificateRevocationListDer
Decodes a DER-encoded X.509 CRL into a structured ParsedCertificateRevocationList.
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseCertificateRevocationListDerOrThrow. Does not verify the signature — call verifyCertificateRevocationListSignature or validateCertificateRevocationList for that.
function parseCertificateRevocationListDer(
der: Uint8Array,
): ParseCertificateRevocationListResultParameters
der:Uint8Array
parseCertificateRevocationListDerOrThrow
Throwing core for parseCertificateRevocationListDer.
Does not verify the signature — call verifyCertificateRevocationListSignature or validateCertificateRevocationList for that.
function parseCertificateRevocationListDerOrThrow(
der: Uint8Array,
): ParsedCertificateRevocationListParameters
der:Uint8Array
parseCertificateRevocationListPem
Decodes a PEM-encoded X.509 CRL (-----BEGIN X509 CRL-----).
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseCertificateRevocationListPemOrThrow.
function parseCertificateRevocationListPem(
pem: string,
): ParseCertificateRevocationListResultParameters
pem:string
parseCertificateRevocationListPemOrThrow
Decodes a PEM-encoded X.509 CRL (-----BEGIN X509 CRL-----).
function parseCertificateRevocationListPemOrThrow(
pem: string,
): ParsedCertificateRevocationListParameters
pem:string
Examples
import { parseCertificateRevocationListPemOrThrow } from 'micro509';
const crl = parseCertificateRevocationListPemOrThrow(pemString); // throws if malformed
console.log(crl.issuer.values.commonName, crl.revokedCertificates.length);validateCertificateRevocationList
Full CRL validation: issuer name match, authority key identifier match, cRLSign key-usage check, signature verification, and thisUpdate/nextUpdate freshness check (with optional clock-skew tolerance).
function validateCertificateRevocationList(
input: ValidateCertificateRevocationListInput,
): Promise<ValidateCertificateRevocationListResult>Parameters
verifyCertificateRevocationListSignature
Verifies the CRL signature against the issuer certificate's public key.
Does not check issuer name match, key-usage, or freshness — use validateCertificateRevocationList for full validation.
function verifyCertificateRevocationListSignature(
crl: string | Uint8Array,
issuerCertificate: string | Uint8Array,
): Promise<VerifyCertificateRevocationListSignatureResult>Parameters
crl:string|Uint8ArrayissuerCertificate:string|Uint8Array
CreateOcspRequestInput
Input for createOcspRequest.
interface CreateOcspRequestInput {
readonly requests: readonly CreateOcspRequestItemInput[];
readonly hashAlgorithm?: OcspHashAlgorithm;
readonly nonce?: Uint8Array;
}Properties
readonlyrequests:readonlyCreateOcspRequestItemInput[]— One or more certificates to query (batched into a single OCSP request).readonlyhashAlgorithm?:OcspHashAlgorithm— Hash algorithm for CertID computation. Defaults to'SHA-1'.readonlynonce?:Uint8Array— Random nonce for replay protection. Omit to skip the nonce extension.
CreateOcspRequestItemInput
One certificate whose status to query in an OCSP request. Used as an element of CreateOcspRequestInput.requests.
interface CreateOcspRequestItemInput {
readonly certificate: OcspCertificateSource;
readonly issuerCertificate: OcspCertificateSource;
}Properties
readonlycertificate:OcspCertificateSource— Certificate whose revocation status is being queried.readonlyissuerCertificate:OcspCertificateSource— Issuer ofcertificate— needed to compute the CertID hash.
CreateOcspResponseInput
Input for createOcspResponse.
interface CreateOcspResponseInput {
readonly signerPrivateKey: CryptoKey;
readonly signerCertificate: OcspCertificateSource;
readonly responses: readonly CreateOcspSingleResponseInput[];
readonly producedAt?: Date;
readonly nonce?: Uint8Array;
readonly hashAlgorithm?: OcspHashAlgorithm;
readonly includedCertificates?: readonly OcspCertificateSource[];
}Properties
readonlysignerPrivateKey:CryptoKey— Private key used to sign the response. Algorithm is inferred from the key.readonlysignerCertificate:OcspCertificateSource— Certificate of the OCSP responder — used to build the responder ID (by key hash).readonlyresponses:readonlyCreateOcspSingleResponseInput[]— Per-certificate status entries to include in the BasicOCSPResponse.readonlyproducedAt?:Date— Timestamp for theproducedAtfield. Defaults tonew Date().readonlynonce?:Uint8Array— Nonce to echo back for replay protection.readonlyhashAlgorithm?:OcspHashAlgorithm— Hash algorithm for CertID computation. Defaults to'SHA-1'.readonlyincludedCertificates?:readonlyOcspCertificateSource[]— Extra certificates to embed in the response (e.g. the responder's issuer chain).
CreateOcspSingleResponseInput
One certificate's status entry for CreateOcspResponseInput.responses. Extends CreateOcspRequestItemInput with status and timing fields.
interface CreateOcspSingleResponseInput extends CreateOcspRequestItemInput {
readonly certStatus: OcspCertStatus;
readonly thisUpdate?: Date;
readonly nextUpdate?: Date;
readonly revokedAt?: Date;
readonly revocationReasonCode?: number;
}Properties
readonlycertStatus:OcspCertStatus— Status to assert for this certificate.readonlythisUpdate?:Date— Start of the validity window for this status assertion. Defaults tonew Date().readonlynextUpdate?:Date— End of the validity window. Omit for open-ended assertions.readonlyrevokedAt?:Date— Revocation time (required whencertStatusis'revoked'). Defaults tothisUpdate.readonlyrevocationReasonCode?:number— CRLReason integer code (only meaningful whencertStatusis'revoked').
OcspCertificateSource
PEM string, DER bytes, or already-parsed certificate.
type OcspCertificateSource = string | Uint8Array | ParsedCertificateOcspCertStatus
RFC 6960 certificate status reported by the responder for a single CertID.
type OcspCertStatus = good | revoked | unknownOcspHashAlgorithm
Hash algorithm used to compute OCSP CertID fields. SHA-1 is the RFC 6960 default.
type OcspHashAlgorithm = SHA-1 | SHA-256OcspRequestMaterial
Encoded OCSP request in multiple serialisation formats, returned by createOcspRequest.
interface OcspRequestMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER bytes.readonlypem:string— PEM-encoded request (-----BEGIN OCSP REQUEST-----).readonlybase64:string— Base64-encoded DER (no PEM armour).
OcspRequestSource
PEM string, DER bytes, or already-parsed OCSP request.
type OcspRequestSource = string | Uint8Array | ParsedOcspRequestOcspResponderRevocationPolicy
Revocation policy for delegated OCSP responder certificates (RFC 6960 §4.2.2.2.1).
'honor-nocheck'(default): a responder carryingid-pkix-ocsp-nocheckis exempt from revocation checking. Otherwise, CRL evidence fromValidateOcspResponseInput.responderRevocationCrlsis consulted when provided — a revoked responder rejects the response; missing or unusable evidence is tolerated (soft).'require-evidence':nocheckis ignored; CRL evidence must positively show the responder is not revoked, otherwise the response is rejected.'skip': no responder revocation checking.
type OcspResponderRevocationPolicy = honor-nocheck | require-evidence | skipOcspResponseMaterial
Encoded OCSP response in multiple serialisation formats, returned by createOcspResponse.
interface OcspResponseMaterial {
readonly der: Uint8Array;
readonly pem: string;
readonly base64: string;
}Properties
readonlyder:Uint8Array— Raw DER bytes.readonlypem:string— PEM-encoded response (-----BEGIN OCSP RESPONSE-----).readonlybase64:string— Base64-encoded DER (no PEM armour).
OcspResponseStatus
RFC 6960 overall response status — anything other than 'successful' means the response body is absent or unusable.
type OcspResponseStatus = successful | malformedRequest | internalError | tryLater | sigRequired | unauthorizedParsedOcspCertId
Decoded OCSP CertID — identifies a certificate by hashed issuer name, hashed issuer key, and serial number.
interface ParsedOcspCertId {
readonly hashAlgorithmOid: string;
readonly hashAlgorithmName: string;
readonly issuerNameHashHex: string;
readonly issuerKeyHashHex: string;
readonly serialNumberHex: string;
}Properties
readonlyhashAlgorithmOid:string— OID of the hash algorithm used for the name and key hashes.readonlyhashAlgorithmName:string— Human-readable hash algorithm name (e.g."SHA-256").readonlyissuerNameHashHex:string— Hex-encoded hash of the issuer's distinguished name DER.readonlyissuerKeyHashHex:string— Hex-encoded hash of the issuer's SubjectPublicKey BIT STRING content.readonlyserialNumberHex:string— Hex-encoded serial number of the certificate.
ParsedOcspRequest
Decoded OCSP request, returned by parseOcspRequestDer / parseOcspRequestPem.
interface ParsedOcspRequest {
readonly der?: Uint8Array;
readonly requests: readonly ParsedOcspCertId[];
readonly nonce?: string;
}Properties
readonlyder?:Uint8Array— Original DER bytes when this object came fromparseOcspRequestDeror PEM parsing.readonlyrequests:readonlyParsedOcspCertId[]— CertIDs of the certificates being queried.readonlynonce?:string— Hex-encoded nonce extension value, if present.
ParsedOcspResponderId
How the OCSP responder identifies itself — either by distinguished name or by SHA-1 hash of its public key.
type ParsedOcspResponderId = {
readonly type: byName;
readonly name: ParsedName
} | {
readonly type: byKeyHash;
readonly keyHashHex: string
}ParsedOcspResponse
Decoded OCSP response, returned by parseOcspResponseDer / parseOcspResponsePem.
When responseStatus is not 'successful', most fields are absent.
interface ParsedOcspResponse {
readonly der?: Uint8Array;
readonly responseStatus: OcspResponseStatus;
readonly responseTypeOid?: string;
readonly responseDataDer?: Uint8Array;
readonly responderId?: ParsedOcspResponderId;
readonly signatureAlgorithmOid?: string;
readonly signatureAlgorithmName?: string;
readonly signatureValue?: Uint8Array;
readonly producedAt?: Date;
readonly responses?: readonly ParsedOcspSingleResponse[];
readonly nonce?: string;
readonly certificates?: readonly ParsedCertificate[];
}Properties
readonlyder?:Uint8Array— Original DER bytes when this object came fromparseOcspResponseDeror PEM parsing.readonlyresponseStatus:OcspResponseStatus— Overall response status. Only'successful'carries a BasicOCSPResponse body.readonlyresponseTypeOid?:string— OID of the response type (normallyid-pkix-ocsp-basic).readonlyresponseDataDer?:Uint8Array— DER-encoded ResponseData — the signed payload for signature verification.readonlyresponderId?:ParsedOcspResponderId— How the responder identifies itself.readonlysignatureAlgorithmOid?:string— OID of the algorithm used to sign this response.readonlysignatureAlgorithmName?:string— Human-readable signature algorithm name.readonlysignatureValue?:Uint8Array— Raw signature bytes.readonlyproducedAt?:Date— Timestamp when the responder produced this response.readonlyresponses?:readonlyParsedOcspSingleResponse[]— Per-certificate status entries.readonlynonce?:string— Hex-encoded nonce, if the response echoed one.readonlycertificates?:readonlyParsedCertificate[]— Certificates embedded in the response (typically the responder's chain).
ParsedOcspSingleResponse
Status of one certificate inside an OCSP BasicResponse.
interface ParsedOcspSingleResponse {
readonly certId: ParsedOcspCertId;
readonly certStatus: OcspCertStatus;
readonly thisUpdate: Date;
readonly nextUpdate?: Date;
readonly revokedAt?: Date;
readonly revocationReasonCode?: number;
}Properties
readonlycertId:ParsedOcspCertId— Which certificate this status applies to.readonlycertStatus:OcspCertStatus— Responder's verdict:good,revoked, orunknown.readonlythisUpdate:Date— Start of the validity window for this status assertion.readonlynextUpdate?:Date— End of the validity window. Absent if the responder does not commit to a schedule.readonlyrevokedAt?:Date— When the certificate was revoked (only forcertStatus === 'revoked').readonlyrevocationReasonCode?:number— CRLReason integer (only forcertStatus === 'revoked').
ParseOcspRequestErrorCode
Machine-readable failure reason for the OCSP request parsers.
type ParseOcspRequestErrorCode = malformedParseOcspRequestFailure
Structured failure payload for OCSP request parsing.
interface ParseOcspRequestFailure extends Micro509Error<ParseOcspRequestErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParseOcspRequestResult
Success-or-failure result from parseOcspRequestDer / parseOcspRequestPem.
type ParseOcspRequestResult = {
readonly ok: true;
readonly value: ParsedOcspRequest
} | ErrorResult<ParseOcspRequestErrorCode, Record<never, never>, ParseOcspRequestFailure>ParseOcspResponseErrorCode
Machine-readable failure reason for the OCSP response parsers.
type ParseOcspResponseErrorCode = malformedParseOcspResponseFailure
Structured failure payload for OCSP response parsing.
interface ParseOcspResponseFailure extends Micro509Error<ParseOcspResponseErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ParseOcspResponseResult
Success-or-failure result from parseOcspResponseDer / parseOcspResponsePem.
type ParseOcspResponseResult = {
readonly ok: true;
readonly value: ParsedOcspResponse
} | ErrorResult<ParseOcspResponseErrorCode, Record<never, never>, ParseOcspResponseFailure>ValidateOcspResponseErrorCode
Failure codes produced by validateOcspResponse.
type ValidateOcspResponseErrorCode = response_status_invalid | signature_invalid | responder_id_mismatch | nonce_mismatch | request_mismatch | issuer_mismatch | responder_chain_invalid | ocsp_signing_missing | responder_revoked | responder_revocation_unknown | stale_responseValidateOcspResponseFailure
Failure detail for validateOcspResponse.
Possible codes: response_status_invalid, signature_invalid, responder_id_mismatch, nonce_mismatch, request_mismatch, issuer_mismatch, responder_chain_invalid, ocsp_signing_missing, responder_revoked, responder_revocation_unknown, stale_response.
interface ValidateOcspResponseFailure extends Micro509Error<ValidateOcspResponseErrorCode> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
ValidateOcspResponseInput
Input for validateOcspResponse.
interface ValidateOcspResponseInput {
readonly response: string | Uint8Array | ParsedOcspResponse;
readonly issuerCertificate: OcspCertificateSource;
readonly request?: OcspRequestSource;
readonly responderCertificate?: OcspCertificateSource;
readonly allowChainedResponderCertificate?: boolean;
readonly trustedOcspResponders?: readonly OcspCertificateSource[];
readonly responderRevocationPolicy?: OcspResponderRevocationPolicy;
readonly responderRevocationCrls?: readonly CrlSource[];
readonly at?: Date;
readonly clockSkewMs?: number;
}Properties
readonlyresponse:string|Uint8Array|ParsedOcspResponse— The OCSP response to validate.readonlyissuerCertificate:OcspCertificateSource— Certificate of the CA that issued the target certificate.readonlyrequest?:OcspRequestSource— Original request — enables nonce and request-coverage checks.readonlyresponderCertificate?:OcspCertificateSource— Explicit responder certificate — overrides embedded certificate discovery.readonlyallowChainedResponderCertificate?:boolean— Whentrue, allows delegated responder chain validation beyond direct issuance.readonlytrustedOcspResponders?:readonlyOcspCertificateSource[]— Explicitly trusted responder certificates for this issuer's scope (RFC 6960 §4.2.2.2 criterion 1 — local responder configuration).A response signer matching one of these certificates is accepted without the delegated-responder issuance, chain, EKU, and revocation checks. Signature verification and responder-ID binding are still enforced. Also consulted during responder discovery when the response embeds no matching certificate.
readonlyresponderRevocationPolicy?:OcspResponderRevocationPolicy— Revocation policy for delegated responder certificates. Defaults to'honor-nocheck'.readonlyresponderRevocationCrls?:readonlyCrlSource[]— CRLs used as revocation evidence for delegated responder certificates.readonlyat?:Date— Evaluation time for freshness checks and delegated responder chain validation. Defaults tonew Date().readonlyclockSkewMs?:number— Clock-skew tolerance in milliseconds forthisUpdate/nextUpdate/producedAt.
ValidateOcspResponseResult
Result of validateOcspResponse.
On success, the response has passed status, signature, responder binding, authorization (including responder revocation policy), freshness, nonce, and request-coverage checks.
type ValidateOcspResponseResult = {
readonly ok: true;
readonly value: ParsedOcspResponse
} | ErrorResult<ValidateOcspResponseErrorCode, Record<never, never>, ValidateOcspResponseFailure>VerifyOcspResponseSignatureFailure
Failure detail when OCSP response signature verification fails.
interface VerifyOcspResponseSignatureFailure extends Micro509Error<signature_invalid> {
readonly ok: false;
}Properties
readonlyok:false— Alwaysfalsefor failures.
VerifyOcspResponseSignatureResult
Result of verifyOcspResponseSignature.
On success, value is the parsed response whose signature has been verified.
type VerifyOcspResponseSignatureResult = {
readonly ok: true;
readonly value: ParsedOcspResponse
} | ErrorResult<signature_invalid, Record<never, never>, VerifyOcspResponseSignatureFailure>createOcspRequest
Builds a DER-encoded OCSP request containing one or more CertID entries and an optional nonce extension.
function createOcspRequest(
input: CreateOcspRequestInput,
): Promise<OcspRequestMaterial>Parameters
input:CreateOcspRequestInput
Examples
import { createOcspRequest } from 'micro509';
const req = await createOcspRequest({
requests: [{ certificate: leafPem, issuerCertificate: caPem }],
hashAlgorithm: 'SHA-256',
nonce: crypto.getRandomValues(new Uint8Array(16)),
});
// POST req.der to the OCSP responder URIcreateOcspResponse
Signs and encodes an OCSP BasicResponse with a successful status.
The responder is identified by key hash (SHA-1 of the signer's SubjectPublicKey). Use includedCertificates to embed the responder's chain for relying parties.
function createOcspResponse(
input: CreateOcspResponseInput,
): Promise<OcspResponseMaterial>Parameters
input:CreateOcspResponseInput
Examples
import { createOcspResponse } from 'micro509';
const resp = await createOcspResponse({
signerPrivateKey: responderPrivateKey,
signerCertificate: responderCertPem,
responses: [
{
certificate: leafPem,
issuerCertificate: caPem,
certStatus: 'good',
thisUpdate: new Date('2025-01-01'),
nextUpdate: new Date('2025-01-08'),
},
],
nonce: requestNonce,
});
// resp.der, resp.pem, resp.base64hasOcspNoCheckExtension
Reports whether a certificate carries the id-pkix-ocsp-nocheck extension (RFC 6960 §4.2.2.2.1) — the CA's assertion that relying parties may trust this OCSP responder certificate for its lifetime without revocation checks.
function hasOcspNoCheckExtension(
certificate: OcspCertificateSource,
): booleanParameters
certificate:OcspCertificateSource
parseOcspRequestDer
Decodes a DER-encoded OCSP request into a structured ParsedOcspRequest.
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspRequestDerOrThrow.
function parseOcspRequestDer(
der: Uint8Array,
): ParseOcspRequestResultParameters
der:Uint8Array
parseOcspRequestDerOrThrow
Throwing core for parseOcspRequestDer.
function parseOcspRequestDerOrThrow(
der: Uint8Array,
): ParsedOcspRequestParameters
der:Uint8Array
parseOcspRequestPem
Decodes a PEM-encoded OCSP request (-----BEGIN OCSP REQUEST-----).
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspRequestPemOrThrow.
function parseOcspRequestPem(
pem: string,
): ParseOcspRequestResultParameters
pem:string
parseOcspRequestPemOrThrow
Decodes a PEM-encoded OCSP request (-----BEGIN OCSP REQUEST-----).
function parseOcspRequestPemOrThrow(
pem: string,
): ParsedOcspRequestParameters
pem:string
parseOcspResponseDer
Decodes a DER-encoded OCSP response into a structured ParsedOcspResponse.
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspResponseDerOrThrow.
function parseOcspResponseDer(
der: Uint8Array,
): ParseOcspResponseResultParameters
der:Uint8Array
parseOcspResponseDerOrThrow
Throwing core for parseOcspResponseDer.
function parseOcspResponseDerOrThrow(
der: Uint8Array,
): ParsedOcspResponseParameters
der:Uint8Array
parseOcspResponsePem
Decodes a PEM-encoded OCSP response (-----BEGIN OCSP RESPONSE-----).
Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspResponsePemOrThrow.
function parseOcspResponsePem(
pem: string,
): ParseOcspResponseResultParameters
pem:string
parseOcspResponsePemOrThrow
Decodes a PEM-encoded OCSP response (-----BEGIN OCSP RESPONSE-----).
function parseOcspResponsePemOrThrow(
pem: string,
): ParsedOcspResponseParameters
pem:string
Examples
import { parseOcspResponsePemOrThrow } from 'micro509';
const resp = parseOcspResponsePemOrThrow(pemString);
if (resp.responseStatus === 'successful') {
for (const entry of resp.responses ?? []) {
console.log(entry.certId.serialNumberHex, entry.certStatus);
}
}validateOcspResponse
Full OCSP response validation: response status check, signature verification, responder ID binding (byName or byKeyHash), delegated-responder chain and ocspSigning EKU checks, producedAt/thisUpdate/nextUpdate freshness, nonce match, and request-coverage completeness.
function validateOcspResponse(
input: ValidateOcspResponseInput,
): Promise<ValidateOcspResponseResult>Parameters
input:ValidateOcspResponseInput
Examples
import { validateOcspResponse } from 'micro509';
const result = await validateOcspResponse({
response: ocspResponseDer,
issuerCertificate: caPem,
request: ocspRequestDer,
});
if (result.ok) {
const entry = result.value.responses?.[0];
console.log(entry?.certStatus); // 'good' | 'revoked' | 'unknown'
}verifyOcspResponseSignature
Verifies the OCSP response signature against the given signer certificate.
Does not check responder binding, freshness, or nonce — use validateOcspResponse for full validation.
function verifyOcspResponseSignature(
response: string | Uint8Array | ParsedOcspResponse,
signerCertificate: OcspCertificateSource,
): Promise<VerifyOcspResponseSignatureResult>Parameters
response:string|Uint8Array|ParsedOcspResponsesignerCertificate:OcspCertificateSource
CheckCertificateRevocationErrorCode
Error codes that checkCertificateRevocation may surface inside an indeterminate result.
type CheckCertificateRevocationErrorCode = revocation_evidence_missing | revocation_status_indeterminateCheckCertificateRevocationFailureDetails
Diagnostic details attached to an indeterminate revocation result.
interface CheckCertificateRevocationFailureDetails {
readonly checkedSources: readonly RevocationEvidenceKind[];
readonly indeterminateEvidence: readonly RevocationIndeterminateEvidence[];
}Properties
readonlycheckedSources:readonlyRevocationEvidenceKind[]— Which evidence kinds were attempted ('crl','ocsp', or both).readonlyindeterminateEvidence:readonlyRevocationIndeterminateEvidence[]— Per-evidence explanations of why no definitive answer was reached.
CheckCertificateRevocationInput
Input for checkCertificateRevocation.
interface CheckCertificateRevocationInput {
readonly certificate: RevocationCertificateSource;
readonly issuerCertificate: RevocationCertificateSource;
readonly evidence?: readonly RevocationEvidenceInput[];
readonly at?: Date;
readonly clockSkewMs?: number;
}Properties
readonlycertificate:RevocationCertificateSource— Certificate whose revocation status to determine.readonlyissuerCertificate:RevocationCertificateSource— Issuer ofcertificate.readonlyevidence?:readonlyRevocationEvidenceInput[]— CRL and/or OCSP evidence to evaluate. Returnsindeterminateif empty.readonlyat?:Date— Evaluation time. Defaults tonew Date().readonlyclockSkewMs?:number— Clock-skew tolerance in milliseconds.
CheckCertificateRevocationResult
Result of checkCertificateRevocation. Always succeeds (ok: true) — the value.status discriminator carries the actual outcome.
type CheckCertificateRevocationResult = Result<CheckCertificateRevocationValue, never>CheckCertificateRevocationValue
Discriminated union of good, revoked, and indeterminate revocation outcomes.
type CheckCertificateRevocationValue = RevocationCheckGoodValue | RevocationCheckRevokedValue | RevocationCheckIndeterminateValueConfiguredOcspResponder
A manually-configured OCSP responder endpoint.
interface ConfiguredOcspResponder {
readonly uri: string;
readonly responderCertificate?: ConfiguredOcspResponderCertificate;
}Properties
readonlyuri:string— OCSP responder URI (typicallyhttp://...).readonlyresponderCertificate?:ConfiguredOcspResponderCertificate— Known responder certificate — skips embedded-certificate discovery.
ConfiguredOcspResponderCertificate
PEM or DER bytes of a pre-configured OCSP responder certificate.
type ConfiguredOcspResponderCertificate = string | Uint8ArrayOcspResponderCandidate
One candidate OCSP responder resolved by resolveOcspResponderCandidates.
interface OcspResponderCandidate {
readonly source: OcspResponderSource;
readonly uri: string;
readonly responderCertificate?: ConfiguredOcspResponderCertificate;
}Properties
readonlysource:OcspResponderSource— Whether this candidate came from configuration or the certificate's AIA extension.readonlyuri:string— OCSP responder URI.readonlyresponderCertificate?:ConfiguredOcspResponderCertificate— Pre-known responder certificate, if available.
OcspResponderSource
Where the OCSP responder URI came from.
type OcspResponderSource = configured | authorityInfoAccessResolveOcspResponderCandidatesInput
Input for resolveOcspResponderCandidates.
interface ResolveOcspResponderCandidatesInput {
readonly certificate: RevocationCertificateSource;
readonly configuredResponders?: readonly ConfiguredOcspResponder[];
}Properties
readonlycertificate:RevocationCertificateSource— Certificate whose AIA extension will be inspected for OCSP URIs.readonlyconfiguredResponders?:readonlyConfiguredOcspResponder[]— Manually-configured responders — checked before AIA-derived ones.
RevocationCertificateSource
PEM string, DER bytes, or already-parsed certificate.
type RevocationCertificateSource = string | Uint8Array | ParsedCertificateRevocationCheckGoodValue
Certificate is not revoked according to the checked evidence.
interface RevocationCheckGoodValue {
readonly status: Extract<RevocationStatus, good>;
readonly kind: RevocationEvidenceKind;
readonly message: string;
}Properties
readonlystatus:Extract<RevocationStatus,good> — Certificate is not revoked.readonlykind:RevocationEvidenceKind— Which evidence kind confirmed the good status.readonlymessage:string— Human-readable diagnostic message.
RevocationCheckIndeterminateValue
Revocation status could not be determined from the provided evidence.
interface RevocationCheckIndeterminateValue {
readonly status: Extract<RevocationStatus, indeterminate>;
readonly code: CheckCertificateRevocationErrorCode;
readonly message: string;
readonly details: CheckCertificateRevocationFailureDetails;
}Properties
readonlystatus:Extract<RevocationStatus,indeterminate> — Status is indeterminate.readonlycode:CheckCertificateRevocationErrorCode— Why revocation status is indeterminate.readonlymessage:string— Human-readable diagnostic message.readonlydetails:CheckCertificateRevocationFailureDetails— What evidence was attempted and why each failed.
RevocationCheckRevokedValue
Certificate is revoked according to the checked evidence.
interface RevocationCheckRevokedValue {
readonly status: Extract<RevocationStatus, revoked>;
readonly kind: RevocationEvidenceKind;
readonly message: string;
readonly revokedAt?: Date;
readonly revocationReason?: RevocationReason;
readonly revocationReasonCode?: number;
}Properties
readonlystatus:Extract<RevocationStatus,revoked> — Certificate is revoked.readonlykind:RevocationEvidenceKind— Which evidence kind reported the revocation.readonlymessage:string— Human-readable diagnostic message.readonlyrevokedAt?:Date— When the certificate was revoked (from CRL entry or OCSP response).readonlyrevocationReason?:RevocationReason— CRL reason string (from CRL evidence).readonlyrevocationReasonCode?:number— CRL reason integer code (from OCSP evidence).
RevocationCrlEvidenceInput
CRL-based revocation evidence for CheckCertificateRevocationInput.evidence.
interface RevocationCrlEvidenceInput {
readonly kind: crl;
readonly crl: CrlSource;
readonly deltaCrl?: CrlSource;
}Properties
readonlykind:crl— Discriminator for the CRL evidence variant.readonlycrl:CrlSource— Complete (base) CRL.readonlydeltaCrl?:CrlSource— Optional delta CRL for more recent revocation information.
RevocationEvidenceInput
Discriminated union of CRL and OCSP evidence inputs.
type RevocationEvidenceInput = RevocationCrlEvidenceInput | RevocationOcspEvidenceInputRevocationEvidenceKind
Which revocation mechanism produced the evidence.
type RevocationEvidenceKind = crl | ocspRevocationIndeterminateEvidence
One piece of evidence that failed to produce a definitive revocation answer.
interface RevocationIndeterminateEvidence {
readonly kind: RevocationEvidenceKind;
readonly code: RevocationIndeterminateReasonCode;
readonly message: string;
readonly reason?: CrlApplicabilityFailureReason;
}Properties
readonlykind:RevocationEvidenceKind— Whether this evidence was CRL or OCSP.readonlycode:RevocationIndeterminateReasonCode— Machine-readable reason code.readonlymessage:string— Human-readable explanation.readonlyreason?:CrlApplicabilityFailureReason— CRL-specific applicability failure reason, whenkindis'crl'.
RevocationIndeterminateReasonCode
Why a particular piece of evidence could not produce a definitive good/revoked answer.
type RevocationIndeterminateReasonCode = (typeof REVOCATION_INDETERMINATE_REASON_CODES)[number]RevocationOcspEvidenceInput
OCSP-based revocation evidence for CheckCertificateRevocationInput.evidence.
interface RevocationOcspEvidenceInput {
readonly kind: ocsp;
readonly response: string | Uint8Array | ParsedOcspResponse;
readonly request?: OcspRequestSource;
readonly responderCertificate?: OcspCertificateSource;
}Properties
readonlykind:ocsp— Discriminator for the OCSP evidence variant.readonlyresponse:string|Uint8Array|ParsedOcspResponse— OCSP response to validate.readonlyrequest?:OcspRequestSource— Original OCSP request — enables nonce and coverage checks.readonlyresponderCertificate?:OcspCertificateSource— Explicit responder certificate — overrides embedded certificate discovery.
RevocationStatus
Unified revocation outcome across CRL and OCSP evidence.
type RevocationStatus = good | revoked | indeterminatecheckCertificateRevocation
Evaluates all provided CRL and OCSP evidence to determine the certificate's revocation status. Returns the first revoked if any, else the first good, else indeterminate with diagnostic details about each indeterminate evidence.
function checkCertificateRevocation(
input: CheckCertificateRevocationInput,
): Promise<CheckCertificateRevocationResult>Parameters
Examples
import { checkCertificateRevocation } from 'micro509';
const result = await checkCertificateRevocation({
certificate: leafPem,
issuerCertificate: caPem,
evidence: [{ kind: 'crl', crl: crlPem }],
});
if (result.ok && result.value.status === 'revoked') {
console.log('revoked at', result.value.revokedAt);
}getCertificateOcspResponderUris
Extracts OCSP responder URIs from the certificate's Authority Information Access extension.
function getCertificateOcspResponderUris(
certificate: RevocationCertificateSource,
): readonly string[]Parameters
certificate:RevocationCertificateSource
REVOCATION_INDETERMINATE_REASON_CODES
Every RevocationIndeterminateReasonCode, as a runtime array.
const REVOCATION_INDETERMINATE_REASON_CODES: certificate_status_missing | certificate_status_unknown | crl_sign_not_permitted | issuer_mismatch | non_applicable | nonce_mismatch | ocsp_signing_missing | request_mismatch | responder_id_mismatch | responder_chain_invalid | responder_revoked | responder_revocation_unknown | response_status_invalid | signature_invalid | stale_crl | stale_response[]resolveOcspResponderCandidates
Merges configured OCSP responders with those discovered from the certificate's AIA extension. Configured responders take priority; duplicates are deduplicated by URI.
function resolveOcspResponderCandidates(
input: ResolveOcspResponderCandidatesInput,
): readonly OcspResponderCandidate[]Parameters
IssuingDistributionPoint
Input for the Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).
The union enforces that at most one of the onlyContains* flags is true.
type IssuingDistributionPoint = IssuingDistributionPointBase | IssuingDistributionPointForUserCerts | IssuingDistributionPointForCaCerts | IssuingDistributionPointForAttributeCertsIssuingDistributionPointBase
Base shape for Issuing Distribution Point (RFC 5280 §5.2.5) — no scope restriction.
interface IssuingDistributionPointBase {
readonly distributionPoint?: DistributionPointName;
readonly onlySomeReasons?: readonly DistributionPointReason[];
readonly indirectCrl?: boolean;
readonly onlyContainsUserCerts?: false;
readonly onlyContainsCACerts?: false;
readonly onlyContainsAttributeCerts?: boolean;
}Properties
readonlydistributionPoint?:DistributionPointName— Where to fetch this CRL.readonlyonlySomeReasons?:readonlyDistributionPointReason[]— Limits the CRL to these revocation reasons. Absent means all reasons.readonlyindirectCrl?:boolean— When true, the CRL may contain entries from other CAs. Default false.readonlyonlyContainsUserCerts?:false— Must be absent or false in this variant (no user-cert-only restriction).readonlyonlyContainsCACerts?:false— Must be absent or false in this variant (no CA-cert-only restriction).readonlyonlyContainsAttributeCerts?:boolean— When true, the CRL only covers attribute certificates. Default false.
IssuingDistributionPointForAttributeCerts
IDP scoped to attribute certificates only. Mutually exclusive with user / CA scopes.
interface IssuingDistributionPointForAttributeCerts extends Omit<IssuingDistributionPointBase, onlyContainsAttributeCerts> {
readonly onlyContainsUserCerts?: false;
readonly onlyContainsCACerts?: false;
readonly onlyContainsAttributeCerts: true;
}Properties
readonlyonlyContainsUserCerts?:false— Must be absent or false when the CRL is not user-cert-only.readonlyonlyContainsCACerts?:false— Must be absent or false when the CRL is not CA-only.readonlyonlyContainsAttributeCerts:true— This variant only covers attribute certificates.
IssuingDistributionPointForCaCerts
IDP scoped to CA certificates only. Mutually exclusive with user / attribute scopes.
interface IssuingDistributionPointForCaCerts extends Omit<IssuingDistributionPointBase, onlyContainsCACerts> {
readonly onlyContainsUserCerts?: false;
readonly onlyContainsCACerts: true;
readonly onlyContainsAttributeCerts?: false;
}Properties
readonlyonlyContainsUserCerts?:false— Must be absent or false when the CRL is not user-cert-only.readonlyonlyContainsCACerts:true— This variant only covers CA certificates.readonlyonlyContainsAttributeCerts?:false— Must be absent or false when the CRL is not attribute-cert-only.
IssuingDistributionPointForUserCerts
IDP scoped to end-entity (user) certificates only. Mutually exclusive with CA / attribute scopes.
interface IssuingDistributionPointForUserCerts extends Omit<IssuingDistributionPointBase, onlyContainsUserCerts> {
readonly onlyContainsUserCerts: true;
readonly onlyContainsCACerts?: false;
readonly onlyContainsAttributeCerts?: false;
}Properties
readonlyonlyContainsUserCerts:true— This variant only covers end-entity certificates.readonlyonlyContainsCACerts?:false— Must be absent or false when the CRL is not CA-only.readonlyonlyContainsAttributeCerts?:false— Must be absent or false when the CRL is not attribute-cert-only.
ParsedIssuingDistributionPoint
Decoded Issuing Distribution Point CRL extension (RFC 5280 §5.2.5). Constrains which certificates a CRL covers (scope, reasons, indirection).
interface ParsedIssuingDistributionPoint {
readonly distributionPoint?: ParsedDistributionPointName;
readonly onlyContainsUserCerts?: boolean;
readonly onlyContainsCACerts?: boolean;
readonly onlySomeReasons?: ParsedBitFlags<DistributionPointReason>;
readonly indirectCrl?: boolean;
readonly onlyContainsAttributeCerts?: boolean;
}Properties
readonlydistributionPoint?:ParsedDistributionPointName— Where to fetch this CRL, if specified.readonlyonlyContainsUserCerts?:boolean— When true, this CRL only covers end-entity certificates. Default false.readonlyonlyContainsCACerts?:boolean— When true, this CRL only covers CA certificates. Default false.readonlyonlySomeReasons?:ParsedBitFlags<DistributionPointReason> — Limits the CRL to these revocation reasons. Absent means all reasons.readonlyindirectCrl?:boolean— When true, this CRL may contain entries from CAs other than the issuer. Default false.readonlyonlyContainsAttributeCerts?:boolean— When true, this CRL only covers attribute certificates. Default false.