Skip to content

micro509/revocation

Canonical revocation domain surface. Owns CRL, OCSP, and revocation orchestration APIs.

CertificateRevocationStatus

Revocation evaluation result for a single certificate.

One entry per certificate in CheckChainRevocationValue.certificates. The trust anchor is excluded (never checked for revocation).

ts
type CertificateRevocationStatus = {
  readonly certificate: ParsedCertificate;
  readonly status: good;
  readonly source: RevocationSource;
  readonly indeterminateReasons?: undefined;
  readonly revocationInfo?: undefined
} | {
  readonly certificate: ParsedCertificate;
  readonly status: revoked;
  readonly source: RevocationSource;
  readonly revocationInfo: {
  readonly revocationDate: Date;
  readonly reason?: RevocationReason
};
  readonly indeterminateReasons?: undefined
} | {
  readonly certificate: ParsedCertificate;
  readonly status: indeterminate;
  readonly indeterminateReasons: readonly RevocationIndeterminateReason[];
  readonly source?: undefined;
  readonly revocationInfo?: undefined
}

CheckChainRevocationInput

Input for checkChainRevocation.

ts
interface CheckChainRevocationInput {
	readonly chain: readonly ParsedCertificate[];
	readonly crls?: readonly CrlSource[];
	readonly ocspResponses?: readonly OcspResponseSource[];
	readonly extraCertificates?: readonly RevocationCertificateSource[];
	readonly trustedOcspResponders?: readonly RevocationCertificateSource[];
	readonly at?: Date;
	readonly policy?: RevocationPolicy;
}

Properties

  • readonly chain: readonly ParsedCertificate[] — Validated certificate chain (leaf first, root last).
  • readonly crls?: readonly CrlSource[] — CRLs to evaluate.
  • readonly ocspResponses?: readonly OcspResponseSource[] — OCSP responses to evaluate.
  • readonly extraCertificates?: readonly RevocationCertificateSource[] — Extra certs for indirect CRL issuers / delegated OCSP responders.
  • readonly trustedOcspResponders?: readonly RevocationCertificateSource[] — Explicitly trusted OCSP responder certificates (RFC 6960 §4.2.2.2 criterion 1). A response signed by one of these is accepted without delegated-responder issuance, EKU, and revocation checks.
  • readonly at?: Date — Evaluation time. Defaults to new Date().
  • readonly policy?: RevocationPolicy — Revocation policy.

CheckChainRevocationResult

Result type for checkChainRevocation.

ts
type CheckChainRevocationResult = {
  readonly ok: true;
  readonly value: CheckChainRevocationValue
}

CheckChainRevocationValue

Detailed revocation check results.

Returned as CheckChainRevocationResult.value from checkChainRevocation. Contains both the policy decision and detailed per-certificate findings for debugging.

ts
interface CheckChainRevocationValue {
	readonly decision: allow | deny;
	readonly summary: {
  readonly revokedCertificates: readonly ParsedCertificate[];
  readonly indeterminateCertificates: readonly ParsedCertificate[]
};
	readonly certificates: readonly CertificateRevocationStatus[];
	readonly executionErrors?: readonly RevocationExecutionError[];
}

Properties

OcspResponseSource

OCSP response in any supported format.

Accepts PEM string or DER bytes. Used for CheckChainRevocationInput.ocspResponses.

ts
type OcspResponseSource = string | Uint8Array

RevocationExecutionError

Errors encountered while processing revocation evidence.

Distinct from RevocationIndeterminateReason: execution errors are code failures (malformed CRL, unsupported extension) rather than evaluation outcomes (CRL doesn't cover this certificate).

Collected in CheckChainRevocationValue.executionErrors.

ts
interface RevocationExecutionError {
	readonly kind: parse_error | unsupported_extension | internal_error;
	readonly message: string;
	readonly evidenceIdentifier?: string;
}

Properties

  • readonly kind: parse_error | unsupported_extension | internal_error — Error category.
  • readonly message: string — Human-readable error description.
  • readonly evidenceIdentifier?: string — Which evidence caused the error (e.g., CRL issuer DN).

RevocationIndeterminateReason

See the doc comment above REVOCATION_INDETERMINATE_REASONS.

ts
type RevocationIndeterminateReason = (typeof REVOCATION_INDETERMINATE_REASONS)[number]

RevocationPolicy

Revocation checking policy for checkChainRevocation.

Controls how indeterminate results (missing evidence, expired CRLs) affect the final decision.

ts
interface RevocationPolicy {
	readonly mode?: soft-fail | hard-fail;
	readonly prefer?: ocsp | crl | best-available;
	readonly ocspResponderRevocation?: OcspResponderRevocationPolicy;
}

Properties

  • readonly mode?: soft-fail | hard-fail — How to handle indeterminate status.

    • 'hard-fail': indeterminate certificates cause denial (default)
    • 'soft-fail': indeterminate certificates are allowed — an explicit availability/compatibility choice

    Revocation checking itself is opt-in: no check runs unless evidence is supplied. Once it is, indeterminate status denies by default.

  • readonly prefer?: ocsp | crl | best-available — Evidence preference when multiple sources are available.

    Both evidence kinds are always evaluated, and a validated revoked verdict from either source wins regardless of preference (fail-closed). Preference only decides which source's good verdict is reported when both yield one.

    • 'best-available': the source with the fresher evidence — the later thisUpdate on the validated OCSP entry or CRL — is reported; ties favor OCSP (default)
    • 'ocsp': prefer OCSP over CRL
    • 'crl': prefer CRL over OCSP
  • readonly ocspResponderRevocation?: OcspResponderRevocationPolicy — Revocation policy for delegated OCSP responder certificates (RFC 6960 §4.2.2.2.1). Supplied CRLs double as responder revocation evidence. Defaults to 'honor-nocheck'.

RevocationSource

Identifies the source of revocation evidence.

Included in CertificateRevocationStatus's source when status is 'good' or 'revoked' to indicate which CRL or OCSP response provided the answer.

ts
interface RevocationSource {
	readonly kind: crl | ocsp;
	readonly signerCertificate?: ParsedCertificate;
	readonly evidenceIdentifier?: string;
	readonly thisUpdate?: Date;
}

Properties

  • readonly kind: crl | ocsp — Whether evidence came from a CRL or OCSP response.
  • readonly signerCertificate?: ParsedCertificate — Certificate that signed the evidence (CRL issuer or OCSP responder).
  • readonly evidenceIdentifier?: string — Identifier for debugging (e.g., CRL issuer DN or OCSP responder URL).
  • readonly thisUpdate?: DatethisUpdate of the evidence backing the verdict — the OCSP single response entry or the freshest contributing CRL (an applied delta CRL supersedes its base). This is the timestamp 'best-available' compares.

checkChainRevocation

Checks revocation status for all certificates in a validated chain.

Evaluates CRL and OCSP evidence against each certificate (except the trust anchor), applies the revocation policy, and returns a unified decision.

ts
function checkChainRevocation(
	input: CheckChainRevocationInput,
): Promise<CheckChainRevocationResult>

Parameters

Examples

ts
const result = await checkChainRevocation({
  chain: validatedChain,
  crls: [crl1, crl2],
  ocspResponses: [ocspResponseDer],
  policy: { mode: 'hard-fail' },
});
if (result.value.decision === 'deny') {
  console.log('Revocation check failed');
}

REVOCATION_INDETERMINATE_REASONS

Granular reasons why revocation status could not be determined.

Returned in CertificateRevocationStatus's indeterminateReasons when status is 'indeterminate'. Grouped by category:

  • Evidence not found: no_applicable_crl, no_applicable_ocsp
  • Scope mismatch: distribution_point_mismatch, issuer_name_mismatch, reason_scope_mismatch, indirect_crl_scope_mismatch, reason_coverage_incomplete
  • Signer trust: crl_signer_not_found, crl_signer_not_authorized, crl_signer_revoked, crl_signer_indeterminate, and OCSP equivalents
  • Freshness: crl_expired, ocsp_response_expired
ts
const REVOCATION_INDETERMINATE_REASONS: no_applicable_crl | no_applicable_ocsp | distribution_point_mismatch | issuer_name_mismatch | reason_scope_mismatch | indirect_crl_scope_mismatch | reason_coverage_incomplete | crl_signer_not_found | crl_signer_not_authorized | crl_signer_revoked | crl_signer_indeterminate | ocsp_responder_not_found | ocsp_responder_not_authorized | ocsp_responder_revoked | ocsp_responder_indeterminate | crl_expired | ocsp_response_expired | ocsp_status_unknown[]

CertificateRevocationListMaterial

Encoded CRL in multiple serialisation formats, returned by createCertificateRevocationList.

ts
interface CertificateRevocationListMaterial {
	readonly der: Uint8Array;
	readonly pem: string;
	readonly base64: string;
}

Properties

  • readonly der: Uint8Array — Raw DER bytes of the signed CRL.
  • readonly pem: string — PEM-encoded CRL (-----BEGIN X509 CRL-----).
  • readonly base64: string — Base64-encoded DER (no PEM armour).

CheckCertificateRevocationAgainstCrlErrorCode

Error codes that checkCertificateRevocationAgainstCrl may return.

ts
type CheckCertificateRevocationAgainstCrlErrorCode = signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted | non_applicable

CheckCertificateRevocationAgainstCrlFailure

Failure detail for checkCertificateRevocationAgainstCrl.

ts
interface CheckCertificateRevocationAgainstCrlFailure extends Micro509Error<CheckCertificateRevocationAgainstCrlErrorCode, CheckCertificateRevocationAgainstCrlFailureDetails> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

CheckCertificateRevocationAgainstCrlFailureDetails

Structured details attached to a CheckCertificateRevocationAgainstCrlFailure.

ts
interface CheckCertificateRevocationAgainstCrlFailureDetails {
	readonly reason?: CrlApplicabilityFailureReason;
}

Properties

CheckCertificateRevocationAgainstCrlGoodValue

Success value when the certificate is not found in the CRL.

ts
interface CheckCertificateRevocationAgainstCrlGoodValue {
	readonly status: good;
	readonly crl: ParsedCertificateRevocationList;
}

Properties

CheckCertificateRevocationAgainstCrlInput

Input for checkCertificateRevocationAgainstCrl.

ts
interface CheckCertificateRevocationAgainstCrlInput {
	readonly certificate: CrlCertificateSource;
	readonly issuerCertificate: CrlCertificateSource;
	readonly crl: CrlSource;
	readonly deltaCrl?: CrlSource;
	readonly at?: Date;
	readonly clockSkewMs?: number;
}

Properties

  • readonly certificate: CrlCertificateSource — Certificate whose revocation status to check.
  • readonly issuerCertificate: CrlCertificateSource — Issuer of certificate — also expected signer of the CRL.
  • readonly crl: CrlSource — Complete (base) CRL to check against.
  • readonly deltaCrl?: CrlSource — Optional delta CRL for more recent revocation information.
  • readonly at?: Date — Evaluation time. Defaults to new Date().
  • readonly clockSkewMs?: number — Clock-skew tolerance in milliseconds for freshness checks.

CheckCertificateRevocationAgainstCrlResult

Result of checkCertificateRevocationAgainstCrl.

On success value.status is 'good' or 'revoked'. On failure the CRL could not be validated or was non-applicable.

ts
type CheckCertificateRevocationAgainstCrlResult = {
  readonly ok: true;
  readonly value: CheckCertificateRevocationAgainstCrlValue
} | ErrorResult<CheckCertificateRevocationAgainstCrlErrorCode, CheckCertificateRevocationAgainstCrlFailureDetails, CheckCertificateRevocationAgainstCrlFailure>

CheckCertificateRevocationAgainstCrlRevokedValue

Success value when the certificate is found as revoked in the CRL.

ts
interface CheckCertificateRevocationAgainstCrlRevokedValue {
	readonly status: revoked;
	readonly crl: ParsedCertificateRevocationList;
	readonly revocationDate: Date;
	readonly reasonCode?: RevocationReason;
}

Properties

  • readonly status: revoked — Certificate is revoked.
  • readonly crl: ParsedCertificateRevocationList — The validated CRL that contained the revocation entry.
  • readonly revocationDate: Date — When the CA declared this certificate revoked.
  • readonly reasonCode?: RevocationReason — CRLReason from the entry, if present.

CheckCertificateRevocationAgainstCrlValue

Discriminated union of good and revoked outcomes.

ts
type CheckCertificateRevocationAgainstCrlValue = CheckCertificateRevocationAgainstCrlGoodValue | CheckCertificateRevocationAgainstCrlRevokedValue

CreateCertificateRevocationListInput

Input for createCertificateRevocationList.

ts
interface CreateCertificateRevocationListInput {
	readonly issuer: NameInput;
	readonly signerPrivateKey: CryptoKey;
	readonly issuerPublicKey?: CryptoKey;
	readonly thisUpdate?: Date;
	readonly nextUpdate?: Date;
	readonly revokedCertificates?: readonly RevokedCertificateInput[];
	readonly crlNumber?: number;
	readonly baseCrlNumber?: number;
	readonly issuingDistributionPoint?: IssuingDistributionPoint;
	readonly freshestCrlDistributionPoints?: readonly DistributionPoint[];
}

Properties

  • readonly issuer: NameInput — Distinguished name of the CRL issuer (typically the signing CA).
  • readonly signerPrivateKey: CryptoKey — Private key used to sign the CRL. Algorithm is inferred from the key.
  • readonly issuerPublicKey?: CryptoKey — Issuer public key — used to embed an Authority Key Identifier extension.
  • readonly thisUpdate?: Date — Issuance timestamp. Defaults to new Date().
  • readonly nextUpdate?: Date — Planned next issuance. Omit for an open-ended CRL.
  • readonly revokedCertificates?: readonly RevokedCertificateInput[] — Certificates to list as revoked in this CRL.
  • readonly crlNumber?: number — Monotonically-increasing CRL sequence number (CRLNumber extension).
  • readonly baseCrlNumber?: number — If set, marks this CRL as a delta CRL referencing the given base CRL number.
  • readonly issuingDistributionPoint?: IssuingDistributionPoint — Issuing distribution point extension — scopes this CRL to a subset of certificates.
  • readonly freshestCrlDistributionPoints?: readonly DistributionPoint[] — Freshest CRL distribution points — tells relying parties where to find delta CRLs.

CrlApplicabilityFailureReason

Structured reason why a CRL was deemed non-applicable to a given certificate.

ts
type CrlApplicabilityFailureReason = certificate_scope_mismatch | delta_crl_incompatible | unsupported_delta_crl | distribution_point_mismatch | unsupported_indirect_crl | issuer_mismatch | reasons_mismatch

CrlCertificateSource

PEM string, DER bytes, or already-parsed certificate.

ts
type CrlCertificateSource = string | Uint8Array | ParsedCertificate

CrlSource

PEM string, DER bytes, or already-parsed CRL.

ts
type CrlSource = string | Uint8Array | ParsedCertificateRevocationList

ParseCertificateRevocationListErrorCode

Machine-readable failure reason for the CRL parsers.

ts
type ParseCertificateRevocationListErrorCode = malformed

ParseCertificateRevocationListFailure

Structured failure payload for CRL parsing.

ts
interface ParseCertificateRevocationListFailure extends Micro509Error<ParseCertificateRevocationListErrorCode> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

ParseCertificateRevocationListResult

Success-or-failure result from parseCertificateRevocationListDer / parseCertificateRevocationListPem.

ts
type ParseCertificateRevocationListResult = {
  readonly ok: true;
  readonly value: ParsedCertificateRevocationList
} | ErrorResult<ParseCertificateRevocationListErrorCode, Record<never, never>, ParseCertificateRevocationListFailure>

ParsedCertificateRevocationList

Decoded X.509 CRL, returned by parseCertificateRevocationListDer and parseCertificateRevocationListPem.

ts
interface ParsedCertificateRevocationList {
	readonly der?: Uint8Array;
	readonly version: number;
	readonly tbsCertListDer: Uint8Array;
	readonly signatureValue: Uint8Array;
	readonly issuer: ParsedName;
	readonly thisUpdate: Date;
	readonly nextUpdate?: Date;
	readonly signatureAlgorithmOid: string;
	readonly signatureAlgorithmName: string;
	readonly signatureAlgorithmParametersDer?: Uint8Array;
	readonly issuerPublicKeyAlgorithmOid?: string;
	readonly issuerPublicKeyParametersOid?: string;
	readonly authorityKeyIdentifier?: string;
	readonly crlNumber?: number;
	readonly baseCrlNumber?: number;
	readonly issuingDistributionPoint?: ParsedIssuingDistributionPoint;
	readonly freshestCrlDistributionPoints?: readonly ParsedDistributionPoint[];
	readonly revokedCertificates: readonly ParsedRevokedCertificate[];
}

Properties

  • readonly der?: Uint8Array — Original DER bytes when this object came from parseCertificateRevocationListDer or PEM parsing.
  • readonly version: number — CRL version (1 = v1, 2 = v2 with extensions).
  • readonly tbsCertListDer: Uint8Array — DER-encoded TBSCertList — the signed payload for signature verification.
  • readonly signatureValue: Uint8Array — Raw signature bytes from the CRL outer wrapper.
  • readonly issuer: ParsedName — CRL issuer distinguished name.
  • readonly thisUpdate: Date — Start of the CRL validity window.
  • readonly nextUpdate?: Date — End of the CRL validity window. Absent if the CA does not commit to a schedule.
  • readonly signatureAlgorithmOid: string — OID of the algorithm used to sign this CRL.
  • readonly signatureAlgorithmName: string — Human-readable signature algorithm name (e.g. "ECDSA with SHA-256").
  • readonly signatureAlgorithmParametersDer?: Uint8Array — DER-encoded signature algorithm parameters (e.g. DER NULL for RSA PKCS#1 v1.5).
  • readonly issuerPublicKeyAlgorithmOid?: string — OID of the issuer's public key algorithm, when available.
  • readonly issuerPublicKeyParametersOid?: string — OID of the issuer's public key parameters (e.g. named curve), when available.
  • readonly authorityKeyIdentifier?: string — Hex-encoded Authority Key Identifier, if the extension is present.
  • readonly crlNumber?: number — CRLNumber extension value — monotonically increasing sequence number.
  • readonly baseCrlNumber?: number — Delta CRL indicator — present only on delta CRLs, referencing the base CRL number.
  • readonly issuingDistributionPoint?: ParsedIssuingDistributionPoint — Issuing distribution point extension — scopes this CRL to a certificate subset.
  • readonly freshestCrlDistributionPoints?: readonly ParsedDistributionPoint[] — Freshest CRL extension — points to delta CRL locations.
  • readonly revokedCertificates: readonly ParsedRevokedCertificate[] — All revoked certificate entries (empty array if none).

ParsedRevokedCertificate

A single revoked-certificate entry decoded from a CRL.

ts
interface ParsedRevokedCertificate {
	readonly serialNumberHex: string;
	readonly revocationDate: Date;
	readonly reasonCode?: RevocationReason;
	readonly invalidityDate?: Date;
	readonly certificateIssuer?: readonly GeneralName[];
}

Properties

  • readonly serialNumberHex: string — Hex-encoded serial number of the revoked certificate.
  • readonly revocationDate: Date — When the CA declared this certificate revoked.
  • readonly reasonCode?: RevocationReason — RFC 5280 CRLReason, if the entry carries one.
  • readonly invalidityDate?: Date — When the key or certificate actually became suspect, if present.
  • readonly certificateIssuer?: readonly GeneralName[] — Indirect-CRL certificate issuer override (RFC 5280 §5.3.3).

RevocationReason

RFC 5280 §5.3.1 CRLReason code values.

removeFromCRL is used in delta CRLs to un-hold a certificate.

ts
type RevocationReason = unspecified | keyCompromise | cACompromise | affiliationChanged | superseded | cessationOfOperation | certificateHold | removeFromCRL | privilegeWithdrawn | aACompromise

RevokedCertificateInput

Single revoked certificate entry for createCertificateRevocationList.

ts
interface RevokedCertificateInput {
	readonly serialNumber: Uint8Array;
	readonly revocationDate?: Date;
	readonly reasonCode?: RevocationReason;
	readonly invalidityDate?: Date;
}

Properties

  • readonly serialNumber: Uint8Array — DER-encoded certificate serial number to revoke.
  • readonly revocationDate?: Date — When the certificate was revoked. Defaults to thisUpdate of the CRL.
  • readonly reasonCode?: RevocationReason — RFC 5280 CRLReason code. Omit for unspecified.
  • readonly invalidityDate?: Date — When the key or certificate became suspect — may predate revocationDate.

ValidateCertificateRevocationListFailure

Failure detail for validateCertificateRevocationList.

Possible codes: signature_invalid, issuer_mismatch, stale_crl, crl_sign_not_permitted.

ts
interface ValidateCertificateRevocationListFailure extends Micro509Error<signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

ValidateCertificateRevocationListInput

Input for validateCertificateRevocationList.

ts
interface ValidateCertificateRevocationListInput {
	readonly crl: CrlSource;
	readonly issuerCertificate: CrlCertificateSource;
	readonly at?: Date;
	readonly clockSkewMs?: number;
}

Properties

  • readonly crl: CrlSource — The CRL to validate.
  • readonly issuerCertificate: CrlCertificateSource — Certificate of the CA that should have signed the CRL.
  • readonly at?: Date — Evaluation time for freshness checks. Defaults to new Date().
  • readonly clockSkewMs?: number — Tolerance in milliseconds for clock skew when checking thisUpdate/nextUpdate.

ValidateCertificateRevocationListResult

Result of validateCertificateRevocationList.

On success, the CRL has passed signature, issuer, key-usage, and freshness checks.

ts
type ValidateCertificateRevocationListResult = {
  readonly ok: true;
  readonly value: ParsedCertificateRevocationList
} | ErrorResult<signature_invalid | issuer_mismatch | stale_crl | crl_sign_not_permitted, Record<never, never>, ValidateCertificateRevocationListFailure>

VerifyCertificateRevocationListSignatureFailure

Failure detail when CRL signature verification fails.

ts
interface VerifyCertificateRevocationListSignatureFailure extends Micro509Error<signature_invalid> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

VerifyCertificateRevocationListSignatureResult

Result of verifyCertificateRevocationListSignature.

On success, value is the parsed CRL whose signature has been verified.

ts
type VerifyCertificateRevocationListSignatureResult = {
  readonly ok: true;
  readonly value: ParsedCertificateRevocationList
} | ErrorResult<signature_invalid, Record<never, never>, VerifyCertificateRevocationListSignatureFailure>

checkCertificateRevocationAgainstCrl

End-to-end revocation check: validates the CRL (and optional delta CRL), verifies applicability via distribution-point and scope matching, then resolves the certificate's revocation status.

Returns good if the serial is absent, revoked with date/reason if present, or an error if the CRL cannot be validated or is non-applicable.

ts
function checkCertificateRevocationAgainstCrl(
	input: CheckCertificateRevocationAgainstCrlInput,
): Promise<CheckCertificateRevocationAgainstCrlResult>

Parameters

Examples

ts
import { checkCertificateRevocationAgainstCrl } from 'micro509';

const result = await checkCertificateRevocationAgainstCrl({
  certificate: leafPem,
  issuerCertificate: caPem,
  crl: crlPem,
});
if (result.ok && result.value.status === 'revoked') {
  console.log('revoked on', result.value.revocationDate);
}

createCertificateRevocationList

Signs and encodes an X.509 v2 CRL.

Embeds Authority Key Identifier, CRLNumber, delta CRL indicator, issuing distribution point, and freshest-CRL extensions as configured.

ts
function createCertificateRevocationList(
	input: CreateCertificateRevocationListInput,
): Promise<CertificateRevocationListMaterial>

Parameters

Examples

ts
import { createCertificateRevocationList } from 'micro509';

const crl = await createCertificateRevocationList({
  issuer: { commonName: 'Example CA' },
  signerPrivateKey: caPrivateKey,
  issuerPublicKey: caPublicKey,
  thisUpdate: new Date('2025-01-01'),
  nextUpdate: new Date('2025-02-01'),
  crlNumber: 42,
  revokedCertificates: [
    { serialNumber: revokedSerial, reasonCode: 'keyCompromise' },
  ],
});
// crl.pem, crl.der, crl.base64

isCertificateRevoked

Quick serial-number lookup — returns true if the serial appears in the CRL's revoked entries. Does not validate the CRL or check applicability.

ts
function isCertificateRevoked(
	certificateSerialNumber: Uint8Array | string,
	crl: ParsedCertificateRevocationList,
): boolean

Parameters

parseCertificateRevocationListDer

Decodes a DER-encoded X.509 CRL into a structured ParsedCertificateRevocationList.

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseCertificateRevocationListDerOrThrow. Does not verify the signature — call verifyCertificateRevocationListSignature or validateCertificateRevocationList for that.

ts
function parseCertificateRevocationListDer(
	der: Uint8Array,
): ParseCertificateRevocationListResult

Parameters

  • der: Uint8Array

parseCertificateRevocationListDerOrThrow

Throwing core for parseCertificateRevocationListDer.

Does not verify the signature — call verifyCertificateRevocationListSignature or validateCertificateRevocationList for that.

ts
function parseCertificateRevocationListDerOrThrow(
	der: Uint8Array,
): ParsedCertificateRevocationList

Parameters

  • der: Uint8Array

parseCertificateRevocationListPem

Decodes a PEM-encoded X.509 CRL (-----BEGIN X509 CRL-----).

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseCertificateRevocationListPemOrThrow.

ts
function parseCertificateRevocationListPem(
	pem: string,
): ParseCertificateRevocationListResult

Parameters

  • pem: string

parseCertificateRevocationListPemOrThrow

Decodes a PEM-encoded X.509 CRL (-----BEGIN X509 CRL-----).

ts
function parseCertificateRevocationListPemOrThrow(
	pem: string,
): ParsedCertificateRevocationList

Parameters

  • pem: string

Examples

ts
import { parseCertificateRevocationListPemOrThrow } from 'micro509';

const crl = parseCertificateRevocationListPemOrThrow(pemString); // throws if malformed
console.log(crl.issuer.values.commonName, crl.revokedCertificates.length);

validateCertificateRevocationList

Full CRL validation: issuer name match, authority key identifier match, cRLSign key-usage check, signature verification, and thisUpdate/nextUpdate freshness check (with optional clock-skew tolerance).

ts
function validateCertificateRevocationList(
	input: ValidateCertificateRevocationListInput,
): Promise<ValidateCertificateRevocationListResult>

Parameters

verifyCertificateRevocationListSignature

Verifies the CRL signature against the issuer certificate's public key.

Does not check issuer name match, key-usage, or freshness — use validateCertificateRevocationList for full validation.

ts
function verifyCertificateRevocationListSignature(
	crl: string | Uint8Array,
	issuerCertificate: string | Uint8Array,
): Promise<VerifyCertificateRevocationListSignatureResult>

Parameters

  • crl: string | Uint8Array
  • issuerCertificate: string | Uint8Array

CreateOcspRequestInput

Input for createOcspRequest.

ts
interface CreateOcspRequestInput {
	readonly requests: readonly CreateOcspRequestItemInput[];
	readonly hashAlgorithm?: OcspHashAlgorithm;
	readonly nonce?: Uint8Array;
}

Properties

  • readonly requests: readonly CreateOcspRequestItemInput[] — One or more certificates to query (batched into a single OCSP request).
  • readonly hashAlgorithm?: OcspHashAlgorithm — Hash algorithm for CertID computation. Defaults to 'SHA-1'.
  • readonly nonce?: Uint8Array — Random nonce for replay protection. Omit to skip the nonce extension.

CreateOcspRequestItemInput

One certificate whose status to query in an OCSP request. Used as an element of CreateOcspRequestInput.requests.

ts
interface CreateOcspRequestItemInput {
	readonly certificate: OcspCertificateSource;
	readonly issuerCertificate: OcspCertificateSource;
}

Properties

  • readonly certificate: OcspCertificateSource — Certificate whose revocation status is being queried.
  • readonly issuerCertificate: OcspCertificateSource — Issuer of certificate — needed to compute the CertID hash.

CreateOcspResponseInput

Input for createOcspResponse.

ts
interface CreateOcspResponseInput {
	readonly signerPrivateKey: CryptoKey;
	readonly signerCertificate: OcspCertificateSource;
	readonly responses: readonly CreateOcspSingleResponseInput[];
	readonly producedAt?: Date;
	readonly nonce?: Uint8Array;
	readonly hashAlgorithm?: OcspHashAlgorithm;
	readonly includedCertificates?: readonly OcspCertificateSource[];
}

Properties

  • readonly signerPrivateKey: CryptoKey — Private key used to sign the response. Algorithm is inferred from the key.
  • readonly signerCertificate: OcspCertificateSource — Certificate of the OCSP responder — used to build the responder ID (by key hash).
  • readonly responses: readonly CreateOcspSingleResponseInput[] — Per-certificate status entries to include in the BasicOCSPResponse.
  • readonly producedAt?: Date — Timestamp for the producedAt field. Defaults to new Date().
  • readonly nonce?: Uint8Array — Nonce to echo back for replay protection.
  • readonly hashAlgorithm?: OcspHashAlgorithm — Hash algorithm for CertID computation. Defaults to 'SHA-1'.
  • readonly includedCertificates?: readonly OcspCertificateSource[] — Extra certificates to embed in the response (e.g. the responder's issuer chain).

CreateOcspSingleResponseInput

One certificate's status entry for CreateOcspResponseInput.responses. Extends CreateOcspRequestItemInput with status and timing fields.

ts
interface CreateOcspSingleResponseInput extends CreateOcspRequestItemInput {
	readonly certStatus: OcspCertStatus;
	readonly thisUpdate?: Date;
	readonly nextUpdate?: Date;
	readonly revokedAt?: Date;
	readonly revocationReasonCode?: number;
}

Properties

  • readonly certStatus: OcspCertStatus — Status to assert for this certificate.
  • readonly thisUpdate?: Date — Start of the validity window for this status assertion. Defaults to new Date().
  • readonly nextUpdate?: Date — End of the validity window. Omit for open-ended assertions.
  • readonly revokedAt?: Date — Revocation time (required when certStatus is 'revoked'). Defaults to thisUpdate.
  • readonly revocationReasonCode?: number — CRLReason integer code (only meaningful when certStatus is 'revoked').

OcspCertificateSource

PEM string, DER bytes, or already-parsed certificate.

ts
type OcspCertificateSource = string | Uint8Array | ParsedCertificate

OcspCertStatus

RFC 6960 certificate status reported by the responder for a single CertID.

ts
type OcspCertStatus = good | revoked | unknown

OcspHashAlgorithm

Hash algorithm used to compute OCSP CertID fields. SHA-1 is the RFC 6960 default.

ts
type OcspHashAlgorithm = SHA-1 | SHA-256

OcspRequestMaterial

Encoded OCSP request in multiple serialisation formats, returned by createOcspRequest.

ts
interface OcspRequestMaterial {
	readonly der: Uint8Array;
	readonly pem: string;
	readonly base64: string;
}

Properties

  • readonly der: Uint8Array — Raw DER bytes.
  • readonly pem: string — PEM-encoded request (-----BEGIN OCSP REQUEST-----).
  • readonly base64: string — Base64-encoded DER (no PEM armour).

OcspRequestSource

PEM string, DER bytes, or already-parsed OCSP request.

ts
type OcspRequestSource = string | Uint8Array | ParsedOcspRequest

OcspResponderRevocationPolicy

Revocation policy for delegated OCSP responder certificates (RFC 6960 §4.2.2.2.1).

  • 'honor-nocheck' (default): a responder carrying id-pkix-ocsp-nocheck is exempt from revocation checking. Otherwise, CRL evidence from ValidateOcspResponseInput.responderRevocationCrls is consulted when provided — a revoked responder rejects the response; missing or unusable evidence is tolerated (soft).
  • 'require-evidence': nocheck is ignored; CRL evidence must positively show the responder is not revoked, otherwise the response is rejected.
  • 'skip': no responder revocation checking.
ts
type OcspResponderRevocationPolicy = honor-nocheck | require-evidence | skip

OcspResponseMaterial

Encoded OCSP response in multiple serialisation formats, returned by createOcspResponse.

ts
interface OcspResponseMaterial {
	readonly der: Uint8Array;
	readonly pem: string;
	readonly base64: string;
}

Properties

  • readonly der: Uint8Array — Raw DER bytes.
  • readonly pem: string — PEM-encoded response (-----BEGIN OCSP RESPONSE-----).
  • readonly base64: string — Base64-encoded DER (no PEM armour).

OcspResponseStatus

RFC 6960 overall response status — anything other than 'successful' means the response body is absent or unusable.

ts
type OcspResponseStatus = successful | malformedRequest | internalError | tryLater | sigRequired | unauthorized

ParsedOcspCertId

Decoded OCSP CertID — identifies a certificate by hashed issuer name, hashed issuer key, and serial number.

ts
interface ParsedOcspCertId {
	readonly hashAlgorithmOid: string;
	readonly hashAlgorithmName: string;
	readonly issuerNameHashHex: string;
	readonly issuerKeyHashHex: string;
	readonly serialNumberHex: string;
}

Properties

  • readonly hashAlgorithmOid: string — OID of the hash algorithm used for the name and key hashes.
  • readonly hashAlgorithmName: string — Human-readable hash algorithm name (e.g. "SHA-256").
  • readonly issuerNameHashHex: string — Hex-encoded hash of the issuer's distinguished name DER.
  • readonly issuerKeyHashHex: string — Hex-encoded hash of the issuer's SubjectPublicKey BIT STRING content.
  • readonly serialNumberHex: string — Hex-encoded serial number of the certificate.

ParsedOcspRequest

Decoded OCSP request, returned by parseOcspRequestDer / parseOcspRequestPem.

ts
interface ParsedOcspRequest {
	readonly der?: Uint8Array;
	readonly requests: readonly ParsedOcspCertId[];
	readonly nonce?: string;
}

Properties

  • readonly der?: Uint8Array — Original DER bytes when this object came from parseOcspRequestDer or PEM parsing.
  • readonly requests: readonly ParsedOcspCertId[] — CertIDs of the certificates being queried.
  • readonly nonce?: string — Hex-encoded nonce extension value, if present.

ParsedOcspResponderId

How the OCSP responder identifies itself — either by distinguished name or by SHA-1 hash of its public key.

ts
type ParsedOcspResponderId = {
  readonly type: byName;
  readonly name: ParsedName
} | {
  readonly type: byKeyHash;
  readonly keyHashHex: string
}

ParsedOcspResponse

Decoded OCSP response, returned by parseOcspResponseDer / parseOcspResponsePem.

When responseStatus is not 'successful', most fields are absent.

ts
interface ParsedOcspResponse {
	readonly der?: Uint8Array;
	readonly responseStatus: OcspResponseStatus;
	readonly responseTypeOid?: string;
	readonly responseDataDer?: Uint8Array;
	readonly responderId?: ParsedOcspResponderId;
	readonly signatureAlgorithmOid?: string;
	readonly signatureAlgorithmName?: string;
	readonly signatureValue?: Uint8Array;
	readonly producedAt?: Date;
	readonly responses?: readonly ParsedOcspSingleResponse[];
	readonly nonce?: string;
	readonly certificates?: readonly ParsedCertificate[];
}

Properties

  • readonly der?: Uint8Array — Original DER bytes when this object came from parseOcspResponseDer or PEM parsing.
  • readonly responseStatus: OcspResponseStatus — Overall response status. Only 'successful' carries a BasicOCSPResponse body.
  • readonly responseTypeOid?: string — OID of the response type (normally id-pkix-ocsp-basic).
  • readonly responseDataDer?: Uint8Array — DER-encoded ResponseData — the signed payload for signature verification.
  • readonly responderId?: ParsedOcspResponderId — How the responder identifies itself.
  • readonly signatureAlgorithmOid?: string — OID of the algorithm used to sign this response.
  • readonly signatureAlgorithmName?: string — Human-readable signature algorithm name.
  • readonly signatureValue?: Uint8Array — Raw signature bytes.
  • readonly producedAt?: Date — Timestamp when the responder produced this response.
  • readonly responses?: readonly ParsedOcspSingleResponse[] — Per-certificate status entries.
  • readonly nonce?: string — Hex-encoded nonce, if the response echoed one.
  • readonly certificates?: readonly ParsedCertificate[] — Certificates embedded in the response (typically the responder's chain).

ParsedOcspSingleResponse

Status of one certificate inside an OCSP BasicResponse.

ts
interface ParsedOcspSingleResponse {
	readonly certId: ParsedOcspCertId;
	readonly certStatus: OcspCertStatus;
	readonly thisUpdate: Date;
	readonly nextUpdate?: Date;
	readonly revokedAt?: Date;
	readonly revocationReasonCode?: number;
}

Properties

  • readonly certId: ParsedOcspCertId — Which certificate this status applies to.
  • readonly certStatus: OcspCertStatus — Responder's verdict: good, revoked, or unknown.
  • readonly thisUpdate: Date — Start of the validity window for this status assertion.
  • readonly nextUpdate?: Date — End of the validity window. Absent if the responder does not commit to a schedule.
  • readonly revokedAt?: Date — When the certificate was revoked (only for certStatus === 'revoked').
  • readonly revocationReasonCode?: number — CRLReason integer (only for certStatus === 'revoked').

ParseOcspRequestErrorCode

Machine-readable failure reason for the OCSP request parsers.

ts
type ParseOcspRequestErrorCode = malformed

ParseOcspRequestFailure

Structured failure payload for OCSP request parsing.

ts
interface ParseOcspRequestFailure extends Micro509Error<ParseOcspRequestErrorCode> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

ParseOcspRequestResult

Success-or-failure result from parseOcspRequestDer / parseOcspRequestPem.

ts
type ParseOcspRequestResult = {
  readonly ok: true;
  readonly value: ParsedOcspRequest
} | ErrorResult<ParseOcspRequestErrorCode, Record<never, never>, ParseOcspRequestFailure>

ParseOcspResponseErrorCode

Machine-readable failure reason for the OCSP response parsers.

ts
type ParseOcspResponseErrorCode = malformed

ParseOcspResponseFailure

Structured failure payload for OCSP response parsing.

ts
interface ParseOcspResponseFailure extends Micro509Error<ParseOcspResponseErrorCode> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

ParseOcspResponseResult

Success-or-failure result from parseOcspResponseDer / parseOcspResponsePem.

ts
type ParseOcspResponseResult = {
  readonly ok: true;
  readonly value: ParsedOcspResponse
} | ErrorResult<ParseOcspResponseErrorCode, Record<never, never>, ParseOcspResponseFailure>

ValidateOcspResponseErrorCode

Failure codes produced by validateOcspResponse.

ts
type ValidateOcspResponseErrorCode = response_status_invalid | signature_invalid | responder_id_mismatch | nonce_mismatch | request_mismatch | issuer_mismatch | responder_chain_invalid | ocsp_signing_missing | responder_revoked | responder_revocation_unknown | stale_response

ValidateOcspResponseFailure

Failure detail for validateOcspResponse.

Possible codes: response_status_invalid, signature_invalid, responder_id_mismatch, nonce_mismatch, request_mismatch, issuer_mismatch, responder_chain_invalid, ocsp_signing_missing, responder_revoked, responder_revocation_unknown, stale_response.

ts
interface ValidateOcspResponseFailure extends Micro509Error<ValidateOcspResponseErrorCode> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

ValidateOcspResponseInput

Input for validateOcspResponse.

ts
interface ValidateOcspResponseInput {
	readonly response: string | Uint8Array | ParsedOcspResponse;
	readonly issuerCertificate: OcspCertificateSource;
	readonly request?: OcspRequestSource;
	readonly responderCertificate?: OcspCertificateSource;
	readonly allowChainedResponderCertificate?: boolean;
	readonly trustedOcspResponders?: readonly OcspCertificateSource[];
	readonly responderRevocationPolicy?: OcspResponderRevocationPolicy;
	readonly responderRevocationCrls?: readonly CrlSource[];
	readonly at?: Date;
	readonly clockSkewMs?: number;
}

Properties

  • readonly response: string | Uint8Array | ParsedOcspResponse — The OCSP response to validate.

  • readonly issuerCertificate: OcspCertificateSource — Certificate of the CA that issued the target certificate.

  • readonly request?: OcspRequestSource — Original request — enables nonce and request-coverage checks.

  • readonly responderCertificate?: OcspCertificateSource — Explicit responder certificate — overrides embedded certificate discovery.

  • readonly allowChainedResponderCertificate?: boolean — When true, allows delegated responder chain validation beyond direct issuance.

  • readonly trustedOcspResponders?: readonly OcspCertificateSource[] — Explicitly trusted responder certificates for this issuer's scope (RFC 6960 §4.2.2.2 criterion 1 — local responder configuration).

    A response signer matching one of these certificates is accepted without the delegated-responder issuance, chain, EKU, and revocation checks. Signature verification and responder-ID binding are still enforced. Also consulted during responder discovery when the response embeds no matching certificate.

  • readonly responderRevocationPolicy?: OcspResponderRevocationPolicy — Revocation policy for delegated responder certificates. Defaults to 'honor-nocheck'.

  • readonly responderRevocationCrls?: readonly CrlSource[] — CRLs used as revocation evidence for delegated responder certificates.

  • readonly at?: Date — Evaluation time for freshness checks and delegated responder chain validation. Defaults to new Date().

  • readonly clockSkewMs?: number — Clock-skew tolerance in milliseconds for thisUpdate/nextUpdate/producedAt.

ValidateOcspResponseResult

Result of validateOcspResponse.

On success, the response has passed status, signature, responder binding, authorization (including responder revocation policy), freshness, nonce, and request-coverage checks.

ts
type ValidateOcspResponseResult = {
  readonly ok: true;
  readonly value: ParsedOcspResponse
} | ErrorResult<ValidateOcspResponseErrorCode, Record<never, never>, ValidateOcspResponseFailure>

VerifyOcspResponseSignatureFailure

Failure detail when OCSP response signature verification fails.

ts
interface VerifyOcspResponseSignatureFailure extends Micro509Error<signature_invalid> {
	readonly ok: false;
}

Properties

  • readonly ok: false — Always false for failures.

VerifyOcspResponseSignatureResult

Result of verifyOcspResponseSignature.

On success, value is the parsed response whose signature has been verified.

ts
type VerifyOcspResponseSignatureResult = {
  readonly ok: true;
  readonly value: ParsedOcspResponse
} | ErrorResult<signature_invalid, Record<never, never>, VerifyOcspResponseSignatureFailure>

createOcspRequest

Builds a DER-encoded OCSP request containing one or more CertID entries and an optional nonce extension.

ts
function createOcspRequest(
	input: CreateOcspRequestInput,
): Promise<OcspRequestMaterial>

Parameters

Examples

ts
import { createOcspRequest } from 'micro509';

const req = await createOcspRequest({
  requests: [{ certificate: leafPem, issuerCertificate: caPem }],
  hashAlgorithm: 'SHA-256',
  nonce: crypto.getRandomValues(new Uint8Array(16)),
});
// POST req.der to the OCSP responder URI

createOcspResponse

Signs and encodes an OCSP BasicResponse with a successful status.

The responder is identified by key hash (SHA-1 of the signer's SubjectPublicKey). Use includedCertificates to embed the responder's chain for relying parties.

ts
function createOcspResponse(
	input: CreateOcspResponseInput,
): Promise<OcspResponseMaterial>

Parameters

Examples

ts
import { createOcspResponse } from 'micro509';

const resp = await createOcspResponse({
  signerPrivateKey: responderPrivateKey,
  signerCertificate: responderCertPem,
  responses: [
    {
      certificate: leafPem,
      issuerCertificate: caPem,
      certStatus: 'good',
      thisUpdate: new Date('2025-01-01'),
      nextUpdate: new Date('2025-01-08'),
    },
  ],
  nonce: requestNonce,
});
// resp.der, resp.pem, resp.base64

hasOcspNoCheckExtension

Reports whether a certificate carries the id-pkix-ocsp-nocheck extension (RFC 6960 §4.2.2.2.1) — the CA's assertion that relying parties may trust this OCSP responder certificate for its lifetime without revocation checks.

ts
function hasOcspNoCheckExtension(
	certificate: OcspCertificateSource,
): boolean

Parameters

parseOcspRequestDer

Decodes a DER-encoded OCSP request into a structured ParsedOcspRequest.

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspRequestDerOrThrow.

ts
function parseOcspRequestDer(
	der: Uint8Array,
): ParseOcspRequestResult

Parameters

  • der: Uint8Array

parseOcspRequestDerOrThrow

Throwing core for parseOcspRequestDer.

ts
function parseOcspRequestDerOrThrow(
	der: Uint8Array,
): ParsedOcspRequest

Parameters

  • der: Uint8Array

parseOcspRequestPem

Decodes a PEM-encoded OCSP request (-----BEGIN OCSP REQUEST-----).

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspRequestPemOrThrow.

ts
function parseOcspRequestPem(
	pem: string,
): ParseOcspRequestResult

Parameters

  • pem: string

parseOcspRequestPemOrThrow

Decodes a PEM-encoded OCSP request (-----BEGIN OCSP REQUEST-----).

ts
function parseOcspRequestPemOrThrow(
	pem: string,
): ParsedOcspRequest

Parameters

  • pem: string

parseOcspResponseDer

Decodes a DER-encoded OCSP response into a structured ParsedOcspResponse.

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspResponseDerOrThrow.

ts
function parseOcspResponseDer(
	der: Uint8Array,
): ParseOcspResponseResult

Parameters

  • der: Uint8Array

parseOcspResponseDerOrThrow

Throwing core for parseOcspResponseDer.

ts
function parseOcspResponseDerOrThrow(
	der: Uint8Array,
): ParsedOcspResponse

Parameters

  • der: Uint8Array

parseOcspResponsePem

Decodes a PEM-encoded OCSP response (-----BEGIN OCSP RESPONSE-----).

Returns a typed failure (code: 'malformed') on malformed input. For the throwing form use parseOcspResponsePemOrThrow.

ts
function parseOcspResponsePem(
	pem: string,
): ParseOcspResponseResult

Parameters

  • pem: string

parseOcspResponsePemOrThrow

Decodes a PEM-encoded OCSP response (-----BEGIN OCSP RESPONSE-----).

ts
function parseOcspResponsePemOrThrow(
	pem: string,
): ParsedOcspResponse

Parameters

  • pem: string

Examples

ts
import { parseOcspResponsePemOrThrow } from 'micro509';

const resp = parseOcspResponsePemOrThrow(pemString);
if (resp.responseStatus === 'successful') {
  for (const entry of resp.responses ?? []) {
    console.log(entry.certId.serialNumberHex, entry.certStatus);
  }
}

validateOcspResponse

Full OCSP response validation: response status check, signature verification, responder ID binding (byName or byKeyHash), delegated-responder chain and ocspSigning EKU checks, producedAt/thisUpdate/nextUpdate freshness, nonce match, and request-coverage completeness.

ts
function validateOcspResponse(
	input: ValidateOcspResponseInput,
): Promise<ValidateOcspResponseResult>

Parameters

Examples

ts
import { validateOcspResponse } from 'micro509';

const result = await validateOcspResponse({
  response: ocspResponseDer,
  issuerCertificate: caPem,
  request: ocspRequestDer,
});
if (result.ok) {
  const entry = result.value.responses?.[0];
  console.log(entry?.certStatus); // 'good' | 'revoked' | 'unknown'
}

verifyOcspResponseSignature

Verifies the OCSP response signature against the given signer certificate.

Does not check responder binding, freshness, or nonce — use validateOcspResponse for full validation.

ts
function verifyOcspResponseSignature(
	response: string | Uint8Array | ParsedOcspResponse,
	signerCertificate: OcspCertificateSource,
): Promise<VerifyOcspResponseSignatureResult>

Parameters

CheckCertificateRevocationErrorCode

Error codes that checkCertificateRevocation may surface inside an indeterminate result.

ts
type CheckCertificateRevocationErrorCode = revocation_evidence_missing | revocation_status_indeterminate

CheckCertificateRevocationFailureDetails

Diagnostic details attached to an indeterminate revocation result.

ts
interface CheckCertificateRevocationFailureDetails {
	readonly checkedSources: readonly RevocationEvidenceKind[];
	readonly indeterminateEvidence: readonly RevocationIndeterminateEvidence[];
}

Properties

  • readonly checkedSources: readonly RevocationEvidenceKind[] — Which evidence kinds were attempted ('crl', 'ocsp', or both).
  • readonly indeterminateEvidence: readonly RevocationIndeterminateEvidence[] — Per-evidence explanations of why no definitive answer was reached.

CheckCertificateRevocationInput

Input for checkCertificateRevocation.

ts
interface CheckCertificateRevocationInput {
	readonly certificate: RevocationCertificateSource;
	readonly issuerCertificate: RevocationCertificateSource;
	readonly evidence?: readonly RevocationEvidenceInput[];
	readonly at?: Date;
	readonly clockSkewMs?: number;
}

Properties

  • readonly certificate: RevocationCertificateSource — Certificate whose revocation status to determine.
  • readonly issuerCertificate: RevocationCertificateSource — Issuer of certificate.
  • readonly evidence?: readonly RevocationEvidenceInput[] — CRL and/or OCSP evidence to evaluate. Returns indeterminate if empty.
  • readonly at?: Date — Evaluation time. Defaults to new Date().
  • readonly clockSkewMs?: number — Clock-skew tolerance in milliseconds.

CheckCertificateRevocationResult

Result of checkCertificateRevocation. Always succeeds (ok: true) — the value.status discriminator carries the actual outcome.

ts
type CheckCertificateRevocationResult = Result<CheckCertificateRevocationValue, never>

CheckCertificateRevocationValue

Discriminated union of good, revoked, and indeterminate revocation outcomes.

ts
type CheckCertificateRevocationValue = RevocationCheckGoodValue | RevocationCheckRevokedValue | RevocationCheckIndeterminateValue

ConfiguredOcspResponder

A manually-configured OCSP responder endpoint.

ts
interface ConfiguredOcspResponder {
	readonly uri: string;
	readonly responderCertificate?: ConfiguredOcspResponderCertificate;
}

Properties

  • readonly uri: string — OCSP responder URI (typically http://...).
  • readonly responderCertificate?: ConfiguredOcspResponderCertificate — Known responder certificate — skips embedded-certificate discovery.

ConfiguredOcspResponderCertificate

PEM or DER bytes of a pre-configured OCSP responder certificate.

ts
type ConfiguredOcspResponderCertificate = string | Uint8Array

OcspResponderCandidate

One candidate OCSP responder resolved by resolveOcspResponderCandidates.

ts
interface OcspResponderCandidate {
	readonly source: OcspResponderSource;
	readonly uri: string;
	readonly responderCertificate?: ConfiguredOcspResponderCertificate;
}

Properties

  • readonly source: OcspResponderSource — Whether this candidate came from configuration or the certificate's AIA extension.
  • readonly uri: string — OCSP responder URI.
  • readonly responderCertificate?: ConfiguredOcspResponderCertificate — Pre-known responder certificate, if available.

OcspResponderSource

Where the OCSP responder URI came from.

ts
type OcspResponderSource = configured | authorityInfoAccess

ResolveOcspResponderCandidatesInput

Input for resolveOcspResponderCandidates.

ts
interface ResolveOcspResponderCandidatesInput {
	readonly certificate: RevocationCertificateSource;
	readonly configuredResponders?: readonly ConfiguredOcspResponder[];
}

Properties

  • readonly certificate: RevocationCertificateSource — Certificate whose AIA extension will be inspected for OCSP URIs.
  • readonly configuredResponders?: readonly ConfiguredOcspResponder[] — Manually-configured responders — checked before AIA-derived ones.

RevocationCertificateSource

PEM string, DER bytes, or already-parsed certificate.

ts
type RevocationCertificateSource = string | Uint8Array | ParsedCertificate

RevocationCheckGoodValue

Certificate is not revoked according to the checked evidence.

ts
interface RevocationCheckGoodValue {
	readonly status: Extract<RevocationStatus, good>;
	readonly kind: RevocationEvidenceKind;
	readonly message: string;
}

Properties

  • readonly status: Extract<RevocationStatus, good> — Certificate is not revoked.
  • readonly kind: RevocationEvidenceKind — Which evidence kind confirmed the good status.
  • readonly message: string — Human-readable diagnostic message.

RevocationCheckIndeterminateValue

Revocation status could not be determined from the provided evidence.

ts
interface RevocationCheckIndeterminateValue {
	readonly status: Extract<RevocationStatus, indeterminate>;
	readonly code: CheckCertificateRevocationErrorCode;
	readonly message: string;
	readonly details: CheckCertificateRevocationFailureDetails;
}

Properties

RevocationCheckRevokedValue

Certificate is revoked according to the checked evidence.

ts
interface RevocationCheckRevokedValue {
	readonly status: Extract<RevocationStatus, revoked>;
	readonly kind: RevocationEvidenceKind;
	readonly message: string;
	readonly revokedAt?: Date;
	readonly revocationReason?: RevocationReason;
	readonly revocationReasonCode?: number;
}

Properties

  • readonly status: Extract<RevocationStatus, revoked> — Certificate is revoked.
  • readonly kind: RevocationEvidenceKind — Which evidence kind reported the revocation.
  • readonly message: string — Human-readable diagnostic message.
  • readonly revokedAt?: Date — When the certificate was revoked (from CRL entry or OCSP response).
  • readonly revocationReason?: RevocationReason — CRL reason string (from CRL evidence).
  • readonly revocationReasonCode?: number — CRL reason integer code (from OCSP evidence).

RevocationCrlEvidenceInput

CRL-based revocation evidence for CheckCertificateRevocationInput.evidence.

ts
interface RevocationCrlEvidenceInput {
	readonly kind: crl;
	readonly crl: CrlSource;
	readonly deltaCrl?: CrlSource;
}

Properties

  • readonly kind: crl — Discriminator for the CRL evidence variant.
  • readonly crl: CrlSource — Complete (base) CRL.
  • readonly deltaCrl?: CrlSource — Optional delta CRL for more recent revocation information.

RevocationEvidenceInput

Discriminated union of CRL and OCSP evidence inputs.

ts
type RevocationEvidenceInput = RevocationCrlEvidenceInput | RevocationOcspEvidenceInput

RevocationEvidenceKind

Which revocation mechanism produced the evidence.

ts
type RevocationEvidenceKind = crl | ocsp

RevocationIndeterminateEvidence

One piece of evidence that failed to produce a definitive revocation answer.

ts
interface RevocationIndeterminateEvidence {
	readonly kind: RevocationEvidenceKind;
	readonly code: RevocationIndeterminateReasonCode;
	readonly message: string;
	readonly reason?: CrlApplicabilityFailureReason;
}

Properties

RevocationIndeterminateReasonCode

Why a particular piece of evidence could not produce a definitive good/revoked answer.

ts
type RevocationIndeterminateReasonCode = (typeof REVOCATION_INDETERMINATE_REASON_CODES)[number]

RevocationOcspEvidenceInput

OCSP-based revocation evidence for CheckCertificateRevocationInput.evidence.

ts
interface RevocationOcspEvidenceInput {
	readonly kind: ocsp;
	readonly response: string | Uint8Array | ParsedOcspResponse;
	readonly request?: OcspRequestSource;
	readonly responderCertificate?: OcspCertificateSource;
}

Properties

  • readonly kind: ocsp — Discriminator for the OCSP evidence variant.
  • readonly response: string | Uint8Array | ParsedOcspResponse — OCSP response to validate.
  • readonly request?: OcspRequestSource — Original OCSP request — enables nonce and coverage checks.
  • readonly responderCertificate?: OcspCertificateSource — Explicit responder certificate — overrides embedded certificate discovery.

RevocationStatus

Unified revocation outcome across CRL and OCSP evidence.

ts
type RevocationStatus = good | revoked | indeterminate

checkCertificateRevocation

Evaluates all provided CRL and OCSP evidence to determine the certificate's revocation status. Returns the first revoked if any, else the first good, else indeterminate with diagnostic details about each indeterminate evidence.

ts
function checkCertificateRevocation(
	input: CheckCertificateRevocationInput,
): Promise<CheckCertificateRevocationResult>

Parameters

Examples

ts
import { checkCertificateRevocation } from 'micro509';

const result = await checkCertificateRevocation({
  certificate: leafPem,
  issuerCertificate: caPem,
  evidence: [{ kind: 'crl', crl: crlPem }],
});
if (result.ok && result.value.status === 'revoked') {
  console.log('revoked at', result.value.revokedAt);
}

getCertificateOcspResponderUris

Extracts OCSP responder URIs from the certificate's Authority Information Access extension.

ts
function getCertificateOcspResponderUris(
	certificate: RevocationCertificateSource,
): readonly string[]

Parameters

REVOCATION_INDETERMINATE_REASON_CODES

Every RevocationIndeterminateReasonCode, as a runtime array.

ts
const REVOCATION_INDETERMINATE_REASON_CODES: certificate_status_missing | certificate_status_unknown | crl_sign_not_permitted | issuer_mismatch | non_applicable | nonce_mismatch | ocsp_signing_missing | request_mismatch | responder_id_mismatch | responder_chain_invalid | responder_revoked | responder_revocation_unknown | response_status_invalid | signature_invalid | stale_crl | stale_response[]

resolveOcspResponderCandidates

Merges configured OCSP responders with those discovered from the certificate's AIA extension. Configured responders take priority; duplicates are deduplicated by URI.

ts
function resolveOcspResponderCandidates(
	input: ResolveOcspResponderCandidatesInput,
): readonly OcspResponderCandidate[]

Parameters

IssuingDistributionPoint

Input for the Issuing Distribution Point CRL extension (RFC 5280 §5.2.5).

The union enforces that at most one of the onlyContains* flags is true.

ts
type IssuingDistributionPoint = IssuingDistributionPointBase | IssuingDistributionPointForUserCerts | IssuingDistributionPointForCaCerts | IssuingDistributionPointForAttributeCerts

IssuingDistributionPointBase

Base shape for Issuing Distribution Point (RFC 5280 §5.2.5) — no scope restriction.

ts
interface IssuingDistributionPointBase {
	readonly distributionPoint?: DistributionPointName;
	readonly onlySomeReasons?: readonly DistributionPointReason[];
	readonly indirectCrl?: boolean;
	readonly onlyContainsUserCerts?: false;
	readonly onlyContainsCACerts?: false;
	readonly onlyContainsAttributeCerts?: boolean;
}

Properties

  • readonly distributionPoint?: DistributionPointName — Where to fetch this CRL.
  • readonly onlySomeReasons?: readonly DistributionPointReason[] — Limits the CRL to these revocation reasons. Absent means all reasons.
  • readonly indirectCrl?: boolean — When true, the CRL may contain entries from other CAs. Default false.
  • readonly onlyContainsUserCerts?: false — Must be absent or false in this variant (no user-cert-only restriction).
  • readonly onlyContainsCACerts?: false — Must be absent or false in this variant (no CA-cert-only restriction).
  • readonly onlyContainsAttributeCerts?: boolean — When true, the CRL only covers attribute certificates. Default false.

IssuingDistributionPointForAttributeCerts

IDP scoped to attribute certificates only. Mutually exclusive with user / CA scopes.

ts
interface IssuingDistributionPointForAttributeCerts extends Omit<IssuingDistributionPointBase, onlyContainsAttributeCerts> {
	readonly onlyContainsUserCerts?: false;
	readonly onlyContainsCACerts?: false;
	readonly onlyContainsAttributeCerts: true;
}

Properties

  • readonly onlyContainsUserCerts?: false — Must be absent or false when the CRL is not user-cert-only.
  • readonly onlyContainsCACerts?: false — Must be absent or false when the CRL is not CA-only.
  • readonly onlyContainsAttributeCerts: true — This variant only covers attribute certificates.

IssuingDistributionPointForCaCerts

IDP scoped to CA certificates only. Mutually exclusive with user / attribute scopes.

ts
interface IssuingDistributionPointForCaCerts extends Omit<IssuingDistributionPointBase, onlyContainsCACerts> {
	readonly onlyContainsUserCerts?: false;
	readonly onlyContainsCACerts: true;
	readonly onlyContainsAttributeCerts?: false;
}

Properties

  • readonly onlyContainsUserCerts?: false — Must be absent or false when the CRL is not user-cert-only.
  • readonly onlyContainsCACerts: true — This variant only covers CA certificates.
  • readonly onlyContainsAttributeCerts?: false — Must be absent or false when the CRL is not attribute-cert-only.

IssuingDistributionPointForUserCerts

IDP scoped to end-entity (user) certificates only. Mutually exclusive with CA / attribute scopes.

ts
interface IssuingDistributionPointForUserCerts extends Omit<IssuingDistributionPointBase, onlyContainsUserCerts> {
	readonly onlyContainsUserCerts: true;
	readonly onlyContainsCACerts?: false;
	readonly onlyContainsAttributeCerts?: false;
}

Properties

  • readonly onlyContainsUserCerts: true — This variant only covers end-entity certificates.
  • readonly onlyContainsCACerts?: false — Must be absent or false when the CRL is not CA-only.
  • readonly onlyContainsAttributeCerts?: false — Must be absent or false when the CRL is not attribute-cert-only.

ParsedIssuingDistributionPoint

Decoded Issuing Distribution Point CRL extension (RFC 5280 §5.2.5). Constrains which certificates a CRL covers (scope, reasons, indirection).

ts
interface ParsedIssuingDistributionPoint {
	readonly distributionPoint?: ParsedDistributionPointName;
	readonly onlyContainsUserCerts?: boolean;
	readonly onlyContainsCACerts?: boolean;
	readonly onlySomeReasons?: ParsedBitFlags<DistributionPointReason>;
	readonly indirectCrl?: boolean;
	readonly onlyContainsAttributeCerts?: boolean;
}

Properties

  • readonly distributionPoint?: ParsedDistributionPointName — Where to fetch this CRL, if specified.
  • readonly onlyContainsUserCerts?: boolean — When true, this CRL only covers end-entity certificates. Default false.
  • readonly onlyContainsCACerts?: boolean — When true, this CRL only covers CA certificates. Default false.
  • readonly onlySomeReasons?: ParsedBitFlags<DistributionPointReason> — Limits the CRL to these revocation reasons. Absent means all reasons.
  • readonly indirectCrl?: boolean — When true, this CRL may contain entries from CAs other than the issuer. Default false.
  • readonly onlyContainsAttributeCerts?: boolean — When true, this CRL only covers attribute certificates. Default false.

Released under the MIT License.