git.stella-ops.org/docs/features/checked/libraries/ocsp-crl-certificate-status-provider.md

# OCSP/CRL Certificate Status Provider

## Module
__Libraries

## Status
VERIFIED

## Description
Full OCSP client and CRL fetcher for certificate revocation checking, as specified in the advisory.

## Implementation Details
- **OcspClient**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/OcspClient.cs` -- RFC 6960 OCSP client: `CheckStatusAsync(certificate, issuer, options)` extracts OCSP responder URL from AIA extension (OID 1.3.6.1.5.5.7.1.1), generates ASN.1 DER OCSP request with CertID (SHA-256 issuer name hash + issuer key hash + serial number), supports optional nonce (OID 1.3.6.1.5.5.7.48.1.2), uses GET for requests <= 255 bytes / POST for larger; parses `BasicOCSPResponse` with tbsResponseData (producedAt, certStatus: good[0]/revoked[1]/unknown[2], thisUpdate, nextUpdate); caches good responses per thumbprint; `ParseStapledResponse` for pre-fetched OCSP responses
- **CrlFetcher**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CrlFetcher.cs` -- CRL distribution point fetching and revocation checking
- **CertificateStatusProvider**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusProvider.cs` -- unified provider combining OCSP and CRL status checks
- **CertificateStatusServiceCollectionExtensions**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusServiceCollectionExtensions.cs` -- DI registration
- **Abstractions**: `src/__Libraries/StellaOps.Cryptography.CertificateStatus.Abstractions/` -- `CertificateStatusResult` (Status, Source, ProducedAt, ThisUpdate, NextUpdate, ResponderUrl, RawOcspResponse, revocation details), `RevocationStatus` enum (Good, Revoked, Unknown), `RevocationSource` enum (Ocsp, Crl), `RevocationReason` enum, `CertificateStatusOptions` (EnableCaching, IncludeOcspNonce, RequestTimeout, MaxOcspAge)
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify OCSP client generates valid ASN.1 DER request with correct CertID
- [ ] Test OCSP nonce inclusion when IncludeOcspNonce is enabled
- [ ] Verify GET method is used for small requests (<= 255 bytes) and POST for larger
- [ ] Test OCSP response parsing detects good, revoked, and unknown certificate status
- [ ] Verify revoked status includes revocation time and reason
- [ ] Test response caching for good certificates with nextUpdate expiry
- [ ] Verify CRL fetcher retrieves and parses CRL distribution point data
- [ ] Test unified CertificateStatusProvider combines OCSP and CRL results


## Verification

- **Verified**: 2026-02-13T20:30:00Z
- **Run**: run-001
- **Tier**: Tier 2d (Library/Internal)
- **Verdict**: PASS