git.stella-ops.org/docs/features/unchecked/libraries/ocsp-crl-certificate-status-provider.md

# OCSP/CRL Certificate Status Provider

**Module:** __Libraries

**Status:** IMPLEMENTED

## Description

Full OCSP client and CRL fetcher for certificate revocation checking, as specified in the advisory.

## Implementation Details

- **OcspClient** (`src/__Libraries/StellaOps.Cryptography.CertificateStatus/OcspClient.cs`): RFC 6960 OCSP client.
  - `CheckStatusAsync(certificate, issuer, options)` extracts the OCSP responder URL from the AIA extension (OID 1.3.6.1.5.5.7.1.1).
  - Generates an ASN.1 DER OCSP request with a CertID (SHA-256 issuer name hash + issuer key hash + serial number); supports an optional nonce (OID 1.3.6.1.5.5.7.48.1.2).
  - Uses GET for requests <= 255 bytes and POST for larger ones.
  - Parses BasicOCSPResponse with tbsResponseData (producedAt; certStatus: good[0] / revoked[1] / unknown[2]; thisUpdate; nextUpdate).
  - Caches good responses per thumbprint.
  - `ParseStapledResponse` handles pre-fetched (stapled) OCSP responses.
- **CrlFetcher** (`src/__Libraries/StellaOps.Cryptography.CertificateStatus/CrlFetcher.cs`): CRL distribution point fetching and revocation checking.
- **CertificateStatusProvider** (`src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusProvider.cs`): unified provider combining OCSP and CRL status checks.
- **CertificateStatusServiceCollectionExtensions** (`src/__Libraries/StellaOps.Cryptography.CertificateStatus/CertificateStatusServiceCollectionExtensions.cs`): DI registration.
- **Abstractions** (`src/__Libraries/StellaOps.Cryptography.CertificateStatus.Abstractions/`): `CertificateStatusResult` (Status, Source, ProducedAt, ThisUpdate, NextUpdate, ResponderUrl, RawOcspResponse, revocation details), `RevocationStatus` enum (Good, Revoked, Unknown), `RevocationSource` enum (Ocsp, Crl), `RevocationReason` enum, `CertificateStatusOptions` (EnableCaching, IncludeOcspNonce, RequestTimeout, MaxOcspAge).
- **Source:** Feature matrix scan
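As an added illustration (not code from the StellaOps repository, whose `OcspClient` is C#), the following stand-alone Python builds the RFC 6960 `OCSPRequest` structure described above: one `CertID` with SHA-256 hashes, the optional nonce in `requestExtensions`, the GET-vs-POST size rule, and a decoder for the `certStatus` CHOICE tags (`good[0]`, `revoked[1]`, `unknown[2]`). All inputs are constructed placeholders. `issuer_name_der` is assumed to be the DER of the issuer's `Name` and `issuer_public_key` the raw `subjectPublicKey` BIT STRING contents, which is what RFC 6960 section 4.1.1 hashes for `issuerNameHash` and `issuerKeyHash`; the responder URL is a hypothetical value, not one taken from any AIA extension.

```python
"""Minimal RFC 6960 OCSP request builder and certStatus decoder (added example)."""
import base64
import hashlib
from typing import Optional
from urllib.parse import quote

SHA256_OID = "2.16.840.1.101.3.4.2.1"
OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce, as listed on the page


# --- tiny DER encoder, just enough for an OCSPRequest -----------------------
def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV: tag byte, DER length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)


def der_int(value: int) -> bytes:
    """Positive INTEGER; an extra leading byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes,
                       serial: int, nonce: Optional[bytes] = None) -> bytes:
    """DER OCSPRequest with a single CertID (SHA-256 name hash, key hash, serial)."""
    cert_id = der(0x30, b"".join([
        der(0x30, der_oid(SHA256_OID)),   # AlgorithmIdentifier; params absent for SHA-2 (RFC 5754)
        der(0x04, hashlib.sha256(issuer_name_der).digest()),   # issuerNameHash
        der(0x04, hashlib.sha256(issuer_public_key).digest()), # issuerKeyHash
        der_int(serial),                                       # serialNumber
    ]))
    tbs = der(0x30, der(0x30, cert_id))   # requestList: SEQUENCE OF Request { reqCert }
    if nonce is not None:
        # Extension { extnID, extnValue OCTET STRING wrapping OCTET STRING nonce }
        ext = der(0x30, der_oid(OCSP_NONCE_OID) + der(0x04, der(0x04, nonce)))
        tbs += der(0xA2, der(0x30, ext))  # requestExtensions [2] EXPLICIT Extensions
    # version [0] DEFAULT v1 is omitted under DER; no optionalSignature
    return der(0x30, der(0x30, tbs))


def choose_transport(responder_url: str, request_der: bytes):
    """Page rule: GET (base64 request in the URL path) for <= 255 bytes, else POST."""
    if len(request_der) <= 255:
        b64 = base64.b64encode(request_der).decode("ascii")
        return "GET", responder_url.rstrip("/") + "/" + quote(b64, safe=""), None
    return "POST", responder_url, request_der


# --- certStatus decoding ----------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
               3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
               6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn",
               10: "aACompromise"}


def parse_cert_status(cert_status: bytes) -> dict:
    """Map the SingleResponse certStatus CHOICE: good[0] / revoked[1] / unknown[2]."""
    tag, value, _ = read_tlv(cert_status)
    if tag == 0x80:                        # [0] IMPLICIT NULL
        return {"status": "good"}
    if tag == 0x82:                        # [2] IMPLICIT NULL
        return {"status": "unknown"}
    if tag == 0xA1:                        # [1] IMPLICIT RevokedInfo (constructed)
        _, when, nxt = read_tlv(value)     # revocationTime GeneralizedTime
        result = {"status": "revoked", "revocation_time": when.decode("ascii")}
        if nxt < len(value):               # revocationReason [0] EXPLICIT CRLReason OPTIONAL
            _, inner, _ = read_tlv(value, nxt)
            _, reason, _ = read_tlv(inner)
            result["reason"] = CRL_REASONS.get(reason[0], f"reason-{reason[0]}")
        return result
    raise ValueError(f"unexpected certStatus tag 0x{tag:02x}")


if __name__ == "__main__":
    # Constructed sample inputs, not real certificate data.
    req = build_ocsp_request(b"\x30\x00", b"\x00" * 32, 0x1234, nonce=b"\x01" * 16)
    print(choose_transport("http://ocsp.example/", req)[0], len(req))
    revoked = der(0xA1, der(0x18, b"20240101000000Z") + der(0xA0, der(0x0A, b"\x01")))
    print(parse_cert_status(revoked))
```

The size rule follows the page (GET up to and including 255 bytes); adding a nonce or a long serial number is what typically pushes a request over that limit into POST, which matters because GET responses are the ones HTTP caches may serve and a nonce defeats that caching by design.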

## E2E Test Plan

- Verify the OCSP client generates a valid ASN.1 DER request with the correct CertID
- Test OCSP nonce inclusion when IncludeOcspNonce is enabled
- Verify the GET method is used for small requests (<= 255 bytes) and POST for larger ones
- Test that OCSP response parsing detects good, revoked, and unknown certificate status
- Verify revoked status includes revocation time and reason
- Test response caching for good certificates with nextUpdate expiry
- Verify the CRL fetcher retrieves and parses CRL distribution point data
- Test that the unified CertificateStatusProvider combines OCSP and CRL results
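The caching test above ("good certificates with nextUpdate expiry") and the implementation note that good responses are cached per thumbprint come down to one policy: cache only Good answers, key them by thumbprint, and drop them once nextUpdate has passed or the response is older than the configured maximum age. The following Python is an added example of that policy, not the StellaOps implementation; the `StatusResult` fields mirror the page's `CertificateStatusResult` names, the `max_age` parameter plays the role of `MaxOcspAge`, and the five-minute clock skew allowance is an assumption of this example.

```python
"""OCSP result freshness and good-response caching policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class StatusResult:
    status: str                      # "Good", "Revoked" or "Unknown"
    produced_at: datetime
    this_update: datetime
    next_update: Optional[datetime]  # a responder may omit nextUpdate


def is_fresh(r: StatusResult, now: datetime, max_age: timedelta,
             skew: timedelta = timedelta(minutes=5)) -> bool:
    """RFC 6960 4.2.2.1 validity window plus an age cap on producedAt.

    thisUpdate must not be in the future (beyond clock skew), nextUpdate must
    not have passed, and the response must be no older than max_age.
    """
    if r.this_update > now + skew:
        return False
    if r.next_update is not None and now > r.next_update:
        return False
    return now - r.produced_at <= max_age


class GoodResponseCache:
    """Cache only Good results, keyed by certificate thumbprint, until nextUpdate."""

    def __init__(self, max_age: timedelta):
        self.max_age = max_age
        self._entries: Dict[str, StatusResult] = {}

    def put(self, thumbprint: str, r: StatusResult) -> bool:
        # Revoked and Unknown are never cached: a later check must hit the
        # responder again. A Good answer without nextUpdate has no validity
        # window to cache against, so it is also re-fetched every time.
        if r.status != "Good" or r.next_update is None:
            return False
        self._entries[thumbprint] = r
        return True

    def get(self, thumbprint: str, now: datetime) -> Optional[StatusResult]:
        r = self._entries.get(thumbprint)
        if r is None:
            return None
        if not is_fresh(r, now, self.max_age):
            del self._entries[thumbprint]   # nextUpdate passed or response too old
            return None
        return r


def demo():
    """Constructed timeline: a Good response valid for 12 hours, max age one day."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    good = StatusResult("Good", t0, t0, t0 + timedelta(hours=12))
    cache = GoodResponseCache(max_age=timedelta(days=1))
    cache.put("sha256:constructed-thumbprint", good)
    hit = cache.get("sha256:constructed-thumbprint", t0 + timedelta(hours=1)) is not None
    expired = cache.get("sha256:constructed-thumbprint", t0 + timedelta(hours=13)) is None
    return hit, expired


if __name__ == "__main__":
    print(demo())
```

Eviction happens on read rather than by a background timer, so a cached Good answer can never be returned past its nextUpdate even if the clock jumps; the producedAt age cap catches responders that issue long validity windows.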