micro509 / revocation

revocation

Canonical revocation domain surface. Owns CRL, OCSP, and revocation orchestration APIs.

Interfaces

CertificateRevocationListMaterial

Defined in: src/revocation/crl.ts:151

Encoded CRL in multiple serialisation formats, returned by createCertificateRevocationList.

Properties

base64

readonly base64: string

Defined in: src/revocation/crl.ts:157

Base64-encoded DER (no PEM armour).

der

readonly der: Uint8Array

Defined in: src/revocation/crl.ts:153

Raw DER bytes of the signed CRL.

pem

readonly pem: string

Defined in: src/revocation/crl.ts:155

PEM-encoded CRL (-----BEGIN X509 CRL-----).


CertificateRevocationStatus

Defined in: src/revocation/chain.ts:147

Revocation evaluation result for a single certificate.

One entry per certificate in CheckChainRevocationValue.certificates. The trust anchor is excluded (never checked for revocation).

Properties

certificate

readonly certificate: ParsedCertificate

Defined in: src/revocation/chain.ts:149

The certificate that was evaluated.

indeterminateReasons?

readonly optional indeterminateReasons?: readonly RevocationIndeterminateReason[]

Defined in: src/revocation/chain.ts:161

Why status could not be determined. Present when status is 'indeterminate'.

revocationInfo?

readonly optional revocationInfo?: object

Defined in: src/revocation/chain.ts:163

Revocation details. Present when status is 'revoked'.

date

readonly date: Date

When the certificate was revoked.

reason?

readonly optional reason?: RevocationReason

RFC 5280 CRLReason code, if provided by the CRL/OCSP response.

source?

readonly optional source?: RevocationSource

Defined in: src/revocation/chain.ts:159

Evidence source when status is 'good' or 'revoked'.

status

readonly status: "good" | "revoked" | "indeterminate"

Defined in: src/revocation/chain.ts:157

Revocation status determination.

  • 'good': evidence confirms certificate is not revoked
  • 'revoked': evidence confirms certificate is revoked
  • 'indeterminate': could not determine status (see indeterminateReasons)

CheckCertificateRevocationAgainstCrlFailure

Defined in: src/revocation/crl.ts:357

Failure detail for checkCertificateRevocationAgainstCrl.

Extends

Micro509Error

Properties

code

readonly code: CheckCertificateRevocationAgainstCrlErrorCode

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: CheckCertificateRevocationAgainstCrlFailureDetails

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/revocation/crl.ts:363

Always false for failures.


CheckCertificateRevocationAgainstCrlFailureDetails

Defined in: src/revocation/crl.ts:351

Structured details attached to a CheckCertificateRevocationAgainstCrlFailure.

Properties

reason?

readonly optional reason?: CrlApplicabilityFailureReason

Defined in: src/revocation/crl.ts:353

Why the CRL was non-applicable, when the error code is non_applicable.


CheckCertificateRevocationAgainstCrlGoodValue

Defined in: src/revocation/crl.ts:367

Success value when the certificate is not found in the CRL.

Properties

crl

readonly crl: ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:371

The validated CRL that was checked.

status

readonly status: "good"

Defined in: src/revocation/crl.ts:369

Certificate is not revoked.


CheckCertificateRevocationAgainstCrlInput

Defined in: src/revocation/crl.ts:304

Input for checkCertificateRevocationAgainstCrl.

Properties

at?

readonly optional at?: Date

Defined in: src/revocation/crl.ts:314

Evaluation time. Defaults to new Date().

certificate

readonly certificate: CrlCertificateSource

Defined in: src/revocation/crl.ts:306

Certificate whose revocation status to check.

clockSkewMs?

readonly optional clockSkewMs?: number

Defined in: src/revocation/crl.ts:316

Clock-skew tolerance in milliseconds for freshness checks.

crl

readonly crl: CrlSource

Defined in: src/revocation/crl.ts:310

Complete (base) CRL to check against.

deltaCrl?

readonly optional deltaCrl?: CrlSource

Defined in: src/revocation/crl.ts:312

Optional delta CRL for more recent revocation information.

issuerCertificate

readonly issuerCertificate: CrlCertificateSource

Defined in: src/revocation/crl.ts:308

Issuer of certificate — also expected signer of the CRL.


CheckCertificateRevocationAgainstCrlRevokedValue

Defined in: src/revocation/crl.ts:375

Success value when the certificate is found as revoked in the CRL.

Properties

crl

readonly crl: ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:379

The validated CRL that contained the revocation entry.

reasonCode?

readonly optional reasonCode?: RevocationReason

Defined in: src/revocation/crl.ts:383

CRLReason from the entry, if present.

revocationDate

readonly revocationDate: Date

Defined in: src/revocation/crl.ts:381

When the CA declared this certificate revoked.

status

readonly status: "revoked"

Defined in: src/revocation/crl.ts:377

Certificate is revoked.


CheckCertificateRevocationFailureDetails

Defined in: src/revocation/revocation.ts:131

Diagnostic details attached to an unknown revocation result.

Properties

checkedSources

readonly checkedSources: readonly RevocationEvidenceKind[]

Defined in: src/revocation/revocation.ts:133

Which evidence kinds were attempted ('crl', 'ocsp', or both).

indeterminateEvidence

readonly indeterminateEvidence: readonly RevocationIndeterminateEvidence[]

Defined in: src/revocation/revocation.ts:135

Per-evidence explanations of why no definitive answer was reached.


CheckCertificateRevocationInput

Defined in: src/revocation/revocation.ts:83

Input for checkCertificateRevocation.

Properties

at?

readonly optional at?: Date

Defined in: src/revocation/revocation.ts:91

Evaluation time. Defaults to new Date().

certificate

readonly certificate: RevocationCertificateSource

Defined in: src/revocation/revocation.ts:85

Certificate whose revocation status to determine.

clockSkewMs?

readonly optional clockSkewMs?: number

Defined in: src/revocation/revocation.ts:93

Clock-skew tolerance in milliseconds.

evidence?

readonly optional evidence?: readonly RevocationEvidenceInput[]

Defined in: src/revocation/revocation.ts:89

CRL and/or OCSP evidence to evaluate. If empty, checkCertificateRevocation returns an unknown result.

issuerCertificate

readonly issuerCertificate: RevocationCertificateSource

Defined in: src/revocation/revocation.ts:87

Issuer of certificate.


CheckChainRevocationInput

Defined in: src/revocation/chain.ts:69

Input for checkChainRevocation.

Properties

at?

readonly optional at?: Date

Defined in: src/revocation/chain.ts:79

Evaluation time. Defaults to new Date().

chain

readonly chain: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/revocation/chain.ts:71

Validated certificate chain (leaf first, root last).

crls?

readonly optional crls?: readonly CrlSource[]

Defined in: src/revocation/chain.ts:73

CRLs to evaluate.

extraCertificates?

readonly optional extraCertificates?: readonly CertificateSource[]

Defined in: src/revocation/chain.ts:77

Extra certs for indirect CRL issuers / delegated OCSP responders.

ocspResponses?

readonly optional ocspResponses?: readonly OcspResponseSource[]

Defined in: src/revocation/chain.ts:75

OCSP responses to evaluate.

policy?

readonly optional policy?: RevocationPolicy

Defined in: src/revocation/chain.ts:81

Revocation policy.


CheckChainRevocationValue

Defined in: src/revocation/chain.ts:196

Detailed revocation check results.

Returned as CheckChainRevocationResult.value from checkChainRevocation. Contains both the policy decision and detailed per-certificate findings for debugging.

Properties

certificates

readonly certificates: readonly CertificateRevocationStatus[]

Defined in: src/revocation/chain.ts:212

Per-certificate evaluation results. See CertificateRevocationStatus.

decision

readonly decision: "allow" | "deny"

Defined in: src/revocation/chain.ts:203

Final policy decision based on RevocationPolicy.

  • 'allow': chain passes revocation check
  • 'deny': chain fails (revoked certificate or hard-fail on indeterminate)

executionErrors?

readonly optional executionErrors?: readonly RevocationExecutionError[]

Defined in: src/revocation/chain.ts:214

Evidence that could not be processed. See RevocationExecutionError.

summary

readonly summary: object

Defined in: src/revocation/chain.ts:205

Quick-access summary of problematic certificates.

indeterminateCertificates

readonly indeterminateCertificates: readonly ParsedCertificate<Record<never, never>>[]

Certificates whose status could not be determined.

revokedCertificates

readonly revokedCertificates: readonly ParsedCertificate<Record<never, never>>[]

Certificates confirmed as revoked.


ConfiguredOcspResponder

Defined in: src/revocation/revocation.ts:32

A manually-configured OCSP responder endpoint.

Properties

responderCertificate?

readonly optional responderCertificate?: ConfiguredOcspResponderCertificate

Defined in: src/revocation/revocation.ts:36

Known responder certificate — skips embedded-certificate discovery.

uri

readonly uri: string

Defined in: src/revocation/revocation.ts:34

OCSP responder URI (typically http://...).


CreateCertificateRevocationListInput

Defined in: src/revocation/crl.ts:125

Input for createCertificateRevocationList.

Properties

baseCrlNumber?

readonly optional baseCrlNumber?: number

Defined in: src/revocation/crl.ts:141

If set, marks this CRL as a delta CRL referencing the given base CRL number.

crlNumber?

readonly optional crlNumber?: number

Defined in: src/revocation/crl.ts:139

Monotonically-increasing CRL sequence number (CRLNumber extension).

freshestCrlDistributionPoints?

readonly optional freshestCrlDistributionPoints?: readonly DistributionPoint[]

Defined in: src/revocation/crl.ts:145

Freshest CRL distribution points — tells relying parties where to find delta CRLs.

issuer

readonly issuer: NameInput

Defined in: src/revocation/crl.ts:127

Distinguished name of the CRL issuer (typically the signing CA).

issuerPublicKey?

readonly optional issuerPublicKey?: CryptoKey

Defined in: src/revocation/crl.ts:131

Issuer public key — used to embed an Authority Key Identifier extension.

issuingDistributionPoint?

readonly optional issuingDistributionPoint?: IssuingDistributionPoint

Defined in: src/revocation/crl.ts:143

Issuing distribution point extension — scopes this CRL to a subset of certificates.

nextUpdate?

readonly optional nextUpdate?: Date

Defined in: src/revocation/crl.ts:135

Planned next issuance. Omit for an open-ended CRL.

revokedCertificates?

readonly optional revokedCertificates?: readonly RevokedCertificateInput[]

Defined in: src/revocation/crl.ts:137

Certificates to list as revoked in this CRL.

signerPrivateKey

readonly signerPrivateKey: CryptoKey

Defined in: src/revocation/crl.ts:129

Private key used to sign the CRL. Algorithm is inferred from the key.

thisUpdate?

readonly optional thisUpdate?: Date

Defined in: src/revocation/crl.ts:133

Issuance timestamp. Defaults to new Date().


CreateOcspRequestInput

Defined in: src/revocation/ocsp.ts:87

Input for createOcspRequest.

Properties

hashAlgorithm?

readonly optional hashAlgorithm?: OcspHashAlgorithm

Defined in: src/revocation/ocsp.ts:91

Hash algorithm for CertID computation. Defaults to 'SHA-1'.

nonce?

readonly optional nonce?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:93

Random nonce for replay protection. Omit to skip the nonce extension.

requests

readonly requests: readonly CreateOcspRequestItemInput[]

Defined in: src/revocation/ocsp.ts:89

One or more certificates to query (batched into a single OCSP request).


CreateOcspRequestItemInput

Defined in: src/revocation/ocsp.ts:77

One certificate whose status to query in an OCSP request. Used as an element of CreateOcspRequestInput.requests.

Extended by

CreateOcspSingleResponseInput

Properties

certificate

readonly certificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:79

Certificate whose revocation status is being queried.

issuerCertificate

readonly issuerCertificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:81

Issuer of certificate — needed to compute the CertID hash.


CreateOcspResponseInput

Defined in: src/revocation/ocsp.ts:236

Input for createOcspResponse.

Properties

hashAlgorithm?

readonly optional hashAlgorithm?: OcspHashAlgorithm

Defined in: src/revocation/ocsp.ts:248

Hash algorithm for CertID computation. Defaults to 'SHA-1'.

includedCertificates?

readonly optional includedCertificates?: readonly OcspCertificateSource[]

Defined in: src/revocation/ocsp.ts:250

Extra certificates to embed in the response (e.g. the responder's issuer chain).

nonce?

readonly optional nonce?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:246

Nonce to echo back for replay protection.

producedAt?

readonly optional producedAt?: Date

Defined in: src/revocation/ocsp.ts:244

Timestamp for the producedAt field. Defaults to new Date().

responses

readonly responses: readonly CreateOcspSingleResponseInput[]

Defined in: src/revocation/ocsp.ts:242

Per-certificate status entries to include in the BasicOCSPResponse.

signerCertificate

readonly signerCertificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:240

Certificate of the OCSP responder — used to build the responder ID (by key hash).

signerPrivateKey

readonly signerPrivateKey: CryptoKey

Defined in: src/revocation/ocsp.ts:238

Private key used to sign the response. Algorithm is inferred from the key.


CreateOcspSingleResponseInput

Defined in: src/revocation/ocsp.ts:220

One certificate's status entry for CreateOcspResponseInput.responses. Extends CreateOcspRequestItemInput with status and timing fields.

Extends

CreateOcspRequestItemInput

Properties

certificate

readonly certificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:79

Certificate whose revocation status is being queried.

Inherited from

CreateOcspRequestItemInput.certificate

certStatus

readonly certStatus: OcspCertStatus

Defined in: src/revocation/ocsp.ts:222

Status to assert for this certificate.

issuerCertificate

readonly issuerCertificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:81

Issuer of certificate — needed to compute the CertID hash.

Inherited from

CreateOcspRequestItemInput.issuerCertificate

nextUpdate?

readonly optional nextUpdate?: Date

Defined in: src/revocation/ocsp.ts:226

End of the validity window. Omit for open-ended assertions.

revocationReasonCode?

readonly optional revocationReasonCode?: number

Defined in: src/revocation/ocsp.ts:230

CRLReason integer code (only meaningful when certStatus is 'revoked').

revokedAt?

readonly optional revokedAt?: Date

Defined in: src/revocation/ocsp.ts:228

Revocation time (required when certStatus is 'revoked'). Defaults to thisUpdate.

thisUpdate?

readonly optional thisUpdate?: Date

Defined in: src/revocation/ocsp.ts:224

Start of the validity window for this status assertion. Defaults to new Date().


OcspRequestMaterial

Defined in: src/revocation/ocsp.ts:99

Encoded OCSP request in multiple serialisation formats, returned by createOcspRequest.

Properties

base64

readonly base64: string

Defined in: src/revocation/ocsp.ts:105

Base64-encoded DER (no PEM armour).

der

readonly der: Uint8Array

Defined in: src/revocation/ocsp.ts:101

Raw DER bytes.

pem

readonly pem: string

Defined in: src/revocation/ocsp.ts:103

PEM-encoded request (-----BEGIN OCSP REQUEST-----).


OcspResponderCandidate

Defined in: src/revocation/revocation.ts:40

One candidate OCSP responder resolved by resolveOcspResponderCandidates.

Properties

responderCertificate?

readonly optional responderCertificate?: ConfiguredOcspResponderCertificate

Defined in: src/revocation/revocation.ts:46

Pre-known responder certificate, if available.

source

readonly source: OcspResponderSource

Defined in: src/revocation/revocation.ts:42

Whether this candidate came from configuration or the certificate's AIA extension.

uri

readonly uri: string

Defined in: src/revocation/revocation.ts:44

OCSP responder URI.


OcspResponseMaterial

Defined in: src/revocation/ocsp.ts:256

Encoded OCSP response in multiple serialisation formats, returned by createOcspResponse.

Properties

base64

readonly base64: string

Defined in: src/revocation/ocsp.ts:262

Base64-encoded DER (no PEM armour).

der

readonly der: Uint8Array

Defined in: src/revocation/ocsp.ts:258

Raw DER bytes.

pem

readonly pem: string

Defined in: src/revocation/ocsp.ts:260

PEM-encoded response (-----BEGIN OCSP RESPONSE-----).


ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:180

Decoded X.509 CRL, returned by parseCertificateRevocationListDer and parseCertificateRevocationListPem.

Properties

authorityKeyIdentifier?

readonly optional authorityKeyIdentifier?: string

Defined in: src/revocation/crl.ts:206

Hex-encoded Authority Key Identifier, if the extension is present.

baseCrlNumber?

readonly optional baseCrlNumber?: number

Defined in: src/revocation/crl.ts:210

Delta CRL indicator — present only on delta CRLs, referencing the base CRL number.

crlNumber?

readonly optional crlNumber?: number

Defined in: src/revocation/crl.ts:208

CRLNumber extension value — monotonically increasing sequence number.

der?

readonly optional der?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/crl.ts:182

Original DER bytes when this object came from parseCertificateRevocationListDer or PEM parsing.

freshestCrlDistributionPoints?

readonly optional freshestCrlDistributionPoints?: readonly ParsedDistributionPoint[]

Defined in: src/revocation/crl.ts:214

Freshest CRL extension — points to delta CRL locations.

issuer

readonly issuer: ParsedName

Defined in: src/revocation/crl.ts:190

CRL issuer distinguished name.

issuerPublicKeyAlgorithmOid?

readonly optional issuerPublicKeyAlgorithmOid?: string

Defined in: src/revocation/crl.ts:202

OID of the issuer's public key algorithm, when available.

issuerPublicKeyParametersOid?

readonly optional issuerPublicKeyParametersOid?: string

Defined in: src/revocation/crl.ts:204

OID of the issuer's public key parameters (e.g. named curve), when available.

issuingDistributionPoint?

readonly optional issuingDistributionPoint?: ParsedIssuingDistributionPoint

Defined in: src/revocation/crl.ts:212

Issuing distribution point extension — scopes this CRL to a certificate subset.

nextUpdate?

readonly optional nextUpdate?: Date

Defined in: src/revocation/crl.ts:194

End of the CRL validity window. Absent if the CA does not commit to a schedule.

revokedCertificates

readonly revokedCertificates: readonly ParsedRevokedCertificate[]

Defined in: src/revocation/crl.ts:216

All revoked certificate entries (empty array if none).

signatureAlgorithmName

readonly signatureAlgorithmName: string

Defined in: src/revocation/crl.ts:198

Human-readable signature algorithm name (e.g. "ECDSA with SHA-256").

signatureAlgorithmOid

readonly signatureAlgorithmOid: string

Defined in: src/revocation/crl.ts:196

OID of the algorithm used to sign this CRL.

signatureAlgorithmParametersDer?

readonly optional signatureAlgorithmParametersDer?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/crl.ts:200

DER-encoded signature algorithm parameters (e.g. DER NULL for RSA PKCS#1 v1.5).

signatureValue

readonly signatureValue: Uint8Array

Defined in: src/revocation/crl.ts:188

Raw signature bytes from the CRL outer wrapper.

tbsCertListDer

readonly tbsCertListDer: Uint8Array

Defined in: src/revocation/crl.ts:186

DER-encoded TBSCertList — the signed payload for signature verification.

thisUpdate

readonly thisUpdate: Date

Defined in: src/revocation/crl.ts:192

Start of the CRL validity window.

version

readonly version: number

Defined in: src/revocation/crl.ts:184

CRL version (1 = v1, 2 = v2 with extensions).


ParsedOcspCertId

Defined in: src/revocation/ocsp.ts:112

Decoded OCSP CertID — identifies a certificate by hashed issuer name, hashed issuer key, and serial number.

Properties

hashAlgorithmName

readonly hashAlgorithmName: string

Defined in: src/revocation/ocsp.ts:116

Human-readable hash algorithm name (e.g. "SHA-256").

hashAlgorithmOid

readonly hashAlgorithmOid: string

Defined in: src/revocation/ocsp.ts:114

OID of the hash algorithm used for the name and key hashes.

issuerKeyHashHex

readonly issuerKeyHashHex: string

Defined in: src/revocation/ocsp.ts:120

Hex-encoded hash of the issuer's SubjectPublicKey BIT STRING content.

issuerNameHashHex

readonly issuerNameHashHex: string

Defined in: src/revocation/ocsp.ts:118

Hex-encoded hash of the issuer's distinguished name DER.

serialNumberHex

readonly serialNumberHex: string

Defined in: src/revocation/ocsp.ts:122

Hex-encoded serial number of the certificate.


ParsedOcspRequest

Defined in: src/revocation/ocsp.ts:128

Decoded OCSP request, returned by parseOcspRequestDer / parseOcspRequestPem.

Properties

der?

readonly optional der?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:130

Original DER bytes when this object came from parseOcspRequestDer or PEM parsing.

nonce?

readonly optional nonce?: string

Defined in: src/revocation/ocsp.ts:134

Hex-encoded nonce extension value, if present.

requests

readonly requests: readonly ParsedOcspCertId[]

Defined in: src/revocation/ocsp.ts:132

CertIDs of the certificates being queried.


ParsedOcspResponse

Defined in: src/revocation/ocsp.ts:189

Decoded OCSP response, returned by parseOcspResponseDer / parseOcspResponsePem.

When responseStatus is not 'successful', most fields are absent.

Properties

certificates?

readonly optional certificates?: readonly ParsedCertificate<Record<never, never>>[]

Defined in: src/revocation/ocsp.ts:213

Certificates embedded in the response (typically the responder's chain).

der?

readonly optional der?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:191

Original DER bytes when this object came from parseOcspResponseDer or PEM parsing.

nonce?

readonly optional nonce?: string

Defined in: src/revocation/ocsp.ts:211

Hex-encoded nonce, if the response echoed one.

producedAt?

readonly optional producedAt?: Date

Defined in: src/revocation/ocsp.ts:207

Timestamp when the responder produced this response.

responderId?

readonly optional responderId?: ParsedOcspResponderId

Defined in: src/revocation/ocsp.ts:199

How the responder identifies itself.

responseDataDer?

readonly optional responseDataDer?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:197

DER-encoded ResponseData — the signed payload for signature verification.

responses?

readonly optional responses?: readonly ParsedOcspSingleResponse[]

Defined in: src/revocation/ocsp.ts:209

Per-certificate status entries.

responseStatus

readonly responseStatus: OcspResponseStatus

Defined in: src/revocation/ocsp.ts:193

Overall response status. Only 'successful' carries a BasicOCSPResponse body.

responseTypeOid?

readonly optional responseTypeOid?: string

Defined in: src/revocation/ocsp.ts:195

OID of the response type (normally id-pkix-ocsp-basic).

signatureAlgorithmName?

readonly optional signatureAlgorithmName?: string

Defined in: src/revocation/ocsp.ts:203

Human-readable signature algorithm name.

signatureAlgorithmOid?

readonly optional signatureAlgorithmOid?: string

Defined in: src/revocation/ocsp.ts:201

OID of the algorithm used to sign this response.

signatureValue?

readonly optional signatureValue?: Uint8Array<ArrayBufferLike>

Defined in: src/revocation/ocsp.ts:205

Raw signature bytes.


ParsedOcspSingleResponse

Defined in: src/revocation/ocsp.ts:151

Status of one certificate inside an OCSP BasicResponse.

Properties

certId

readonly certId: ParsedOcspCertId

Defined in: src/revocation/ocsp.ts:153

Which certificate this status applies to.

certStatus

readonly certStatus: OcspCertStatus

Defined in: src/revocation/ocsp.ts:155

Responder's verdict: good, revoked, or unknown.

nextUpdate?

readonly optional nextUpdate?: Date

Defined in: src/revocation/ocsp.ts:159

End of the validity window. Absent if the responder does not commit to a schedule.

revocationReasonCode?

readonly optional revocationReasonCode?: number

Defined in: src/revocation/ocsp.ts:163

CRLReason integer (only for certStatus === 'revoked').

revokedAt?

readonly optional revokedAt?: Date

Defined in: src/revocation/ocsp.ts:161

When the certificate was revoked (only for certStatus === 'revoked').

thisUpdate

readonly thisUpdate: Date

Defined in: src/revocation/ocsp.ts:157

Start of the validity window for this status assertion.


ParsedRevokedCertificate

Defined in: src/revocation/crl.ts:163

A single revoked-certificate entry decoded from a CRL.

Properties

certificateIssuer?

readonly optional certificateIssuer?: readonly SubjectAltName[]

Defined in: src/revocation/crl.ts:173

Indirect-CRL certificate issuer override (RFC 5280 §5.3.3).

invalidityDate?

readonly optional invalidityDate?: Date

Defined in: src/revocation/crl.ts:171

When the key or certificate actually became suspect, if present.

reasonCode?

readonly optional reasonCode?: RevocationReason

Defined in: src/revocation/crl.ts:169

RFC 5280 CRLReason, if the entry carries one.

revocationDate

readonly revocationDate: Date

Defined in: src/revocation/crl.ts:167

When the CA declared this certificate revoked.

serialNumberHex

readonly serialNumberHex: string

Defined in: src/revocation/crl.ts:165

Hex-encoded serial number of the revoked certificate.


ResolveOcspResponderCandidatesInput

Defined in: src/revocation/revocation.ts:50

Input for resolveOcspResponderCandidates.

Properties

certificate

readonly certificate: RevocationCertificateSource

Defined in: src/revocation/revocation.ts:52

Certificate whose AIA extension will be inspected for OCSP URIs.

configuredResponders?

readonly optional configuredResponders?: readonly ConfiguredOcspResponder[]

Defined in: src/revocation/revocation.ts:54

Manually-configured responders — checked before AIA-derived ones.


RevocationCheckGoodValue

Defined in: src/revocation/revocation.ts:151

Certificate is not revoked according to the checked evidence.

Properties

message

readonly message: string

Defined in: src/revocation/revocation.ts:157

Human-readable diagnostic message.

source

readonly source: RevocationEvidenceKind

Defined in: src/revocation/revocation.ts:155

Which evidence kind confirmed the good status.

status

readonly status: "good"

Defined in: src/revocation/revocation.ts:153

Certificate is not revoked.


RevocationCheckRevokedValue

Defined in: src/revocation/revocation.ts:161

Certificate is revoked according to the checked evidence.

Properties

message

readonly message: string

Defined in: src/revocation/revocation.ts:167

Human-readable diagnostic message.

revocationReason?

readonly optional revocationReason?: RevocationReason

Defined in: src/revocation/revocation.ts:171

CRL reason string (from CRL evidence).

revocationReasonCode?

readonly optional revocationReasonCode?: number

Defined in: src/revocation/revocation.ts:173

CRL reason integer code (from OCSP evidence).

revokedAt?

readonly optional revokedAt?: Date

Defined in: src/revocation/revocation.ts:169

When the certificate was revoked (from CRL entry or OCSP response).

source

readonly source: RevocationEvidenceKind

Defined in: src/revocation/revocation.ts:165

Which evidence kind reported the revocation.

status

readonly status: "revoked"

Defined in: src/revocation/revocation.ts:163

Certificate is revoked.


RevocationCheckUnknownValue

Defined in: src/revocation/revocation.ts:139

Revocation status could not be determined from the provided evidence.

Properties

code

readonly code: CheckCertificateRevocationErrorCode

Defined in: src/revocation/revocation.ts:143

Why revocation status is unknown.

details

readonly details: CheckCertificateRevocationFailureDetails

Defined in: src/revocation/revocation.ts:147

What evidence was attempted and why each failed.

message

readonly message: string

Defined in: src/revocation/revocation.ts:145

Human-readable diagnostic message.

status

readonly status: "unknown"

Defined in: src/revocation/revocation.ts:141

Status is indeterminate.


RevocationCrlEvidenceInput

Defined in: src/revocation/revocation.ts:58

CRL-based revocation evidence for CheckCertificateRevocationInput.evidence.

Properties

crl

readonly crl: CrlSource

Defined in: src/revocation/revocation.ts:62

Complete (base) CRL.

deltaCrl?

readonly optional deltaCrl?: CrlSource

Defined in: src/revocation/revocation.ts:64

Optional delta CRL for more recent revocation information.

kind

readonly kind: "crl"

Defined in: src/revocation/revocation.ts:60

Discriminator for the CRL evidence variant.


RevocationExecutionError

Defined in: src/revocation/chain.ts:180

Errors encountered while processing revocation evidence.

Distinct from RevocationIndeterminateReason: execution errors are code failures (malformed CRL, unsupported extension) rather than evaluation outcomes (CRL doesn't cover this certificate).

Collected in CheckChainRevocationValue.executionErrors.

Properties

evidenceIdentifier?

readonly optional evidenceIdentifier?: string

Defined in: src/revocation/chain.ts:186

Which evidence caused the error (e.g., CRL issuer DN).

kind

readonly kind: "parse_error" | "unsupported_extension" | "internal_error"

Defined in: src/revocation/chain.ts:182

Error category.

message

readonly message: string

Defined in: src/revocation/chain.ts:184

Human-readable error description.


RevocationIndeterminateEvidence

Defined in: src/revocation/revocation.ts:119

One piece of evidence that failed to produce a definitive revocation answer.

Properties

code

readonly code: RevocationIndeterminateReasonCode

Defined in: src/revocation/revocation.ts:123

Machine-readable reason code.

message

readonly message: string

Defined in: src/revocation/revocation.ts:125

Human-readable explanation.

reason?

readonly optional reason?: CrlApplicabilityFailureReason

Defined in: src/revocation/revocation.ts:127

CRL-specific applicability failure reason, when source is 'crl'.

source

readonly source: RevocationEvidenceKind

Defined in: src/revocation/revocation.ts:121

Whether this evidence was CRL or OCSP.


RevocationOcspEvidenceInput

Defined in: src/revocation/revocation.ts:68

OCSP-based revocation evidence for CheckCertificateRevocationInput.evidence.

Properties

kind

readonly kind: "ocsp"

Defined in: src/revocation/revocation.ts:70

Discriminator for the OCSP evidence variant.

request?

readonly optional request?: OcspRequestSource

Defined in: src/revocation/revocation.ts:74

Original OCSP request — enables nonce and coverage checks.

responderCertificate?

readonly optional responderCertificate?: OcspCertificateSource

Defined in: src/revocation/revocation.ts:76

Explicit responder certificate — overrides embedded certificate discovery.

response

readonly response: string | Uint8Array<ArrayBufferLike> | ParsedOcspResponse

Defined in: src/revocation/revocation.ts:72

OCSP response to validate.


RevocationPolicy

Defined in: src/revocation/chain.ts:50

Revocation checking policy for checkChainRevocation.

Controls how indeterminate results (missing evidence, expired CRLs) affect the final decision.

Properties

mode?

readonly optional mode?: "soft-fail" | "hard-fail"

Defined in: src/revocation/chain.ts:57

How to handle indeterminate status.

  • 'soft-fail': indeterminate certificates are allowed (default)
  • 'hard-fail': indeterminate certificates cause denial

prefer?

readonly optional prefer?: "ocsp" | "crl" | "best-available"

Defined in: src/revocation/chain.ts:65

Evidence preference when multiple sources are available.

  • 'best-available': use whichever evidence is freshest (default)
  • 'ocsp': prefer OCSP over CRL
  • 'crl': prefer CRL over OCSP
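The two policy knobs above in action, as an added example that is not micro509's own code: the types are minimal local stand-ins mirroring the shapes on this page, and the fallback used when the preferred evidence kind is absent is an assumption of the example.

```typescript
// Added example, not micro509's own code: applies the two RevocationPolicy
// knobs documented above. The interfaces below are minimal local stand-ins for
// the page's types; how `prefer` falls back when the preferred evidence kind is
// absent is an assumption of this example, not documented behaviour.

type Mode = "soft-fail" | "hard-fail";
type Prefer = "ocsp" | "crl" | "best-available";

interface RevocationPolicy {
  readonly mode?: Mode;
  readonly prefer?: Prefer;
}

// Stand-in for CertificateRevocationStatus; `subject` replaces ParsedCertificate.
interface CertStatus {
  readonly subject: string;
  readonly status: "good" | "revoked" | "indeterminate";
  readonly indeterminateReasons?: readonly string[];
}

// One already-validated piece of evidence for a certificate (constructed shape).
interface Evidence {
  readonly type: "crl" | "ocsp";
  readonly thisUpdate: Date;
}

// Pick the evidence that answers for one certificate. 'best-available' takes the
// freshest thisUpdate; 'ocsp' / 'crl' take that kind when present and otherwise
// fall back to whatever is available (assumed fallback).
function selectEvidence(candidates: readonly Evidence[], prefer: Prefer = "best-available"): Evidence | undefined {
  if (candidates.length === 0) return undefined;
  const freshest = (xs: readonly Evidence[]): Evidence =>
    xs.reduce((a, b) => (b.thisUpdate.getTime() > a.thisUpdate.getTime() ? b : a));
  if (prefer === "best-available") return freshest(candidates);
  const preferred = candidates.filter((e) => e.type === prefer);
  return freshest(preferred.length > 0 ? preferred : candidates);
}

// Apply RevocationPolicy.mode: a revoked certificate always denies; an
// indeterminate one denies only under 'hard-fail' (the default is 'soft-fail').
function decideChain(
  statuses: readonly CertStatus[],
  policy: RevocationPolicy = {},
): { allowed: boolean; revoked: string[]; indeterminate: string[] } {
  const mode = policy.mode ?? "soft-fail";
  const revoked = statuses.filter((s) => s.status === "revoked").map((s) => s.subject);
  const indeterminate = statuses.filter((s) => s.status === "indeterminate").map((s) => s.subject);
  const allowed = revoked.length === 0 && (mode === "soft-fail" || indeterminate.length === 0);
  return { allowed, revoked, indeterminate };
}

// Constructed sample: the leaf has no usable evidence, the intermediate is fine.
const sampleStatuses: readonly CertStatus[] = [
  { subject: "CN=leaf", status: "indeterminate", indeterminateReasons: ["no_applicable_crl", "ocsp_response_expired"] },
  { subject: "CN=intermediate", status: "good" },
];

// Constructed sample evidence: the OCSP response is a day fresher than the CRL.
const sampleEvidence: readonly Evidence[] = [
  { type: "crl", thisUpdate: new Date("2024-01-01T00:00:00Z") },
  { type: "ocsp", thisUpdate: new Date("2024-01-02T00:00:00Z") },
];

console.log(decideChain(sampleStatuses).allowed, decideChain(sampleStatuses, { mode: "hard-fail" }).allowed); // true false
```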

RevocationSource

Defined in: src/revocation/chain.ts:132

Identifies the source of revocation evidence.

Included in CertificateRevocationStatus.source when status is 'good' or 'revoked' to indicate which CRL or OCSP response provided the answer.

Properties

evidenceIdentifier?

readonly optional evidenceIdentifier?: string

Defined in: src/revocation/chain.ts:138

Identifier for debugging (e.g., CRL issuer DN or OCSP responder URL).

signerCertificate?

readonly optional signerCertificate?: ParsedCertificate<Record<never, never>>

Defined in: src/revocation/chain.ts:136

Certificate that signed the evidence (CRL issuer or OCSP responder).

type

readonly type: "ocsp" | "crl"

Defined in: src/revocation/chain.ts:134

Whether evidence came from a CRL or OCSP response.


RevokedCertificateInput

Defined in: src/revocation/crl.ts:94

Single revoked certificate entry for createCertificateRevocationList.

Properties

invalidityDate?

readonly optional invalidityDate?: Date

Defined in: src/revocation/crl.ts:102

When the key or certificate became suspect — may predate revocationDate.

reasonCode?

readonly optional reasonCode?: RevocationReason

Defined in: src/revocation/crl.ts:100

RFC 5280 CRLReason code. Omit for unspecified.

revocationDate?

readonly optional revocationDate?: Date

Defined in: src/revocation/crl.ts:98

When the certificate was revoked. Defaults to thisUpdate of the CRL.

serialNumber

readonly serialNumber: Uint8Array

Defined in: src/revocation/crl.ts:96

DER-encoded certificate serial number to revoke.


ValidateCertificateRevocationListFailure

Defined in: src/revocation/crl.ts:276

Failure detail for validateCertificateRevocationList.

Possible codes: signature_invalid, issuer_mismatch, stale_crl, crl_sign_not_permitted.

Extends

  • Micro509Error<"signature_invalid" | "issuer_mismatch" | "stale_crl" | "crl_sign_not_permitted">

Properties

code

readonly code: "signature_invalid" | "issuer_mismatch" | "stale_crl" | "crl_sign_not_permitted"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/revocation/crl.ts:281

Always false for failures.


ValidateCertificateRevocationListInput

Defined in: src/revocation/crl.ts:260

Input for validateCertificateRevocationList.

Properties

at?

readonly optional at?: Date

Defined in: src/revocation/crl.ts:266

Evaluation time for freshness checks. Defaults to new Date().

clockSkewMs?

readonly optional clockSkewMs?: number

Defined in: src/revocation/crl.ts:268

Tolerance in milliseconds for clock skew when checking thisUpdate/nextUpdate.

crl

readonly crl: CrlSource

Defined in: src/revocation/crl.ts:262

The CRL to validate.

issuerCertificate

readonly issuerCertificate: CrlCertificateSource

Defined in: src/revocation/crl.ts:264

Certificate of the CA that should have signed the CRL.


ValidateOcspResponseFailure

Defined in: src/revocation/ocsp.ts:312

Failure detail for validateOcspResponse.

Possible codes: response_status_invalid, signature_invalid, responder_id_mismatch, nonce_mismatch, request_mismatch, issuer_mismatch, responder_chain_invalid, ocsp_signing_missing, stale_response.

Extends

  • Micro509Error<"response_status_invalid" | "signature_invalid" | "responder_id_mismatch" | "nonce_mismatch" | "request_mismatch" | "issuer_mismatch" | "responder_chain_invalid" | "ocsp_signing_missing" | "stale_response">

Properties

code

readonly code: "signature_invalid" | "issuer_mismatch" | "response_status_invalid" | "responder_id_mismatch" | "nonce_mismatch" | "request_mismatch" | "responder_chain_invalid" | "ocsp_signing_missing" | "stale_response"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/revocation/ocsp.ts:325

Always false for failures.


ValidateOcspResponseInput

Defined in: src/revocation/ocsp.ts:287

Input for validateOcspResponse.

Properties

allowChainedResponderCertificate?

readonly optional allowChainedResponderCertificate?: boolean

Defined in: src/revocation/ocsp.ts:297

When true, allows delegated responder chain validation beyond direct issuance.

at?

readonly optional at?: Date

Defined in: src/revocation/ocsp.ts:299

Evaluation time for freshness checks. Defaults to new Date().

clockSkewMs?

readonly optional clockSkewMs?: number

Defined in: src/revocation/ocsp.ts:301

Clock-skew tolerance in milliseconds for thisUpdate/nextUpdate/producedAt.

issuerCertificate

readonly issuerCertificate: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:291

Certificate of the CA that issued the target certificate.

request?

readonly optional request?: OcspRequestSource

Defined in: src/revocation/ocsp.ts:293

Original request — enables nonce and request-coverage checks.

responderCertificate?

readonly optional responderCertificate?: OcspCertificateSource

Defined in: src/revocation/ocsp.ts:295

Explicit responder certificate — overrides embedded certificate discovery.

response

readonly response: string | Uint8Array<ArrayBufferLike> | ParsedOcspResponse

Defined in: src/revocation/ocsp.ts:289

The OCSP response to validate.


VerifyCertificateRevocationListFailure

Defined in: src/revocation/crl.ts:239

Failure detail when CRL signature verification fails.

Extends

Properties

code

readonly code: "signature_invalid"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/revocation/crl.ts:241

Always false for failures.


VerifyOcspResponseFailure

Defined in: src/revocation/ocsp.ts:266

Failure detail when OCSP response signature verification fails.

Extends

Properties

code

readonly code: "signature_invalid"

Defined in: src/result/result.ts:59

Machine-readable failure reason (e.g. 'malformed', 'expired').

Inherited from

Micro509Error.code

details?

readonly optional details?: Record<never, never>

Defined in: src/result/result.ts:63

Optional structured context for the failure.

Inherited from

Micro509Error.details

message

readonly message: string

Defined in: src/result/result.ts:61

Human-readable diagnostic message.

Inherited from

Micro509Error.message

ok

readonly ok: false

Defined in: src/revocation/ocsp.ts:268

Always false for failures.

Type Aliases

CertificateSource

CertificateSource = string | Uint8Array | ParsedCertificate

Defined in: src/revocation/chain.ts:34

Certificate in any supported format.

Accepts PEM string, DER bytes, or an already-parsed ParsedCertificate. Used for CheckChainRevocationInput.extraCertificates.


CheckCertificateRevocationAgainstCrlErrorCode

CheckCertificateRevocationAgainstCrlErrorCode = "signature_invalid" | "issuer_mismatch" | "stale_crl" | "crl_sign_not_permitted" | "non_applicable"

Defined in: src/revocation/crl.ts:320

Error codes that checkCertificateRevocationAgainstCrl may return.


CheckCertificateRevocationAgainstCrlResult

CheckCertificateRevocationAgainstCrlResult = { ok: true; value: CheckCertificateRevocationAgainstCrlValue; } | ErrorResult<CheckCertificateRevocationAgainstCrlErrorCode, CheckCertificateRevocationAgainstCrlFailureDetails, CheckCertificateRevocationAgainstCrlFailure>

Defined in: src/revocation/crl.ts:397

Result of checkCertificateRevocationAgainstCrl.

On success, value.status is 'good' or 'revoked'. On failure, the CRL could not be validated or was not applicable to the certificate.


CheckCertificateRevocationAgainstCrlValue

CheckCertificateRevocationAgainstCrlValue = CheckCertificateRevocationAgainstCrlGoodValue | CheckCertificateRevocationAgainstCrlRevokedValue

Defined in: src/revocation/crl.ts:387

Discriminated union of good and revoked outcomes.


CheckCertificateRevocationErrorCode

CheckCertificateRevocationErrorCode = "revocation_evidence_missing" | "revocation_status_unknown"

Defined in: src/revocation/revocation.ts:97

Error codes that checkCertificateRevocation may surface inside an unknown result.


CheckCertificateRevocationResult

CheckCertificateRevocationResult = Result<CheckCertificateRevocationValue, never>

Defined in: src/revocation/revocation.ts:186

Result of checkCertificateRevocation. Always succeeds (ok: true) — the value.status discriminator carries the actual outcome.


CheckCertificateRevocationValue

CheckCertificateRevocationValue = RevocationCheckGoodValue | RevocationCheckRevokedValue | RevocationCheckUnknownValue

Defined in: src/revocation/revocation.ts:177

Discriminated union of good, revoked, and unknown revocation outcomes.


CheckChainRevocationResult

CheckChainRevocationResult = object

Defined in: src/revocation/chain.ts:218

Result type for checkChainRevocation.

Properties

ok

readonly ok: true

Defined in: src/revocation/chain.ts:219

value

readonly value: CheckChainRevocationValue

Defined in: src/revocation/chain.ts:220


ConfiguredOcspResponderCertificate

ConfiguredOcspResponderCertificate = string | Uint8Array

Defined in: src/revocation/revocation.ts:29

PEM or DER bytes of a pre-configured OCSP responder certificate.


CrlApplicabilityFailureReason

CrlApplicabilityFailureReason = "certificate_scope_mismatch" | "delta_crl_incompatible" | "delta_crl_unsupported" | "distribution_point_mismatch" | "indirect_crl_unsupported" | "issuer_mismatch" | "reasons_mismatch"

Defined in: src/revocation/crl.ts:328

Structured reason why a CRL was deemed non-applicable to a given certificate.


CrlCertificateSource

CrlCertificateSource = string | Uint8Array | ParsedCertificate

Defined in: src/revocation/crl.ts:236

PEM string, DER bytes, or already-parsed certificate.


CrlSource

CrlSource = string | Uint8Array | ParsedCertificateRevocationList

Defined in: src/revocation/crl.ts:234

PEM string, DER bytes, or already-parsed CRL.


OcspCertificateSource

OcspCertificateSource = string | Uint8Array | ParsedCertificate

Defined in: src/revocation/ocsp.ts:69

PEM string, DER bytes, or already-parsed certificate.


OcspCertStatus

OcspCertStatus = "good" | "revoked" | "unknown"

Defined in: src/revocation/ocsp.ts:138

RFC 6960 certificate status reported by the responder for a single CertID.


OcspHashAlgorithm

OcspHashAlgorithm = "SHA-1" | "SHA-256"

Defined in: src/revocation/ocsp.ts:67

Hash algorithm used to compute OCSP CertID fields. SHA-1 is the RFC 6960 default.


OcspRequestSource

OcspRequestSource = string | Uint8Array | ParsedOcspRequest

Defined in: src/revocation/ocsp.ts:71

PEM string, DER bytes, or already-parsed OCSP request.


OcspResponderSource

OcspResponderSource = "configured" | "authorityInfoAccess"

Defined in: src/revocation/revocation.ts:27

Where the OCSP responder URI came from.


OcspResponseSource

OcspResponseSource = string | Uint8Array

Defined in: src/revocation/chain.ts:42

OCSP response in any supported format.

Accepts PEM string or DER bytes. Reserved for future OCSP support in CheckChainRevocationInput.ocspResponses.


OcspResponseStatus

OcspResponseStatus = "successful" | "malformedRequest" | "internalError" | "tryLater" | "sigRequired" | "unauthorized"

Defined in: src/revocation/ocsp.ts:140

RFC 6960 overall response status — anything other than 'successful' means the response body is absent or unusable.


ParsedOcspResponderId

ParsedOcspResponderId = { name: ParsedName; type: "byName"; } | { keyHashHex: string; type: "byKeyHash"; }

Defined in: src/revocation/ocsp.ts:170

How the OCSP responder identifies itself — either by distinguished name or by SHA-1 hash of its public key.

Union Members

Type Literal

{ name: ParsedName; type: "byName"; }

name

readonly name: ParsedName

Parsed distinguished name of the responder.

type

readonly type: "byName"

Responder identified by its certificate subject name.


Type Literal

{ keyHashHex: string; type: "byKeyHash"; }

keyHashHex

readonly keyHashHex: string

Hex-encoded SHA-1 hash of the responder's SubjectPublicKey content.

type

readonly type: "byKeyHash"

Responder identified by public-key hash.


RevocationCertificateSource

RevocationCertificateSource = string | Uint8Array | ParsedCertificate

Defined in: src/revocation/revocation.ts:25

PEM string, DER bytes, or already-parsed certificate.


RevocationEvidenceInput

RevocationEvidenceInput = RevocationCrlEvidenceInput | RevocationOcspEvidenceInput

Defined in: src/revocation/revocation.ts:80

Discriminated union of CRL and OCSP evidence inputs.


RevocationEvidenceKind

RevocationEvidenceKind = "crl" | "ocsp"

Defined in: src/revocation/revocation.ts:23

Which revocation mechanism produced the evidence.


RevocationIndeterminateReason

RevocationIndeterminateReason = "no_applicable_crl" | "no_applicable_ocsp" | "distribution_point_mismatch" | "issuer_name_mismatch" | "reason_scope_mismatch" | "indirect_crl_scope_mismatch" | "reason_coverage_incomplete" | "crl_signer_not_found" | "crl_signer_not_authorized" | "crl_signer_revoked" | "crl_signer_indeterminate" | "ocsp_responder_not_found" | "ocsp_responder_not_authorized" | "ocsp_responder_revoked" | "ocsp_responder_indeterminate" | "crl_expired" | "ocsp_response_expired" | "ocsp_status_unknown"

Defined in: src/revocation/chain.ts:101

Granular reasons why revocation status could not be determined.

Returned in CertificateRevocationStatus.indeterminateReasons when status is 'indeterminate'. Grouped by category:

  • Evidence not found: no_applicable_crl, no_applicable_ocsp
  • Scope mismatch: distribution_point_mismatch, issuer_name_mismatch, reason_scope_mismatch, indirect_crl_scope_mismatch, reason_coverage_incomplete
  • Signer trust: crl_signer_not_found, crl_signer_not_authorized, crl_signer_revoked, crl_signer_indeterminate, and OCSP equivalents
  • Freshness: crl_expired, ocsp_response_expired

RevocationIndeterminateReasonCode

RevocationIndeterminateReasonCode = "certificate_status_missing" | "certificate_status_unknown" | "crl_sign_not_permitted" | "issuer_mismatch" | "non_applicable" | "nonce_mismatch" | "ocsp_signing_missing" | "request_mismatch" | "responder_id_mismatch" | "responder_chain_invalid" | "response_status_invalid" | "signature_invalid" | "stale_crl" | "stale_response"

Defined in: src/revocation/revocation.ts:102

Why a particular piece of evidence could not produce a definitive good/revoked answer.


RevocationReason

RevocationReason = "unspecified" | "keyCompromise" | "cACompromise" | "affiliationChanged" | "superseded" | "cessationOfOperation" | "certificateHold" | "removeFromCRL" | "privilegeWithdrawn" | "aACompromise"

Defined in: src/revocation/crl.ts:110

RFC 5280 §5.3.1 CRLReason code values.

removeFromCRL is used in delta CRLs to un-hold a certificate.


RevocationStatus

RevocationStatus = "good" | "revoked" | "unknown"

Defined in: src/revocation/revocation.ts:20

Unified revocation outcome across CRL and OCSP evidence.


ValidateCertificateRevocationListResult

ValidateCertificateRevocationListResult = { ok: true; value: ParsedCertificateRevocationList; } | ErrorResult<"signature_invalid" | "issuer_mismatch" | "stale_crl" | "crl_sign_not_permitted", Record<never, never>, ValidateCertificateRevocationListFailure>

Defined in: src/revocation/crl.ts:289

Result of validateCertificateRevocationList.

On success, the CRL has passed signature, issuer, key-usage, and freshness checks.

Union Members

Type Literal

{ ok: true; value: ParsedCertificateRevocationList; }

ok

readonly ok: true

value

readonly value: ParsedCertificateRevocationList

Validated and parsed CRL.


ErrorResult<"signature_invalid" | "issuer_mismatch" | "stale_crl" | "crl_sign_not_permitted", Record<never, never>, ValidateCertificateRevocationListFailure>


ValidateOcspResponseResult

ValidateOcspResponseResult = { ok: true; value: ParsedOcspResponse; } | ErrorResult<"response_status_invalid" | "signature_invalid" | "responder_id_mismatch" | "nonce_mismatch" | "request_mismatch" | "issuer_mismatch" | "responder_chain_invalid" | "ocsp_signing_missing" | "stale_response", Record<never, never>, ValidateOcspResponseFailure>

Defined in: src/revocation/ocsp.ts:334

Result of validateOcspResponse.

On success, the response has passed status, signature, responder binding, freshness, nonce, and request-coverage checks.

Union Members

Type Literal

{ ok: true; value: ParsedOcspResponse; }

ok

readonly ok: true

value

readonly value: ParsedOcspResponse

Fully validated OCSP response.


ErrorResult<"response_status_invalid" | "signature_invalid" | "responder_id_mismatch" | "nonce_mismatch" | "request_mismatch" | "issuer_mismatch" | "responder_chain_invalid" | "ocsp_signing_missing" | "stale_response", Record<never, never>, ValidateOcspResponseFailure>


VerifyCertificateRevocationListResult

VerifyCertificateRevocationListResult = { ok: true; value: ParsedCertificateRevocationList; } | ErrorResult<"signature_invalid", Record<never, never>, VerifyCertificateRevocationListFailure>

Defined in: src/revocation/crl.ts:249

Result of verifyCertificateRevocationList.

On success, value is the parsed CRL whose signature has been verified.

Union Members

Type Literal

{ ok: true; value: ParsedCertificateRevocationList; }

ok

readonly ok: true

value

readonly value: ParsedCertificateRevocationList

Parsed CRL with a verified signature.


ErrorResult<"signature_invalid", Record<never, never>, VerifyCertificateRevocationListFailure>


VerifyOcspResponseResult

VerifyOcspResponseResult = { ok: true; value: ParsedOcspResponse; } | ErrorResult<"signature_invalid", Record<never, never>, VerifyOcspResponseFailure>

Defined in: src/revocation/ocsp.ts:276

Result of verifyOcspResponse.

On success, value is the parsed response whose signature has been verified.

Union Members

Type Literal

{ ok: true; value: ParsedOcspResponse; }

ok

readonly ok: true

value

readonly value: ParsedOcspResponse

Parsed response with a verified signature.


ErrorResult<"signature_invalid", Record<never, never>, VerifyOcspResponseFailure>

Released under the MIT License.