OCSP-based Swarmauri certificate verification service for RFC 6960 revocation checks, responder lookup, and X.509 metadata parsing.

Swarmauri OCSP Verify Service

swarmauri_certs_ocspverify provides OcspVerifyService, a Swarmauri certificate service for Online Certificate Status Protocol checks. It reads OCSP responder URLs from the certificate Authority Information Access extension, builds DER OCSP requests with the issuer certificate, posts them with httpx, and reports whether the responder returned a GOOD certificate status.

Why Swarmauri OCSP Verify Service?

Use this package when Swarmauri applications need live revocation checks for PEM X.509 certificates. It keeps OCSP request construction, responder lookup, HTTP submission, status parsing, and basic certificate metadata extraction behind the common Swarmauri certificate-service interface.

FAQ

Q: Does this package issue or sign certificates?

A: No. create_csr(), create_self_signed(), and sign_cert() intentionally raise NotImplementedError; this service is verification-only.

Q: What input does OCSP verification require?

A: verify_cert() requires the leaf certificate as PEM bytes and the issuer certificate as the first item in intermediates. The issuer certificate is required to build the OCSP request.

Q: What happens when a certificate has no OCSP URL?

A: The service returns valid=False, reason="no_ocsp_url", and ocsp_checked=False.

Q: Which standards does this package target?

A: The implementation documents RFC 6960 for OCSP behavior and RFC 5280 for X.509 certificate and Authority Information Access metadata.

Features

  • OcspVerifyService class registered under the swarmauri.certs entry point.
  • OCSP responder URL extraction from the Authority Information Access extension.
  • DER OCSP request construction with cryptography.x509.ocsp.OCSPRequestBuilder.
  • Async HTTP OCSP responder calls through httpx.AsyncClient.
  • GOOD-status mapping to valid=True.
  • this_update and next_update timestamp reporting from OCSP responses.
  • Certificate metadata parsing for subject, issuer, not-before, not-after, and OCSP URLs.
  • Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.

Prerequisites

  • PEM-encoded leaf certificate to inspect and validate.
  • PEM-encoded issuer certificate supplied through intermediates.
  • Network access to the OCSP responder URL embedded in the leaf certificate.
  • Application-level retry, timeout, and cache policy for production revocation checks.

Installation

Install with uv:

uv add swarmauri_certs_ocspverify

Install with pip:

pip install swarmauri_certs_ocspverify

Usage

Perform an OCSP status check for a leaf certificate using its issuer certificate:

import asyncio
from pathlib import Path

from swarmauri_certs_ocspverify import OcspVerifyService


async def main() -> None:
    service = OcspVerifyService()
    verification = await service.verify_cert(
        cert=Path("leaf.pem").read_bytes(),
        intermediates=[Path("issuer.pem").read_bytes()],
        check_revocation=True,
    )

    if verification["valid"]:
        print("Certificate status: GOOD")
    else:
        print("Certificate status:", verification["reason"])
    print("Next update:", verification.get("next_update"))


asyncio.run(main())

Inspect certificate metadata and embedded OCSP responder URLs:

import asyncio
from pathlib import Path

from swarmauri_certs_ocspverify import OcspVerifyService


async def main() -> None:
    service = OcspVerifyService()
    metadata = await service.parse_cert(Path("leaf.pem").read_bytes())

    print("Subject:", metadata["subject"])
    print("Issuer:", metadata["issuer"])
    print("OCSP URLs:", metadata.get("ocsp_urls", []))


asyncio.run(main())
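
The flow the service wraps (AIA lookup, DER request, status mapping), run offline with the cryptography package as an added example that is not this package's code. The in-process responder, the constructed test certificates, and every reason string except no_ocsp_url are assumptions; the signature, serial-number and next_update checks belong to this example and are not documented behaviour of OcspVerifyService.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, NameOID

NOW = datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)
DAY, H, DER = timedelta(days=1), hashes.SHA256(), serialization.Encoding.DER

def make_cert(cn, key, issuer_cn, issuer_key, url=None):
    """Constructed test certificate; `url` adds an AIA OCSP entry."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY))
    if url:
        loc = x509.AccessDescription(AIA.OCSP, x509.UniformResourceIdentifier(url))
        b = b.add_extension(x509.AuthorityInformationAccess([loc]), critical=False)
    return b.sign(issuer_key, H)

def ocsp_urls(cert):
    """OCSP responder URLs from the Authority Information Access extension."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia.value if d.access_method == AIA.OCSP]

def responder(der_req, leaf, ca, ca_key, status, produced):
    """Stand-in for the HTTP POST: a local responder that signs with the CA key."""
    ocsp.load_der_ocsp_request(der_req)  # a real responder parses the DER request
    rev = NOW if status == ocsp.OCSPCertStatus.REVOKED else None
    b = ocsp.OCSPResponseBuilder().add_response(
        leaf, ca, H, status, produced, produced + DAY, rev, None)
    return b.responder_id(ocsp.OCSPResponderEncoding.HASH, ca).sign(ca_key, H).public_bytes(DER)

def check(leaf, ca, ca_key, status=ocsp.OCSPCertStatus.GOOD, produced=NOW):
    if not ocsp_urls(leaf):
        return {"valid": False, "reason": "no_ocsp_url", "ocsp_checked": False}
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, ca, H).build()
    resp = ocsp.load_der_ocsp_response(
        responder(req.public_bytes(DER), leaf, ca, ca_key, status, produced))
    ca.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(H))  # raises if forged
    nxt = getattr(resp, "next_update_utc", None)  # attribute added in cryptography 43
    nxt = nxt.replace(tzinfo=None) if nxt else resp.next_update
    # Reason strings other than "no_ocsp_url" are hypothetical, not the package's.
    reason = ("serial_mismatch" if resp.serial_number != leaf.serial_number
              else "stale_response" if nxt < NOW else resp.certificate_status.name.lower())
    return {"valid": reason == "good", "reason": reason, "ocsp_checked": True}
```

A response whose next_update has passed is reported as stale_response even though its status is GOOD, which is the case a cache keyed on next_update has to handle.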

Best Practices

  • Cache issuer certificates alongside leaf certificates so OCSP requests can be constructed quickly.
  • Respect OCSP responder rate limits and cache GOOD responses until next_update when policy allows.
  • Combine OCSP checks with CRL fallback for authorities that support multiple revocation mechanisms.
  • Log reason, ocsp_checked, this_update, and next_update fields for incident response and compliance reporting.

License

Apache-2.0

Download files

Source Distribution

swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz (9.1 kB view details)

File details

Details for the file swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 9.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26

File hashes

Hashes for swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 40c0bcd76fed62d03ea20cc9d480375d03e2d2b70aff31d4bd2d05654b3299df
MD5 bc046bb3996fe0a54b6c12e9b4b00225
BLAKE2b-256 f19f0341d47ac52d85055278a2dcef66070a1370b687cb6c0d912ff365b94e26

File details

Details for the file swarmauri_certs_ocspverify-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_certs_ocspverify-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26

File hashes

Hashes for swarmauri_certs_ocspverify-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 b060d67b740249c805693def94560e52f4b75eb9339fed3d92a4a43766acdaac
MD5 c82e6b101eebeb8c9ecd217ef3d2e9f8
BLAKE2b-256 d2c9ea26abec7eed7a787f40c9804c890ca89ee6bb7efd6648207e9c847b7ae0
