OCSP-based Swarmauri certificate verification service for RFC 6960 revocation checks, responder lookup, and X.509 metadata parsing.
Project description
Swarmauri OCSP Verify Service
swarmauri_certs_ocspverify provides OcspVerifyService, a Swarmauri certificate service for Online Certificate Status Protocol checks. It reads OCSP responder URLs from the certificate Authority Information Access extension, builds DER OCSP requests with the issuer certificate, posts them with httpx, and reports whether the responder returned a GOOD certificate status.
Why Swarmauri OCSP Verify Service?
Use this package when Swarmauri applications need live revocation checks for PEM X.509 certificates. It keeps OCSP request construction, responder lookup, HTTP submission, status parsing, and basic certificate metadata extraction behind the common Swarmauri certificate-service interface.
FAQ
Q: Does this package issue or sign certificates?
A: No. create_csr(), create_self_signed(), and sign_cert() intentionally raise NotImplementedError; this service is verification-only.
Q: What input does OCSP verification require?
A: verify_cert() requires the leaf certificate as PEM bytes and the issuer certificate as the first item in intermediates. The issuer certificate is required to build the OCSP request.
Q: What happens when a certificate has no OCSP URL?
A: The service returns valid=False, reason="no_ocsp_url", and ocsp_checked=False.
Q: Which standards does this package target?
A: The implementation documents RFC 6960 for OCSP behavior and RFC 5280 for X.509 certificate and Authority Information Access metadata.
Features
- OcspVerifyService class registered under the swarmauri.certs entry point.
- OCSP responder URL extraction from the Authority Information Access extension.
- DER OCSP request construction with cryptography.x509.ocsp.OCSPRequestBuilder.
- Async HTTP OCSP responder calls through httpx.AsyncClient.
- GOOD-status mapping to valid=True.
- this_update and next_update timestamp reporting from OCSP responses.
- Certificate metadata parsing for subject, issuer, not-before, not-after, and OCSP URLs.
- Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- PEM-encoded leaf certificate to inspect and validate.
- PEM-encoded issuer certificate supplied through intermediates.
- Network access to the OCSP responder URL embedded in the leaf certificate.
- Application-level retry, timeout, and cache policy for production revocation checks.
Installation
Install with uv:
uv add swarmauri_certs_ocspverify
Install with pip:
pip install swarmauri_certs_ocspverify
Usage
Perform an OCSP status check for a leaf certificate using its issuer certificate:
```python
import asyncio
from pathlib import Path

from swarmauri_certs_ocspverify import OcspVerifyService


async def main() -> None:
    service = OcspVerifyService()
    # The issuer certificate must be the first item in intermediates;
    # it is needed to build the OCSP request.
    verification = await service.verify_cert(
        cert=Path("leaf.pem").read_bytes(),
        intermediates=[Path("issuer.pem").read_bytes()],
        check_revocation=True,
    )
    if verification["valid"]:
        print("Certificate status: GOOD")
    else:
        print("Certificate status:", verification["reason"])
    print("Next update:", verification.get("next_update"))


asyncio.run(main())
```
Inspect certificate metadata and embedded OCSP responder URLs:
```python
import asyncio
from pathlib import Path

from swarmauri_certs_ocspverify import OcspVerifyService


async def main() -> None:
    service = OcspVerifyService()
    # parse_cert() takes the PEM bytes of the certificate to inspect.
    metadata = await service.parse_cert(Path("leaf.pem").read_bytes())
    print("Subject:", metadata["subject"])
    print("Issuer:", metadata["issuer"])
    print("OCSP URLs:", metadata.get("ocsp_urls", []))


asyncio.run(main())
```
Related Packages
Certificate service packages:
- swarmauri_certs_crlverifyservice
- swarmauri_certs_x509
- swarmauri_certs_local_ca
- swarmauri_certs_self_signed
- swarmauri_certs_acme
- swarmauri_certs_cfssl
Foundational packages:
- swarmauri_core defines certificate-service interfaces.
- swarmauri_base provides CertServiceBase.
- swarmauri_standard provides standard Swarmauri components for certificate-adjacent workflows.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Cache issuer certificates alongside leaf certificates so OCSP requests can be constructed quickly.
- Respect OCSP responder rate limits and cache GOOD responses until next_update when policy allows.
- Combine OCSP checks with CRL fallback for authorities that support multiple revocation mechanisms.
- Log reason, ocsp_checked, this_update, and next_update fields for incident response and compliance reporting.
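The caching practice above (reuse a GOOD result until next_update, never reuse a failure), as an added example that is not part of the swarmauri_certs_ocspverify package. CachedRevocationChecker, stub_verify and the byte strings are hypothetical; the stub stands in for OcspVerifyService.verify_cert so the block runs offline, and the code assumes next_update is a timezone-aware datetime, which the page does not specify.

```python
import asyncio
import hashlib
from datetime import datetime, timedelta, timezone

class CachedRevocationChecker:
    """Reuse a GOOD OCSP result until its next_update; never cache failures."""
    def __init__(self, verify, now):
        self._verify = verify   # async callable taking verify_cert()'s keyword arguments
        self._now = now         # injectable clock returning an aware datetime
        self._cache = {}        # sha256(leaf + issuer) -> result dict
        self.responder_calls = 0

    async def check(self, cert: bytes, issuer: bytes) -> dict:
        key = hashlib.sha256(cert + b"\x00" + issuer).hexdigest()
        hit = self._cache.get(key)
        if hit is not None and self._now() < hit["next_update"]:
            return {**hit, "cached": True}
        self._cache.pop(key, None)  # expired or absent: ask the responder again
        self.responder_calls += 1
        result = await self._verify(cert=cert, intermediates=[issuer], check_revocation=True)
        expiry = result.get("next_update")
        # Assumption: next_update is a timezone-aware datetime; anything else is not cached.
        if (result.get("valid") and result.get("ocsp_checked")
                and isinstance(expiry, datetime) and expiry > self._now()):
            self._cache[key] = dict(result)
        return {**result, "cached": False}

def demo():
    """Run the checker against a constructed stub instead of a live responder."""
    clock = {"now": datetime(2030, 1, 1, tzinfo=timezone.utc)}  # constructed time
    async def stub_verify(cert, intermediates, check_revocation):
        if cert == b"LEAF-WITHOUT-AIA":  # constructed input, mirrors the FAQ's result
            return {"valid": False, "reason": "no_ocsp_url", "ocsp_checked": False}
        return {"valid": True, "ocsp_checked": True, "this_update": clock["now"],
                "next_update": clock["now"] + timedelta(hours=4)}

    async def scenario():
        checker = CachedRevocationChecker(stub_verify, now=lambda: clock["now"])
        seen = [await checker.check(b"LEAF-A", b"ISSUER")]      # responder call 1
        seen.append(await checker.check(b"LEAF-A", b"ISSUER"))  # served from cache
        clock["now"] += timedelta(hours=5)                      # now past next_update
        seen.append(await checker.check(b"LEAF-A", b"ISSUER"))  # responder call 2
        seen.append(await checker.check(b"LEAF-WITHOUT-AIA", b"ISSUER"))  # call 3
        seen.append(await checker.check(b"LEAF-WITHOUT-AIA", b"ISSUER"))  # call 4
        return [(r["valid"], r["cached"]) for r in seen], checker.responder_calls
    return asyncio.run(scenario())

if __name__ == "__main__":
    print(demo())
```

In an application, pass service.verify_cert as verify and lambda: datetime.now(timezone.utc) as now.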
License
Apache-2.0
File details
Details for the file swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_certs_ocspverify-0.11.0.dev1.tar.gz
- Upload date:
- Size: 9.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 40c0bcd76fed62d03ea20cc9d480375d03e2d2b70aff31d4bd2d05654b3299df |
| MD5 | bc046bb3996fe0a54b6c12e9b4b00225 |
| BLAKE2b-256 | f19f0341d47ac52d85055278a2dcef66070a1370b687cb6c0d912ff365b94e26 |
File details
Details for the file swarmauri_certs_ocspverify-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_certs_ocspverify-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 10.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b060d67b740249c805693def94560e52f4b75eb9339fed3d92a4a43766acdaac |
| MD5 | c82e6b101eebeb8c9ecd217ef3d2e9f8 |
| BLAKE2b-256 | d2c9ea26abec7eed7a787f40c9804c890ca89ee6bb7efd6648207e9c847b7ae0 |