is_revoked

```python
is_revoked(cert: Certificate, chain: Chain, crl_cache_seconds: int = 3600, ocsp_res_cache_seconds: int = 3600, revoke_mode: RevokeMode = RevokeMode.OCSP_FALLBACK_CRL) -> bool
```

Checks if a certificate is revoked using its OCSP extension and/or CRL extension.

By default, OCSP is checked first with a fallback to CRL. If you only want to check OCSP or only CRL, set `revoke_mode` to either `RevokeMode.OCSP_ONLY` or `RevokeMode.CRL_ONLY`.

Parameters:
  • cert (Certificate) – The Certificate to check revocation for.
  • chain (Chain) – The CA chain including one or more certificates: the issuer of the cert, the signer of the OCSP response and the CRL issuer. See [Loading Chain][chain] for examples of how the chain can be created.
  • crl_cache_seconds (int, default: 3600) – [CRL only] Specifies how long the CRL should be cached (default 1 hour).
  • ocsp_res_cache_seconds (int, default: 3600) – [OCSP only] Specifies how long the OCSP response should be cached (default 1 hour).
  • revoke_mode (RevokeMode, default: RevokeMode.OCSP_FALLBACK_CRL) – A RevokeMode specifying how to check for revocation (default is OCSP with CRL fallback).

Returns:
  • bool – True if the certificate is revoked, False otherwise.

Raises:
  • SignatureVerificationFailed – When the Chain contains more than one certificate and trust cannot be established, either because a certificate has expired or because a signature in the chain is invalid.
  • RevokeCheckFailed – When both the OCSP and CRL checks fail.

Examples

```python
from pki_tools import Certificate, Chain, is_revoked

chain = Chain.from_uri(
    [
        "https://letsencrypt.org/certs/isrgrootx1.pem",
        "https://letsencrypt.org/certs/2024/r11.pem",
        "https://letsencrypt.org/certs/2024/r10.pem",
    ]
)

valid_cert = Certificate.from_server(
    "https://valid-isrgrootx1.letsencrypt.org"
)
revoked_cert = Certificate.from_server(
    "https://revoked-isrgrootx1.letsencrypt.org"
)

if not is_revoked(valid_cert, chain):
    print("Valid cert not revoked")

if is_revoked(revoked_cert, chain):
    print("Cert revoked")
```

Print output

```
Valid cert not revoked
Cert revoked
```

Only OCSP

```python
from pki_tools import Certificate, Chain, is_revoked, RevokeMode

cert = Certificate.from_server("https://revoked-isrgrootx1.letsencrypt.org")

chain = Chain.from_uri(
    [
        "https://letsencrypt.org/certs/isrgrootx1.pem",
        "https://letsencrypt.org/certs/2024/r10.pem",
        "https://letsencrypt.org/certs/2024/r11.pem",
    ]
)

if is_revoked(cert, chain, revoke_mode=RevokeMode.OCSP_ONLY):
    print("Cert revoked")
```

Print output

```
Cert revoked
```

Only CRL

```python
from pki_tools import Certificate, Chain, is_revoked, RevokeMode

cert = Certificate.from_uri(
    "https://letsencrypt.org/certs/lets-encrypt-r3.pem"
)

chain = Chain.from_uri(
    [
        "https://letsencrypt.org/certs/isrgrootx1.pem",
    ]
)

if not is_revoked(cert, chain, revoke_mode=RevokeMode.CRL_ONLY):
    print("Cert not revoked")
```

Print output

```
Cert not revoked
```

For different ways of loading certificate and chain see: [Loading objects][loading-objects].

is_revoked_multiple_issuers

```python
is_revoked_multiple_issuers(cert: Certificate, cert_issuer: Chain, ocsp_issuer: Chain, crl_issuer: Chain, crl_cache_seconds: int = 3600, ocsp_res_cache_seconds: int = 3600, revoke_mode: RevokeMode = RevokeMode.OCSP_FALLBACK_CRL) -> bool
```

Checks if a certificate is revoked, first using the OCSP extension and then the CRL extension. Use this variant when the certificate issuer, the OCSP response signer and the CRL issuer are different CA chains.

Note that OCSP has precedence over CRL: if the OCSP check succeeds, this function returns its result without checking the CRL.

Otherwise, if the OCSP check fails, the CRL is tried next.

Parameters:
  • cert (Certificate) – The Certificate to check revocation for.
  • cert_issuer (Chain) – The CA chain including one or more certificates and the issuer of the cert. See [Loading Chain][chain] for examples of how the chain can be created.
  • ocsp_issuer (Chain) – The CA chain including one or more certificates used for signing the OCSP response.
  • crl_issuer (Chain) – The CA chain including one or more certificates used for signing the CRL.
  • crl_cache_seconds (int, default: 3600) – [CRL only] Specifies how long the CRL should be cached (default 1 hour).
  • ocsp_res_cache_seconds (int, default: 3600) – [OCSP only] Specifies how long the OCSP response should be cached (default 1 hour).
  • revoke_mode (RevokeMode, default: RevokeMode.OCSP_FALLBACK_CRL) – A RevokeMode specifying how to check for revocation (default is OCSP with CRL fallback).

Returns:
  • bool – True if the certificate is revoked, False otherwise.

Raises:
  • SignatureVerificationFailed – When a Chain contains more than one certificate and trust cannot be established, either because a certificate has expired or because a signature in the chain is invalid.
  • RevokeCheckFailed – When both the OCSP and CRL checks fail.
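The `revoke_mode` semantics documented for both `is_revoked` and `is_revoked_multiple_issuers` (OCSP first, CRL only as a fallback when OCSP fails, `RevokeCheckFailed` when no enabled check succeeds, and per-source caching), as an added example that is not pki_tools code: `RevokeMode` and `RevokeCheckFailed` here are same-named stand-ins, the OCSP and CRL checks are injected callables, and the certificate is identified by a constructed string so the logic runs offline.

```python
# Added example, not pki_tools code: a model of the documented revoke_mode
# semantics. RevokeMode and RevokeCheckFailed are stand-ins with the same
# names as the pki_tools objects; the OCSP/CRL checkers are injected callables
# so the decision logic can be exercised without any network access.
import time
from enum import Enum, auto
from typing import Callable, Dict, Tuple

class RevokeMode(Enum):
    OCSP_FALLBACK_CRL = auto()
    OCSP_ONLY = auto()
    CRL_ONLY = auto()

class RevokeCheckFailed(Exception):
    """Raised when every enabled check (OCSP and/or CRL) failed."""

# cache: (source, cert_id) -> (expires_at, is_revoked); cert_id is a constructed key
_cache: Dict[Tuple[str, str], Tuple[float, bool]] = {}

def _cached(source: str, cert_id: str, ttl: int, fetch: Callable[[], bool]) -> bool:
    """Return the cached verdict while it is younger than ttl seconds, else refetch."""
    now = time.monotonic()
    hit = _cache.get((source, cert_id))
    if hit and hit[0] > now:
        return hit[1]
    verdict = fetch()  # may raise: a failed fetch is never cached
    _cache[(source, cert_id)] = (now + ttl, verdict)
    return verdict

def check_revocation(cert_id: str, ocsp: Callable[[], bool], crl: Callable[[], bool],
                     revoke_mode: RevokeMode = RevokeMode.OCSP_FALLBACK_CRL,
                     crl_cache_seconds: int = 3600, ocsp_res_cache_seconds: int = 3600) -> bool:
    """True if revoked, False otherwise; RevokeCheckFailed if no enabled check succeeded."""
    errors = []
    if revoke_mode in (RevokeMode.OCSP_FALLBACK_CRL, RevokeMode.OCSP_ONLY):
        try:
            # OCSP has precedence: a successful answer is returned without touching the CRL
            return _cached("ocsp", cert_id, ocsp_res_cache_seconds, ocsp)
        except Exception as exc:
            errors.append(exc)
    if revoke_mode in (RevokeMode.OCSP_FALLBACK_CRL, RevokeMode.CRL_ONLY):
        try:
            return _cached("crl", cert_id, crl_cache_seconds, crl)
        except Exception as exc:
            errors.append(exc)
    raise RevokeCheckFailed(f"all enabled checks failed for {cert_id}: {errors}")
```

A checker that raises counts as a failed check, and a failed fetch is never cached, so a transient OCSP outage does not pin a stale verdict for the cache lifetime.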