Pull request overview
This PR adds RFC 5280 CRL conformance coverage to the certserver test suite and updates the CA/certserver implementation to better align CRL encoding, extensions, and endpoint configuration with the spec.
Changes:
- Introduces a comprehensive CRL conformance feature (Reqnroll scenarios + step implementations) validating RFC 5280 CRL structure, extensions, and HTTP delivery.
- Updates CRL generation to use the custom `CertificateRevocationList` builder and improves extension encoding/decoding (CRL number, AKI injection, inner/outer algorithm checks, invalidityDate time encoding).
- Adds `--crl` CLI support and test plumbing so issued certificates can include CRL Distribution Points when configured.
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| tests/opencertserver.certserver.tests/StepDefinitions/CrlConformance.cs | Adds step implementations for RFC 5280 CRL conformance scenarios. |
| tests/opencertserver.certserver.tests/StepDefinitions/CertificateServerFeatures.cs | Adds _crlUrls test configuration passed into the test CA setup. |
| tests/opencertserver.certserver.tests/StepDefinitions/CertificateAuthority.cs | Fixes serial number bytes used when removing CRL entries in tests. |
| tests/opencertserver.certserver.tests/Features/CrlConformance.feature | Adds RFC 5280 CRL conformance scenarios (Gherkin). |
| tests/opencertserver.certserver.tests/Features/CrlConformance.feature.cs | Generated Reqnroll glue for the new CRL conformance feature. |
| tests/opencertserver.certserver.tests/CrlConformance.md | Documents CRL conformance assessment and tracked tasks. |
| tests/opencertserver.ca.tests/CrlTests.cs | Updates expectations for CRL extension count (AKI injection). |
| src/opencertserver.certserver/Program.cs | Adds --crl CLI arg parsing and wires CRL URLs into CA configuration. |
| src/opencertserver.ca/CertificateAuthority.cs | Reworks CRL generation to use custom CRL builder and increments CRL number. |
| src/opencertserver.ca.utils/X509Extensions/X509DeltaCrlIndicatorExtension.cs | Enforces deltaCRLIndicator criticality and adjusts number parsing. |
| src/opencertserver.ca.utils/X509Extensions/X509CrlNumberExtension.cs | Switches CRL number to DER INTEGER encoding/decoding. |
| src/opencertserver.ca.utils/X509Extensions/CertificateExtension.cs | Fixes invalidityDate to use GeneralizedTime encoding. |
| src/opencertserver.ca.utils/RevokedCertificate.cs | Fixes revocationTime UTCTime vs GeneralizedTime encoding. |
| src/opencertserver.ca.utils/EncodingExtensions.cs | Improves CRL extension decode mapping (incl. issuerAltName) and refactors switch. |
| src/opencertserver.ca.utils/CertificateRevocationList.cs | Adds AlgorithmIdentifier parameter handling, AKI auto-injection, and inner/outer algorithm OID checks. |
| .gitignore | Minor comment whitespace cleanup + ignores for memory.md / lessons_learned.md. |
| .github/copilot-instructions.md | Adds repo-local Copilot working instructions (memory + lessons learned files). |
Files not reviewed (1)
- tests/opencertserver.certserver.tests/Features/CrlConformance.feature.cs: Language not supported
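The RFC 5280 time-encoding and CRL number rules that the file summary above refers to, as an added C# example that is not code from this pull request or the opencertserver repository. It assumes .NET 5 or later (System.Formats.Asn1); the class and method names are hypothetical.

```csharp
using System;
using System.Formats.Asn1;
using System.Numerics;

static class CrlEncodingRules // added example; hypothetical names, not opencertserver code
{
    static byte[] Der(Action<AsnWriter> write)
    {
        var writer = new AsnWriter(AsnEncodingRules.DER);
        write(writer);
        return writer.Encode();
    }
    // Time fields (thisUpdate, nextUpdate, revocationTime): UTCTime through 2049,
    // GeneralizedTime without fractional seconds from 2050 on.
    public static byte[] EncodeTime(DateTimeOffset value) => Der(w =>
    {
        var utc = value.ToUniversalTime();
        if (utc.Year < 2050) w.WriteUtcTime(utc, 2049); // throws for years before 1950
        else w.WriteGeneralizedTime(utc, omitFractionalSeconds: true);
    });
    // invalidityDate is always GeneralizedTime, whatever the year.
    public static byte[] EncodeInvalidityDate(DateTimeOffset value) =>
        Der(w => w.WriteGeneralizedTime(value.ToUniversalTime(), omitFractionalSeconds: true));
    // cRLNumber: non-negative DER INTEGER, at most 20 content octets.
    public static byte[] EncodeCrlNumber(BigInteger number)
    {
        if (number.Sign < 0) throw new ArgumentOutOfRangeException(nameof(number));
        var der = Der(w => w.WriteInteger(number));
        // Header is 2 bytes (tag + short-form length) whenever the content fits the limit.
        if (der.Length - 2 > 20) throw new ArgumentOutOfRangeException(nameof(number));
        return der;
    }
    // Verifier side: does an encoded Time follow the 2049/2050 split?
    public static bool IsConformantTime(ReadOnlyMemory<byte> der)
    {
        var reader = new AsnReader(der, AsnEncodingRules.DER);
        bool utc = reader.PeekTag().HasSameClassAndValue(Asn1Tag.UtcTime);
        var t = utc ? reader.ReadUtcTime() : reader.ReadGeneralizedTime(); // throws on other tags
        return !reader.HasData && (utc || (t.Year >= 2050 && t.Ticks % TimeSpan.TicksPerSecond == 0));
    }
    static void Main()
    {
        foreach (var year in new[] { 2049, 2050 }) // constructed sample dates
        {
            var der = EncodeTime(new DateTimeOffset(year, 1, 1, 0, 0, 0, TimeSpan.Zero));
            Console.WriteLine($"{year}: {Convert.ToHexString(der)} ok={IsConformantTime(der)}");
        }
    }
}
```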
… thread-safety, bounds checking Agent-Logs-Url: https://github.com/jjrdk/opencertserver/sessions/c00d655b-7673-4136-8a95-09d253f503a8 Co-authored-by: jjrdk <149390+jjrdk@users.noreply.github.com>
Verify conformance to RFC 5280 - Certificate Revocation List (CRL)