Skip to content

did:x509 resolver: CRL check and set expires/revoked on keys #4083

New issue
New issue
Open
Open
did:x509 resolver: CRL check and set expires/revoked on keys#4083
Labels
LSPxNutsProject GF
@stevenvegt

Description

@stevenvegt
stevenvegt
opened on Mar 21, 2026

Parent PRD

#4079

What to build

Extend the did:x509 resolver to perform CRL checking during DID resolution and annotate the resulting DID document's verification methods with expires and revoked metadata.

  • Inject pki.Validator into the did:x509 resolver via constructor injection (NewResolver(pkiValidator))
  • Update vdr.go to pass pkiValidator when constructing the resolver
  • In Resolve(), after chain validation succeeds:
    • Perform CRL check via pkiValidator.CheckCRL(chain)
    • If a certificate is revoked, set Revoked on the verification method with the revocation date
    • Set Expires on the verification method from the leaf certificate's notAfter date
  • Remove the CRL check and cert-time validation from X509CredentialValidator (these are now handled by the resolver)
  • Remove the ad-hoc resolver instantiation in X509CredentialValidator (didx509.NewResolver() at validator.go:276)

This makes CRL and cert-time information available for any credential with a did:x509 issuer, regardless of credential type (PatientEnrollmentCredential, HealthcareProfessionalDelegationCredential, HealthcareProviderCredential, etc.).

See PRD #4079 Part A and PSA 10.4.2 / 10.4.3 for full context.

Acceptance criteria

  • did:x509 resolver accepts pki.Validator via constructor injection
  • CRL check is performed during Resolve() after chain validation
  • Revoked field is set on the verification method when the certificate is on the CRL
  • Expires field is set on the verification method from the leaf cert's notAfter
  • CRL check and cert-time validation are removed from X509CredentialValidator
  • Ad-hoc resolver instantiation in X509CredentialValidator is removed
  • Existing X509Credential tests pass
  • New test: credential with a revoked did:x509 cert gets Revoked set on the key
  • New test: credential with a did:x509 cert gets Expires set from notAfter

Blocked by

User stories addressed

  • User story 1: PatientEnrollmentCredentials get CRL checks
  • User story 4: CRL checks at the key resolution layer for all did:x509 credentials
  • User story 5: trust anchor validation at DID resolution layer
  • User story 6: key validity information available for time-based checks
  • User story 7: existing X509Credential behavior preserved

Metadata

Metadata

Assignees

No one assigned

    Labels

    LSPxNutsProject GF

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions