mcp-security-framework 1.1.1__py3-none-any.whl → 1.2.0__py3-none-any.whl

mcp_security_framework/cli/cert_cli.py

@@ -314,12 +314,18 @@ def create_client(
     type=click.Path(exists=True),
     help="Path to CA certificate for validation",
 )
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
 @click.pass_context
-def validate(ctx, cert_path: str, ca_cert: Optional[str]):
+def validate(ctx, cert_path: str, ca_cert: Optional[str], crl: Optional[str]):
     """
     Validate a certificate.
 
-    This command validates a certificate and optionally checks it against a CA.
+    This command validates a certificate and optionally checks it against a CA
+    and CRL for revocation status.
     """
     try:
         config = ctx.obj["config"]
@@ -330,12 +336,16 @@ def validate(ctx, cert_path: str, ca_cert: Optional[str]):
             click.echo(f"Validating certificate: {cert_path}")
             if ca_cert:
                 click.echo(f"Using CA certificate: {ca_cert}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
 
         # Validate certificate
-        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert)
+        is_valid = cert_manager.validate_certificate_chain(cert_path, ca_cert, crl)
 
         if is_valid:
             click.echo(f"✅ Certificate is valid!")
+            if crl:
+                click.echo(f"✅ Certificate is not revoked according to CRL")
         else:
             click.echo(f"❌ Certificate validation failed!", err=True)
             raise click.Abort()
@@ -543,5 +553,159 @@ def revoke(ctx, serial_number: str, reason: str):
         raise click.Abort()
 
 
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for revocation check",
+)
+@click.pass_context
+def check_revocation(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Check if certificate is revoked according to CRL.
+
+    This command checks if a certificate is revoked according to the provided CRL.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Checking revocation status for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Check if certificate is revoked
+        is_revoked = cert_manager.is_certificate_revoked(cert_path, crl)
+
+        if is_revoked:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to check revocation status: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("cert_path", type=click.Path(exists=True))
+@click.option(
+    "--crl",
+    type=click.Path(exists=True),
+    help="Path to CRL file for detailed revocation check",
+)
+@click.pass_context
+def revocation_info(ctx, cert_path: str, crl: Optional[str]):
+    """
+    Get detailed revocation information for certificate.
+
+    This command provides detailed revocation information including
+    revocation date, reason, and CRL details.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting revocation information for certificate: {cert_path}")
+            if crl:
+                click.echo(f"Using CRL file: {crl}")
+
+        # Get detailed revocation information
+        revocation_info = cert_manager.validate_certificate_against_crl(cert_path, crl)
+
+        click.echo(f"Certificate Serial Number: {revocation_info['serial_number']}")
+        click.echo(f"CRL Issuer: {revocation_info['crl_issuer']}")
+        click.echo(f"CRL Last Update: {revocation_info['crl_last_update']}")
+        click.echo(f"CRL Next Update: {revocation_info['crl_next_update']}")
+
+        if revocation_info["is_revoked"]:
+            click.echo(f"❌ Certificate is REVOKED!", err=True)
+            click.echo(f"Revocation Date: {revocation_info['revocation_date']}")
+            click.echo(f"Revocation Reason: {revocation_info['revocation_reason']}")
+        else:
+            click.echo(f"✅ Certificate is NOT revoked")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get revocation information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def crl_info(ctx, crl_path: str):
+    """
+    Display CRL information.
+
+    This command displays detailed information about a CRL including
+    issuer, validity period, and revoked certificate count.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Getting CRL information: {crl_path}")
+
+        # Get CRL information
+        crl_info = cert_manager.get_crl_info(crl_path)
+
+        click.echo(f"CRL Issuer: {crl_info['issuer']}")
+        click.echo(f"Last Update: {crl_info['last_update']}")
+        click.echo(f"Next Update: {crl_info['next_update']}")
+        click.echo(f"Revoked Certificates: {crl_info['revoked_certificates_count']}")
+        click.echo(f"Status: {crl_info['status']}")
+        click.echo(f"Version: {crl_info['version']}")
+        click.echo(f"Signature Algorithm: {crl_info['signature_algorithm']}")
+
+        if crl_info["is_expired"]:
+            click.echo(f"❌ CRL is EXPIRED!", err=True)
+        elif crl_info["expires_soon"]:
+            click.echo(f"⚠️  CRL expires soon ({crl_info['days_until_expiry']} days)", err=True)
+        else:
+            click.echo(f"✅ CRL is valid")
+
+    except Exception as e:
+        click.echo(f"❌ Failed to get CRL information: {str(e)}", err=True)
+        raise click.Abort()
+
+
+@cert_cli.command()
+@click.argument("crl_path", type=click.Path(exists=True))
+@click.pass_context
+def validate_crl(ctx, crl_path: str):
+    """
+    Validate CRL file.
+
+    This command validates a CRL file for format and validity period.
+    """
+    try:
+        config = ctx.obj["config"]
+        cert_manager = ctx.obj["cert_manager"]
+        verbose = ctx.obj["verbose"]
+
+        if verbose:
+            click.echo(f"Validating CRL: {crl_path}")
+
+        # Validate CRL
+        is_valid = cert_manager.is_crl_valid(crl_path)
+
+        if is_valid:
+            click.echo(f"✅ CRL is valid!")
+        else:
+            click.echo(f"❌ CRL validation failed!", err=True)
+            raise click.Abort()
+
+    except Exception as e:
+        click.echo(f"❌ CRL validation failed: {str(e)}", err=True)
+        raise click.Abort()
+
+
 if __name__ == "__main__":
     cert_cli()

mcp_security_framework/core/auth_manager.py

@@ -628,8 +628,10 @@ class AuthManager:
             # Validate certificate chain if CA is configured
             if self.config.ca_cert_file:
                 try:
+                    # Check if CRL is configured for certificate validation
+                    crl_file = getattr(self.config, 'crl_file', None)
                     is_valid_chain = validate_certificate_chain(
-                        cert_pem, self.config.ca_cert_file
+                        cert_pem, self.config.ca_cert_file, crl_file
                     )
                     if not is_valid_chain:
                         return AuthResult(

mcp_security_framework/core/cert_manager.py

@@ -56,8 +56,12 @@ from mcp_security_framework.utils.cert_utils import (
     extract_roles_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
+    get_crl_info,
+    is_certificate_revoked,
     is_certificate_self_signed,
+    is_crl_valid,
     parse_certificate,
+    validate_certificate_against_crl,
     validate_certificate_chain,
 )
 from mcp_security_framework.utils.datetime_compat import (
@@ -1327,21 +1331,27 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             return False
 
     def validate_certificate_chain(
-        self, cert_path: str, ca_cert_path: Optional[str] = None
+        self, 
+        cert_path: str, 
+        ca_cert_path: Optional[str] = None,
+        crl_path: Optional[str] = None
     ) -> bool:
         """
-        Validate certificate chain against CA.
+        Validate certificate chain against CA and optionally check CRL.
 
         This method validates a certificate chain by checking the certificate
-        against the CA certificate and verifying the chain of trust.
+        against the CA certificate and verifying the chain of trust. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate to validate
             ca_cert_path (Optional[str]): Path to CA certificate. If None,
                 uses CA certificate from configuration.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate chain is valid, False otherwise
+            bool: True if certificate chain is valid and not revoked, False otherwise
 
         Raises:
             FileNotFoundError: When certificate files are not found
@@ -1352,6 +1362,11 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             >>> is_valid = cert_manager.validate_certificate_chain("client.crt")
             >>> if is_valid:
             ...     print("Certificate chain is valid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = cert_manager.validate_certificate_chain(
+            ...     "client.crt", crl_path="crl.pem"
+            ... )
         """
         try:
             # Use configured CA certificate if not provided
@@ -1361,8 +1376,12 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
             if not ca_cert_path:
                 raise CertificateConfigurationError("CA certificate path is required")
 
-            # Validate certificate chain
-            return validate_certificate_chain(cert_path, ca_cert_path)
+            # Use configured CRL path if not provided
+            if not crl_path and self.config.crl_enabled:
+                crl_path = self.config.crl_path
+
+            # Validate certificate chain with optional CRL check
+            return validate_certificate_chain(cert_path, ca_cert_path, crl_path)
 
         except Exception as e:
             self.logger.error(
@@ -1370,6 +1389,7 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 extra={
                     "cert_path": cert_path,
                     "ca_cert_path": ca_cert_path,
+                    "crl_path": crl_path,
                     "error": str(e),
                 },
             )
@@ -1929,6 +1949,221 @@ WvWwM6xqxW0Sf6s5AxJmTn3amZ0G+aP4Y2AEojlbQR7g5aigKbFQqGDFW07egp6
                 f"CA private key file not found: {self.config.ca_key_path}"
             )
 
+    def validate_certificate_against_crl(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> Dict[str, any]:
+        """
+        Validate certificate against CRL and return detailed revocation status.
+
+        This method checks if a certificate is revoked according to the
+        provided CRL and returns detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to validate
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict[str, any]: Dictionary containing revocation status and details:
+                - is_revoked (bool): True if certificate is revoked
+                - serial_number (str): Certificate serial number
+                - revocation_date (datetime): Date of revocation (if revoked)
+                - revocation_reason (str): Reason for revocation (if revoked)
+                - crl_issuer (str): CRL issuer information
+                - crl_last_update (datetime): CRL last update time
+                - crl_next_update (datetime): CRL next update time
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> result = cert_manager.validate_certificate_against_crl("client.crt")
+            >>> if result["is_revoked"]:
+            ...     print(f"Certificate revoked: {result['revocation_reason']}")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Validate certificate against CRL
+            return validate_certificate_against_crl(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate CRL validation failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
+    def is_certificate_revoked(
+        self, 
+        cert_path: str, 
+        crl_path: Optional[str] = None
+    ) -> bool:
+        """
+        Check if certificate is revoked according to CRL.
+
+        This method provides a simple boolean check for certificate revocation
+        without detailed revocation information.
+
+        Args:
+            cert_path (str): Path to certificate to check
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if certificate is revoked, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_certificate_revoked("client.crt"):
+            ...     print("Certificate is revoked")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if certificate is revoked
+            return is_certificate_revoked(cert_path, crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "Certificate revocation check failed",
+                extra={
+                    "cert_path": cert_path,
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"Revocation check failed: {str(e)}")
+
+    def get_crl_info(self, crl_path: Optional[str] = None) -> Dict:
+        """
+        Get detailed information from CRL.
+
+        This method extracts comprehensive information from a CRL including
+        issuer details, validity period, and revoked certificate count.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            Dict: Dictionary containing CRL information:
+                - issuer (str): CRL issuer information
+                - last_update (datetime): CRL last update time
+                - next_update (datetime): CRL next update time
+                - revoked_certificates_count (int): Number of revoked certificates
+                - days_until_expiry (int): Days until CRL expires
+                - is_expired (bool): True if CRL is expired
+                - expires_soon (bool): True if CRL expires within 7 days
+                - status (str): CRL status (valid, expires_soon, expired)
+                - version (str): CRL version
+                - signature_algorithm (str): Signature algorithm used
+                - signature (str): CRL signature in hex format
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL information extraction fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> crl_info = cert_manager.get_crl_info()
+            >>> print(f"CRL has {crl_info['revoked_certificates_count']} revoked certificates")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Get CRL information
+            return get_crl_info(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL information extraction failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL information extraction failed: {str(e)}")
+
+    def is_crl_valid(self, crl_path: Optional[str] = None) -> bool:
+        """
+        Check if CRL is valid (not expired and properly formatted).
+
+        This method validates CRL format and checks if it's within its
+        validity period.
+
+        Args:
+            crl_path (Optional[str]): Path to CRL file. If None, uses CRL
+                from configuration if CRL is enabled.
+
+        Returns:
+            bool: True if CRL is valid, False otherwise
+
+        Raises:
+            CertificateConfigurationError: When CRL configuration is invalid
+            CertificateValidationError: When CRL validation fails
+
+        Example:
+            >>> cert_manager = CertificateManager(config)
+            >>> if cert_manager.is_crl_valid():
+            ...     print("CRL is valid")
+        """
+        try:
+            # Use configured CRL path if not provided
+            if not crl_path:
+                if not self.config.crl_enabled:
+                    raise CertificateConfigurationError("CRL is not enabled in configuration")
+                crl_path = self.config.crl_path
+
+            if not crl_path:
+                raise CertificateConfigurationError("CRL path is required")
+
+            # Check if CRL is valid
+            return is_crl_valid(crl_path)
+
+        except Exception as e:
+            self.logger.error(
+                "CRL validation failed",
+                extra={
+                    "crl_path": crl_path,
+                    "error": str(e),
+                },
+            )
+            raise CertificateValidationError(f"CRL validation failed: {str(e)}")
+
 
 class CertificateConfigurationError(Exception):
     """Raised when certificate configuration is invalid."""

mcp_security_framework/core/ssl_manager.py

@@ -37,6 +37,7 @@ from ..schemas.models import CertificateInfo
 from ..utils.cert_utils import (
     extract_certificate_info,
     get_certificate_expiry,
+    is_certificate_revoked,
     is_certificate_self_signed,
     parse_certificate,
     validate_certificate_chain,
@@ -349,21 +350,24 @@ class SSLManager:
                 f"Failed to create client SSL context: {str(e)}"
             )
 
-    def validate_certificate(self, cert_path: str) -> bool:
+    def validate_certificate(self, cert_path: str, crl_path: Optional[str] = None) -> bool:
         """
-        Validate certificate file.
+        Validate certificate file with optional CRL check.
 
         This method validates a certificate file by checking its format,
-        parsing it, and verifying basic certificate properties.
+        parsing it, and verifying basic certificate properties. If CRL
+        is provided, it also checks if the certificate is revoked.
 
         Args:
             cert_path (str): Path to certificate file to validate.
                 Must be a valid PEM or DER certificate file path.
+            crl_path (Optional[str]): Path to CRL file. If None, CRL check
+                is skipped. If provided, certificate revocation is checked.
 
         Returns:
-            bool: True if certificate is valid, False otherwise.
-                Returns True when certificate can be parsed and has
-                valid basic properties.
+            bool: True if certificate is valid and not revoked, False otherwise.
+                Returns True when certificate can be parsed, has valid basic
+                properties, and is not revoked (if CRL is provided).
 
         Raises:
             FileNotFoundError: If certificate file is not found.
@@ -374,8 +378,9 @@ class SSLManager:
             >>> is_valid = ssl_manager.validate_certificate("server.crt")
             >>> if is_valid:
             ...     print("Certificate is valid")
-            >>> else:
-            ...     print("Certificate is invalid")
+            >>> 
+            >>> # With CRL check
+            >>> is_valid = ssl_manager.validate_certificate("server.crt", "crl.pem")
         """
         try:
             # Check if file exists
@@ -402,8 +407,35 @@ class SSLManager:
                 )
                 return False
 
+            # Check CRL if provided
+            if crl_path:
+                try:
+                    if is_certificate_revoked(cert_path, crl_path):
+                        self.logger.warning(
+                            "Certificate is revoked",
+                            extra={
+                                "cert_path": cert_path,
+                                "crl_path": crl_path,
+                            },
+                        )
+                        return False
+                except Exception as e:
+                    self.logger.error(
+                        "CRL validation failed",
+                        extra={
+                            "cert_path": cert_path,
+                            "crl_path": crl_path,
+                            "error": str(e),
+                        },
+                    )
+                    return False
+
             self.logger.info(
-                "Certificate validation successful", extra={"cert_path": cert_path}
+                "Certificate validation successful", 
+                extra={
+                    "cert_path": cert_path,
+                    "crl_checked": crl_path is not None,
+                }
             )
 
             return True

mcp_security_framework/middleware/mtls_middleware.py

@@ -223,9 +223,17 @@ class MTLSMiddleware(SecurityMiddleware):
             Dict[str, Any]: Validation result with status and details
         """
         try:
-            # Use security manager's certificate validation
+            # Get CA certificate file
+            ca_cert_file = self.config.ssl.ca_cert_file if self.config.ssl else None
+            
+            # Get CRL file if configured
+            crl_file = None
+            if self.config.ssl and hasattr(self.config.ssl, 'crl_file'):
+                crl_file = self.config.ssl.crl_file
+            
+            # Use security manager's certificate validation with optional CRL check
             is_valid = self.security_manager.cert_manager.validate_certificate_chain(
-                cert_pem, self.config.ssl.ca_cert_file if self.config.ssl else None
+                cert_pem, ca_cert_file, crl_file
             )
 
             if is_valid:

mcp_security_framework/utils/cert_utils.py

@@ -20,10 +20,15 @@ Functions:
     validate_certificate_format: Validate certificate format
     extract_roles_from_certificate: Extract roles from certificate
     extract_permissions_from_certificate: Extract permissions from certificate
-    validate_certificate_chain: Validate certificate chain
+    validate_certificate_chain: Validate certificate chain with optional CRL check
     get_certificate_expiry: Get certificate expiry information
     convert_certificate_format: Convert between certificate formats
     extract_public_key: Extract public key from certificate
+    parse_crl: Parse Certificate Revocation List from PEM/DER format
+    is_certificate_revoked: Check if certificate is revoked according to CRL
+    validate_certificate_against_crl: Validate certificate against CRL with details
+    is_crl_valid: Check if CRL is valid and not expired
+    get_crl_info: Get detailed information from CRL
 
 Author: MCP Security Team
 Version: 1.0.0
@@ -33,12 +38,12 @@ License: MIT
 import base64
 from datetime import datetime, timezone
 from pathlib import Path
-from typing import Dict, List, Union
+from typing import Dict, List, Union, Optional
 
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from cryptography.x509.oid import ExtensionOID, NameOID
+from cryptography.x509.oid import ExtensionOID, NameOID, CRLEntryExtensionOID
 
 from mcp_security_framework.utils.datetime_compat import (
     get_not_valid_after_utc,
@@ -273,16 +278,18 @@ def extract_permissions_from_certificate(
 def validate_certificate_chain(
     cert_data: Union[str, bytes, Path],
     ca_cert_data: Union[str, bytes, Path, List[Union[str, bytes, Path]]],
+    crl_data: Optional[Union[str, bytes, Path]] = None,
 ) -> bool:
     """
-    Validate certificate chain against CA certificate(s).
+    Validate certificate chain against CA certificate(s) and optionally check CRL.
 
     Args:
         cert_data: Certificate data to validate
         ca_cert_data: CA certificate data or list of CA certificates
+        crl_data: Optional CRL data to check for certificate revocation
 
     Returns:
-        True if chain is valid, False otherwise
+        True if chain is valid and not revoked, False otherwise
 
     Raises:
         CertificateError: If validation fails
@@ -296,13 +303,28 @@ def validate_certificate_chain(
         else:
             ca_certs = [parse_certificate(ca_cert_data)]
 
-        # For now, just check that the certificate was issued by one of the CA certificates
+        # Check that the certificate was issued by one of the CA certificates
         # This is a simplified validation - in a real scenario, you would use OpenSSL or similar
+        chain_valid = False
         for ca_cert in ca_certs:
             if cert.issuer == ca_cert.subject:
-                return True
+                chain_valid = True
+                break
+
+        if not chain_valid:
+            return False
+
+        # If CRL is provided, check if certificate is revoked
+        if crl_data:
+            try:
+                if is_certificate_revoked(cert_data, crl_data):
+                    return False
+            except Exception as e:
+                # If CRL check fails, we can choose to fail validation or continue
+                # For security, we'll fail validation if CRL check fails
+                raise CertificateError(f"CRL validation failed: {str(e)}")
 
-        return False
+        return True
     except Exception as e:
         return False
 
@@ -529,3 +551,228 @@ def is_certificate_self_signed(cert_data: Union[str, bytes, Path]) -> bool:
         return cert.subject == cert.issuer
     except Exception as e:
         raise CertificateError(f"Self-signed check failed: {str(e)}")
+
+
+def parse_crl(crl_data: Union[str, bytes, Path]) -> x509.CertificateRevocationList:
+    """
+    Parse Certificate Revocation List (CRL) from PEM or DER format.
+
+    Args:
+        crl_data: CRL data as string, bytes, or file path
+
+    Returns:
+        Parsed X.509 CRL object
+
+    Raises:
+        CertificateError: If CRL parsing fails
+    """
+    try:
+        # Handle string input first (check if it's PEM data)
+        if isinstance(crl_data, str):
+            # Check if it looks like PEM data
+            if "-----BEGIN X509 CRL-----" in crl_data:
+                lines = crl_data.strip().split("\n")
+                crl_data = "".join(
+                    line for line in lines if not line.startswith("-----")
+                )
+                crl_data = base64.b64decode(crl_data)
+            else:
+                # Try to treat as file path
+                try:
+                    if Path(crl_data).exists():
+                        with open(crl_data, "rb") as f:
+                            crl_data = f.read()
+                    else:
+                        # Try to decode as base64
+                        crl_data = base64.b64decode(crl_data)
+                except (OSError, ValueError):
+                    # If file doesn't exist and not base64, try to decode anyway
+                    crl_data = base64.b64decode(crl_data)
+
+        # Handle Path object
+        elif isinstance(crl_data, Path):
+            if crl_data.exists():
+                with open(crl_data, "rb") as f:
+                    crl_data = f.read()
+            else:
+                raise CertificateError(f"CRL file not found: {crl_data}")
+
+        # Try to parse as PEM first, then as DER
+        try:
+            return x509.load_pem_x509_crl(crl_data)
+        except Exception:
+            return x509.load_der_x509_crl(crl_data)
+    except Exception as e:
+        raise CertificateError(f"CRL parsing failed: {str(e)}")
+
+
+def is_certificate_revoked(
+    cert_data: Union[str, bytes, Path], 
+    crl_data: Union[str, bytes, Path]
+) -> bool:
+    """
+    Check if certificate is revoked according to CRL.
+
+    Args:
+        cert_data: Certificate data to check
+        crl_data: CRL data to check against
+
+    Returns:
+        True if certificate is revoked, False otherwise
+
+    Raises:
+        CertificateError: If revocation check fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        crl = parse_crl(crl_data)
+        
+        # Get certificate serial number
+        cert_serial = cert.serial_number
+        
+        # Check if certificate serial number is in CRL
+        for revoked_cert in crl:
+            if revoked_cert.serial_number == cert_serial:
+                return True
+                
+        return False
+    except Exception as e:
+        raise CertificateError(f"Certificate revocation check failed: {str(e)}")
+
+
+def validate_certificate_against_crl(
+    cert_data: Union[str, bytes, Path], 
+    crl_data: Union[str, bytes, Path]
+) -> Dict[str, any]:
+    """
+    Validate certificate against CRL and return detailed revocation status.
+
+    Args:
+        cert_data: Certificate data to validate
+        crl_data: CRL data to validate against
+
+    Returns:
+        Dictionary containing revocation status and details
+
+    Raises:
+        CertificateError: If validation fails
+    """
+    try:
+        cert = parse_certificate(cert_data)
+        crl = parse_crl(crl_data)
+        
+        # Get certificate serial number
+        cert_serial = cert.serial_number
+        
+        # Check if certificate serial number is in CRL
+        for revoked_cert in crl:
+            if revoked_cert.serial_number == cert_serial:
+                # Extract revocation reason if available
+                revocation_reason = "unspecified"
+                try:
+                    reason_ext = revoked_cert.extensions.get_extension_for_oid(
+                        CRLEntryExtensionOID.CRL_REASON
+                    )
+                    if reason_ext:
+                        revocation_reason = reason_ext.value.reason.name
+                except x509.extensions.ExtensionNotFound:
+                    pass
+                
+                return {
+                    "is_revoked": True,
+                    "serial_number": str(cert_serial),
+                    "revocation_date": revoked_cert.revocation_date_utc,
+                    "revocation_reason": revocation_reason,
+                    "crl_issuer": str(crl.issuer),
+                    "crl_last_update": crl.last_update_utc,
+                    "crl_next_update": crl.next_update_utc
+                }
+        
+        return {
+            "is_revoked": False,
+            "serial_number": str(cert_serial),
+            "crl_issuer": str(crl.issuer),
+            "crl_last_update": crl.last_update_utc,
+            "crl_next_update": crl.next_update_utc
+        }
+    except Exception as e:
+        raise CertificateError(f"Certificate CRL validation failed: {str(e)}")
+
+
+def is_crl_valid(crl_data: Union[str, bytes, Path]) -> bool:
+    """
+    Check if CRL is valid (not expired and properly formatted).
+
+    Args:
+        crl_data: CRL data to validate
+
+    Returns:
+        True if CRL is valid, False otherwise
+
+    Raises:
+        CertificateError: If CRL validation fails
+    """
+    try:
+        crl = parse_crl(crl_data)
+        now = datetime.now(timezone.utc)
+        
+        # Check if CRL is expired
+        if crl.next_update_utc and crl.next_update_utc < now:
+            return False
+            
+        # Check if CRL is not yet valid
+        if crl.last_update_utc and crl.last_update_utc > now:
+            return False
+            
+        return True
+    except Exception as e:
+        raise CertificateError(f"CRL validation failed: {str(e)}")
+
+
+def get_crl_info(crl_data: Union[str, bytes, Path]) -> Dict:
+    """
+    Get detailed information from CRL.
+
+    Args:
+        crl_data: CRL data to analyze
+
+    Returns:
+        Dictionary containing CRL information
+
+    Raises:
+        CertificateError: If CRL information extraction fails
+    """
+    try:
+        crl = parse_crl(crl_data)
+        now = datetime.now(timezone.utc)
+        
+        # Calculate time until CRL expiry
+        time_until_expiry = crl.next_update_utc - now if crl.next_update_utc else None
+        days_until_expiry = time_until_expiry.days if time_until_expiry else None
+        
+        # Determine CRL status
+        if crl.next_update_utc and crl.next_update_utc < now:
+            status = "expired"
+        elif days_until_expiry and days_until_expiry <= 7:
+            status = "expires_soon"
+        else:
+            status = "valid"
+        
+        # Count revoked certificates
+        revoked_count = len(list(crl))
+        
+        return {
+            "issuer": str(crl.issuer),
+            "last_update": crl.last_update_utc,
+            "next_update": crl.next_update_utc,
+            "revoked_certificates_count": revoked_count,
+            "days_until_expiry": days_until_expiry,
+            "is_expired": crl.next_update_utc < now if crl.next_update_utc else False,
+            "expires_soon": days_until_expiry <= 7 if days_until_expiry else False,
+            "status": status,
+            "version": "v2",  # CRL version is typically v2
+            "signature_algorithm": crl.signature_algorithm_oid._name,
+            "signature": crl.signature.hex(),
+        }
+    except Exception as e:
+        raise CertificateError(f"CRL information extraction failed: {str(e)}")

{mcp_security_framework-1.1.1.dist-info → mcp_security_framework-1.2.0.dist-info}/METADATA

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: mcp-security-framework
-Version: 1.1.1
-Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting
+Version: 1.2.0
+Summary: Universal security framework for microservices with SSL/TLS, authentication, authorization, and rate limiting. Requires cryptography>=42.0.0 for certificate operations.
 Author-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 Maintainer-email: Vasiliy Zdanovskiy <vasilyvz@gmail.com>
 License: MIT
@@ -26,7 +26,7 @@ Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
-Requires-Dist: cryptography>=3.4.0
+Requires-Dist: cryptography>=42.0.0
 Requires-Dist: pydantic<3.0.0,>=1.8.0
 Requires-Dist: PyJWT>=2.0.0
 Requires-Dist: click>=8.0.0

{mcp_security_framework-1.1.1.dist-info → mcp_security_framework-1.2.0.dist-info}/RECORD

@@ -1,15 +1,15 @@
 mcp_security_framework/__init__.py,sha256=TM8y71Navd_6woEab2cO07MefRsL0tRBItEYfVO7DS8,3172
 mcp_security_framework/constants.py,sha256=k7NMSrgc83Cci8aoilybQxdC7jir7J-mVFE_EpqVrDk,5307
 mcp_security_framework/cli/__init__.py,sha256=plpWdiWMp2dcLvUuGwXynRg5CDjz8YKnNTBn7lcta08,369
-mcp_security_framework/cli/cert_cli.py,sha256=ME8RgTBrjNvOAMPVnXGLr3cbTpOZ2NN4Ei1SouGRPQs,18297
+mcp_security_framework/cli/cert_cli.py,sha256=LdZ3SYKM3e3dP5LsVR5Y0OENtlG0ENu64aHefHjuiN8,23818
 mcp_security_framework/cli/security_cli.py,sha256=Thine_Zzfesz7j29y2k_XZFYUK5YSrhCc6w2FilgEiE,28486
 mcp_security_framework/core/__init__.py,sha256=LiX8_M5qWiTXccJFjSLxup9emhklp-poq57SvznsKEg,1729
-mcp_security_framework/core/auth_manager.py,sha256=vCa6YBlz7P_vmif-KGWrCCUE54bHO5F3jN-bDJF2o9Y,38909
-mcp_security_framework/core/cert_manager.py,sha256=s625nyMsmrglT7QaqRZtX4oAJVKla5zu0sptHmXJnh4,78750
+mcp_security_framework/core/auth_manager.py,sha256=6k-Bv7-P7K6TV1KDIzoJGTKYbJmrEUX8uCoZXrNT8Q4,39065
+mcp_security_framework/core/cert_manager.py,sha256=FHwcUAKkTuCRcDANiEBSC3ggHYplDpKR_26qoZKWAdw,88001
 mcp_security_framework/core/permission_manager.py,sha256=SADS_oXpwp9MhXHKJMCsvjEq8KWcz7vPYL05Yr-zfio,26478
 mcp_security_framework/core/rate_limiter.py,sha256=6qjVBxK2YHouSxQuCcbr0PBpRqA5toQss_Ce178RElY,20682
 mcp_security_framework/core/security_manager.py,sha256=mAF-5znqxin-MSSgXISB7t1kTkqHltEqGzzmlLAhRGs,37766
-mcp_security_framework/core/ssl_manager.py,sha256=nCDrukaELONQs_uAfb30g69HDxRp2u4k0Bpq8eJH6Zo,27718
+mcp_security_framework/core/ssl_manager.py,sha256=SXuN5PMTAnMNz04CEKzHbxRKjzF-VqvS-QCFhV-wFeo,29133
 mcp_security_framework/examples/__init__.py,sha256=nfYPVvIQ5wHuDkQvyCYDd1VjCsZMw9HnvjeUORqKyuQ,1915
 mcp_security_framework/examples/comprehensive_example.py,sha256=6CXkqLFjWIQ2rRMYPnDrBdBuWFKbeu2gd2GI_SFVjds,35421
 mcp_security_framework/examples/django_example.py,sha256=IHk-aHsah-cEHjvsngUx91lup1aRC8W9XHzK6jfOMdA,24628
@@ -25,7 +25,7 @@ mcp_security_framework/middleware/fastapi_auth_middleware.py,sha256=LWVEn90I1XpV
 mcp_security_framework/middleware/fastapi_middleware.py,sha256=Ye0qJsEMwgeUqVJpqXgbjJJbbf-ZU-6SysMQPmQba-s,26658
 mcp_security_framework/middleware/flask_auth_middleware.py,sha256=ubBlKO0ponOV_KuxkUK4xGcSoslXTaikrdsIZQtGeV0,20228
 mcp_security_framework/middleware/flask_middleware.py,sha256=Ag0zYDKwlvU78LBQ-7Za14IYOAlEVZaXJPD0Qc4MUvA,20666
-mcp_security_framework/middleware/mtls_middleware.py,sha256=iCOX3PVro49GMlTSUtYQFaWLrqtqoWPgI5DEa6Cnst4,13881
+mcp_security_framework/middleware/mtls_middleware.py,sha256=WSyWIk1fCN96hkofODKj_kzLG0d7A0NmDnTr3HHZ5xw,14213
 mcp_security_framework/middleware/rate_limit_middleware.py,sha256=deCwwigI0Pt7pBUnk2jDurI9ZyjujWTsexEWWndXm3g,13177
 mcp_security_framework/middleware/security_middleware.py,sha256=PQ251Fr2UrYVPgGfhXq6QJyqK2tRk0WCIg9_FBvfVkg,16844
 mcp_security_framework/schemas/__init__.py,sha256=lefkbRlbj2ICfasSj51MQ04o3z1YycnbnknSJCFfXbU,2590
@@ -34,7 +34,7 @@ mcp_security_framework/schemas/models.py,sha256=n-Ug8O1cpMeA0mIdOd9h1i3kkBZOJsCQ
 mcp_security_framework/schemas/responses.py,sha256=nVXaqF5GTSprXTa_wiUEu38nvSw9WAXtKViAJNbO-Xg,23206
 mcp_security_framework/tests/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 mcp_security_framework/utils/__init__.py,sha256=wwwdmQYHTSz0Puvs9FD6aIKmWp3NFARe3JPWNH-b_wk,3098
-mcp_security_framework/utils/cert_utils.py,sha256=DNzCqFKbFgYvQxxUUJPgeWe1XCnM4DpUBDqQYRYtlOQ,17266
+mcp_security_framework/utils/cert_utils.py,sha256=roxpUa2CqFHMLvkm8618Epac-U6_xUlNuV8bhEZoU9E,25865
 mcp_security_framework/utils/crypto_utils.py,sha256=OH2V7_C3FjStxFTIXMUPfNXZuWG2-QjgoBrIH4Lv4p0,12392
 mcp_security_framework/utils/datetime_compat.py,sha256=ool-xs-EevhuYygdzhiAenLAacLuZwGwjPkF43i-9gg,3859
 mcp_security_framework/utils/validation_utils.py,sha256=e9BX3kw9gdXSmFsc7lmG-qnzSlK0-Ynn7Xs4uKHquF4,16279
@@ -73,12 +73,12 @@ tests/test_schemas/test_models.py,sha256=bBeZOPqveuVJuEi_BTVWdVsdj08JXJTEFwvBM4e
 tests/test_schemas/test_responses.py,sha256=ZSbO7A3ThPBovTXO8PFF-2ONWAjJx2dMOoV2lQIfd8s,40774
 tests/test_schemas/test_serialization.py,sha256=jCugAyrdD6Mw1U7Kxni9oTukarZmMMl6KUcl6cq_NTk,18599
 tests/test_utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-tests/test_utils/test_cert_utils.py,sha256=2k1kUCJy0T2HPBwOcU5USGfEBQZ_rGzumAGkDdywLak,21232
+tests/test_utils/test_cert_utils.py,sha256=yZGHPuJcjgSHFeT7gnMdsw6UYXmlGUiuHkErukOm8II,28238
 tests/test_utils/test_crypto_utils.py,sha256=yEb4hzG6-irj2DPoXY0DUboJfbeR87ussgTuBpxLGz4,20737
 tests/test_utils/test_datetime_compat.py,sha256=n8S4X5HN-_ejSNpgymDXRyZkmxhnyxwwjxFPdX23I40,5656
 tests/test_utils/test_validation_utils.py,sha256=lus_wHJ2WyVnBGQ28S7dSv78uWcCIuLhn5uflJw-uGw,18569
-mcp_security_framework-1.1.1.dist-info/METADATA,sha256=3Kh50icpzF53SGGXCU8XWt1Ov2xJAiTMoyLLkGqyuvk,11711
-mcp_security_framework-1.1.1.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-mcp_security_framework-1.1.1.dist-info/entry_points.txt,sha256=qBh92fVDmd1m2f3xeW0hTu3Ksg8QfGJyV8UEkdA2itg,142
-mcp_security_framework-1.1.1.dist-info/top_level.txt,sha256=ifUiGrTDcD574MXSOoAN2rp2wpUvWlb4jD9LTUgDWCA,29
-mcp_security_framework-1.1.1.dist-info/RECORD,,
+mcp_security_framework-1.2.0.dist-info/METADATA,sha256=_mkuF75Qp_BjlrBlamvGIcP-7ejSCdJWHwVsvjZw6eQ,11771
+mcp_security_framework-1.2.0.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+mcp_security_framework-1.2.0.dist-info/entry_points.txt,sha256=qBh92fVDmd1m2f3xeW0hTu3Ksg8QfGJyV8UEkdA2itg,142
+mcp_security_framework-1.2.0.dist-info/top_level.txt,sha256=ifUiGrTDcD574MXSOoAN2rp2wpUvWlb4jD9LTUgDWCA,29
+mcp_security_framework-1.2.0.dist-info/RECORD,,

tests/test_utils/test_cert_utils.py

@@ -32,8 +32,13 @@ from mcp_security_framework.utils.cert_utils import (
     extract_roles_from_certificate,
     get_certificate_expiry,
     get_certificate_serial_number,
+    get_crl_info,
+    is_certificate_revoked,
     is_certificate_self_signed,
+    is_crl_valid,
     parse_certificate,
+    parse_crl,
+    validate_certificate_against_crl,
     validate_certificate_chain,
     validate_certificate_format,
     validate_certificate_purpose,
@@ -508,3 +513,166 @@ class TestCertificateFormatConversion:
             extract_public_key("invalid_cert_data")
 
         assert "Public key extraction failed" in str(exc_info.value)
+
+
+class TestCRLFunctionality:
+    """Test suite for CRL (Certificate Revocation List) functionality."""
+
+    @staticmethod
+    def create_test_crl():
+        """Create a test CRL for testing."""
+        # Generate private key for CRL issuer
+        private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
+        
+        # Create issuer name
+        issuer = x509.Name([
+            x509.NameAttribute(NameOID.COMMON_NAME, "Test CA"),
+            x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Test Organization"),
+            x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
+        ])
+        
+        # Create CRL
+        now = datetime.now(timezone.utc)
+        crl = x509.CertificateRevocationListBuilder().issuer_name(
+            issuer
+        ).last_update(
+            now
+        ).next_update(
+            now + timedelta(days=30)
+        ).add_extension(
+            x509.CRLNumber(1),
+            critical=False,
+        ).sign(private_key, hashes.SHA256())
+        
+        return crl, private_key
+
+    def test_parse_crl_success(self):
+        """Test successful CRL parsing."""
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        parsed_crl = parse_crl(crl_pem)
+        
+        assert parsed_crl is not None
+        assert isinstance(parsed_crl, x509.CertificateRevocationList)
+        assert "Test CA" in str(parsed_crl.issuer)
+
+    def test_parse_crl_invalid_data(self):
+        """Test CRL parsing with invalid data."""
+        with pytest.raises(CertificateError) as exc_info:
+            parse_crl("invalid_crl_data")
+        
+        assert "CRL parsing failed" in str(exc_info.value)
+
+    def test_is_certificate_revoked_not_revoked(self):
+        """Test certificate revocation check when certificate is not revoked."""
+        # Create test certificate and CRL
+        cert, _ = TestCertificateCreation.create_test_certificate()
+        cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        # Certificate should not be revoked since it's not in the CRL
+        is_revoked = is_certificate_revoked(cert_pem, crl_pem)
+        assert is_revoked is False
+
+    def test_is_certificate_revoked_invalid_cert(self):
+        """Test certificate revocation check with invalid certificate."""
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        with pytest.raises(CertificateError) as exc_info:
+            is_certificate_revoked("invalid_cert", crl_pem)
+        
+        assert "Certificate revocation check failed" in str(exc_info.value)
+
+    def test_validate_certificate_against_crl_not_revoked(self):
+        """Test certificate validation against CRL when not revoked."""
+        # Create test certificate and CRL
+        cert, _ = TestCertificateCreation.create_test_certificate()
+        cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        result = validate_certificate_against_crl(cert_pem, crl_pem)
+        
+        assert result["is_revoked"] is False
+        assert "serial_number" in result
+        assert "crl_issuer" in result
+        assert "crl_last_update" in result
+        assert "crl_next_update" in result
+
+    def test_validate_certificate_against_crl_invalid_data(self):
+        """Test certificate validation against CRL with invalid data."""
+        with pytest.raises(CertificateError) as exc_info:
+            validate_certificate_against_crl("invalid_cert", "invalid_crl")
+        
+        assert "Certificate CRL validation failed" in str(exc_info.value)
+
+    def test_is_crl_valid_success(self):
+        """Test CRL validation success."""
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        is_valid = is_crl_valid(crl_pem)
+        assert is_valid is True
+
+    def test_is_crl_valid_invalid_data(self):
+        """Test CRL validation with invalid data."""
+        with pytest.raises(CertificateError) as exc_info:
+            is_crl_valid("invalid_crl_data")
+        
+        assert "CRL validation failed" in str(exc_info.value)
+
+    def test_get_crl_info_success(self):
+        """Test CRL information extraction success."""
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        info = get_crl_info(crl_pem)
+        
+        assert "issuer" in info
+        assert "last_update" in info
+        assert "next_update" in info
+        assert "revoked_certificates_count" in info
+        assert "status" in info
+        assert "version" in info
+        assert "signature_algorithm" in info
+        assert "signature" in info
+        assert info["revoked_certificates_count"] == 0
+        assert info["status"] == "valid"
+
+    def test_get_crl_info_invalid_data(self):
+        """Test CRL information extraction with invalid data."""
+        with pytest.raises(CertificateError) as exc_info:
+            get_crl_info("invalid_crl_data")
+        
+        assert "CRL information extraction failed" in str(exc_info.value)
+
+    def test_validate_certificate_chain_with_crl(self):
+        """Test certificate chain validation with CRL."""
+        # Create test certificate and CA certificate
+        cert, _ = TestCertificateCreation.create_test_certificate()
+        cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        ca_cert, _ = TestCertificateCreation.create_test_certificate()
+        ca_cert_pem = ca_cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        # Create test CRL
+        crl, _ = self.create_test_crl()
+        crl_pem = crl.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        # Test validation with CRL (should pass since certificate is not revoked)
+        is_valid = validate_certificate_chain(cert_pem, ca_cert_pem, crl_pem)
+        assert is_valid is True
+
+    def test_validate_certificate_chain_without_crl(self):
+        """Test certificate chain validation without CRL."""
+        # Create test certificate and CA certificate
+        cert, _ = TestCertificateCreation.create_test_certificate()
+        cert_pem = cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        ca_cert, _ = TestCertificateCreation.create_test_certificate()
+        ca_cert_pem = ca_cert.public_bytes(serialization.Encoding.PEM).decode('utf-8')
+        
+        # Test validation without CRL
+        is_valid = validate_certificate_chain(cert_pem, ca_cert_pem)
+        assert is_valid is True