@edgarsj edgarsj commented Dec 29, 2025

Add proxyUrl option to revocationOptions for routing OCSP, CRL, and CA issuer certificate requests through a CORS proxy in browser environments.

  • Add proxyUrl to RevocationCheckOptions
  • Update fetch functions to rewrite URLs through proxy when set
  • Add unit tests for proxy URL functionality


greptile-apps bot commented Dec 29, 2025

Greptile Summary

This PR adds CORS proxy support for OCSP, CRL, and CA issuer certificate requests in browser environments. The implementation allows users to provide a proxyUrl option that will automatically route all revocation-related HTTP requests through the specified proxy by URL-encoding the original URL and appending it to the proxy URL.

Key Changes:

  • Added optional proxyUrl field to RevocationCheckOptions interface in types.ts
  • Implemented URL rewriting logic in fetchBinary function using encodeURIComponent for proper URL encoding
  • Threaded proxyUrl parameter through the entire revocation checking call chain (checkCertificateRevocation → checkOCSP/checkCRL → fetch functions)
  • Added comprehensive unit tests verifying proxy URL functionality, URL encoding, and backward compatibility

Implementation Quality:

  • Clean, consistent API design with optional parameter (backward compatible)
  • Proper URL encoding prevents injection issues
  • Excellent test coverage with both proxy and non-proxy scenarios
  • Clear JSDoc documentation explaining the proxy URL format and usage

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is well-designed, properly tested, and follows best practices. The changes are isolated to the revocation checking subsystem, maintain full backward compatibility, and include comprehensive unit tests. The URL encoding is correctly implemented to prevent security issues.
  • No files require special attention

Important Files Changed

Filename Overview
src/core/revocation/types.ts Added proxyUrl field to RevocationCheckOptions with clear documentation. Type definitions are correct.
src/core/revocation/fetch.ts Implemented URL rewriting in fetchBinary using encodeURIComponent. All fetch functions properly pass proxyUrl parameter.
tests/unit/core/revocation/fetch.test.ts Comprehensive test coverage for proxy functionality including URL encoding verification and direct/proxy mode comparison.
src/core/revocation/check.ts Correctly passes proxyUrl from top-level options to both OCSP and CRL check functions.
src/core/revocation/ocsp.ts Added proxyUrl parameter to all OCSP-related functions including issuer certificate fetching. Properly threaded through all call sites.
src/core/revocation/crl.ts Added proxyUrl parameter to CRL check function and correctly passed to fetchCRL call.

Sequence Diagram

sequenceDiagram
    participant User
    participant checkCertificateRevocation
    participant checkOCSP
    participant checkCRL
    participant fetchOCSP
    participant fetchCRL
    participant fetchIssuerCertificate
    participant fetchBinary
    participant Proxy
    participant Server

    User->>checkCertificateRevocation: checkCertificateRevocation(cert, {proxyUrl})
    checkCertificateRevocation->>checkOCSP: checkOCSP(cert, null, {proxyUrl})
    
    alt Issuer needed from AIA
        checkOCSP->>fetchIssuerCertificate: fetchIssuerCertificate(url, timeout, proxyUrl)
        fetchIssuerCertificate->>fetchBinary: fetchBinary(url, {proxyUrl})
        fetchBinary->>fetchBinary: Rewrite URL: proxyUrl + encodeURIComponent(url)
        alt proxyUrl provided
            fetchBinary->>Proxy: fetch(proxiedUrl)
            Proxy->>Server: fetch(original url)
            Server-->>Proxy: Response
            Proxy-->>fetchBinary: Response
        else no proxyUrl
            fetchBinary->>Server: fetch(url)
            Server-->>fetchBinary: Response
        end
        fetchBinary-->>fetchIssuerCertificate: FetchResult
        fetchIssuerCertificate-->>checkOCSP: Issuer certificate
    end
    
    checkOCSP->>fetchOCSP: fetchOCSP(ocspUrl, request, timeout, proxyUrl)
    fetchOCSP->>fetchBinary: fetchBinary(url, {proxyUrl})
    fetchBinary->>fetchBinary: Rewrite URL if proxy provided
    alt proxyUrl provided
        fetchBinary->>Proxy: POST to proxiedUrl
        Proxy->>Server: POST to original OCSP URL
        Server-->>Proxy: OCSP Response
        Proxy-->>fetchBinary: OCSP Response
    else no proxyUrl
        fetchBinary->>Server: POST to OCSP URL
        Server-->>fetchBinary: OCSP Response
    end
    fetchBinary-->>fetchOCSP: FetchResult
    fetchOCSP-->>checkOCSP: OCSP Response
    
    alt OCSP failed or unknown
        checkOCSP-->>checkCertificateRevocation: unknown/error
        checkCertificateRevocation->>checkCRL: checkCRL(cert, {proxyUrl})
        checkCRL->>fetchCRL: fetchCRL(crlUrl, timeout, proxyUrl)
        fetchCRL->>fetchBinary: fetchBinary(url, {proxyUrl})
        fetchBinary->>fetchBinary: Rewrite URL if proxy provided
        alt proxyUrl provided
            fetchBinary->>Proxy: GET from proxiedUrl
            Proxy->>Server: GET from original CRL URL
            Server-->>Proxy: CRL data
            Proxy-->>fetchBinary: CRL data
        else no proxyUrl
            fetchBinary->>Server: GET from CRL URL
            Server-->>fetchBinary: CRL data
        end
        fetchBinary-->>fetchCRL: FetchResult
        fetchCRL-->>checkCRL: CRL data
        checkCRL-->>checkCertificateRevocation: RevocationResult
    else OCSP succeeded
        checkOCSP-->>checkCertificateRevocation: RevocationResult
    end
    
    checkCertificateRevocation-->>User: RevocationResult
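The rewrite described above (proxyUrl + encodeURIComponent(originalUrl)) is only the client half of the design; the relay that receives it will fetch whatever URL it is handed, so it is an SSRF primitive by construction and must constrain targets on its own side. The following is an added example, not code from this PR or the project, showing both halves: the client rewrite, the proxy-side decode, and an allowlist check. All names (RevocationFetchOptions, buildProxiedUrl, decodeProxiedTarget, isAllowedTarget, resolveRelayTarget), the proxy prefix and the OCSP/CRL hostnames are assumptions made for the example.

```typescript
// Added example (not the project's code). Names, hosts and the proxy prefix
// below are hypothetical; only the rewrite shape (prefix + encodeURIComponent)
// mirrors the PR description.

interface RevocationFetchOptions {
  /** Hypothetical mirror of the PR's option: a prefix to which the
   *  URL-encoded target is appended, e.g. "https://proxy.example/fetch?url=". */
  proxyUrl?: string;
}

/** Client side: route the target through the proxy when one is configured. */
function buildProxiedUrl(target: string, opts: RevocationFetchOptions = {}): string {
  if (!opts.proxyUrl) return target;
  // encodeURIComponent escapes ":", "/", "?", "&", "=", "+" and "#", so the whole
  // target survives as a single query-string value and cannot add extra
  // parameters or a fragment to the proxy request.
  return opts.proxyUrl + encodeURIComponent(target);
}

/** Proxy side: recover the original target from the incoming request URL. */
function decodeProxiedTarget(proxiedUrl: string, proxyUrl: string): string | null {
  if (!proxiedUrl.startsWith(proxyUrl)) return null;
  try {
    return decodeURIComponent(proxiedUrl.slice(proxyUrl.length));
  } catch {
    return null; // malformed percent-encoding
  }
}

function parseUrl(s: string): URL | null {
  try {
    return new URL(s);
  } catch {
    return null;
  }
}

/**
 * Proxy side: the relay fetches whatever the browser names, so it must refuse
 * anything that is not a known CA endpoint. Here: http(s) only, no embedded
 * credentials, hostname on an allowlist. The allowlist is the operator's
 * responsibility; the client-side option cannot enforce this.
 */
function isAllowedTarget(target: string, allowedHosts: ReadonlySet<string>): boolean {
  const u = parseUrl(target);
  if (u === null) return false;
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username !== "" || u.password !== "") return false;
  return allowedHosts.has(u.hostname.toLowerCase());
}

/** Proxy side, end to end: returns the URL to fetch upstream, or null to refuse. */
function resolveRelayTarget(
  proxiedUrl: string,
  proxyUrl: string,
  allowedHosts: ReadonlySet<string>,
): string | null {
  const target = decodeProxiedTarget(proxiedUrl, proxyUrl);
  if (target === null) return null;
  return isAllowedTarget(target, allowedHosts) ? target : null;
}

// Constructed sample input: a GET-style OCSP URL whose path carries base64
// ("/", "+", "=") and a query string, the characters the encoding must protect.
const SAMPLE_PROXY = "https://proxy.example/fetch?url=";
const SAMPLE_OCSP_URL = "http://ocsp.example-ca.test/ocsp?cert=abc/def+ghi=";
const SAMPLE_ALLOWED: ReadonlySet<string> = new Set(["ocsp.example-ca.test", "crl.example-ca.test"]);

function demo(): { proxied: string; relayTarget: string | null; metadataRefused: boolean } {
  const proxied = buildProxiedUrl(SAMPLE_OCSP_URL, { proxyUrl: SAMPLE_PROXY });
  const relayTarget = resolveRelayTarget(proxied, SAMPLE_PROXY, SAMPLE_ALLOWED);
  // A client that points the proxy at link-local metadata must be refused.
  const hostile = buildProxiedUrl("http://169.254.169.254/latest/meta-data/", { proxyUrl: SAMPLE_PROXY });
  const metadataRefused = resolveRelayTarget(hostile, SAMPLE_PROXY, SAMPLE_ALLOWED) === null;
  return { proxied, relayTarget, metadataRefused };
}
```

Two further points for anyone deploying such a relay. First, the relay must forward the method and body unchanged: the diagram above shows OCSP as a POST with a DER request body, so a GET-only relay silently breaks OCSP while CRL fetches keep working. Second, because OCSP responses and CRLs are signed by the responder or CA, a compromised relay cannot forge a "good" status without that key; what it can do is drop, delay or replay a still-valid older response, so treat relay failures as "unknown" rather than "not revoked", which is what the OCSP-then-CRL fallback in the diagram already does.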

@edgarsj edgarsj merged commit 203f8e4 into main Dec 29, 2025
4 checks passed