1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
|
OCSP
====
.. currentmodule:: cryptography.x509.ocsp
.. testsetup::
import base64
pem_cert = b"""
-----BEGIN CERTIFICATE-----
MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
-----END CERTIFICATE-----
"""
pem_issuer = b"""
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----
"""
der_ocsp_req = (
b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
)
der_ocsp_resp_unauth = b"0\x03\n\x01\x06"
OCSP (Online Certificate Status Protocol) is a method of checking the
revocation status of certificates. It is specified in :rfc:`6960`, as well
as other obsoleted RFCs.
Loading Requests
~~~~~~~~~~~~~~~~
.. function:: load_der_ocsp_request(data)
.. versionadded:: 2.4
Deserialize an OCSP request from DER encoded data.
:param bytes data: The DER encoded OCSP request data.
:returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
.. doctest::
>>> from cryptography.x509 import ocsp
>>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
>>> print(ocsp_req.serial_number)
872625873161273451176241581705670534707360122361
Creating Requests
~~~~~~~~~~~~~~~~~
.. class:: OCSPRequestBuilder
.. versionadded:: 2.4
This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
objects.
.. method:: add_certificate(cert, issuer, algorithm)
Adds a request using a certificate, issuer certificate, and hash
algorithm. This can only be called once.
:param cert: The :class:`~cryptography.x509.Certificate` whose validity
is being checked.
:param issuer: The issuer :class:`~cryptography.x509.Certificate` of
the certificate that is being checked.
:param algorithm: A
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
instance. For OCSP only
:class:`~cryptography.hazmat.primitives.hashes.SHA1`,
:class:`~cryptography.hazmat.primitives.hashes.SHA224`,
:class:`~cryptography.hazmat.primitives.hashes.SHA256`,
:class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
:class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.
.. method:: build()
:returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
.. doctest::
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import serialization
>>> from cryptography.hazmat.primitives.hashes import SHA1
>>> from cryptography.x509 import load_pem_x509_certificate, ocsp
>>> cert = load_pem_x509_certificate(pem_cert, default_backend())
>>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
>>> builder = ocsp.OCSPRequestBuilder()
>>> # SHA1 is in this example because RFC 5019 mandates its use.
>>> builder = builder.add_certificate(cert, issuer, SHA1())
>>> req = builder.build()
>>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
Loading Responses
~~~~~~~~~~~~~~~~~
.. function:: load_der_ocsp_response(data)
.. versionadded:: 2.4
Deserialize an OCSP response from DER encoded data.
:param bytes data: The DER encoded OCSP response data.
:returns: An instance of :class:`~cryptography.x509.ocsp.OCSPResponse`.
.. doctest::
>>> from cryptography.x509 import ocsp
>>> ocsp_resp = ocsp.load_der_ocsp_response(der_ocsp_resp_unauth)
>>> print(ocsp_resp.response_status)
OCSPResponseStatus.UNAUTHORIZED
Interfaces
~~~~~~~~~~
.. class:: OCSPRequest
.. versionadded:: 2.4
An ``OCSPRequest`` is an object containing information about a certificate
whose status is being checked.
.. attribute:: issuer_key_hash
:type: bytes
The hash of the certificate issuer's key. The hash algorithm used
is defined by the ``hash_algorithm`` property.
.. attribute:: issuer_name_hash
:type: bytes
The hash of the certificate issuer's name. The hash algorithm used
is defined by the ``hash_algorithm`` property.
.. attribute:: hash_algorithm
:type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
The algorithm used to generate the ``issuer_key_hash`` and
``issuer_name_hash``.
.. attribute:: serial_number
:type: int
The serial number of the certificate to check.
.. attribute:: extensions
:type: :class:`~cryptography.x509.Extensions`
The extensions encoded in the request.
.. method:: public_bytes(encoding)
:param encoding: The encoding to use. Only
:attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
is supported.
:return bytes: The serialized OCSP request.
.. class:: OCSPResponse
.. versionadded:: 2.4
An ``OCSPResponse`` is the data provided by an OCSP responder in response
to an ``OCSPRequest``.
.. attribute:: response_status
:type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`
The status of the response.
.. attribute:: signature_algorithm_oid
:type: :class:`~cryptography.x509.ObjectIdentifier`
Returns the object identifier of the signature algorithm used
to sign the response. This will be one of the OIDs from
:class:`~cryptography.x509.oid.SignatureAlgorithmOID`.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: signature
:type: bytes
The signature bytes.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: tbs_response_bytes
:type: bytes
The DER encoded bytes payload that is hashed and then signed. This
data may be used to validate the signature on the OCSP response.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: certificates
:type: list
A list of zero or more :class:`~cryptography.x509.Certificate` objects
used to help build a chain to verify the OCSP response. This situation
occurs when the OCSP responder uses a delegate certificate.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: responder_key_hash
:type: bytes or None
The responder's key hash or ``None`` if the response has a
``responder_name``.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: responder_name
:type: :class:`~cryptography.x509.Name` or None
The responder's ``Name`` or ``None`` if the response has a
``responder_key_hash``.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: produced_at
:type: :class:`datetime.datetime`
A naïve datetime representing the time when the response was produced.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: certificate_status
:type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`
The status of the certificate being checked.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: revocation_time
:type: :class:`datetime.datetime` or None
A naïve datetime representing the time when the certificate was revoked
or ``None`` if the certificate has not been revoked.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: revocation_reason
:type: :class:`~cryptography.x509.ReasonFlags` or None
The reason the certificate was revoked or ``None`` if not specified or
not revoked.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: this_update
:type: :class:`datetime.datetime`
A naïve datetime representing the most recent time at which the status
being indicated is known by the responder to have been correct.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: next_update
:type: :class:`datetime.datetime`
A naïve datetime representing the time when newer information will
be available.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: issuer_key_hash
:type: bytes
The hash of the certificate issuer's key. The hash algorithm used
is defined by the ``hash_algorithm`` property.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: issuer_name_hash
:type: bytes
The hash of the certificate issuer's name. The hash algorithm used
is defined by the ``hash_algorithm`` property.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: hash_algorithm
:type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
The algorithm used to generate the ``issuer_key_hash`` and
``issuer_name_hash``.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: serial_number
:type: int
The serial number of the certificate that was checked.
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
.. attribute:: extensions
:type: :class:`~cryptography.x509.Extensions`
The extensions encoded in the response.
.. class:: OCSPResponseStatus
.. versionadded:: 2.4
An enumeration of response statuses.
.. attribute:: SUCCESSFUL
Represents a successful OCSP response.
.. attribute:: MALFORMED_REQUEST
May be returned by an OCSP responder that is unable to parse a
given request.
.. attribute:: INTERNAL_ERROR
May be returned by an OCSP responder that is currently experiencing
operational problems.
.. attribute:: TRY_LATER
May be returned by an OCSP responder that is overloaded.
.. attribute:: SIG_REQUIRED
May be returned by an OCSP responder that requires signed OCSP
requests.
.. attribute:: UNAUTHORIZED
May be returned by an OCSP responder when queried for a certificate for
which the responder is unaware or an issuer for which the responder is
not authoritative.
.. class:: OCSPCertStatus
.. versionadded:: 2.4
An enumeration of certificate statuses in an OCSP response.
.. attribute:: GOOD
The value for a certificate that is not revoked.
.. attribute:: REVOKED
The certificate being checked is revoked.
.. attribute:: UNKNOWN
The certificate being checked is not known to the OCSP responder.
|
