dwww Home | Show directory contents | Find package


.. currentmodule:: cryptography.x509.ocsp

.. testsetup::

    import base64
    pem_cert = b"""
    -----END CERTIFICATE-----
    pem_issuer = b"""
    -----END CERTIFICATE-----
    pem_responder_cert = b"""
    -----END CERTIFICATE-----
    pem_responder_key = b"""
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    der_ocsp_req = (
    der_ocsp_resp_unauth = b"0\x03\n\x01\x06"

OCSP (Online Certificate Status Protocol) is a method of checking the
revocation status of certificates. It is specified in :rfc:`6960`, as well
as other obsoleted RFCs.

Loading Requests

.. function:: load_der_ocsp_request(data)

    .. versionadded:: 2.4

    Deserialize an OCSP request from DER encoded data.

    :param bytes data: The DER encoded OCSP request data.

    :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.

    .. doctest::

        >>> from cryptography.x509 import ocsp
        >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
        >>> print(ocsp_req.serial_number)

Creating Requests

.. class:: OCSPRequestBuilder

    .. versionadded:: 2.4

    This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`

    .. method:: add_certificate(cert, issuer, algorithm)

        Adds a request using a certificate, issuer certificate, and hash
        algorithm. This can only be called once.

        :param cert: The :class:`~cryptography.x509.Certificate` whose validity
            is being checked.

        :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
            the certificate that is being checked.

        :param algorithm: A
            instance. For OCSP only
            :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
            :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.

    .. method:: add_extension(extval, critical)

        Adds an extension to the request.

        :param extval: An extension conforming to the
            :class:`~cryptography.x509.ExtensionType` interface.

        :param critical: Set to ``True`` if the extension must be understood and

    .. method:: build()

        :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.

    .. doctest::

        >>> from cryptography.hazmat.primitives import serialization
        >>> from cryptography.hazmat.primitives.hashes import SHA256
        >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
        >>> cert = load_pem_x509_certificate(pem_cert)
        >>> issuer = load_pem_x509_certificate(pem_issuer)
        >>> builder = ocsp.OCSPRequestBuilder()
        >>> # SHA256 is in this example because while RFC 5019 originally
        >>> # required SHA1 RFC 6960 updates that to SHA256.
        >>> # However, depending on your requirements you may need to use SHA1
        >>> # for compatibility reasons.
        >>> builder = builder.add_certificate(cert, issuer, SHA256())
        >>> req = builder.build()
        >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))

Loading Responses

.. function:: load_der_ocsp_response(data)

    .. versionadded:: 2.4

    Deserialize an OCSP response from DER encoded data.

    :param bytes data: The DER encoded OCSP response data.

    :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPResponse`.

    .. doctest::

        >>> from cryptography.x509 import ocsp
        >>> ocsp_resp = ocsp.load_der_ocsp_response(der_ocsp_resp_unauth)
        >>> print(ocsp_resp.response_status)

Creating Responses

.. class:: OCSPResponseBuilder

    .. versionadded:: 2.4

    This class is used to create :class:`~cryptography.x509.ocsp.OCSPResponse`
    objects. You cannot set ``produced_at`` on OCSP responses at this time.
    Instead the field is set to current UTC time when calling ``sign``. For
    unsuccessful statuses call the class method

    .. method:: add_response(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason)

        This method adds status information about the certificate that was
        requested to the response.

        :param cert: The :class:`~cryptography.x509.Certificate` whose validity
            is being checked.

        :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
            the certificate that is being checked.

        :param algorithm: A
            instance. For OCSP only
            :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
            :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.

        :param cert_status: An item from the
            :class:`~cryptography.x509.ocsp.OCSPCertStatus` enumeration.

        :param this_update: A naïve :class:`datetime.datetime` object
            representing the most recent time in UTC at which the status being
            indicated is known by the responder to be correct.

        :param next_update: A naïve :class:`datetime.datetime` object or
            ``None``. The time in UTC at or before which newer information will
            be available about the status of the certificate.

        :param revocation_time: A naïve :class:`datetime.datetime` object or
            ``None`` if the ``cert`` is not revoked. The time in UTC at which
            the certificate was revoked.

        :param revocation_reason: An item from the
            :class:`~cryptography.x509.ReasonFlags` enumeration or ``None`` if
            the ``cert`` is not revoked.

    .. method:: certificates(certs)

        Add additional certificates that should be used to verify the
        signature on the response. This is typically used when the responder
        utilizes an OCSP delegate.

        :param list certs: A list of :class:`~cryptography.x509.Certificate`

    .. method:: responder_id(encoding, responder_cert)

        Set the ``responderID`` on the OCSP response. This is the data a
        client will use to determine what certificate signed the response.

        :param responder_cert: The :class:`~cryptography.x509.Certificate`
            object for the certificate whose private key will sign the
            OCSP response. If the certificate and key do not match an
            error will be raised when calling ``sign``.
        :param encoding: Either
            :attr:`~cryptography.x509.ocsp.OCSPResponderEncoding.HASH` or

    .. method:: add_extension(extval, critical)

        Adds an extension to the response.

        :param extval: An extension conforming to the
            :class:`~cryptography.x509.ExtensionType` interface.

        :param critical: Set to ``True`` if the extension must be understood and

    .. method:: sign(private_key, algorithm)

        Creates the OCSP response that can then be serialized and sent to
        clients. This method will create a
        :attr:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` response.

        :param private_key: The
            :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or
            that will be used to sign the certificate.

        :param algorithm: The
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that
            will be used to generate the signature.  This must be ``None`` if
            the ``private_key`` is an
            or an
            and an instance of a

        :returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`.

    .. doctest::

        >>> import datetime
        >>> from cryptography.hazmat.primitives import hashes, serialization
        >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
        >>> cert = load_pem_x509_certificate(pem_cert)
        >>> issuer = load_pem_x509_certificate(pem_issuer)
        >>> responder_cert = load_pem_x509_certificate(pem_responder_cert)
        >>> responder_key = serialization.load_pem_private_key(pem_responder_key, None)
        >>> builder = ocsp.OCSPResponseBuilder()
        >>> # SHA256 is in this example because while RFC 5019 originally
        >>> # required SHA1 RFC 6960 updates that to SHA256.
        >>> # However, depending on your requirements you may need to use SHA1
        >>> # for compatibility reasons.
        >>> builder = builder.add_response(
        ...     cert=cert, issuer=issuer, algorithm=hashes.SHA256(),
        ...     cert_status=ocsp.OCSPCertStatus.GOOD,
        ...     this_update=datetime.datetime.now(),
        ...     next_update=datetime.datetime.now(),
        ...     revocation_time=None, revocation_reason=None
        ... ).responder_id(
        ...     ocsp.OCSPResponderEncoding.HASH, responder_cert
        ... )
        >>> response = builder.sign(responder_key, hashes.SHA256())
        >>> response.certificate_status
        <OCSPCertStatus.GOOD: 0>

    .. classmethod:: build_unsuccessful(response_status)

        Creates an unsigned OCSP response which can then be serialized and
        sent to clients. ``build_unsuccessful`` may only be called with a
        :class:`~cryptography.x509.ocsp.OCSPResponseStatus` that is not
        ``SUCCESSFUL``. Since this is a class method note that no other
        methods can or should be called as unsuccessful statuses do not
        encode additional data.

        :returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`.

    .. doctest::

        >>> from cryptography.hazmat.primitives import hashes, serialization
        >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
        >>> response = ocsp.OCSPResponseBuilder.build_unsuccessful(
        ...     ocsp.OCSPResponseStatus.UNAUTHORIZED
        ... )
        >>> response.response_status
        <OCSPResponseStatus.UNAUTHORIZED: 6>


.. class:: OCSPRequest

    .. versionadded:: 2.4

    An ``OCSPRequest`` is an object containing information about a certificate
    whose status is being checked.

    .. attribute:: issuer_key_hash

        :type: bytes

        The hash of the certificate issuer's key. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: issuer_name_hash

        :type: bytes

        The hash of the certificate issuer's name. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        The algorithm used to generate the ``issuer_key_hash`` and

    .. attribute:: serial_number

        :type: int

        The serial number of the certificate to check.

    .. attribute:: extensions

        :type: :class:`~cryptography.x509.Extensions`

        The extensions encoded in the request.

    .. method:: public_bytes(encoding)

        :param encoding: The encoding to use. Only
            is supported.

        :return bytes: The serialized OCSP request.

.. class:: OCSPResponse

    .. versionadded:: 2.4

    An ``OCSPResponse`` is the data provided by an OCSP responder in response
    to an ``OCSPRequest``.

    .. attribute:: response_status

        :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`

        The status of the response.

    .. attribute:: signature_algorithm_oid

        :type: :class:`~cryptography.x509.ObjectIdentifier`

        Returns the object identifier of the signature algorithm used
        to sign the response. This will be one of the OIDs from

        :raises ValueError: If ``response_status`` is not

    .. attribute:: signature_hash_algorithm

        .. versionadded:: 2.5

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        Returns the
        :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which
        was used in signing this response.  Can be ``None`` if signature
        did not use separate hash

    .. attribute:: signature

        :type: bytes

        The signature bytes.

        :raises ValueError: If ``response_status`` is not

    .. attribute:: tbs_response_bytes

        :type: bytes

        The DER encoded bytes payload that is hashed and then signed. This
        data may be used to validate the signature on the OCSP response.

        :raises ValueError: If ``response_status`` is not

    .. attribute:: certificates

        :type: list

        A list of zero or more :class:`~cryptography.x509.Certificate` objects
        used to help build a chain to verify the OCSP response. This situation
        occurs when the OCSP responder uses a delegate certificate.

        :raises ValueError: If ``response_status`` is not

    .. attribute:: responder_key_hash

        :type: bytes or None

        The responder's key hash or ``None`` if the response has a

        :raises ValueError: If ``response_status`` is not

    .. attribute:: responder_name

        :type: :class:`~cryptography.x509.Name` or None

        The responder's ``Name`` or ``None`` if the response has a

        :raises ValueError: If ``response_status`` is not

    .. attribute:: produced_at

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time when the response was produced.

        :raises ValueError: If ``response_status`` is not

    .. attribute:: certificate_status

        :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`

        The status of the certificate being checked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: revocation_time

        :type: :class:`datetime.datetime` or None

        A naïve datetime representing the time when the certificate was revoked
        or ``None`` if the certificate has not been revoked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: revocation_reason

        :type: :class:`~cryptography.x509.ReasonFlags` or None

        The reason the certificate was revoked or ``None`` if not specified or
        not revoked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: this_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the most recent time at which the status
        being indicated is known by the responder to have been correct.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: next_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time when newer information will
        be available.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: issuer_key_hash

        :type: bytes

        The hash of the certificate issuer's key. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: issuer_name_hash

        :type: bytes

        The hash of the certificate issuer's name. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        The algorithm used to generate the ``issuer_key_hash`` and

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: serial_number

        :type: int

        The serial number of the certificate that was checked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` or
            if multiple SINGLERESPs are present.

    .. attribute:: extensions

        :type: :class:`~cryptography.x509.Extensions`

        The extensions encoded in the response.

    .. attribute:: single_extensions

        .. versionadded:: 2.9

        :type: :class:`~cryptography.x509.Extensions`

        The single extensions encoded in the response.

    .. attribute:: responses

        .. versionadded:: 37.0.0

        :type: an iterator over :class:`~cryptography.x509.ocsp.OCSPSingleResponse`

        An iterator to access individual SINGLERESP structures.

    .. method:: public_bytes(encoding)

        :param encoding: The encoding to use. Only
            is supported.

        :return bytes: The serialized OCSP response.

.. class:: OCSPResponseStatus

    .. versionadded:: 2.4

    An enumeration of response statuses.

    .. attribute:: SUCCESSFUL

        Represents a successful OCSP response.

    .. attribute:: MALFORMED_REQUEST

        May be returned by an OCSP responder that is unable to parse a
        given request.

    .. attribute:: INTERNAL_ERROR

        May be returned by an OCSP responder that is currently experiencing
        operational problems.

    .. attribute:: TRY_LATER

        May be returned by an OCSP responder that is overloaded.

    .. attribute:: SIG_REQUIRED

        May be returned by an OCSP responder that requires signed OCSP

    .. attribute:: UNAUTHORIZED

        May be returned by an OCSP responder when queried for a certificate for
        which the responder is unaware or an issuer for which the responder is
        not authoritative.

.. class:: OCSPCertStatus

    .. versionadded:: 2.4

    An enumeration of certificate statuses in an OCSP response.

    .. attribute:: GOOD

        The value for a certificate that is not revoked.

    .. attribute:: REVOKED

        The certificate being checked is revoked.

    .. attribute:: UNKNOWN

        The certificate being checked is not known to the OCSP responder.

.. class:: OCSPResponderEncoding

    .. versionadded:: 2.4

    An enumeration of ``responderID`` encodings that can be passed to

    .. attribute:: HASH

        Encode the hash of the public key whose corresponding private key
        signed the response.

    .. attribute:: NAME

        Encode the X.509 ``Name`` of the certificate whose private key signed
        the response.

.. class:: OCSPSingleResponse

    .. versionadded:: 37.0.0

    A class representing a single certificate response bundled into a
    larger OCSPResponse.  Accessed via OCSPResponse.responses.

    .. attribute:: certificate_status

        :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`

        The status of the certificate being checked.

    .. attribute:: revocation_time

        :type: :class:`datetime.datetime` or None

        A naïve datetime representing the time when the certificate was revoked
        or ``None`` if the certificate has not been revoked.

    .. attribute:: revocation_reason

        :type: :class:`~cryptography.x509.ReasonFlags` or None

        The reason the certificate was revoked or ``None`` if not specified or
        not revoked.

    .. attribute:: this_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the most recent time at which the status
        being indicated is known by the responder to have been correct.

    .. attribute:: next_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time when newer information will
        be available.

    .. attribute:: issuer_key_hash

        :type: bytes

        The hash of the certificate issuer's key. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: issuer_name_hash

        :type: bytes

        The hash of the certificate issuer's name. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        The algorithm used to generate the ``issuer_key_hash`` and

    .. attribute:: serial_number

        :type: int

        The serial number of the certificate that was checked.

Generated by dwww version 1.15 on Fri Jun 21 17:26:44 CEST 2024.