Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / asn1crypto / d62ed9a17802c8b2136cfe119fcb56b1edc99d5c / . / asn1crypto / ocsp.py
blob: f18d8e83f7dd71eda0715fa4cd27cc04a01c02b5 [file] [log] [blame]
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]1# coding: utf-8
wbondea25fc22015-06-19 15:07:04 -0400[diff] [blame]2
3"""
4ASN.1 type classes for the online certificate status protocol (OCSP). Exports
5the following items:
6
7 - OCSPRequest()
8 - OCSPResponse()
9
10Other type classes are defined that help compose the types listed above.
11"""
12
wbond6b66ab52015-06-21 10:26:45 -0400[diff] [blame]13from __future__ import unicode_literals, division, absolute_import, print_function
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]14
15from .algos import DigestAlgorithm, SignedDigestAlgorithm
16from .core import (
17 Boolean,
18 Choice,
19 Enumerated,
20 GeneralizedTime,
21 IA5String,
22 Integer,
23 Null,
24 ObjectIdentifier,
25 OctetBitString,
26 OctetString,
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]27 ParsableOctetString,
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]28 Sequence,
29 SequenceOf,
30)
31from .crl import AuthorityInfoAccessSyntax, CRLReason
32from .keys import PublicKeyAlgorithm
33from .x509 import Certificate, GeneralName, GeneralNames, Name
34
35
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]36# The structures in this file are taken from https://tools.ietf.org/html/rfc6960
37
38
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]39class Version(Integer):
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]40 _map = {
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]41 0: 'v1'
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]42 }
43
44
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]45class CertId(Sequence):
46 _fields = [
47 ('hash_algorithm', DigestAlgorithm),
48 ('issuer_name_hash', OctetString),
49 ('issuer_key_hash', OctetString),
50 ('serial_number', Integer),
51 ]
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]52
53
54class ServiceLocator(Sequence):
55 _fields = [
56 ('issuer', Name),
57 ('locator', AuthorityInfoAccessSyntax),
58 ]
59
60
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]61class RequestExtensionId(ObjectIdentifier):
62 _map = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]63 '1.3.6.1.5.5.7.48.1.7': 'service_locator',
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]64 }
65
66
67class RequestExtension(Sequence):
68 _fields = [
69 ('extn_id', RequestExtensionId),
70 ('critical', Boolean, {'default': False}),
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]71 ('extn_value', ParsableOctetString),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]72 ]
73
74 _oid_pair = ('extn_id', 'extn_value')
75 _oid_specs = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]76 'service_locator': ServiceLocator,
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]77 }
78
79
80class RequestExtensions(SequenceOf):
81 _child_spec = RequestExtension
82
83
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]84class Request(Sequence):
85 _fields = [
86 ('req_cert', CertId),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]87 ('single_request_extensions', RequestExtensions, {'explicit': 0, 'optional': True}),
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]88 ]
89
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]90 _processed_extensions = False
91 _critical_extensions = None
92 _service_locator_value = None
93
94 def _set_extensions(self):
95 """
96 Sets common named extensions to private attributes and creates a list
97 of critical extensions
98 """
99
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]100 self._critical_extensions = set()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]101
102 for extension in self['single_request_extensions']:
103 name = extension['extn_id'].native
104 attribute_name = '_%s_value' % name
105 if hasattr(self, attribute_name):
106 setattr(self, attribute_name, extension['extn_value'].parsed)
107 if extension['critical'].native:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]108 self._critical_extensions.add(name)
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]109
110 self._processed_extensions = True
111
112 @property
113 def critical_extensions(self):
114 """
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]115 Returns a set of the names (or OID if not a known extension) of the
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]116 extensions marked as critical
117
118 :return:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]119 A set of unicode strings
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]120 """
121
122 if not self._processed_extensions:
123 self._set_extensions()
124 return self._critical_extensions
125
126 @property
127 def service_locator_value(self):
128 """
129 This extension is used when communicating with an OCSP responder that
130 acts as a proxy for OCSP requests
131
132 :return:
133 None or a ServiceLocator object
134 """
135
136 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]137 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]138 return self._service_locator_value
139
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]140
141class Requests(SequenceOf):
142 _child_spec = Request
143
144
145class ResponseType(ObjectIdentifier):
146 _map = {
147 '1.3.6.1.5.5.7.48.1.1': 'basic_ocsp_response',
148 }
149
150
151class AcceptableResponses(SequenceOf):
152 _child_spec = ResponseType
153
154
155class PreferredSignatureAlgorithm(Sequence):
156 _fields = [
157 ('sig_identifier', SignedDigestAlgorithm),
158 ('cert_identifier', PublicKeyAlgorithm, {'optional': True}),
159 ]
160
161
162class PreferredSignatureAlgorithms(SequenceOf):
163 _child_spec = PreferredSignatureAlgorithm
164
165
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]166class TBSRequestExtensionId(ObjectIdentifier):
167 _map = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]168 '1.3.6.1.5.5.7.48.1.2': 'nonce',
169 '1.3.6.1.5.5.7.48.1.4': 'acceptable_responses',
170 '1.3.6.1.5.5.7.48.1.8': 'preferred_signature_algorithms',
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]171 }
172
173
174class TBSRequestExtension(Sequence):
175 _fields = [
176 ('extn_id', TBSRequestExtensionId),
177 ('critical', Boolean, {'default': False}),
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]178 ('extn_value', ParsableOctetString),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]179 ]
180
181 _oid_pair = ('extn_id', 'extn_value')
182 _oid_specs = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]183 'nonce': OctetString,
184 'acceptable_responses': AcceptableResponses,
185 'preferred_signature_algorithms': PreferredSignatureAlgorithms,
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]186 }
187
188
189class TBSRequestExtensions(SequenceOf):
190 _child_spec = TBSRequestExtension
191
192
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]193class TBSRequest(Sequence):
194 _fields = [
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]195 ('version', Version, {'explicit': 0, 'default': 'v1'}),
196 ('requestor_name', GeneralName, {'explicit': 1, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]197 ('request_list', Requests),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]198 ('request_extensions', TBSRequestExtensions, {'explicit': 2, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]199 ]
200
201
202class Certificates(SequenceOf):
203 _child_spec = Certificate
204
205
206class Signature(Sequence):
207 _fields = [
208 ('signature_algorithm', SignedDigestAlgorithm),
209 ('signature', OctetBitString),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]210 ('certs', Certificates, {'explicit': 0, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]211 ]
212
213
214class OCSPRequest(Sequence):
215 _fields = [
216 ('tbs_request', TBSRequest),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]217 ('optional_signature', Signature, {'explicit': 0, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]218 ]
219
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]220 _processed_extensions = False
221 _critical_extensions = None
222 _nonce_value = None
223 _acceptable_responses_value = None
224 _preferred_signature_algorithms_value = None
225
226 def _set_extensions(self):
227 """
228 Sets common named extensions to private attributes and creates a list
229 of critical extensions
230 """
231
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]232 self._critical_extensions = set()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]233
234 for extension in self['tbs_request']['request_extensions']:
235 name = extension['extn_id'].native
236 attribute_name = '_%s_value' % name
237 if hasattr(self, attribute_name):
238 setattr(self, attribute_name, extension['extn_value'].parsed)
239 if extension['critical'].native:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]240 self._critical_extensions.add(name)
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]241
242 self._processed_extensions = True
243
244 @property
245 def critical_extensions(self):
246 """
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]247 Returns a set of the names (or OID if not a known extension) of the
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]248 extensions marked as critical
249
250 :return:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]251 A set of unicode strings
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]252 """
253
254 if not self._processed_extensions:
255 self._set_extensions()
256 return self._critical_extensions
257
258 @property
259 def nonce_value(self):
260 """
261 This extension is used to prevent replay attacks by including a unique,
262 random value with each request/response pair
263
264 :return:
265 None or an OctetString object
266 """
267
268 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]269 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]270 return self._nonce_value
271
272 @property
273 def acceptable_responses_value(self):
274 """
275 This extension is used to allow the client and server to communicate
276 with alternative response formats other than just basic_ocsp_response,
277 although no other formats are defined in the standard.
278
279 :return:
280 None or an AcceptableResponses object
281 """
282
283 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]284 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]285 return self._acceptable_responses_value
286
287 @property
288 def preferred_signature_algorithms_value(self):
289 """
290 This extension is used by the client to define what signature algorithms
291 are preferred, including both the hash algorithm and the public key
292 algorithm, with a level of detail down to even the public key algorithm
293 parameters, such as curve name.
294
295 :return:
296 None or a PreferredSignatureAlgorithms object
297 """
298
299 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]300 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]301 return self._preferred_signature_algorithms_value
302
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]303
304class OCSPResponseStatus(Enumerated):
305 _map = {
306 0: 'successful',
307 1: 'malformed_request',
308 2: 'internal_error',
309 3: 'try_later',
310 5: 'sign_required',
wbond77b0ccd2015-07-17 11:17:02 -0400[diff] [blame]311 6: 'unauthorized',
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]312 }
313
314
315class ResponderId(Choice):
316 _alternatives = [
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]317 ('by_name', Name, {'explicit': 1}),
318 ('by_key', OctetString, {'explicit': 2}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]319 ]
320
321
322class RevokedInfo(Sequence):
323 _fields = [
324 ('revocation_time', GeneralizedTime),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]325 ('revocation_reason', CRLReason, {'explicit': 0, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]326 ]
327
328
329class CertStatus(Choice):
330 _alternatives = [
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]331 ('good', Null, {'implicit': 0}),
332 ('revoked', RevokedInfo, {'implicit': 1}),
333 ('unknown', Null, {'implicit': 2}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]334 ]
335
336
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]337class CrlId(Sequence):
338 _fields = [
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]339 ('crl_url', IA5String, {'explicit': 0, 'optional': True}),
340 ('crl_num', Integer, {'explicit': 1, 'optional': True}),
341 ('crl_time', GeneralizedTime, {'explicit': 2, 'optional': True}),
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]342 ]
343
344
345class SingleResponseExtensionId(ObjectIdentifier):
346 _map = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]347 '1.3.6.1.5.5.7.48.1.3': 'crl',
348 '1.3.6.1.5.5.7.48.1.6': 'archive_cutoff',
349 # These are CRLEntryExtension values from
350 # https://tools.ietf.org/html/rfc5280
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]351 '2.5.29.21': 'crl_reason',
352 '2.5.29.24': 'invalidity_date',
353 '2.5.29.29': 'certificate_issuer',
wbond9e74abf2017-06-13 20:34:22 -0400[diff] [blame]354 # https://tools.ietf.org/html/rfc6962.html#page-13
355 '1.3.6.1.4.1.11129.2.4.5': 'signed_certificate_timestamp_list',
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]356 }
357
358
359class SingleResponseExtension(Sequence):
360 _fields = [
361 ('extn_id', SingleResponseExtensionId),
362 ('critical', Boolean, {'default': False}),
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]363 ('extn_value', ParsableOctetString),
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]364 ]
365
366 _oid_pair = ('extn_id', 'extn_value')
367 _oid_specs = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]368 'crl': CrlId,
369 'archive_cutoff': GeneralizedTime,
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]370 'crl_reason': CRLReason,
371 'invalidity_date': GeneralizedTime,
372 'certificate_issuer': GeneralNames,
wbond9e74abf2017-06-13 20:34:22 -0400[diff] [blame]373 'signed_certificate_timestamp_list': OctetString,
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]374 }
375
376
377class SingleResponseExtensions(SequenceOf):
378 _child_spec = SingleResponseExtension
379
380
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]381class SingleResponse(Sequence):
382 _fields = [
383 ('cert_id', CertId),
384 ('cert_status', CertStatus),
385 ('this_update', GeneralizedTime),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]386 ('next_update', GeneralizedTime, {'explicit': 0, 'optional': True}),
387 ('single_extensions', SingleResponseExtensions, {'explicit': 1, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]388 ]
389
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]390 _processed_extensions = False
391 _critical_extensions = None
392 _crl_value = None
393 _archive_cutoff_value = None
394 _crl_reason_value = None
395 _invalidity_date_value = None
396 _certificate_issuer_value = None
397
398 def _set_extensions(self):
399 """
400 Sets common named extensions to private attributes and creates a list
401 of critical extensions
402 """
403
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]404 self._critical_extensions = set()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]405
406 for extension in self['single_extensions']:
407 name = extension['extn_id'].native
408 attribute_name = '_%s_value' % name
409 if hasattr(self, attribute_name):
410 setattr(self, attribute_name, extension['extn_value'].parsed)
411 if extension['critical'].native:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]412 self._critical_extensions.add(name)
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]413
414 self._processed_extensions = True
415
416 @property
417 def critical_extensions(self):
418 """
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]419 Returns a set of the names (or OID if not a known extension) of the
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]420 extensions marked as critical
421
422 :return:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]423 A set of unicode strings
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]424 """
425
426 if not self._processed_extensions:
427 self._set_extensions()
428 return self._critical_extensions
429
430 @property
431 def crl_value(self):
432 """
433 This extension is used to locate the CRL that a certificate's revocation
434 is contained within.
435
436 :return:
437 None or a CrlId object
438 """
439
440 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]441 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]442 return self._crl_value
443
444 @property
445 def archive_cutoff_value(self):
446 """
447 This extension is used to indicate the date at which an archived
448 (historical) certificate status entry will no longer be available.
449
450 :return:
451 None or a GeneralizedTime object
452 """
453
454 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]455 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]456 return self._archive_cutoff_value
457
458 @property
459 def crl_reason_value(self):
460 """
461 This extension indicates the reason that a certificate was revoked.
462
463 :return:
464 None or a CRLReason object
465 """
466
467 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]468 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]469 return self._crl_reason_value
470
471 @property
472 def invalidity_date_value(self):
473 """
474 This extension indicates the suspected date/time the private key was
475 compromised or the certificate became invalid. This would usually be
476 before the revocation date, which is when the CA processed the
477 revocation.
478
479 :return:
480 None or a GeneralizedTime object
481 """
482
483 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]484 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]485 return self._invalidity_date_value
486
487 @property
488 def certificate_issuer_value(self):
489 """
490 This extension indicates the issuer of the certificate in question.
491
492 :return:
493 None or an x509.GeneralNames object
494 """
495
496 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]497 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]498 return self._certificate_issuer_value
499
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]500
501class Responses(SequenceOf):
502 _child_spec = SingleResponse
503
504
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]505class ResponseDataExtensionId(ObjectIdentifier):
506 _map = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]507 '1.3.6.1.5.5.7.48.1.2': 'nonce',
508 '1.3.6.1.5.5.7.48.1.9': 'extended_revoke',
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]509 }
510
511
512class ResponseDataExtension(Sequence):
513 _fields = [
514 ('extn_id', ResponseDataExtensionId),
515 ('critical', Boolean, {'default': False}),
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]516 ('extn_value', ParsableOctetString),
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]517 ]
518
519 _oid_pair = ('extn_id', 'extn_value')
520 _oid_specs = {
wbond65593fe2015-07-20 10:14:50 -0400[diff] [blame]521 'nonce': OctetString,
522 'extended_revoke': Null,
wbond90ec1302015-07-20 09:10:50 -0400[diff] [blame]523 }
524
525
526class ResponseDataExtensions(SequenceOf):
527 _child_spec = ResponseDataExtension
528
529
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]530class ResponseData(Sequence):
531 _fields = [
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]532 ('version', Version, {'explicit': 0, 'default': 'v1'}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]533 ('responder_id', ResponderId),
534 ('produced_at', GeneralizedTime),
535 ('responses', Responses),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]536 ('response_extensions', ResponseDataExtensions, {'explicit': 1, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]537 ]
538
539
540class BasicOCSPResponse(Sequence):
541 _fields = [
542 ('tbs_response_data', ResponseData),
543 ('signature_algorithm', SignedDigestAlgorithm),
544 ('signature', OctetBitString),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]545 ('certs', Certificates, {'explicit': 0, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]546 ]
547
548
549class ResponseBytes(Sequence):
550 _fields = [
551 ('response_type', ResponseType),
wbonde5a1c6e2015-08-03 07:42:28 -0400[diff] [blame]552 ('response', ParsableOctetString),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]553 ]
554
555 _oid_pair = ('response_type', 'response')
556 _oid_specs = {
557 'basic_ocsp_response': BasicOCSPResponse,
558 }
559
560
561class OCSPResponse(Sequence):
562 _fields = [
563 ('response_status', OCSPResponseStatus),
wbondd62ed9a2017-09-15 07:13:52 -0400[diff] [blame^]564 ('response_bytes', ResponseBytes, {'explicit': 0, 'optional': True}),
wbonde91513e2015-06-03 14:52:18 -0400[diff] [blame]565 ]
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]566
567 _processed_extensions = False
568 _critical_extensions = None
569 _nonce_value = None
570 _extended_revoke_value = None
571
572 def _set_extensions(self):
573 """
574 Sets common named extensions to private attributes and creates a list
575 of critical extensions
576 """
577
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]578 self._critical_extensions = set()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]579
580 for extension in self['response_bytes']['response'].parsed['tbs_response_data']['response_extensions']:
581 name = extension['extn_id'].native
582 attribute_name = '_%s_value' % name
583 if hasattr(self, attribute_name):
584 setattr(self, attribute_name, extension['extn_value'].parsed)
585 if extension['critical'].native:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]586 self._critical_extensions.add(name)
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]587
588 self._processed_extensions = True
589
590 @property
591 def critical_extensions(self):
592 """
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]593 Returns a set of the names (or OID if not a known extension) of the
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]594 extensions marked as critical
595
596 :return:
wbond2fde6452015-07-23 10:54:13 -0400[diff] [blame]597 A set of unicode strings
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]598 """
599
600 if not self._processed_extensions:
601 self._set_extensions()
602 return self._critical_extensions
603
604 @property
605 def nonce_value(self):
606 """
607 This extension is used to prevent replay attacks on the request/response
608 exchange
609
610 :return:
611 None or an OctetString object
612 """
613
614 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]615 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]616 return self._nonce_value
617
618 @property
619 def extended_revoke_value(self):
620 """
621 This extension is used to signal that the responder will return a
622 "revoked" status for non-issued certificates.
623
624 :return:
625 None or a Null object (if present)
626 """
627
628 if self._processed_extensions is False:
wbondad218f92015-07-20 10:43:16 -0400[diff] [blame]629 self._set_extensions()
wbondbcb62642015-07-20 10:16:27 -0400[diff] [blame]630 return self._extended_revoke_value
wbondfbdd5812015-10-30 19:59:23 -0400[diff] [blame]631
632 @property
633 def basic_ocsp_response(self):
634 """
635 A shortcut into the BasicOCSPResponse sequence
636
637 :return:
638 None or an asn1crypto.ocsp.BasicOCSPResponse object
639 """
640
641 return self['response_bytes']['response'].parsed
642
643 @property
644 def response_data(self):
645 """
646 A shortcut into the parsed, ResponseData sequence
647
648 :return:
649 None or an asn1crypto.ocsp.ResponseData object
650 """
651
652 return self['response_bytes']['response'].parsed['tbs_response_data']