wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 1 | # coding: utf-8 |
wbond | ea25fc2 | 2015-06-19 15:07:04 -0400 | [diff] [blame] | 2 | |
| 3 | """ |
| 4 | ASN.1 type classes for the online certificate status protocol (OCSP). Exports |
| 5 | the following items: |
| 6 | |
| 7 | - OCSPRequest() |
| 8 | - OCSPResponse() |
| 9 | |
| 10 | Other type classes are defined that help compose the types listed above. |
| 11 | """ |
| 12 | |
wbond | 6b66ab5 | 2015-06-21 10:26:45 -0400 | [diff] [blame] | 13 | from __future__ import unicode_literals, division, absolute_import, print_function |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 14 | |
| 15 | from .algos import DigestAlgorithm, SignedDigestAlgorithm |
| 16 | from .core import ( |
| 17 | Boolean, |
| 18 | Choice, |
| 19 | Enumerated, |
| 20 | GeneralizedTime, |
| 21 | IA5String, |
| 22 | Integer, |
| 23 | Null, |
| 24 | ObjectIdentifier, |
| 25 | OctetBitString, |
| 26 | OctetString, |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 27 | ParsableOctetString, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 28 | Sequence, |
| 29 | SequenceOf, |
| 30 | ) |
| 31 | from .crl import AuthorityInfoAccessSyntax, CRLReason |
| 32 | from .keys import PublicKeyAlgorithm |
| 33 | from .x509 import Certificate, GeneralName, GeneralNames, Name |
| 34 | |
| 35 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 36 | # The structures in this file are taken from https://tools.ietf.org/html/rfc6960 |
| 37 | |
| 38 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 39 | class Version(Integer): |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 40 | _map = { |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 41 | 0: 'v1' |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 42 | } |
| 43 | |
| 44 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 45 | class CertId(Sequence): |
| 46 | _fields = [ |
| 47 | ('hash_algorithm', DigestAlgorithm), |
| 48 | ('issuer_name_hash', OctetString), |
| 49 | ('issuer_key_hash', OctetString), |
| 50 | ('serial_number', Integer), |
| 51 | ] |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 52 | |
| 53 | |
| 54 | class ServiceLocator(Sequence): |
| 55 | _fields = [ |
| 56 | ('issuer', Name), |
| 57 | ('locator', AuthorityInfoAccessSyntax), |
| 58 | ] |
| 59 | |
| 60 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 61 | class RequestExtensionId(ObjectIdentifier): |
| 62 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 63 | '1.3.6.1.5.5.7.48.1.7': 'service_locator', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 64 | } |
| 65 | |
| 66 | |
| 67 | class RequestExtension(Sequence): |
| 68 | _fields = [ |
| 69 | ('extn_id', RequestExtensionId), |
| 70 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 71 | ('extn_value', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 72 | ] |
| 73 | |
| 74 | _oid_pair = ('extn_id', 'extn_value') |
| 75 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 76 | 'service_locator': ServiceLocator, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 77 | } |
| 78 | |
| 79 | |
| 80 | class RequestExtensions(SequenceOf): |
| 81 | _child_spec = RequestExtension |
| 82 | |
| 83 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 84 | class Request(Sequence): |
| 85 | _fields = [ |
| 86 | ('req_cert', CertId), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 87 | ('single_request_extensions', RequestExtensions, {'explicit': 0, 'optional': True}), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 88 | ] |
| 89 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 90 | _processed_extensions = False |
| 91 | _critical_extensions = None |
| 92 | _service_locator_value = None |
| 93 | |
| 94 | def _set_extensions(self): |
| 95 | """ |
| 96 | Sets common named extensions to private attributes and creates a list |
| 97 | of critical extensions |
| 98 | """ |
| 99 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 100 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 101 | |
| 102 | for extension in self['single_request_extensions']: |
| 103 | name = extension['extn_id'].native |
| 104 | attribute_name = '_%s_value' % name |
| 105 | if hasattr(self, attribute_name): |
| 106 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 107 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 108 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 109 | |
| 110 | self._processed_extensions = True |
| 111 | |
| 112 | @property |
| 113 | def critical_extensions(self): |
| 114 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 115 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 116 | extensions marked as critical |
| 117 | |
| 118 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 119 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 120 | """ |
| 121 | |
| 122 | if not self._processed_extensions: |
| 123 | self._set_extensions() |
| 124 | return self._critical_extensions |
| 125 | |
| 126 | @property |
| 127 | def service_locator_value(self): |
| 128 | """ |
| 129 | This extension is used when communicating with an OCSP responder that |
| 130 | acts as a proxy for OCSP requests |
| 131 | |
| 132 | :return: |
| 133 | None or a ServiceLocator object |
| 134 | """ |
| 135 | |
| 136 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 137 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 138 | return self._service_locator_value |
| 139 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 140 | |
| 141 | class Requests(SequenceOf): |
| 142 | _child_spec = Request |
| 143 | |
| 144 | |
| 145 | class ResponseType(ObjectIdentifier): |
| 146 | _map = { |
| 147 | '1.3.6.1.5.5.7.48.1.1': 'basic_ocsp_response', |
| 148 | } |
| 149 | |
| 150 | |
| 151 | class AcceptableResponses(SequenceOf): |
| 152 | _child_spec = ResponseType |
| 153 | |
| 154 | |
| 155 | class PreferredSignatureAlgorithm(Sequence): |
| 156 | _fields = [ |
| 157 | ('sig_identifier', SignedDigestAlgorithm), |
| 158 | ('cert_identifier', PublicKeyAlgorithm, {'optional': True}), |
| 159 | ] |
| 160 | |
| 161 | |
| 162 | class PreferredSignatureAlgorithms(SequenceOf): |
| 163 | _child_spec = PreferredSignatureAlgorithm |
| 164 | |
| 165 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 166 | class TBSRequestExtensionId(ObjectIdentifier): |
| 167 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 168 | '1.3.6.1.5.5.7.48.1.2': 'nonce', |
| 169 | '1.3.6.1.5.5.7.48.1.4': 'acceptable_responses', |
| 170 | '1.3.6.1.5.5.7.48.1.8': 'preferred_signature_algorithms', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 171 | } |
| 172 | |
| 173 | |
| 174 | class TBSRequestExtension(Sequence): |
| 175 | _fields = [ |
| 176 | ('extn_id', TBSRequestExtensionId), |
| 177 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 178 | ('extn_value', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 179 | ] |
| 180 | |
| 181 | _oid_pair = ('extn_id', 'extn_value') |
| 182 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 183 | 'nonce': OctetString, |
| 184 | 'acceptable_responses': AcceptableResponses, |
| 185 | 'preferred_signature_algorithms': PreferredSignatureAlgorithms, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 186 | } |
| 187 | |
| 188 | |
| 189 | class TBSRequestExtensions(SequenceOf): |
| 190 | _child_spec = TBSRequestExtension |
| 191 | |
| 192 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 193 | class TBSRequest(Sequence): |
| 194 | _fields = [ |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 195 | ('version', Version, {'explicit': 0, 'default': 'v1'}), |
| 196 | ('requestor_name', GeneralName, {'explicit': 1, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 197 | ('request_list', Requests), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 198 | ('request_extensions', TBSRequestExtensions, {'explicit': 2, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 199 | ] |
| 200 | |
| 201 | |
| 202 | class Certificates(SequenceOf): |
| 203 | _child_spec = Certificate |
| 204 | |
| 205 | |
| 206 | class Signature(Sequence): |
| 207 | _fields = [ |
| 208 | ('signature_algorithm', SignedDigestAlgorithm), |
| 209 | ('signature', OctetBitString), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 210 | ('certs', Certificates, {'explicit': 0, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 211 | ] |
| 212 | |
| 213 | |
| 214 | class OCSPRequest(Sequence): |
| 215 | _fields = [ |
| 216 | ('tbs_request', TBSRequest), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 217 | ('optional_signature', Signature, {'explicit': 0, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 218 | ] |
| 219 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 220 | _processed_extensions = False |
| 221 | _critical_extensions = None |
| 222 | _nonce_value = None |
| 223 | _acceptable_responses_value = None |
| 224 | _preferred_signature_algorithms_value = None |
| 225 | |
| 226 | def _set_extensions(self): |
| 227 | """ |
| 228 | Sets common named extensions to private attributes and creates a list |
| 229 | of critical extensions |
| 230 | """ |
| 231 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 232 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 233 | |
| 234 | for extension in self['tbs_request']['request_extensions']: |
| 235 | name = extension['extn_id'].native |
| 236 | attribute_name = '_%s_value' % name |
| 237 | if hasattr(self, attribute_name): |
| 238 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 239 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 240 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 241 | |
| 242 | self._processed_extensions = True |
| 243 | |
| 244 | @property |
| 245 | def critical_extensions(self): |
| 246 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 247 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 248 | extensions marked as critical |
| 249 | |
| 250 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 251 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 252 | """ |
| 253 | |
| 254 | if not self._processed_extensions: |
| 255 | self._set_extensions() |
| 256 | return self._critical_extensions |
| 257 | |
| 258 | @property |
| 259 | def nonce_value(self): |
| 260 | """ |
| 261 | This extension is used to prevent replay attacks by including a unique, |
| 262 | random value with each request/response pair |
| 263 | |
| 264 | :return: |
| 265 | None or an OctetString object |
| 266 | """ |
| 267 | |
| 268 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 269 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 270 | return self._nonce_value |
| 271 | |
| 272 | @property |
| 273 | def acceptable_responses_value(self): |
| 274 | """ |
| 275 | This extension is used to allow the client and server to communicate |
| 276 | with alternative response formats other than just basic_ocsp_response, |
| 277 | although no other formats are defined in the standard. |
| 278 | |
| 279 | :return: |
| 280 | None or an AcceptableResponses object |
| 281 | """ |
| 282 | |
| 283 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 284 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 285 | return self._acceptable_responses_value |
| 286 | |
| 287 | @property |
| 288 | def preferred_signature_algorithms_value(self): |
| 289 | """ |
| 290 | This extension is used by the client to define what signature algorithms |
| 291 | are preferred, including both the hash algorithm and the public key |
| 292 | algorithm, with a level of detail down to even the public key algorithm |
| 293 | parameters, such as curve name. |
| 294 | |
| 295 | :return: |
| 296 | None or a PreferredSignatureAlgorithms object |
| 297 | """ |
| 298 | |
| 299 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 300 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 301 | return self._preferred_signature_algorithms_value |
| 302 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 303 | |
| 304 | class OCSPResponseStatus(Enumerated): |
| 305 | _map = { |
| 306 | 0: 'successful', |
| 307 | 1: 'malformed_request', |
| 308 | 2: 'internal_error', |
| 309 | 3: 'try_later', |
| 310 | 5: 'sign_required', |
wbond | 77b0ccd | 2015-07-17 11:17:02 -0400 | [diff] [blame] | 311 | 6: 'unauthorized', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 312 | } |
| 313 | |
| 314 | |
| 315 | class ResponderId(Choice): |
| 316 | _alternatives = [ |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 317 | ('by_name', Name, {'explicit': 1}), |
| 318 | ('by_key', OctetString, {'explicit': 2}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 319 | ] |
| 320 | |
| 321 | |
| 322 | class RevokedInfo(Sequence): |
| 323 | _fields = [ |
| 324 | ('revocation_time', GeneralizedTime), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 325 | ('revocation_reason', CRLReason, {'explicit': 0, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 326 | ] |
| 327 | |
| 328 | |
| 329 | class CertStatus(Choice): |
| 330 | _alternatives = [ |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 331 | ('good', Null, {'implicit': 0}), |
| 332 | ('revoked', RevokedInfo, {'implicit': 1}), |
| 333 | ('unknown', Null, {'implicit': 2}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 334 | ] |
| 335 | |
| 336 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 337 | class CrlId(Sequence): |
| 338 | _fields = [ |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 339 | ('crl_url', IA5String, {'explicit': 0, 'optional': True}), |
| 340 | ('crl_num', Integer, {'explicit': 1, 'optional': True}), |
| 341 | ('crl_time', GeneralizedTime, {'explicit': 2, 'optional': True}), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 342 | ] |
| 343 | |
| 344 | |
| 345 | class SingleResponseExtensionId(ObjectIdentifier): |
| 346 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 347 | '1.3.6.1.5.5.7.48.1.3': 'crl', |
| 348 | '1.3.6.1.5.5.7.48.1.6': 'archive_cutoff', |
| 349 | # These are CRLEntryExtension values from |
| 350 | # https://tools.ietf.org/html/rfc5280 |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 351 | '2.5.29.21': 'crl_reason', |
| 352 | '2.5.29.24': 'invalidity_date', |
| 353 | '2.5.29.29': 'certificate_issuer', |
wbond | 9e74abf | 2017-06-13 20:34:22 -0400 | [diff] [blame] | 354 | # https://tools.ietf.org/html/rfc6962.html#page-13 |
| 355 | '1.3.6.1.4.1.11129.2.4.5': 'signed_certificate_timestamp_list', |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 356 | } |
| 357 | |
| 358 | |
| 359 | class SingleResponseExtension(Sequence): |
| 360 | _fields = [ |
| 361 | ('extn_id', SingleResponseExtensionId), |
| 362 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 363 | ('extn_value', ParsableOctetString), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 364 | ] |
| 365 | |
| 366 | _oid_pair = ('extn_id', 'extn_value') |
| 367 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 368 | 'crl': CrlId, |
| 369 | 'archive_cutoff': GeneralizedTime, |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 370 | 'crl_reason': CRLReason, |
| 371 | 'invalidity_date': GeneralizedTime, |
| 372 | 'certificate_issuer': GeneralNames, |
wbond | 9e74abf | 2017-06-13 20:34:22 -0400 | [diff] [blame] | 373 | 'signed_certificate_timestamp_list': OctetString, |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 374 | } |
| 375 | |
| 376 | |
| 377 | class SingleResponseExtensions(SequenceOf): |
| 378 | _child_spec = SingleResponseExtension |
| 379 | |
| 380 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 381 | class SingleResponse(Sequence): |
| 382 | _fields = [ |
| 383 | ('cert_id', CertId), |
| 384 | ('cert_status', CertStatus), |
| 385 | ('this_update', GeneralizedTime), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 386 | ('next_update', GeneralizedTime, {'explicit': 0, 'optional': True}), |
| 387 | ('single_extensions', SingleResponseExtensions, {'explicit': 1, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 388 | ] |
| 389 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 390 | _processed_extensions = False |
| 391 | _critical_extensions = None |
| 392 | _crl_value = None |
| 393 | _archive_cutoff_value = None |
| 394 | _crl_reason_value = None |
| 395 | _invalidity_date_value = None |
| 396 | _certificate_issuer_value = None |
| 397 | |
| 398 | def _set_extensions(self): |
| 399 | """ |
| 400 | Sets common named extensions to private attributes and creates a list |
| 401 | of critical extensions |
| 402 | """ |
| 403 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 404 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 405 | |
| 406 | for extension in self['single_extensions']: |
| 407 | name = extension['extn_id'].native |
| 408 | attribute_name = '_%s_value' % name |
| 409 | if hasattr(self, attribute_name): |
| 410 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 411 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 412 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 413 | |
| 414 | self._processed_extensions = True |
| 415 | |
| 416 | @property |
| 417 | def critical_extensions(self): |
| 418 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 419 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 420 | extensions marked as critical |
| 421 | |
| 422 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 423 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 424 | """ |
| 425 | |
| 426 | if not self._processed_extensions: |
| 427 | self._set_extensions() |
| 428 | return self._critical_extensions |
| 429 | |
| 430 | @property |
| 431 | def crl_value(self): |
| 432 | """ |
| 433 | This extension is used to locate the CRL that a certificate's revocation |
| 434 | is contained within. |
| 435 | |
| 436 | :return: |
| 437 | None or a CrlId object |
| 438 | """ |
| 439 | |
| 440 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 441 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 442 | return self._crl_value |
| 443 | |
| 444 | @property |
| 445 | def archive_cutoff_value(self): |
| 446 | """ |
| 447 | This extension is used to indicate the date at which an archived |
| 448 | (historical) certificate status entry will no longer be available. |
| 449 | |
| 450 | :return: |
| 451 | None or a GeneralizedTime object |
| 452 | """ |
| 453 | |
| 454 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 455 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 456 | return self._archive_cutoff_value |
| 457 | |
| 458 | @property |
| 459 | def crl_reason_value(self): |
| 460 | """ |
| 461 | This extension indicates the reason that a certificate was revoked. |
| 462 | |
| 463 | :return: |
| 464 | None or a CRLReason object |
| 465 | """ |
| 466 | |
| 467 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 468 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 469 | return self._crl_reason_value |
| 470 | |
| 471 | @property |
| 472 | def invalidity_date_value(self): |
| 473 | """ |
| 474 | This extension indicates the suspected date/time the private key was |
| 475 | compromised or the certificate became invalid. This would usually be |
| 476 | before the revocation date, which is when the CA processed the |
| 477 | revocation. |
| 478 | |
| 479 | :return: |
| 480 | None or a GeneralizedTime object |
| 481 | """ |
| 482 | |
| 483 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 484 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 485 | return self._invalidity_date_value |
| 486 | |
| 487 | @property |
| 488 | def certificate_issuer_value(self): |
| 489 | """ |
| 490 | This extension indicates the issuer of the certificate in question. |
| 491 | |
| 492 | :return: |
| 493 | None or an x509.GeneralNames object |
| 494 | """ |
| 495 | |
| 496 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 497 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 498 | return self._certificate_issuer_value |
| 499 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 500 | |
| 501 | class Responses(SequenceOf): |
| 502 | _child_spec = SingleResponse |
| 503 | |
| 504 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 505 | class ResponseDataExtensionId(ObjectIdentifier): |
| 506 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 507 | '1.3.6.1.5.5.7.48.1.2': 'nonce', |
| 508 | '1.3.6.1.5.5.7.48.1.9': 'extended_revoke', |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 509 | } |
| 510 | |
| 511 | |
| 512 | class ResponseDataExtension(Sequence): |
| 513 | _fields = [ |
| 514 | ('extn_id', ResponseDataExtensionId), |
| 515 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 516 | ('extn_value', ParsableOctetString), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 517 | ] |
| 518 | |
| 519 | _oid_pair = ('extn_id', 'extn_value') |
| 520 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 521 | 'nonce': OctetString, |
| 522 | 'extended_revoke': Null, |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 523 | } |
| 524 | |
| 525 | |
| 526 | class ResponseDataExtensions(SequenceOf): |
| 527 | _child_spec = ResponseDataExtension |
| 528 | |
| 529 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 530 | class ResponseData(Sequence): |
| 531 | _fields = [ |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 532 | ('version', Version, {'explicit': 0, 'default': 'v1'}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 533 | ('responder_id', ResponderId), |
| 534 | ('produced_at', GeneralizedTime), |
| 535 | ('responses', Responses), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 536 | ('response_extensions', ResponseDataExtensions, {'explicit': 1, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 537 | ] |
| 538 | |
| 539 | |
| 540 | class BasicOCSPResponse(Sequence): |
| 541 | _fields = [ |
| 542 | ('tbs_response_data', ResponseData), |
| 543 | ('signature_algorithm', SignedDigestAlgorithm), |
| 544 | ('signature', OctetBitString), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 545 | ('certs', Certificates, {'explicit': 0, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 546 | ] |
| 547 | |
| 548 | |
| 549 | class ResponseBytes(Sequence): |
| 550 | _fields = [ |
| 551 | ('response_type', ResponseType), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame] | 552 | ('response', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 553 | ] |
| 554 | |
| 555 | _oid_pair = ('response_type', 'response') |
| 556 | _oid_specs = { |
| 557 | 'basic_ocsp_response': BasicOCSPResponse, |
| 558 | } |
| 559 | |
| 560 | |
| 561 | class OCSPResponse(Sequence): |
| 562 | _fields = [ |
| 563 | ('response_status', OCSPResponseStatus), |
wbond | d62ed9a | 2017-09-15 07:13:52 -0400 | [diff] [blame^] | 564 | ('response_bytes', ResponseBytes, {'explicit': 0, 'optional': True}), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 565 | ] |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 566 | |
| 567 | _processed_extensions = False |
| 568 | _critical_extensions = None |
| 569 | _nonce_value = None |
| 570 | _extended_revoke_value = None |
| 571 | |
| 572 | def _set_extensions(self): |
| 573 | """ |
| 574 | Sets common named extensions to private attributes and creates a list |
| 575 | of critical extensions |
| 576 | """ |
| 577 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 578 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 579 | |
| 580 | for extension in self['response_bytes']['response'].parsed['tbs_response_data']['response_extensions']: |
| 581 | name = extension['extn_id'].native |
| 582 | attribute_name = '_%s_value' % name |
| 583 | if hasattr(self, attribute_name): |
| 584 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 585 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 586 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 587 | |
| 588 | self._processed_extensions = True |
| 589 | |
| 590 | @property |
| 591 | def critical_extensions(self): |
| 592 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 593 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 594 | extensions marked as critical |
| 595 | |
| 596 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 597 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 598 | """ |
| 599 | |
| 600 | if not self._processed_extensions: |
| 601 | self._set_extensions() |
| 602 | return self._critical_extensions |
| 603 | |
| 604 | @property |
| 605 | def nonce_value(self): |
| 606 | """ |
| 607 | This extension is used to prevent replay attacks on the request/response |
| 608 | exchange |
| 609 | |
| 610 | :return: |
| 611 | None or an OctetString object |
| 612 | """ |
| 613 | |
| 614 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 615 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 616 | return self._nonce_value |
| 617 | |
| 618 | @property |
| 619 | def extended_revoke_value(self): |
| 620 | """ |
| 621 | This extension is used to signal that the responder will return a |
| 622 | "revoked" status for non-issued certificates. |
| 623 | |
| 624 | :return: |
| 625 | None or a Null object (if present) |
| 626 | """ |
| 627 | |
| 628 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 629 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 630 | return self._extended_revoke_value |
wbond | fbdd581 | 2015-10-30 19:59:23 -0400 | [diff] [blame] | 631 | |
| 632 | @property |
| 633 | def basic_ocsp_response(self): |
| 634 | """ |
| 635 | A shortcut into the BasicOCSPResponse sequence |
| 636 | |
| 637 | :return: |
| 638 | None or an asn1crypto.ocsp.BasicOCSPResponse object |
| 639 | """ |
| 640 | |
| 641 | return self['response_bytes']['response'].parsed |
| 642 | |
| 643 | @property |
| 644 | def response_data(self): |
| 645 | """ |
| 646 | A shortcut into the parsed, ResponseData sequence |
| 647 | |
| 648 | :return: |
| 649 | None or an asn1crypto.ocsp.ResponseData object |
| 650 | """ |
| 651 | |
| 652 | return self['response_bytes']['response'].parsed['tbs_response_data'] |