wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 1 | # coding: utf-8 |
wbond | ea25fc2 | 2015-06-19 15:07:04 -0400 | [diff] [blame] | 2 | |
| 3 | """ |
| 4 | ASN.1 type classes for the online certificate status protocol (OCSP). Exports |
| 5 | the following items: |
| 6 | |
| 7 | - OCSPRequest() |
| 8 | - OCSPResponse() |
| 9 | |
| 10 | Other type classes are defined that help compose the types listed above. |
| 11 | """ |
| 12 | |
wbond | 6b66ab5 | 2015-06-21 10:26:45 -0400 | [diff] [blame] | 13 | from __future__ import unicode_literals, division, absolute_import, print_function |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 14 | |
| 15 | from .algos import DigestAlgorithm, SignedDigestAlgorithm |
| 16 | from .core import ( |
| 17 | Boolean, |
| 18 | Choice, |
| 19 | Enumerated, |
| 20 | GeneralizedTime, |
| 21 | IA5String, |
| 22 | Integer, |
| 23 | Null, |
| 24 | ObjectIdentifier, |
| 25 | OctetBitString, |
| 26 | OctetString, |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 27 | ParsableOctetString, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 28 | Sequence, |
| 29 | SequenceOf, |
| 30 | ) |
| 31 | from .crl import AuthorityInfoAccessSyntax, CRLReason |
| 32 | from .keys import PublicKeyAlgorithm |
| 33 | from .x509 import Certificate, GeneralName, GeneralNames, Name |
| 34 | |
| 35 | |
| 36 | |
| 37 | # The structures in this file are taken from https://tools.ietf.org/html/rfc6960 |
| 38 | |
| 39 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 40 | class Version(Integer): |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 41 | _map = { |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 42 | 0: 'v1' |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 43 | } |
| 44 | |
| 45 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 46 | class CertId(Sequence): |
| 47 | _fields = [ |
| 48 | ('hash_algorithm', DigestAlgorithm), |
| 49 | ('issuer_name_hash', OctetString), |
| 50 | ('issuer_key_hash', OctetString), |
| 51 | ('serial_number', Integer), |
| 52 | ] |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 53 | |
| 54 | |
| 55 | class ServiceLocator(Sequence): |
| 56 | _fields = [ |
| 57 | ('issuer', Name), |
| 58 | ('locator', AuthorityInfoAccessSyntax), |
| 59 | ] |
| 60 | |
| 61 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 62 | class RequestExtensionId(ObjectIdentifier): |
| 63 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 64 | '1.3.6.1.5.5.7.48.1.7': 'service_locator', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 65 | } |
| 66 | |
| 67 | |
| 68 | class RequestExtension(Sequence): |
| 69 | _fields = [ |
| 70 | ('extn_id', RequestExtensionId), |
| 71 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 72 | ('extn_value', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 73 | ] |
| 74 | |
| 75 | _oid_pair = ('extn_id', 'extn_value') |
| 76 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 77 | 'service_locator': ServiceLocator, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 78 | } |
| 79 | |
| 80 | |
| 81 | class RequestExtensions(SequenceOf): |
| 82 | _child_spec = RequestExtension |
| 83 | |
| 84 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 85 | class Request(Sequence): |
| 86 | _fields = [ |
| 87 | ('req_cert', CertId), |
| 88 | ('single_request_extensions', RequestExtensions, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 89 | ] |
| 90 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 91 | _processed_extensions = False |
| 92 | _critical_extensions = None |
| 93 | _service_locator_value = None |
| 94 | |
| 95 | def _set_extensions(self): |
| 96 | """ |
| 97 | Sets common named extensions to private attributes and creates a list |
| 98 | of critical extensions |
| 99 | """ |
| 100 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 101 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 102 | |
| 103 | for extension in self['single_request_extensions']: |
| 104 | name = extension['extn_id'].native |
| 105 | attribute_name = '_%s_value' % name |
| 106 | if hasattr(self, attribute_name): |
| 107 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 108 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 109 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 110 | |
| 111 | self._processed_extensions = True |
| 112 | |
| 113 | @property |
| 114 | def critical_extensions(self): |
| 115 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 116 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 117 | extensions marked as critical |
| 118 | |
| 119 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 120 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 121 | """ |
| 122 | |
| 123 | if not self._processed_extensions: |
| 124 | self._set_extensions() |
| 125 | return self._critical_extensions |
| 126 | |
| 127 | @property |
| 128 | def service_locator_value(self): |
| 129 | """ |
| 130 | This extension is used when communicating with an OCSP responder that |
| 131 | acts as a proxy for OCSP requests |
| 132 | |
| 133 | :return: |
| 134 | None or a ServiceLocator object |
| 135 | """ |
| 136 | |
| 137 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 138 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 139 | return self._service_locator_value |
| 140 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 141 | |
| 142 | class Requests(SequenceOf): |
| 143 | _child_spec = Request |
| 144 | |
| 145 | |
| 146 | class ResponseType(ObjectIdentifier): |
| 147 | _map = { |
| 148 | '1.3.6.1.5.5.7.48.1.1': 'basic_ocsp_response', |
| 149 | } |
| 150 | |
| 151 | |
| 152 | class AcceptableResponses(SequenceOf): |
| 153 | _child_spec = ResponseType |
| 154 | |
| 155 | |
| 156 | class PreferredSignatureAlgorithm(Sequence): |
| 157 | _fields = [ |
| 158 | ('sig_identifier', SignedDigestAlgorithm), |
| 159 | ('cert_identifier', PublicKeyAlgorithm, {'optional': True}), |
| 160 | ] |
| 161 | |
| 162 | |
| 163 | class PreferredSignatureAlgorithms(SequenceOf): |
| 164 | _child_spec = PreferredSignatureAlgorithm |
| 165 | |
| 166 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 167 | class TBSRequestExtensionId(ObjectIdentifier): |
| 168 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 169 | '1.3.6.1.5.5.7.48.1.2': 'nonce', |
| 170 | '1.3.6.1.5.5.7.48.1.4': 'acceptable_responses', |
| 171 | '1.3.6.1.5.5.7.48.1.8': 'preferred_signature_algorithms', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 172 | } |
| 173 | |
| 174 | |
| 175 | class TBSRequestExtension(Sequence): |
| 176 | _fields = [ |
| 177 | ('extn_id', TBSRequestExtensionId), |
| 178 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 179 | ('extn_value', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 180 | ] |
| 181 | |
| 182 | _oid_pair = ('extn_id', 'extn_value') |
| 183 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 184 | 'nonce': OctetString, |
| 185 | 'acceptable_responses': AcceptableResponses, |
| 186 | 'preferred_signature_algorithms': PreferredSignatureAlgorithms, |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 187 | } |
| 188 | |
| 189 | |
| 190 | class TBSRequestExtensions(SequenceOf): |
| 191 | _child_spec = TBSRequestExtension |
| 192 | |
| 193 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 194 | class TBSRequest(Sequence): |
| 195 | _fields = [ |
| 196 | ('version', Version, {'tag_type': 'explicit', 'tag': 0, 'default': 'v1'}), |
| 197 | ('requestor_name', GeneralName, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 198 | ('request_list', Requests), |
| 199 | ('request_extensions', TBSRequestExtensions, {'tag_type': 'explicit', 'tag': 2, 'optional': True}), |
| 200 | ] |
| 201 | |
| 202 | |
| 203 | class Certificates(SequenceOf): |
| 204 | _child_spec = Certificate |
| 205 | |
| 206 | |
| 207 | class Signature(Sequence): |
| 208 | _fields = [ |
| 209 | ('signature_algorithm', SignedDigestAlgorithm), |
| 210 | ('signature', OctetBitString), |
| 211 | ('certs', Certificates, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 212 | ] |
| 213 | |
| 214 | |
| 215 | class OCSPRequest(Sequence): |
| 216 | _fields = [ |
| 217 | ('tbs_request', TBSRequest), |
| 218 | ('optional_signature', Signature, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 219 | ] |
| 220 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 221 | _processed_extensions = False |
| 222 | _critical_extensions = None |
| 223 | _nonce_value = None |
| 224 | _acceptable_responses_value = None |
| 225 | _preferred_signature_algorithms_value = None |
| 226 | |
| 227 | def _set_extensions(self): |
| 228 | """ |
| 229 | Sets common named extensions to private attributes and creates a list |
| 230 | of critical extensions |
| 231 | """ |
| 232 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 233 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 234 | |
| 235 | for extension in self['tbs_request']['request_extensions']: |
| 236 | name = extension['extn_id'].native |
| 237 | attribute_name = '_%s_value' % name |
| 238 | if hasattr(self, attribute_name): |
| 239 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 240 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 241 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 242 | |
| 243 | self._processed_extensions = True |
| 244 | |
| 245 | @property |
| 246 | def critical_extensions(self): |
| 247 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 248 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 249 | extensions marked as critical |
| 250 | |
| 251 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 252 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 253 | """ |
| 254 | |
| 255 | if not self._processed_extensions: |
| 256 | self._set_extensions() |
| 257 | return self._critical_extensions |
| 258 | |
| 259 | @property |
| 260 | def nonce_value(self): |
| 261 | """ |
| 262 | This extension is used to prevent replay attacks by including a unique, |
| 263 | random value with each request/response pair |
| 264 | |
| 265 | :return: |
| 266 | None or an OctetString object |
| 267 | """ |
| 268 | |
| 269 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 270 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 271 | return self._nonce_value |
| 272 | |
| 273 | @property |
| 274 | def acceptable_responses_value(self): |
| 275 | """ |
| 276 | This extension is used to allow the client and server to communicate |
| 277 | with alternative response formats other than just basic_ocsp_response, |
| 278 | although no other formats are defined in the standard. |
| 279 | |
| 280 | :return: |
| 281 | None or an AcceptableResponses object |
| 282 | """ |
| 283 | |
| 284 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 285 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 286 | return self._acceptable_responses_value |
| 287 | |
| 288 | @property |
| 289 | def preferred_signature_algorithms_value(self): |
| 290 | """ |
| 291 | This extension is used by the client to define what signature algorithms |
| 292 | are preferred, including both the hash algorithm and the public key |
| 293 | algorithm, with a level of detail down to even the public key algorithm |
| 294 | parameters, such as curve name. |
| 295 | |
| 296 | :return: |
| 297 | None or a PreferredSignatureAlgorithms object |
| 298 | """ |
| 299 | |
| 300 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 301 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 302 | return self._preferred_signature_algorithms_value |
| 303 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 304 | |
| 305 | class OCSPResponseStatus(Enumerated): |
| 306 | _map = { |
| 307 | 0: 'successful', |
| 308 | 1: 'malformed_request', |
| 309 | 2: 'internal_error', |
| 310 | 3: 'try_later', |
| 311 | 5: 'sign_required', |
wbond | 77b0ccd | 2015-07-17 11:17:02 -0400 | [diff] [blame] | 312 | 6: 'unauthorized', |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 313 | } |
| 314 | |
| 315 | |
| 316 | class ResponderId(Choice): |
| 317 | _alternatives = [ |
| 318 | ('by_name', Name, {'tag_type': 'explicit', 'tag': 1}), |
| 319 | ('by_key', OctetString, {'tag_type': 'explicit', 'tag': 2}), |
| 320 | ] |
| 321 | |
| 322 | |
| 323 | class RevokedInfo(Sequence): |
| 324 | _fields = [ |
| 325 | ('revocation_time', GeneralizedTime), |
| 326 | ('revocation_reason', CRLReason, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 327 | ] |
| 328 | |
| 329 | |
| 330 | class CertStatus(Choice): |
| 331 | _alternatives = [ |
| 332 | ('good', Null, {'tag_type': 'implicit', 'tag': 0}), |
| 333 | ('revoked', RevokedInfo, {'tag_type': 'implicit', 'tag': 1}), |
| 334 | ('unknown', Null, {'tag_type': 'implicit', 'tag': 2}), |
| 335 | ] |
| 336 | |
| 337 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 338 | class CrlId(Sequence): |
| 339 | _fields = [ |
| 340 | ('crl_url', IA5String, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 341 | ('crl_num', Integer, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 342 | ('crl_time', GeneralizedTime, {'tag_type': 'explicit', 'tag': 2, 'optional': True}), |
| 343 | ] |
| 344 | |
| 345 | |
| 346 | class SingleResponseExtensionId(ObjectIdentifier): |
| 347 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 348 | '1.3.6.1.5.5.7.48.1.3': 'crl', |
| 349 | '1.3.6.1.5.5.7.48.1.6': 'archive_cutoff', |
| 350 | # These are CRLEntryExtension values from |
| 351 | # https://tools.ietf.org/html/rfc5280 |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 352 | '2.5.29.21': 'crl_reason', |
| 353 | '2.5.29.24': 'invalidity_date', |
| 354 | '2.5.29.29': 'certificate_issuer', |
| 355 | } |
| 356 | |
| 357 | |
| 358 | class SingleResponseExtension(Sequence): |
| 359 | _fields = [ |
| 360 | ('extn_id', SingleResponseExtensionId), |
| 361 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 362 | ('extn_value', ParsableOctetString), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 363 | ] |
| 364 | |
| 365 | _oid_pair = ('extn_id', 'extn_value') |
| 366 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 367 | 'crl': CrlId, |
| 368 | 'archive_cutoff': GeneralizedTime, |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 369 | 'crl_reason': CRLReason, |
| 370 | 'invalidity_date': GeneralizedTime, |
| 371 | 'certificate_issuer': GeneralNames, |
| 372 | } |
| 373 | |
| 374 | |
| 375 | class SingleResponseExtensions(SequenceOf): |
| 376 | _child_spec = SingleResponseExtension |
| 377 | |
| 378 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 379 | class SingleResponse(Sequence): |
| 380 | _fields = [ |
| 381 | ('cert_id', CertId), |
| 382 | ('cert_status', CertStatus), |
| 383 | ('this_update', GeneralizedTime), |
| 384 | ('next_update', GeneralizedTime, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 385 | ('single_extensions', SingleResponseExtensions, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 386 | ] |
| 387 | |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 388 | _processed_extensions = False |
| 389 | _critical_extensions = None |
| 390 | _crl_value = None |
| 391 | _archive_cutoff_value = None |
| 392 | _crl_reason_value = None |
| 393 | _invalidity_date_value = None |
| 394 | _certificate_issuer_value = None |
| 395 | |
| 396 | def _set_extensions(self): |
| 397 | """ |
| 398 | Sets common named extensions to private attributes and creates a list |
| 399 | of critical extensions |
| 400 | """ |
| 401 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 402 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 403 | |
| 404 | for extension in self['single_extensions']: |
| 405 | name = extension['extn_id'].native |
| 406 | attribute_name = '_%s_value' % name |
| 407 | if hasattr(self, attribute_name): |
| 408 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 409 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 410 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 411 | |
| 412 | self._processed_extensions = True |
| 413 | |
| 414 | @property |
| 415 | def critical_extensions(self): |
| 416 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 417 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 418 | extensions marked as critical |
| 419 | |
| 420 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 421 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 422 | """ |
| 423 | |
| 424 | if not self._processed_extensions: |
| 425 | self._set_extensions() |
| 426 | return self._critical_extensions |
| 427 | |
| 428 | @property |
| 429 | def crl_value(self): |
| 430 | """ |
| 431 | This extension is used to locate the CRL that a certificate's revocation |
| 432 | is contained within. |
| 433 | |
| 434 | :return: |
| 435 | None or a CrlId object |
| 436 | """ |
| 437 | |
| 438 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 439 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 440 | return self._crl_value |
| 441 | |
| 442 | @property |
| 443 | def archive_cutoff_value(self): |
| 444 | """ |
| 445 | This extension is used to indicate the date at which an archived |
| 446 | (historical) certificate status entry will no longer be available. |
| 447 | |
| 448 | :return: |
| 449 | None or a GeneralizedTime object |
| 450 | """ |
| 451 | |
| 452 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 453 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 454 | return self._archive_cutoff_value |
| 455 | |
| 456 | @property |
| 457 | def crl_reason_value(self): |
| 458 | """ |
| 459 | This extension indicates the reason that a certificate was revoked. |
| 460 | |
| 461 | :return: |
| 462 | None or a CRLReason object |
| 463 | """ |
| 464 | |
| 465 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 466 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 467 | return self._crl_reason_value |
| 468 | |
| 469 | @property |
| 470 | def invalidity_date_value(self): |
| 471 | """ |
| 472 | This extension indicates the suspected date/time the private key was |
| 473 | compromised or the certificate became invalid. This would usually be |
| 474 | before the revocation date, which is when the CA processed the |
| 475 | revocation. |
| 476 | |
| 477 | :return: |
| 478 | None or a GeneralizedTime object |
| 479 | """ |
| 480 | |
| 481 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 482 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 483 | return self._invalidity_date_value |
| 484 | |
| 485 | @property |
| 486 | def certificate_issuer_value(self): |
| 487 | """ |
| 488 | This extension indicates the issuer of the certificate in question. |
| 489 | |
| 490 | :return: |
| 491 | None or an x509.GeneralNames object |
| 492 | """ |
| 493 | |
| 494 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 495 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 496 | return self._certificate_issuer_value |
| 497 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 498 | |
| 499 | class Responses(SequenceOf): |
| 500 | _child_spec = SingleResponse |
| 501 | |
| 502 | |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 503 | class ResponseDataExtensionId(ObjectIdentifier): |
| 504 | _map = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 505 | '1.3.6.1.5.5.7.48.1.2': 'nonce', |
| 506 | '1.3.6.1.5.5.7.48.1.9': 'extended_revoke', |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 507 | } |
| 508 | |
| 509 | |
| 510 | class ResponseDataExtension(Sequence): |
| 511 | _fields = [ |
| 512 | ('extn_id', ResponseDataExtensionId), |
| 513 | ('critical', Boolean, {'default': False}), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 514 | ('extn_value', ParsableOctetString), |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 515 | ] |
| 516 | |
| 517 | _oid_pair = ('extn_id', 'extn_value') |
| 518 | _oid_specs = { |
wbond | 65593fe | 2015-07-20 10:14:50 -0400 | [diff] [blame] | 519 | 'nonce': OctetString, |
| 520 | 'extended_revoke': Null, |
wbond | 90ec130 | 2015-07-20 09:10:50 -0400 | [diff] [blame] | 521 | } |
| 522 | |
| 523 | |
| 524 | class ResponseDataExtensions(SequenceOf): |
| 525 | _child_spec = ResponseDataExtension |
| 526 | |
| 527 | |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 528 | class ResponseData(Sequence): |
| 529 | _fields = [ |
| 530 | ('version', Version, {'tag_type': 'explicit', 'tag': 0, 'default': 'v1'}), |
| 531 | ('responder_id', ResponderId), |
| 532 | ('produced_at', GeneralizedTime), |
| 533 | ('responses', Responses), |
| 534 | ('response_extensions', ResponseDataExtensions, {'tag_type': 'explicit', 'tag': 1, 'optional': True}), |
| 535 | ] |
| 536 | |
| 537 | |
| 538 | class BasicOCSPResponse(Sequence): |
| 539 | _fields = [ |
| 540 | ('tbs_response_data', ResponseData), |
| 541 | ('signature_algorithm', SignedDigestAlgorithm), |
| 542 | ('signature', OctetBitString), |
| 543 | ('certs', Certificates, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 544 | ] |
| 545 | |
| 546 | |
| 547 | class ResponseBytes(Sequence): |
| 548 | _fields = [ |
| 549 | ('response_type', ResponseType), |
wbond | e5a1c6e | 2015-08-03 07:42:28 -0400 | [diff] [blame^] | 550 | ('response', ParsableOctetString), |
wbond | e91513e | 2015-06-03 14:52:18 -0400 | [diff] [blame] | 551 | ] |
| 552 | |
| 553 | _oid_pair = ('response_type', 'response') |
| 554 | _oid_specs = { |
| 555 | 'basic_ocsp_response': BasicOCSPResponse, |
| 556 | } |
| 557 | |
| 558 | |
| 559 | class OCSPResponse(Sequence): |
| 560 | _fields = [ |
| 561 | ('response_status', OCSPResponseStatus), |
| 562 | ('response_bytes', ResponseBytes, {'tag_type': 'explicit', 'tag': 0, 'optional': True}), |
| 563 | ] |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 564 | |
| 565 | _processed_extensions = False |
| 566 | _critical_extensions = None |
| 567 | _nonce_value = None |
| 568 | _extended_revoke_value = None |
| 569 | |
| 570 | def _set_extensions(self): |
| 571 | """ |
| 572 | Sets common named extensions to private attributes and creates a list |
| 573 | of critical extensions |
| 574 | """ |
| 575 | |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 576 | self._critical_extensions = set() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 577 | |
| 578 | for extension in self['response_bytes']['response'].parsed['tbs_response_data']['response_extensions']: |
| 579 | name = extension['extn_id'].native |
| 580 | attribute_name = '_%s_value' % name |
| 581 | if hasattr(self, attribute_name): |
| 582 | setattr(self, attribute_name, extension['extn_value'].parsed) |
| 583 | if extension['critical'].native: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 584 | self._critical_extensions.add(name) |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 585 | |
| 586 | self._processed_extensions = True |
| 587 | |
| 588 | @property |
| 589 | def critical_extensions(self): |
| 590 | """ |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 591 | Returns a set of the names (or OID if not a known extension) of the |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 592 | extensions marked as critical |
| 593 | |
| 594 | :return: |
wbond | 2fde645 | 2015-07-23 10:54:13 -0400 | [diff] [blame] | 595 | A set of unicode strings |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 596 | """ |
| 597 | |
| 598 | if not self._processed_extensions: |
| 599 | self._set_extensions() |
| 600 | return self._critical_extensions |
| 601 | |
| 602 | @property |
| 603 | def nonce_value(self): |
| 604 | """ |
| 605 | This extension is used to prevent replay attacks on the request/response |
| 606 | exchange |
| 607 | |
| 608 | :return: |
| 609 | None or an OctetString object |
| 610 | """ |
| 611 | |
| 612 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 613 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 614 | return self._nonce_value |
| 615 | |
| 616 | @property |
| 617 | def extended_revoke_value(self): |
| 618 | """ |
| 619 | This extension is used to signal that the responder will return a |
| 620 | "revoked" status for non-issued certificates. |
| 621 | |
| 622 | :return: |
| 623 | None or a Null object (if present) |
| 624 | """ |
| 625 | |
| 626 | if self._processed_extensions is False: |
wbond | ad218f9 | 2015-07-20 10:43:16 -0400 | [diff] [blame] | 627 | self._set_extensions() |
wbond | bcb6264 | 2015-07-20 10:16:27 -0400 | [diff] [blame] | 628 | return self._extended_revoke_value |