add OCSP basic response extension parsing (#4479)
* add OCSP basic response extension parsing
Just nonce for now. This does not support SINGLERESP extension parsing.
* also raises on extensions for non-successful
* empty commit
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst
index b203022..bf06413 100644
--- a/docs/x509/ocsp.rst
+++ b/docs/x509/ocsp.rst
@@ -395,6 +395,11 @@
:raises ValueError: If ``response_status`` is not
:class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
+ .. attribute:: extensions
+
+ :type: :class:`~cryptography.x509.Extensions`
+
+ The extensions encoded in the response.
.. class:: OCSPResponseStatus
diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
index 8030998..b13fa05 100644
--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -817,6 +817,10 @@
OCSPExtensionOID.NONCE: _decode_nonce,
}
+_OCSP_BASICRESP_EXTENSION_HANDLERS = {
+ OCSPExtensionOID.NONCE: _decode_nonce,
+}
+
_CERTIFICATE_EXTENSION_PARSER_NO_SCT = _X509ExtensionParser(
ext_count=lambda backend, x: backend._lib.X509_get_ext_count(x),
get_ext=lambda backend, x, i: backend._lib.X509_get_ext(x, i),
@@ -852,3 +856,9 @@
get_ext=lambda backend, x, i: backend._lib.OCSP_REQUEST_get_ext(x, i),
handlers=_OCSP_REQ_EXTENSION_HANDLERS,
)
+
+_OCSP_BASICRESP_EXT_PARSER = _X509ExtensionParser(
+ ext_count=lambda backend, x: backend._lib.OCSP_BASICRESP_get_ext_count(x),
+ get_ext=lambda backend, x, i: backend._lib.OCSP_BASICRESP_get_ext(x, i),
+ handlers=_OCSP_BASICRESP_EXTENSION_HANDLERS,
+)
diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
index f3f18cb..413214e 100644
--- a/src/cryptography/hazmat/backends/openssl/ocsp.py
+++ b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -9,7 +9,8 @@
from cryptography import utils, x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.backends.openssl.decode_asn1 import (
- _CRL_ENTRY_REASON_CODE_TO_ENUM, _OCSP_REQ_EXT_PARSER, _asn1_integer_to_int,
+ _CRL_ENTRY_REASON_CODE_TO_ENUM, _OCSP_BASICRESP_EXT_PARSER,
+ _OCSP_REQ_EXT_PARSER, _asn1_integer_to_int,
_asn1_string_to_bytes, _decode_x509_name, _obj2txt,
_parse_asn1_generalized_time,
)
@@ -300,6 +301,11 @@
def serial_number(self):
return _serial_number(self._backend, self._cert_id)
+ @utils.cached_property
+ @_requires_successful_response
+ def extensions(self):
+ return _OCSP_BASICRESP_EXT_PARSER.parse(self._backend, self._basic)
+
@utils.register_interface(OCSPRequest)
class _OCSPRequest(object):
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
index 7907bca..fbf1133 100644
--- a/src/cryptography/x509/ocsp.py
+++ b/src/cryptography/x509/ocsp.py
@@ -232,3 +232,9 @@
"""
The serial number of the cert whose status is being checked
"""
+
+ @abc.abstractproperty
+ def extensions(self):
+ """
+ The list of response extensions. Not single response extensions.
+ """
diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
index aeaa6e6..0d98ac2 100644
--- a/tests/x509/test_ocsp.py
+++ b/tests/x509/test_ocsp.py
@@ -207,6 +207,7 @@
)
assert isinstance(resp.hash_algorithm, hashes.SHA1)
assert resp.serial_number == 271024907440004808294641238224534273948400
+ assert len(resp.extensions) == 0
def test_load_unauthorized(self):
resp = _load_data(
@@ -246,6 +247,8 @@
assert resp.hash_algorithm
with pytest.raises(ValueError):
assert resp.serial_number
+ with pytest.raises(ValueError):
+ assert resp.extensions
def test_load_revoked(self):
resp = _load_data(
@@ -283,3 +286,15 @@
ocsp.load_der_ocsp_response,
)
assert resp.revocation_reason is x509.ReasonFlags.superseded
+
+ def test_response_extensions(self):
+ resp = _load_data(
+ os.path.join("x509", "ocsp", "resp-revoked-reason.der"),
+ ocsp.load_der_ocsp_response,
+ )
+ assert len(resp.extensions) == 1
+ ext = resp.extensions[0]
+ assert ext.critical is False
+ assert ext.value == x509.OCSPNonce(
+ b'\x04\x105\x957\x9fa\x03\x83\x87\x89rW\x8f\xae\x99\xf7"'
+ )