1OCSP
2====
3
4.. currentmodule:: cryptography.x509.ocsp
5
6.. testsetup::
7
8 import base64
9 pem_cert = b"""
10 -----BEGIN CERTIFICATE-----
11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
42 -----END CERTIFICATE-----
43 """
44 pem_issuer = b"""
45 -----BEGIN CERTIFICATE-----
46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
68 gP8L8mJMcCaY
69 -----END CERTIFICATE-----
70 """
71 der_ocsp_req = (
72 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
73 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
74 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
75 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
76 )
77
78OCSP (Online Certificate Status Protocol) is a method of checking the
79revocation status of certificates. It is specified in :rfc:`6960`, as well
80as in earlier RFCs that are now obsolete.
81
82
83Loading Requests
84~~~~~~~~~~~~~~~~
85
86.. function:: load_der_ocsp_request(data)
87
88 .. versionadded:: 2.4
89
90 Deserialize an OCSP request from DER encoded data.
91
92 :param bytes data: The DER encoded OCSP request data.
93
94 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
95
96 .. doctest::
97
98 >>> from cryptography.x509 import ocsp
99 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
100 >>> for request in ocsp_req:
101 ... print(request.serial_number)
102 872625873161273451176241581705670534707360122361
103
104
105Creating Requests
106~~~~~~~~~~~~~~~~~
107
108.. class:: OCSPRequestBuilder
109
110 .. versionadded:: 2.4
111
112 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
113 objects.
114
115
116 .. method:: add_request(cert, issuer, algorithm)
117
118 Adds a request using a certificate, issuer certificate, and hash
119 algorithm.
120
121 :param cert: The :class:`~cryptography.x509.Certificate` whose
122 revocation status is being checked.
123
124 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
125 the certificate that is being checked.
126
127 :param algorithm: A
128 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
129 instance. For OCSP only
130 :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
131 :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
132 :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
133 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
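134 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed. The algorithm is used to compute the ``issuer_name_hash`` and ``issuer_key_hash`` values that identify the certificate in the request; it is an identifier hash, not a signature over the request.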
135
136 .. method:: build()
137
138 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
139
140 .. doctest::
141
142 >>> from cryptography.hazmat.backends import default_backend
143 >>> from cryptography.hazmat.primitives import serialization
144 >>> from cryptography.hazmat.primitives.hashes import SHA256
145 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
146 >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
147 >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
148 >>> builder = ocsp.OCSPRequestBuilder()
149 >>> builder = builder.add_request(cert, issuer, SHA256())
150 >>> req = builder.build()
151 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
152 b'MF8wXTBbMFkwVzANBglghkgBZQMEAgEFAAQgn3BowBaoh77h17ULfkX6781dUDPD82Taj8wO1jZWhZoEINxPgjoQth3w7q4AouKKerMxIMIuUG4EuWU2pZfwih52AgI/IA=='
153
154
155Interfaces
156~~~~~~~~~~
157
158.. class:: OCSPRequest
159
160 .. versionadded:: 2.4
161
162 An ``OCSPRequest`` is an iterable containing one or more
163 :class:`~cryptography.x509.ocsp.Request` objects.
164
165 .. method:: public_bytes(encoding)
166
167 :param encoding: The encoding to use. Only
168 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
169 is supported.
170
171 :return bytes: The serialized OCSP request.
172
173.. class:: Request
174
175 .. versionadded:: 2.4
176
177 A ``Request`` contains several attributes that together form a unique
178 identifier for the certificate whose status is being checked. It may also
179 contain additional extensions (currently unsupported).
180
181 .. attribute:: issuer_key_hash
182
183 :type: bytes
184
185 The hash of the certificate issuer's key. The hash algorithm used
186 is defined by the ``hash_algorithm`` property.
187
188 .. attribute:: issuer_name_hash
189
190 :type: bytes
191
192 The hash of the certificate issuer's name. The hash algorithm used
193 is defined by the ``hash_algorithm`` property.
194
195 .. attribute:: hash_algorithm
196
197 :type: An instance of a
198 :class:`~cryptography.hazmat.primitives.hashes.Hash`
199
200 The algorithm used to generate the ``issuer_key_hash`` and
201 ``issuer_name_hash``.
202
203 .. attribute:: serial_number
204
205 :type: int
206
207 The serial number of the certificate to check.