Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 09403100de2f6f1cdd0d484dcb8e620f1c335c8f / . / docs / x509 / ocsp.rst
blob: 163a6a8abca74a050e7f99381450eec97133fec5 [file] [log] [blame]
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]1OCSP
2====
3
4.. currentmodule:: cryptography.x509.ocsp
5
6.. testsetup::
7
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]8 import base64
9 pem_cert = b"""
10 -----BEGIN CERTIFICATE-----
11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
42 -----END CERTIFICATE-----
43 """
44 pem_issuer = b"""
45 -----BEGIN CERTIFICATE-----
46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
68 gP8L8mJMcCaY
69 -----END CERTIFICATE-----
70 """
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]71 der_ocsp_req = (
72 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
73 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
74 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
75 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
76 )
77
78OCSP (Online Certificate Status Protocol) is a method of checking the
79revocation status of certificates. It is specified in :rfc:`6960`, as well
80as other obsoleted RFCs.
81
82
83Loading Requests
84~~~~~~~~~~~~~~~~
85
86.. function:: load_der_ocsp_request(data)
87
88 .. versionadded:: 2.4
89
90 Deserialize an OCSP request from DER encoded data.
91
92 :param bytes data: The DER encoded OCSP request data.
93
94 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
95
96 .. doctest::
97
98 >>> from cryptography.x509 import ocsp
99 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]100 >>> print(ocsp_req.serial_number)
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]101 872625873161273451176241581705670534707360122361
102
103
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]104Creating Requests
105~~~~~~~~~~~~~~~~~
106
107.. class:: OCSPRequestBuilder
108
109 .. versionadded:: 2.4
110
111 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
112 objects.
113
114
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]115 .. method:: add_certificate(cert, issuer, algorithm)
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]116
117 Adds a request using a certificate, issuer certificate, and hash
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]118 algorithm. This can only be called once.
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]119
120 :param cert: The :class:`~cryptography.x509.Certificate` whose validity
121 is being checked.
122
123 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
124 the certificate that is being checked.
125
126 :param algorithm: A
127 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
128 instance. For OCSP only
129 :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
130 :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
131 :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
132 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
133 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.
134
135 .. method:: build()
136
137 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
138
139 .. doctest::
140
141 >>> from cryptography.hazmat.backends import default_backend
142 >>> from cryptography.hazmat.primitives import serialization
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]143 >>> from cryptography.hazmat.primitives.hashes import SHA1
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]144 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
145 >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
146 >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
147 >>> builder = ocsp.OCSPRequestBuilder()
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]148 >>> # SHA1 is in this example because RFC 5019 mandates its use.
149 >>> builder = builder.add_certificate(cert, issuer, SHA1())
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]150 >>> req = builder.build()
151 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]152 b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]153
154
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]155Interfaces
156~~~~~~~~~~
157
158.. class:: OCSPRequest
159
160 .. versionadded:: 2.4
161
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]162 An ``OCSPRequest`` is an object containing information about a certificate
163 whose status is being checked.
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]164
165 .. attribute:: issuer_key_hash
166
167 :type: bytes
168
169 The hash of the certificate issuer's key. The hash algorithm used
170 is defined by the ``hash_algorithm`` property.
171
172 .. attribute:: issuer_name_hash
173
174 :type: bytes
175
176 The hash of the certificate issuer's name. The hash algorithm used
177 is defined by the ``hash_algorithm`` property.
178
179 .. attribute:: hash_algorithm
180
181 :type: An instance of a
182 :class:`~cryptography.hazmat.primitives.hashes.Hash`
183
184 The algorithm used to generate the ``issuer_key_hash`` and
185 ``issuer_name_hash``.
186
187 .. attribute:: serial_number
188
189 :type: int
190
191 The serial number of the certificate to check.
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]192
Paul Kehrer09403102018-09-09 21:57:21 -0500[diff] [blame^]193 .. attribute:: extensions
194
195 :type: :class:`~cryptography.x509.Extensions`
196
197 The extensions encoded in the request.
198
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]199 .. method:: public_bytes(encoding)
200
201 :param encoding: The encoding to use. Only
202 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
203 is supported.
204
205 :return bytes: The serialized OCSP request.
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]206
207.. class:: OCSPResponse
208
209 .. versionadded:: 2.4
210
211 An ``OCSPResponse`` is the data provided by an OCSP responder in response
212 to an ``OCSPRequest``.
213
214 .. attribute:: response_status
215
216 :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`
217
218 The status of the response.
219
220 .. attribute:: signature_algorithm_oid
221
222 :type: :class:`~cryptography.x509.ObjectIdentifier`
223
224 Returns the object identifier of the signature algorithm used
225 to sign the response. This will be one of the OIDs from
226 :class:`~cryptography.x509.oid.SignatureAlgorithmOID`.
227
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]228 :raises ValueError: If ``response_status`` is not
229 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
230
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]231 .. attribute:: signature
232
233 :type: bytes
234
235 The signature bytes.
236
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]237 :raises ValueError: If ``response_status`` is not
238 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
239
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]240 .. attribute:: tbs_response_bytes
241
242 :type: bytes
243
244 The DER encoded bytes payload that is hashed and then signed. This
245 data may be used to validate the signature on the OCSP response.
246
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]247 :raises ValueError: If ``response_status`` is not
248 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
249
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]250 .. attribute:: certificates
251
252 :type: list
253
254 A list of zero or more :class:`~cryptography.x509.Certificate` objects
255 used to help build a chain to verify the OCSP response. This situation
256 occurs when the OCSP responder uses a delegate certificate.
257
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]258 :raises ValueError: If ``response_status`` is not
259 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
260
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]261 .. attribute:: responder_key_hash
262
263 :type: bytes or None
264
265 The responder's key hash or ``None`` if the response has a
266 ``responder_name``.
267
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]268 :raises ValueError: If ``response_status`` is not
269 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
270
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]271 .. attribute:: responder_name
272
273 :type: :class:`~cryptography.x509.Name` or None
274
275 The responder's ``Name`` or ``None`` if the response has a
276 ``responder_key_hash``.
277
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]278 :raises ValueError: If ``response_status`` is not
279 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
280
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]281 .. attribute:: produced_at
282
283 :type: :class:`datetime.datetime`
284
285 A naïve datetime representing the time when the response was produced.
286
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]287 :raises ValueError: If ``response_status`` is not
288 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
289
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]290 .. attribute:: certificate_status
291
292 :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`
293
294 The status of the certificate being checked.
295
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]296 :raises ValueError: If ``response_status`` is not
297 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
298
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]299 .. attribute:: revocation_time
300
301 :type: :class:`datetime.datetime` or None
302
303 A naïve datetime representing the time when the certificate was revoked
304 or ``None`` if the certificate has not been revoked.
305
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]306 :raises ValueError: If ``response_status`` is not
307 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
308
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]309 .. attribute:: revocation_reason
310
311 :type: :class:`~cryptography.x509.ReasonFlags` or None
312
313 The reason the certificate was revoked or ``None`` if not specified or
314 not revoked.
315
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]316 :raises ValueError: If ``response_status`` is not
317 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
318
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]319 .. attribute:: this_update
320
321 :type: :class:`datetime.datetime`
322
323 A naïve datetime representing the most recent time at which the status
324 being indicated is known by the responder to have been correct.
325
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]326 :raises ValueError: If ``response_status`` is not
327 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
328
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]329 .. attribute:: next_update
330
331 :type: :class:`datetime.datetime`
332
333 A naïve datetime representing the time when newer information will
334 be available.
335
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]336 :raises ValueError: If ``response_status`` is not
337 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
338
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]339 .. attribute:: issuer_key_hash
340
341 :type: bytes
342
343 The hash of the certificate issuer's key. The hash algorithm used
344 is defined by the ``hash_algorithm`` property.
345
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]346 :raises ValueError: If ``response_status`` is not
347 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
348
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]349 .. attribute:: issuer_name_hash
350
351 :type: bytes
352
353 The hash of the certificate issuer's name. The hash algorithm used
354 is defined by the ``hash_algorithm`` property.
355
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]356 :raises ValueError: If ``response_status`` is not
357 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
358
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]359 .. attribute:: hash_algorithm
360
361 :type: An instance of a
362 :class:`~cryptography.hazmat.primitives.hashes.Hash`
363
364 The algorithm used to generate the ``issuer_key_hash`` and
365 ``issuer_name_hash``.
366
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]367 :raises ValueError: If ``response_status`` is not
368 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
369
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]370 .. attribute:: serial_number
371
372 :type: int
373
374 The serial number of the certificate that was checked.
375
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]376 :raises ValueError: If ``response_status`` is not
377 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
378
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]379
380.. class:: OCSPResponseStatus
381
382 .. versionadded:: 2.4
383
384 An enumeration of response statuses.
385
386 .. attribute:: SUCCESSFUL
387
388 Represents a successful OCSP response.
389
390 .. attribute:: MALFORMED_REQUEST
391
392 May be returned by an OCSP responder that is unable to parse a
393 given request.
394
395 .. attribute:: INTERNAL_ERROR
396
397 May be returned by an OCSP responder that is currently experiencing
398 operational problems.
399
400 .. attribute:: TRY_LATER
401
402 May be returned by an OCSP responder that is overloaded.
403
404 .. attribute:: SIG_REQUIRED
405
406 May be returned by an OCSP responder that requires signed OCSP
407 requests.
408
409 .. attribute:: UNAUTHORIZED
410
411 May be returned by an OCSP responder when queried for a certificate for
412 which the responder is unaware or an issuer for which the responder is
413 not authoritative.
414
415
416.. class:: OCSPCertStatus
417
418 .. versionadded:: 2.4
419
420 An enumeration of certificate statuses in an OCSP response.
421
422 .. attribute:: GOOD
423
424 The value for a certificate that is not revoked.
425
426 .. attribute:: REVOKED
427
428 The certificate being checked is revoked.
429
430 .. attribute:: UNKNOWN
431
432 The certificate being checked is not known to the OCSP responder.