docs/x509/ocsp.rst

OCSP
====

.. currentmodule:: cryptography.x509.ocsp

.. testsetup::

    import base64
    pem_cert = b"""
    -----BEGIN CERTIFICATE-----
    MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
    FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
    NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
    BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
    L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
    bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
    LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
    itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
    PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
    CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
    6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
    3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
    r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
    ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
    diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
    gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
    YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
    FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
    8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
    aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
    LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
    BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
    dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
    bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
    LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
    CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
    dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
    Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
    7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
    aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
    GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
    -----END CERTIFICATE-----
    """
    pem_issuer = b"""
    -----BEGIN CERTIFICATE-----
    MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
    YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
    EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
    U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
    VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
    SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
    1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
    DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
    QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
    YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
    qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
    VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
    JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
    BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
    MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
    dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
    rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
    fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
    kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
    uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
    ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
    gP8L8mJMcCaY
    -----END CERTIFICATE-----
    """
    der_ocsp_req = (
        b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
        b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
        b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
        b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
    )
    der_ocsp_resp_unauth = b"0\x03\n\x01\x06"

OCSP (Online Certificate Status Protocol) is a method of checking the
revocation status of certificates. It is specified in :rfc:`6960`, as well
as other obsoleted RFCs.


Loading Requests
~~~~~~~~~~~~~~~~

.. function:: load_der_ocsp_request(data)

    .. versionadded:: 2.4

    Deserialize an OCSP request from DER encoded data.

    :param bytes data: The DER encoded OCSP request data.

    :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.

    .. doctest::

        >>> from cryptography.x509 import ocsp
        >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
        >>> print(ocsp_req.serial_number)
        872625873161273451176241581705670534707360122361


Creating Requests
~~~~~~~~~~~~~~~~~

.. class:: OCSPRequestBuilder

    .. versionadded:: 2.4

    This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
    objects.


    .. method:: add_certificate(cert, issuer, algorithm)

        Adds a request using a certificate, issuer certificate, and hash
        algorithm. This can only be called once.

        :param cert: The :class:`~cryptography.x509.Certificate` whose validity
            is being checked.

        :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
            the certificate that is being checked.

        :param algorithm: A
            :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
            instance. For OCSP only
            :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
            :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
            :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
            :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
            :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.

    .. method:: add_extension(extension, critical)

        Adds an extension to the request.

        :param extension: An extension conforming to the
            :class:`~cryptography.x509.ExtensionType` interface.

        :param critical: Set to ``True`` if the extension must be understood and
             handled.

    .. method:: build()

        :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.

    .. doctest::

        >>> from cryptography.hazmat.backends import default_backend
        >>> from cryptography.hazmat.primitives import serialization
        >>> from cryptography.hazmat.primitives.hashes import SHA1
        >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
        >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
        >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
        >>> builder = ocsp.OCSPRequestBuilder()
        >>> # SHA1 is in this example because RFC 5019 mandates its use.
        >>> builder = builder.add_certificate(cert, issuer, SHA1())
        >>> req = builder.build()
        >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
        b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'

Loading Responses
~~~~~~~~~~~~~~~~~

.. function:: load_der_ocsp_response(data)

    .. versionadded:: 2.4

    Deserialize an OCSP response from DER encoded data.

    :param bytes data: The DER encoded OCSP response data.

    :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPResponse`.

    .. doctest::

        >>> from cryptography.x509 import ocsp
        >>> ocsp_resp = ocsp.load_der_ocsp_response(der_ocsp_resp_unauth)
        >>> print(ocsp_resp.response_status)
        OCSPResponseStatus.UNAUTHORIZED


Interfaces
~~~~~~~~~~

.. class:: OCSPRequest

    .. versionadded:: 2.4

    An ``OCSPRequest`` is an object containing information about a certificate
    whose status is being checked.

    .. attribute:: issuer_key_hash

        :type: bytes

        The hash of the certificate issuer's key. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: issuer_name_hash

        :type: bytes

        The hash of the certificate issuer's name. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

    .. attribute:: hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        The algorithm used to generate the ``issuer_key_hash`` and
        ``issuer_name_hash``.

    .. attribute:: serial_number

        :type: int

        The serial number of the certificate to check.

    .. attribute:: extensions

        :type: :class:`~cryptography.x509.Extensions`

        The extensions encoded in the request.

    .. method:: public_bytes(encoding)

        :param encoding: The encoding to use. Only
            :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
            is supported.

        :return bytes: The serialized OCSP request.

.. class:: OCSPResponse

    .. versionadded:: 2.4

    An ``OCSPResponse`` is the data provided by an OCSP responder in response
    to an ``OCSPRequest``.

    .. attribute:: response_status

        :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`

        The status of the response.

    .. attribute:: signature_algorithm_oid

        :type: :class:`~cryptography.x509.ObjectIdentifier`

        Returns the object identifier of the signature algorithm used
        to sign the response. This will be one of the OIDs from
        :class:`~cryptography.x509.oid.SignatureAlgorithmOID`.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: signature

        :type: bytes

        The signature bytes.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: tbs_response_bytes

        :type: bytes

        The DER encoded bytes payload that is hashed and then signed. This
        data may be used to validate the signature on the OCSP response.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: certificates

        :type: list

        A list of zero or more :class:`~cryptography.x509.Certificate` objects
        used to help build a chain to verify the OCSP response. This situation
        occurs when the OCSP responder uses a delegate certificate.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: responder_key_hash

        :type: bytes or None

        The responder's key hash or ``None`` if the response has a
        ``responder_name``.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: responder_name

        :type: :class:`~cryptography.x509.Name` or None

        The responder's ``Name`` or ``None`` if the response has a
        ``responder_key_hash``.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: produced_at

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time when the response was produced.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: certificate_status

        :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`

        The status of the certificate being checked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: revocation_time

        :type: :class:`datetime.datetime` or None

        A naïve datetime representing the time when the certificate was revoked
        or ``None`` if the certificate has not been revoked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: revocation_reason

        :type: :class:`~cryptography.x509.ReasonFlags` or None

        The reason the certificate was revoked or ``None`` if not specified or
        not revoked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: this_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the most recent time at which the status
        being indicated is known by the responder to have been correct.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: next_update

        :type: :class:`datetime.datetime`

        A naïve datetime representing the time when newer information will
        be available.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: issuer_key_hash

        :type: bytes

        The hash of the certificate issuer's key. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: issuer_name_hash

        :type: bytes

        The hash of the certificate issuer's name. The hash algorithm used
        is defined by the ``hash_algorithm`` property.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: hash_algorithm

        :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`

        The algorithm used to generate the ``issuer_key_hash`` and
        ``issuer_name_hash``.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: serial_number

        :type: int

        The serial number of the certificate that was checked.

        :raises ValueError: If ``response_status`` is not
            :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.

    .. attribute:: extensions

        :type: :class:`~cryptography.x509.Extensions`

        The extensions encoded in the response.

.. class:: OCSPResponseStatus

    .. versionadded:: 2.4

    An enumeration of response statuses.

    .. attribute:: SUCCESSFUL

        Represents a successful OCSP response.

    .. attribute:: MALFORMED_REQUEST

        May be returned by an OCSP responder that is unable to parse a
        given request.

    .. attribute:: INTERNAL_ERROR

        May be returned by an OCSP responder that is currently experiencing
        operational problems.

    .. attribute:: TRY_LATER

        May be returned by an OCSP responder that is overloaded.

    .. attribute:: SIG_REQUIRED

        May be returned by an OCSP responder that requires signed OCSP
        requests.

    .. attribute:: UNAUTHORIZED

        May be returned by an OCSP responder when queried for a certificate for
        which the responder is unaware or an issuer for which the responder is
        not authoritative.


.. class:: OCSPCertStatus

    .. versionadded:: 2.4

    An enumeration of certificate statuses in an OCSP response.

    .. attribute:: GOOD

        The value for a certificate that is not revoked.

    .. attribute:: REVOKED

        The certificate being checked is revoked.

    .. attribute:: UNKNOWN

        The certificate being checked is not known to the OCSP responder.