Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 26c425dd74d941b0d010325f8f150d898585a015 / . / docs / x509 / ocsp.rst
blob: b706b323817f487b465dd8f695f9f7f62ff086cc [file] [log] [blame]
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]1OCSP
2====
3
4.. currentmodule:: cryptography.x509.ocsp
5
6.. testsetup::
7
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]8 import base64
9 pem_cert = b"""
10 -----BEGIN CERTIFICATE-----
11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
42 -----END CERTIFICATE-----
43 """
44 pem_issuer = b"""
45 -----BEGIN CERTIFICATE-----
46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
68 gP8L8mJMcCaY
69 -----END CERTIFICATE-----
70 """
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]71 der_ocsp_req = (
72 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
73 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
74 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
75 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
76 )
77
78OCSP (Online Certificate Status Protocol) is a method of checking the
79revocation status of certificates. It is specified in :rfc:`6960`, as well
80as other obsoleted RFCs.
81
82
83Loading Requests
84~~~~~~~~~~~~~~~~
85
86.. function:: load_der_ocsp_request(data)
87
88 .. versionadded:: 2.4
89
90 Deserialize an OCSP request from DER encoded data.
91
92 :param bytes data: The DER encoded OCSP request data.
93
94 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
95
96 .. doctest::
97
98 >>> from cryptography.x509 import ocsp
99 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]100 >>> print(ocsp_req.serial_number)
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]101 872625873161273451176241581705670534707360122361
102
103
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]104Creating Requests
105~~~~~~~~~~~~~~~~~
106
107.. class:: OCSPRequestBuilder
108
109 .. versionadded:: 2.4
110
111 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
112 objects.
113
114
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]115 .. method:: add_certificate(cert, issuer, algorithm)
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]116
117 Adds a request using a certificate, issuer certificate, and hash
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]118 algorithm. This can only be called once.
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]119
120 :param cert: The :class:`~cryptography.x509.Certificate` whose validity
121 is being checked.
122
123 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
124 the certificate that is being checked.
125
126 :param algorithm: A
127 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
128 instance. For OCSP only
129 :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
130 :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
131 :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
132 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
133 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.
134
135 .. method:: build()
136
137 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
138
139 .. doctest::
140
141 >>> from cryptography.hazmat.backends import default_backend
142 >>> from cryptography.hazmat.primitives import serialization
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]143 >>> from cryptography.hazmat.primitives.hashes import SHA1
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]144 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
145 >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
146 >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
147 >>> builder = ocsp.OCSPRequestBuilder()
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]148 >>> # SHA1 is in this example because RFC 5019 mandates its use.
149 >>> builder = builder.add_certificate(cert, issuer, SHA1())
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]150 >>> req = builder.build()
151 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]152 b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]153
154
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]155Interfaces
156~~~~~~~~~~
157
158.. class:: OCSPRequest
159
160 .. versionadded:: 2.4
161
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]162 An ``OCSPRequest`` is an object containing information about a certificate
163 whose status is being checked.
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]164
165 .. attribute:: issuer_key_hash
166
167 :type: bytes
168
169 The hash of the certificate issuer's key. The hash algorithm used
170 is defined by the ``hash_algorithm`` property.
171
172 .. attribute:: issuer_name_hash
173
174 :type: bytes
175
176 The hash of the certificate issuer's name. The hash algorithm used
177 is defined by the ``hash_algorithm`` property.
178
179 .. attribute:: hash_algorithm
180
181 :type: An instance of a
182 :class:`~cryptography.hazmat.primitives.hashes.Hash`
183
184 The algorithm used to generate the ``issuer_key_hash`` and
185 ``issuer_name_hash``.
186
187 .. attribute:: serial_number
188
189 :type: int
190
191 The serial number of the certificate to check.
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]192
193 .. method:: public_bytes(encoding)
194
195 :param encoding: The encoding to use. Only
196 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
197 is supported.
198
199 :return bytes: The serialized OCSP request.
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]200
201.. class:: OCSPResponse
202
203 .. versionadded:: 2.4
204
205 An ``OCSPResponse`` is the data provided by an OCSP responder in response
206 to an ``OCSPRequest``.
207
208 .. attribute:: response_status
209
210 :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`
211
212 The status of the response.
213
214 .. attribute:: signature_algorithm_oid
215
216 :type: :class:`~cryptography.x509.ObjectIdentifier`
217
218 Returns the object identifier of the signature algorithm used
219 to sign the response. This will be one of the OIDs from
220 :class:`~cryptography.x509.oid.SignatureAlgorithmOID`.
221
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]222 :raises ValueError: If ``response_status`` is not
223 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
224
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]225 .. attribute:: signature
226
227 :type: bytes
228
229 The signature bytes.
230
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]231 :raises ValueError: If ``response_status`` is not
232 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
233
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]234 .. attribute:: tbs_response_bytes
235
236 :type: bytes
237
238 The DER encoded bytes payload that is hashed and then signed. This
239 data may be used to validate the signature on the OCSP response.
240
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]241 :raises ValueError: If ``response_status`` is not
242 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
243
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]244 .. attribute:: certificates
245
246 :type: list
247
248 A list of zero or more :class:`~cryptography.x509.Certificate` objects
249 used to help build a chain to verify the OCSP response. This situation
250 occurs when the OCSP responder uses a delegate certificate.
251
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]252 :raises ValueError: If ``response_status`` is not
253 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
254
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]255 .. attribute:: responder_key_hash
256
257 :type: bytes or None
258
259 The responder's key hash or ``None`` if the response has a
260 ``responder_name``.
261
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]262 :raises ValueError: If ``response_status`` is not
263 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
264
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]265 .. attribute:: responder_name
266
267 :type: :class:`~cryptography.x509.Name` or None
268
269 The responder's ``Name`` or ``None`` if the response has a
270 ``responder_key_hash``.
271
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]272 :raises ValueError: If ``response_status`` is not
273 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
274
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]275 .. attribute:: produced_at
276
277 :type: :class:`datetime.datetime`
278
279 A naïve datetime representing the time when the response was produced.
280
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]281 :raises ValueError: If ``response_status`` is not
282 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
283
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]284 .. attribute:: certificate_status
285
286 :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`
287
288 The status of the certificate being checked.
289
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]290 :raises ValueError: If ``response_status`` is not
291 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
292
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]293 .. attribute:: revocation_time
294
295 :type: :class:`datetime.datetime` or None
296
297 A naïve datetime representing the time when the certificate was revoked
298 or ``None`` if the certificate has not been revoked.
299
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]300 :raises ValueError: If ``response_status`` is not
301 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
302
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]303 .. attribute:: revocation_reason
304
305 :type: :class:`~cryptography.x509.ReasonFlags` or None
306
307 The reason the certificate was revoked or ``None`` if not specified or
308 not revoked.
309
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]310 :raises ValueError: If ``response_status`` is not
311 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
312
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]313 .. attribute:: this_update
314
315 :type: :class:`datetime.datetime`
316
317 A naïve datetime representing the most recent time at which the status
318 being indicated is known by the responder to have been correct.
319
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]320 :raises ValueError: If ``response_status`` is not
321 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
322
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]323 .. attribute:: next_update
324
325 :type: :class:`datetime.datetime`
326
327 A naïve datetime representing the time when newer information will
328 be available.
329
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]330 :raises ValueError: If ``response_status`` is not
331 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
332
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]333 .. attribute:: issuer_key_hash
334
335 :type: bytes
336
337 The hash of the certificate issuer's key. The hash algorithm used
338 is defined by the ``hash_algorithm`` property.
339
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]340 :raises ValueError: If ``response_status`` is not
341 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
342
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]343 .. attribute:: issuer_name_hash
344
345 :type: bytes
346
347 The hash of the certificate issuer's name. The hash algorithm used
348 is defined by the ``hash_algorithm`` property.
349
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]350 :raises ValueError: If ``response_status`` is not
351 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
352
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]353 .. attribute:: hash_algorithm
354
355 :type: An instance of a
356 :class:`~cryptography.hazmat.primitives.hashes.Hash`
357
358 The algorithm used to generate the ``issuer_key_hash`` and
359 ``issuer_name_hash``.
360
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]361 :raises ValueError: If ``response_status`` is not
362 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
363
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]364 .. attribute:: serial_number
365
366 :type: int
367
368 The serial number of the certificate that was checked.
369
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame^]370 :raises ValueError: If ``response_status`` is not
371 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
372
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]373
374.. class:: OCSPResponseStatus
375
376 .. versionadded:: 2.4
377
378 An enumeration of response statuses.
379
380 .. attribute:: SUCCESSFUL
381
382 Represents a successful OCSP response.
383
384 .. attribute:: MALFORMED_REQUEST
385
386 May be returned by an OCSP responder that is unable to parse a
387 given request.
388
389 .. attribute:: INTERNAL_ERROR
390
391 May be returned by an OCSP responder that is currently experiencing
392 operational problems.
393
394 .. attribute:: TRY_LATER
395
396 May be returned by an OCSP responder that is overloaded.
397
398 .. attribute:: SIG_REQUIRED
399
400 May be returned by an OCSP responder that requires signed OCSP
401 requests.
402
403 .. attribute:: UNAUTHORIZED
404
405 May be returned by an OCSP responder when queried for a certificate for
406 which the responder is unaware or an issuer for which the responder is
407 not authoritative.
408
409
410.. class:: OCSPCertStatus
411
412 .. versionadded:: 2.4
413
414 An enumeration of certificate statuses in an OCSP response.
415
416 .. attribute:: GOOD
417
418 The value for a certificate that is not revoked.
419
420 .. attribute:: REVOKED
421
422 The certificate being checked is revoked.
423
424 .. attribute:: UNKNOWN
425
426 The certificate being checked is not known to the OCSP responder.