Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d3601b1ab171bdcaf5cb4377e4394ebd31d49a92 / . / docs / x509 / ocsp.rst
blob: edf4f5ae3357b34f661008f06db2e9c899a1be68 [file] [log] [blame]
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]1OCSP
2====
3
4.. currentmodule:: cryptography.x509.ocsp
5
6.. testsetup::
7
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]8 import base64
9 pem_cert = b"""
10 -----BEGIN CERTIFICATE-----
11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
42 -----END CERTIFICATE-----
43 """
44 pem_issuer = b"""
45 -----BEGIN CERTIFICATE-----
46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
68 gP8L8mJMcCaY
69 -----END CERTIFICATE-----
70 """
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]71 der_ocsp_req = (
72 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
73 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
74 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
75 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
76 )
77
78OCSP (Online Certificate Status Protocol) is a method of checking the
79revocation status of certificates. It is specified in :rfc:`6960`, as well
80as other obsoleted RFCs.
81
82
83Loading Requests
84~~~~~~~~~~~~~~~~
85
86.. function:: load_der_ocsp_request(data)
87
88 .. versionadded:: 2.4
89
90 Deserialize an OCSP request from DER encoded data.
91
92 :param bytes data: The DER encoded OCSP request data.
93
94 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
95
96 .. doctest::
97
98 >>> from cryptography.x509 import ocsp
99 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]100 >>> print(ocsp_req.serial_number)
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]101 872625873161273451176241581705670534707360122361
102
103
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]104Creating Requests
105~~~~~~~~~~~~~~~~~
106
107.. class:: OCSPRequestBuilder
108
109 .. versionadded:: 2.4
110
111 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
112 objects.
113
114
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]115 .. method:: add_certificate(cert, issuer, algorithm)
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]116
117 Adds a request using a certificate, issuer certificate, and hash
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]118 algorithm. This can only be called once.
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]119
120 :param cert: The :class:`~cryptography.x509.Certificate` whose validity
121 is being checked.
122
123 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
124 the certificate that is being checked.
125
126 :param algorithm: A
127 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
128 instance. For OCSP only
129 :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
130 :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
131 :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
132 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
133 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.
134
135 .. method:: build()
136
137 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
138
139 .. doctest::
140
141 >>> from cryptography.hazmat.backends import default_backend
142 >>> from cryptography.hazmat.primitives import serialization
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]143 >>> from cryptography.hazmat.primitives.hashes import SHA1
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]144 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
145 >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
146 >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
147 >>> builder = ocsp.OCSPRequestBuilder()
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]148 >>> # SHA1 is in this example because RFC 5019 mandates its use.
149 >>> builder = builder.add_certificate(cert, issuer, SHA1())
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]150 >>> req = builder.build()
151 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]152 b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]153
154
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]155Interfaces
156~~~~~~~~~~
157
158.. class:: OCSPRequest
159
160 .. versionadded:: 2.4
161
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]162 An ``OCSPRequest`` is an object containing information about a certificate
163 whose status is being checked.
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]164
165 .. attribute:: issuer_key_hash
166
167 :type: bytes
168
169 The hash of the certificate issuer's key. The hash algorithm used
170 is defined by the ``hash_algorithm`` property.
171
172 .. attribute:: issuer_name_hash
173
174 :type: bytes
175
176 The hash of the certificate issuer's name. The hash algorithm used
177 is defined by the ``hash_algorithm`` property.
178
179 .. attribute:: hash_algorithm
180
181 :type: An instance of a
182 :class:`~cryptography.hazmat.primitives.hashes.Hash`
183
184 The algorithm used to generate the ``issuer_key_hash`` and
185 ``issuer_name_hash``.
186
187 .. attribute:: serial_number
188
189 :type: int
190
191 The serial number of the certificate to check.
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]192
193 .. method:: public_bytes(encoding)
194
195 :param encoding: The encoding to use. Only
196 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
197 is supported.
198
199 :return bytes: The serialized OCSP request.
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame^]200
201.. class:: OCSPResponse
202
203 .. versionadded:: 2.4
204
205 An ``OCSPResponse`` is the data provided by an OCSP responder in response
206 to an ``OCSPRequest``.
207
208 .. attribute:: response_status
209
210 :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`
211
212 The status of the response.
213
214 .. attribute:: signature_algorithm_oid
215
216 :type: :class:`~cryptography.x509.ObjectIdentifier`
217
218 Returns the object identifier of the signature algorithm used
219 to sign the response. This will be one of the OIDs from
220 :class:`~cryptography.x509.oid.SignatureAlgorithmOID`.
221
222 .. attribute:: signature
223
224 :type: bytes
225
226 The signature bytes.
227
228 .. attribute:: tbs_response_bytes
229
230 :type: bytes
231
232 The DER encoded bytes payload that is hashed and then signed. This
233 data may be used to validate the signature on the OCSP response.
234
235 .. attribute:: certificates
236
237 :type: list
238
239 A list of zero or more :class:`~cryptography.x509.Certificate` objects
240 used to help build a chain to verify the OCSP response. This situation
241 occurs when the OCSP responder uses a delegate certificate.
242
243 .. attribute:: responder_key_hash
244
245 :type: bytes or None
246
247 The responder's key hash or ``None`` if the response has a
248 ``responder_name``.
249
250 .. attribute:: responder_name
251
252 :type: :class:`~cryptography.x509.Name` or None
253
254 The responder's ``Name`` or ``None`` if the response has a
255 ``responder_key_hash``.
256
257 .. attribute:: produced_at
258
259 :type: :class:`datetime.datetime`
260
261 A naïve datetime representing the time when the response was produced.
262
263 .. attribute:: certificate_status
264
265 :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`
266
267 The status of the certificate being checked.
268
269 .. attribute:: revocation_time
270
271 :type: :class:`datetime.datetime` or None
272
273 A naïve datetime representing the time when the certificate was revoked
274 or ``None`` if the certificate has not been revoked.
275
276 .. attribute:: revocation_reason
277
278 :type: :class:`~cryptography.x509.ReasonFlags` or None
279
280 The reason the certificate was revoked or ``None`` if not specified or
281 not revoked.
282
283 .. attribute:: this_update
284
285 :type: :class:`datetime.datetime`
286
287 A naïve datetime representing the most recent time at which the status
288 being indicated is known by the responder to have been correct.
289
290 .. attribute:: next_update
291
292 :type: :class:`datetime.datetime`
293
294 A naïve datetime representing the time when newer information will
295 be available.
296
297 .. attribute:: issuer_key_hash
298
299 :type: bytes
300
301 The hash of the certificate issuer's key. The hash algorithm used
302 is defined by the ``hash_algorithm`` property.
303
304 .. attribute:: issuer_name_hash
305
306 :type: bytes
307
308 The hash of the certificate issuer's name. The hash algorithm used
309 is defined by the ``hash_algorithm`` property.
310
311 .. attribute:: hash_algorithm
312
313 :type: An instance of a
314 :class:`~cryptography.hazmat.primitives.hashes.Hash`
315
316 The algorithm used to generate the ``issuer_key_hash`` and
317 ``issuer_name_hash``.
318
319 .. attribute:: serial_number
320
321 :type: int
322
323 The serial number of the certificate that was checked.
324
325
326.. class:: OCSPResponseStatus
327
328 .. versionadded:: 2.4
329
330 An enumeration of response statuses.
331
332 .. attribute:: SUCCESSFUL
333
334 Represents a successful OCSP response.
335
336 .. attribute:: MALFORMED_REQUEST
337
338 May be returned by an OCSP responder that is unable to parse a
339 given request.
340
341 .. attribute:: INTERNAL_ERROR
342
343 May be returned by an OCSP responder that is currently experiencing
344 operational problems.
345
346 .. attribute:: TRY_LATER
347
348 May be returned by an OCSP responder that is overloaded.
349
350 .. attribute:: SIG_REQUIRED
351
352 May be returned by an OCSP responder that requires signed OCSP
353 requests.
354
355 .. attribute:: UNAUTHORIZED
356
357 May be returned by an OCSP responder when queried for a certificate for
358 which the responder is unaware or an issuer for which the responder is
359 not authoritative.
360
361
362.. class:: OCSPCertStatus
363
364 .. versionadded:: 2.4
365
366 An enumeration of certificate statuses in an OCSP response.
367
368 .. attribute:: GOOD
369
370 The value for a certificate that is not revoked.
371
372 .. attribute:: REVOKED
373
374 The certificate being checked is revoked.
375
376 .. attribute:: UNKNOWN
377
378 The certificate being checked is not known to the OCSP responder.