Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / edfedc135cbce685e96e7386654e99eb1c43362b / . / docs / x509 / ocsp.rst
blob: 14d9bb849530239f01fa64fe780be702dbcd32be [file] [log] [blame]
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]1OCSP
2====
3
4.. currentmodule:: cryptography.x509.ocsp
5
6.. testsetup::
7
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]8 import base64
9 pem_cert = b"""
10 -----BEGIN CERTIFICATE-----
11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
42 -----END CERTIFICATE-----
43 """
44 pem_issuer = b"""
45 -----BEGIN CERTIFICATE-----
46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
68 gP8L8mJMcCaY
69 -----END CERTIFICATE-----
70 """
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]71 der_ocsp_req = (
72 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
73 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
74 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
75 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
76 )
77
78OCSP (Online Certificate Status Protocol) is a method of checking the
79revocation status of certificates. It is specified in :rfc:`6960`, as well
80as other obsoleted RFCs.
81
82
83Loading Requests
84~~~~~~~~~~~~~~~~
85
86.. function:: load_der_ocsp_request(data)
87
88 .. versionadded:: 2.4
89
90 Deserialize an OCSP request from DER encoded data.
91
92 :param bytes data: The DER encoded OCSP request data.
93
94 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`.
95
96 .. doctest::
97
98 >>> from cryptography.x509 import ocsp
99 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]100 >>> print(ocsp_req.serial_number)
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]101 872625873161273451176241581705670534707360122361
102
103
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]104Creating Requests
105~~~~~~~~~~~~~~~~~
106
107.. class:: OCSPRequestBuilder
108
109 .. versionadded:: 2.4
110
111 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest`
112 objects.
113
114
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]115 .. method:: add_certificate(cert, issuer, algorithm)
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]116
117 Adds a request using a certificate, issuer certificate, and hash
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]118 algorithm. This can only be called once.
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]119
120 :param cert: The :class:`~cryptography.x509.Certificate` whose validity
121 is being checked.
122
123 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of
124 the certificate that is being checked.
125
126 :param algorithm: A
127 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
128 instance. For OCSP only
129 :class:`~cryptography.hazmat.primitives.hashes.SHA1`,
130 :class:`~cryptography.hazmat.primitives.hashes.SHA224`,
131 :class:`~cryptography.hazmat.primitives.hashes.SHA256`,
132 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and
133 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed.
134
135 .. method:: build()
136
137 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`.
138
139 .. doctest::
140
141 >>> from cryptography.hazmat.backends import default_backend
142 >>> from cryptography.hazmat.primitives import serialization
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]143 >>> from cryptography.hazmat.primitives.hashes import SHA1
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]144 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp
145 >>> cert = load_pem_x509_certificate(pem_cert, default_backend())
146 >>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
147 >>> builder = ocsp.OCSPRequestBuilder()
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]148 >>> # SHA1 is in this example because RFC 5019 mandates its use.
149 >>> builder = builder.add_certificate(cert, issuer, SHA1())
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]150 >>> req = builder.build()
151 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]152 b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
Paul Kehrer002fa752018-08-30 10:41:32 -0400[diff] [blame]153
154
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]155Interfaces
156~~~~~~~~~~
157
158.. class:: OCSPRequest
159
160 .. versionadded:: 2.4
161
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]162 An ``OCSPRequest`` is an object containing information about a certificate
163 whose status is being checked.
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]164
165 .. attribute:: issuer_key_hash
166
167 :type: bytes
168
169 The hash of the certificate issuer's key. The hash algorithm used
170 is defined by the ``hash_algorithm`` property.
171
172 .. attribute:: issuer_name_hash
173
174 :type: bytes
175
176 The hash of the certificate issuer's name. The hash algorithm used
177 is defined by the ``hash_algorithm`` property.
178
179 .. attribute:: hash_algorithm
180
Paul Kehreredfedc12018-09-14 18:24:20 -0400[diff] [blame^]181 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer732cf642018-08-15 18:04:28 -0500[diff] [blame]182
183 The algorithm used to generate the ``issuer_key_hash`` and
184 ``issuer_name_hash``.
185
186 .. attribute:: serial_number
187
188 :type: int
189
190 The serial number of the certificate to check.
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]191
Paul Kehrer09403102018-09-09 21:57:21 -0500[diff] [blame]192 .. attribute:: extensions
193
194 :type: :class:`~cryptography.x509.Extensions`
195
196 The extensions encoded in the request.
197
Paul Kehrer0f629bb2018-08-31 10:47:56 -0400[diff] [blame]198 .. method:: public_bytes(encoding)
199
200 :param encoding: The encoding to use. Only
201 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
202 is supported.
203
204 :return bytes: The serialized OCSP request.
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]205
206.. class:: OCSPResponse
207
208 .. versionadded:: 2.4
209
210 An ``OCSPResponse`` is the data provided by an OCSP responder in response
211 to an ``OCSPRequest``.
212
213 .. attribute:: response_status
214
215 :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus`
216
217 The status of the response.
218
219 .. attribute:: signature_algorithm_oid
220
221 :type: :class:`~cryptography.x509.ObjectIdentifier`
222
223 Returns the object identifier of the signature algorithm used
224 to sign the response. This will be one of the OIDs from
225 :class:`~cryptography.x509.oid.SignatureAlgorithmOID`.
226
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]227 :raises ValueError: If ``response_status`` is not
228 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
229
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]230 .. attribute:: signature
231
232 :type: bytes
233
234 The signature bytes.
235
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]236 :raises ValueError: If ``response_status`` is not
237 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
238
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]239 .. attribute:: tbs_response_bytes
240
241 :type: bytes
242
243 The DER encoded bytes payload that is hashed and then signed. This
244 data may be used to validate the signature on the OCSP response.
245
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]246 :raises ValueError: If ``response_status`` is not
247 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
248
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]249 .. attribute:: certificates
250
251 :type: list
252
253 A list of zero or more :class:`~cryptography.x509.Certificate` objects
254 used to help build a chain to verify the OCSP response. This situation
255 occurs when the OCSP responder uses a delegate certificate.
256
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]257 :raises ValueError: If ``response_status`` is not
258 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
259
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]260 .. attribute:: responder_key_hash
261
262 :type: bytes or None
263
264 The responder's key hash or ``None`` if the response has a
265 ``responder_name``.
266
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]267 :raises ValueError: If ``response_status`` is not
268 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
269
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]270 .. attribute:: responder_name
271
272 :type: :class:`~cryptography.x509.Name` or None
273
274 The responder's ``Name`` or ``None`` if the response has a
275 ``responder_key_hash``.
276
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]277 :raises ValueError: If ``response_status`` is not
278 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
279
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]280 .. attribute:: produced_at
281
282 :type: :class:`datetime.datetime`
283
284 A naïve datetime representing the time when the response was produced.
285
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]286 :raises ValueError: If ``response_status`` is not
287 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
288
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]289 .. attribute:: certificate_status
290
291 :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus`
292
293 The status of the certificate being checked.
294
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]295 :raises ValueError: If ``response_status`` is not
296 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
297
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]298 .. attribute:: revocation_time
299
300 :type: :class:`datetime.datetime` or None
301
302 A naïve datetime representing the time when the certificate was revoked
303 or ``None`` if the certificate has not been revoked.
304
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]305 :raises ValueError: If ``response_status`` is not
306 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
307
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]308 .. attribute:: revocation_reason
309
310 :type: :class:`~cryptography.x509.ReasonFlags` or None
311
312 The reason the certificate was revoked or ``None`` if not specified or
313 not revoked.
314
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]315 :raises ValueError: If ``response_status`` is not
316 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
317
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]318 .. attribute:: this_update
319
320 :type: :class:`datetime.datetime`
321
322 A naïve datetime representing the most recent time at which the status
323 being indicated is known by the responder to have been correct.
324
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]325 :raises ValueError: If ``response_status`` is not
326 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
327
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]328 .. attribute:: next_update
329
330 :type: :class:`datetime.datetime`
331
332 A naïve datetime representing the time when newer information will
333 be available.
334
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]335 :raises ValueError: If ``response_status`` is not
336 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
337
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]338 .. attribute:: issuer_key_hash
339
340 :type: bytes
341
342 The hash of the certificate issuer's key. The hash algorithm used
343 is defined by the ``hash_algorithm`` property.
344
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]345 :raises ValueError: If ``response_status`` is not
346 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
347
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]348 .. attribute:: issuer_name_hash
349
350 :type: bytes
351
352 The hash of the certificate issuer's name. The hash algorithm used
353 is defined by the ``hash_algorithm`` property.
354
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]355 :raises ValueError: If ``response_status`` is not
356 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
357
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]358 .. attribute:: hash_algorithm
359
Paul Kehreredfedc12018-09-14 18:24:20 -0400[diff] [blame^]360 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]361
362 The algorithm used to generate the ``issuer_key_hash`` and
363 ``issuer_name_hash``.
364
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]365 :raises ValueError: If ``response_status`` is not
366 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
367
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]368 .. attribute:: serial_number
369
370 :type: int
371
372 The serial number of the certificate that was checked.
373
Paul Kehrer26c425d2018-09-01 16:58:26 -0400[diff] [blame]374 :raises ValueError: If ``response_status`` is not
375 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`.
376
Paul Kehrerd3601b12018-09-01 11:58:24 -0400[diff] [blame]377
378.. class:: OCSPResponseStatus
379
380 .. versionadded:: 2.4
381
382 An enumeration of response statuses.
383
384 .. attribute:: SUCCESSFUL
385
386 Represents a successful OCSP response.
387
388 .. attribute:: MALFORMED_REQUEST
389
390 May be returned by an OCSP responder that is unable to parse a
391 given request.
392
393 .. attribute:: INTERNAL_ERROR
394
395 May be returned by an OCSP responder that is currently experiencing
396 operational problems.
397
398 .. attribute:: TRY_LATER
399
400 May be returned by an OCSP responder that is overloaded.
401
402 .. attribute:: SIG_REQUIRED
403
404 May be returned by an OCSP responder that requires signed OCSP
405 requests.
406
407 .. attribute:: UNAUTHORIZED
408
409 May be returned by an OCSP responder when queried for a certificate for
410 which the responder is unaware or an issuer for which the responder is
411 not authoritative.
412
413
414.. class:: OCSPCertStatus
415
416 .. versionadded:: 2.4
417
418 An enumeration of certificate statuses in an OCSP response.
419
420 .. attribute:: GOOD
421
422 The value for a certificate that is not revoked.
423
424 .. attribute:: REVOKED
425
426 The certificate being checked is revoked.
427
428 .. attribute:: UNKNOWN
429
430 The certificate being checked is not known to the OCSP responder.