1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
|
# ocspbuilder API Documentation
- [`OCSPRequestBuilder()`](#ocsprequestbuilder-class)
- [`OCSPResponseBuilder()`](#ocspresponsebuilder-class)
### `OCSPRequestBuilder()` class
> ##### constructor
>
> > ```python
> > def __init__(self, certificate, issuer):
> > """
> > :param certificate:
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate
> > object to create the request for
> >
> > :param issuer:
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate
> > object for the issuer of the certificate
> > """
> > ```
>
> ##### `.certificate` attribute
>
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate object
> > of the certificate to create the request for.
>
> ##### `.issuer` attribute
>
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate object
> > of the issuer.
>
> ##### `.hash_algo` attribute
>
> > A unicode string of the hash algorithm to use when signing the
> > request - "sha1", "sha256" (default) or "sha512".
>
> ##### `.key_hash_algo` attribute
>
> > A unicode string of the hash algorithm to use when creating the
> > certificate identifier - "sha1" (default), or "sha256".
>
> ##### `.nonce` attribute
>
> > A bool - if the nonce extension should be used to prevent replay
> > attacks.
>
> ##### `.set_extension()` method
>
> > ```python
> > def set_extension(self, name, value):
> > """
> > :param name:
> > A unicode string of an extension id name from
> > asn1crypto.ocsp.TBSRequestExtensionId or
> > asn1crypto.ocsp.RequestExtensionId. If the extension is not one
> > defined in those classes, this must be an instance of one of the
> > classes instead of a unicode string.
> >
> > :param value:
> > A value object per the specs defined by
> > asn1crypto.ocsp.TBSRequestExtension or
> > asn1crypto.ocsp.RequestExtension
> > """
> > ```
> >
> > Sets the value for an extension using a fully constructed
> > asn1crypto.core.Asn1Value object. Normally this should not be needed,
> > and the convenience attributes should be sufficient.
> >
> > See the definition of asn1crypto.ocsp.TBSRequestExtension and
> > asn1crypto.ocsp.RequestExtension to determine the appropriate object
> > type for a given extension. Extensions are marked as critical when RFC
> > 6960 indicates so.
>
> ##### `.build()` method
>
> > ```python
> > def build(self, requestor_private_key=None, requestor_certificate=None, other_certificates=None):
> > """
> > :param requestor_private_key:
> > An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey
> > object for the private key to sign the request with
> >
> > :param requestor_certificate:
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate
> > object of the certificate associated with the private key
> >
> > :param other_certificates:
> > A list of asn1crypto.x509.Certificate or
> > oscrypto.asymmetric.Certificate objects that may be useful for the
> > OCSP server to verify the request signature. Intermediate
> > certificates would be specified here.
> >
> > :return:
> > An asn1crypto.ocsp.OCSPRequest object of the request
> > """
> > ```
> >
> > Validates the request information, constructs the ASN.1 structure and
> > then optionally signs it.
> >
> > The requestor_private_key, requestor_certificate and other_certificates
> > params are all optional and only necessary if the request needs to be
> > signed. Signing a request is uncommon for OCSP requests related to web
> > TLS connections.
### `OCSPResponseBuilder()` class
> ##### constructor
>
> > ```python
> > def __init__(self, response_status, certificate=None, certificate_status=None, revocation_date=None):
> > """
> > :param response_status:
> > A unicode string of OCSP response type:
> >
> > - "successful" - when the response includes information about the certificate
> > - "malformed_request" - when the request could not be understood
> > - "internal_error" - when an internal error occured with the OCSP responder
> > - "try_later" - when the OCSP responder is temporarily unavailable
> > - "sign_required" - when the OCSP request must be signed
> > - "unauthorized" - when the responder is not the correct responder for the certificate
> >
> > :param certificate:
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate
> > object of the certificate the response is about. Only required if
> > the response_status is "successful".
> >
> > :param certificate_status:
> > A unicode string of the status of the certificate. Only required if
> > the response_status is "successful".
> >
> > - "good" - when the certificate is in good standing
> > - "revoked" - when the certificate is revoked without a reason code
> > - "key_compromise" - when a private key is compromised
> > - "ca_compromise" - when the CA issuing the certificate is compromised
> > - "affiliation_changed" - when the certificate subject name changed
> > - "superseded" - when the certificate was replaced with a new one
> > - "cessation_of_operation" - when the certificate is no longer needed
> > - "certificate_hold" - when the certificate is temporarily invalid
> > - "remove_from_crl" - only delta CRLs - when temporary hold is removed
> > - "privilege_withdrawn" - one of the usages for a certificate was removed
> > - "unknown" - the responder doesn't know about the certificate being requested
> >
> > :param revocation_date:
> > A datetime.datetime object of when the certificate was revoked, if
> > the response_status is "successful" and the certificate status is
> > not "good" or "unknown".
> > """
> > ```
> >
> > Unless changed, responses will use SHA-256 for the signature,
> > and will be valid from the moment created for one week.
>
> ##### `.response_status` attribute
>
> > The overall status of the response. Only a "successful" response will
> > include information about the certificate. Other response types are for
> > signaling info about the OCSP responder. Valid values include:
> >
> > - "successful" - when the response includes information about the certificate
> > - "malformed_request" - when the request could not be understood
> > - "internal_error" - when an internal error occured with the OCSP responder
> > - "try_later" - when the OCSP responder is temporarily unavailable
> > - "sign_required" - when the OCSP request must be signed
> > - "unauthorized" - when the responder is not the correct responder for the certificate
>
> ##### `.certificate` attribute
>
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate object
> > of the certificate the response is about.
>
> ##### `.certificate_status` attribute
>
> > A unicode string of the status of the certificate. Valid values include:
> >
> > - "good" - when the certificate is in good standing
> > - "revoked" - when the certificate is revoked without a reason code
> > - "key_compromise" - when a private key is compromised
> > - "ca_compromise" - when the CA issuing the certificate is compromised
> > - "affiliation_changed" - when the certificate subject name changed
> > - "superseded" - when the certificate was replaced with a new one
> > - "cessation_of_operation" - when the certificate is no longer needed
> > - "certificate_hold" - when the certificate is temporarily invalid
> > - "remove_from_crl" - only delta CRLs - when temporary hold is removed
> > - "privilege_withdrawn" - one of the usages for a certificate was removed
> > - "unknown" - when the responder doesn't know about the certificate being requested
>
> ##### `.revocation_date` attribute
>
> > A datetime.datetime object of when the certificate was revoked, if the
> > status is not "good" or "unknown".
>
> ##### `.certificate_issuer` attribute
>
> > An asn1crypto.x509.Certificate object of the issuer of the certificate.
> > This should only be set if the OCSP responder is not the issuer of
> > the certificate, but instead a special certificate only for OCSP
> > responses.
>
> ##### `.hash_algo` attribute
>
> > A unicode string of the hash algorithm to use when signing the
> > request - "sha1", "sha256" (default) or "sha512".
>
> ##### `.key_hash_algo` attribute
>
> > A unicode string of the hash algorithm to use when creating the
> > certificate identifier - "sha1" (default), or "sha256".
>
> ##### `.nonce` attribute
>
> > The nonce that was provided during the request.
>
> ##### `.this_update` attribute
>
> > A datetime.datetime object of when the response was generated.
>
> ##### `.next_update` attribute
>
> > A datetime.datetime object of when the response may next change. This
> > should only be set if responses are cached. If responses are generated
> > fresh on every request, this should not be set.
>
> ##### `.set_extension()` method
>
> > ```python
> > def set_extension(self, name, value):
> > """
> > :param name:
> > A unicode string of an extension id name from
> > asn1crypto.ocsp.SingleResponseExtensionId or
> > asn1crypto.ocsp.ResponseDataExtensionId. If the extension is not one
> > defined in those classes, this must be an instance of one of the
> > classes instead of a unicode string.
> >
> > :param value:
> > A value object per the specs defined by
> > asn1crypto.ocsp.SingleResponseExtension or
> > asn1crypto.ocsp.ResponseDataExtension
> > """
> > ```
> >
> > Sets the value for an extension using a fully constructed
> > asn1crypto.core.Asn1Value object. Normally this should not be needed,
> > and the convenience attributes should be sufficient.
> >
> > See the definition of asn1crypto.ocsp.SingleResponseExtension and
> > asn1crypto.ocsp.ResponseDataExtension to determine the appropriate
> > object type for a given extension. Extensions are marked as critical
> > when RFC 6960 indicates so.
>
> ##### `.build()` method
>
> > ```python
> > def build(self, responder_private_key=None, responder_certificate=None):
> > """
> > :param responder_private_key:
> > An asn1crypto.keys.PrivateKeyInfo or oscrypto.asymmetric.PrivateKey
> > object for the private key to sign the response with
> >
> > :param responder_certificate:
> > An asn1crypto.x509.Certificate or oscrypto.asymmetric.Certificate
> > object of the certificate associated with the private key
> >
> > :return:
> > An asn1crypto.ocsp.OCSPResponse object of the response
> > """
> > ```
> >
> > Validates the request information, constructs the ASN.1 structure and
> > signs it.
> >
> > The responder_private_key and responder_certificate parameters are only
> > required if the response_status is "successful".
|
