1OCSP 2==== 3 4.. currentmodule:: cryptography.x509.ocsp 5 6.. testsetup:: 7 8 import base64 9 pem_cert = b""" 10 -----BEGIN CERTIFICATE----- 11 MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx 12 FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1 13 NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR 14 BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t 15 L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh 16 bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5 17 LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s 18 itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR 19 PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ 20 CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu 21 6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y 22 3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/ 23 r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW 24 ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx 25 diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi 26 gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu 27 YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74 28 FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc 29 8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT 30 aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi 31 LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB 32 BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw 33 dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv 34 bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw 35 LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G 36 CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc 37 dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt 38 Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF 39 7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH 40 aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i 41 GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP 42 -----END CERTIFICATE----- 43 """ 44 pem_issuer = b""" 45 -----BEGIN CERTIFICATE----- 46 MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT 47 MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i 48 YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG 49 EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg 50 U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv 51 VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp 52 SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS 53 1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ 54 DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM 55 QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp 56 YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7 57 qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD 58 VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig 59 JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF 60 BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF 61 MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry 62 dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs 63 rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp 64 fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B 65 kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH 66 uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O 67 ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh 68 gP8L8mJMcCaY 69 -----END CERTIFICATE----- 70 """ 71 pem_responder_cert = b""" 72 -----BEGIN CERTIFICATE----- 73 MIIBPjCB5KADAgECAgQHW80VMAoGCCqGSM49BAMCMCcxCzAJBgNVBAYTAlVTMRgw 74 FgYDVQQDDA9DcnlwdG9ncmFwaHkgQ0EwHhcNMTgxMDA3MTIzNTEwWhcNMjgxMDA0 75 MTIzNTEwWjAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPQ3J5cHRvZ3JhcGh5IENB 76 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbQ2E0N/E3R0zEG+qa+yAFXBY6Fte 77 QzyvFdq7EZHDktlyUllaVJBrbX1ItV0MlayFwwQPhZmuLPpQBzuVKyrUfTAKBggq 78 hkjOPQQDAgNJADBGAiEAo0NQRmfPvhWQpSvJzV+2Ag441Zeckk+bib7swduQIjIC 79 IQCqYD9pArB2SWfmhQCSZkNEATlsPIML8lvlSkbNcrmrqQ== 80 -----END CERTIFICATE----- 81 """ 82 pem_responder_key = b""" 83 -----BEGIN PRIVATE KEY----- 84 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgO+vsRu8xDIVZE+xh 85 s8ESqJqcpJlwmj8CtF8HPHxrDSGhRANCAARtDYTQ38TdHTMQb6pr7IAVcFjoW15D 86 PK8V2rsRkcOS2XJSWVpUkGttfUi1XQyVrIXDBA+Fma4s+lAHO5UrKtR9 87 -----END PRIVATE KEY----- 88 """ 89 der_ocsp_req = ( 90 b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c" 91 b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb" 92 b",\xdez\t\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3" 93 b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9" 94 ) 95 der_ocsp_resp_unauth = b"0\x03\n\x01\x06" 96 97OCSP (Online Certificate Status Protocol) is a method of checking the 98revocation status of certificates. It is specified in :rfc:`6960`, as well 99as other obsoleted RFCs. 100 101 102Loading Requests 103~~~~~~~~~~~~~~~~ 104 105.. function:: load_der_ocsp_request(data) 106 107 .. versionadded:: 2.4 108 109 Deserialize an OCSP request from DER encoded data. 110 111 :param bytes data: The DER encoded OCSP request data. 112 113 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPRequest`. 114 115 .. doctest:: 116 117 >>> from cryptography.x509 import ocsp 118 >>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req) 119 >>> print(ocsp_req.serial_number) 120 872625873161273451176241581705670534707360122361 121 122 123Creating Requests 124~~~~~~~~~~~~~~~~~ 125 126.. class:: OCSPRequestBuilder 127 128 .. versionadded:: 2.4 129 130 This class is used to create :class:`~cryptography.x509.ocsp.OCSPRequest` 131 objects. 132 133 134 .. method:: add_certificate(cert, issuer, algorithm) 135 136 Adds a request using a certificate, issuer certificate, and hash 137 algorithm. This can only be called once. 138 139 :param cert: The :class:`~cryptography.x509.Certificate` whose validity 140 is being checked. 141 142 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of 143 the certificate that is being checked. 144 145 :param algorithm: A 146 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 147 instance. For OCSP only 148 :class:`~cryptography.hazmat.primitives.hashes.SHA1`, 149 :class:`~cryptography.hazmat.primitives.hashes.SHA224`, 150 :class:`~cryptography.hazmat.primitives.hashes.SHA256`, 151 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and 152 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed. 153 154 .. method:: add_extension(extension, critical) 155 156 Adds an extension to the request. 157 158 :param extension: An extension conforming to the 159 :class:`~cryptography.x509.ExtensionType` interface. 160 161 :param critical: Set to ``True`` if the extension must be understood and 162 handled. 163 164 .. method:: build() 165 166 :returns: A new :class:`~cryptography.x509.ocsp.OCSPRequest`. 167 168 .. doctest:: 169 170 >>> from cryptography.hazmat.primitives import serialization 171 >>> from cryptography.hazmat.primitives.hashes import SHA1 172 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp 173 >>> cert = load_pem_x509_certificate(pem_cert) 174 >>> issuer = load_pem_x509_certificate(pem_issuer) 175 >>> builder = ocsp.OCSPRequestBuilder() 176 >>> # SHA1 is in this example because RFC 5019 mandates its use. 177 >>> builder = builder.add_certificate(cert, issuer, SHA1()) 178 >>> req = builder.build() 179 >>> base64.b64encode(req.public_bytes(serialization.Encoding.DER)) 180 b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g' 181 182Loading Responses 183~~~~~~~~~~~~~~~~~ 184 185.. function:: load_der_ocsp_response(data) 186 187 .. versionadded:: 2.4 188 189 Deserialize an OCSP response from DER encoded data. 190 191 :param bytes data: The DER encoded OCSP response data. 192 193 :returns: An instance of :class:`~cryptography.x509.ocsp.OCSPResponse`. 194 195 .. doctest:: 196 197 >>> from cryptography.x509 import ocsp 198 >>> ocsp_resp = ocsp.load_der_ocsp_response(der_ocsp_resp_unauth) 199 >>> print(ocsp_resp.response_status) 200 OCSPResponseStatus.UNAUTHORIZED 201 202 203Creating Responses 204~~~~~~~~~~~~~~~~~~ 205 206.. class:: OCSPResponseBuilder 207 208 .. versionadded:: 2.4 209 210 This class is used to create :class:`~cryptography.x509.ocsp.OCSPResponse` 211 objects. You cannot set ``produced_at`` on OCSP responses at this time. 212 Instead the field is set to current UTC time when calling ``sign``. For 213 unsuccessful statuses call the class method 214 :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.build_unsuccessful`. 215 216 .. method:: add_response(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason) 217 218 This method adds status information about the certificate that was 219 requested to the response. 220 221 :param cert: The :class:`~cryptography.x509.Certificate` whose validity 222 is being checked. 223 224 :param issuer: The issuer :class:`~cryptography.x509.Certificate` of 225 the certificate that is being checked. 226 227 :param algorithm: A 228 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 229 instance. For OCSP only 230 :class:`~cryptography.hazmat.primitives.hashes.SHA1`, 231 :class:`~cryptography.hazmat.primitives.hashes.SHA224`, 232 :class:`~cryptography.hazmat.primitives.hashes.SHA256`, 233 :class:`~cryptography.hazmat.primitives.hashes.SHA384`, and 234 :class:`~cryptography.hazmat.primitives.hashes.SHA512` are allowed. 235 236 :param cert_status: An item from the 237 :class:`~cryptography.x509.ocsp.OCSPCertStatus` enumeration. 238 239 :param this_update: A naïve :class:`datetime.datetime` object 240 representing the most recent time in UTC at which the status being 241 indicated is known by the responder to be correct. 242 243 :param next_update: A naïve :class:`datetime.datetime` object or 244 ``None``. The time in UTC at or before which newer information will 245 be available about the status of the certificate. 246 247 :param revocation_time: A naïve :class:`datetime.datetime` object or 248 ``None`` if the ``cert`` is not revoked. The time in UTC at which 249 the certificate was revoked. 250 251 :param revocation_reason: An item from the 252 :class:`~cryptography.x509.ReasonFlags` enumeration or ``None`` if 253 the ``cert`` is not revoked. 254 255 .. method:: certificates(certs) 256 257 Add additional certificates that should be used to verify the 258 signature on the response. This is typically used when the responder 259 utilizes an OCSP delegate. 260 261 :param list certs: A list of :class:`~cryptography.x509.Certificate` 262 objects. 263 264 .. method:: responder_id(encoding, responder_cert) 265 266 Set the ``responderID`` on the OCSP response. This is the data a 267 client will use to determine what certificate signed the response. 268 269 :param responder_cert: The :class:`~cryptography.x509.Certificate` 270 object for the certificate whose private key will sign the 271 OCSP response. If the certificate and key do not match an 272 error will be raised when calling ``sign``. 273 :param encoding: Either 274 :attr:`~cryptography.x509.ocsp.OCSPResponderEncoding.HASH` or 275 :attr:`~cryptography.x509.ocsp.OCSPResponderEncoding.NAME`. 276 277 .. method:: add_extension(extension, critical) 278 279 Adds an extension to the response. 280 281 :param extension: An extension conforming to the 282 :class:`~cryptography.x509.ExtensionType` interface. 283 284 :param critical: Set to ``True`` if the extension must be understood and 285 handled. 286 287 .. method:: sign(private_key, algorithm) 288 289 Creates the OCSP response that can then be serialized and sent to 290 clients. This method will create a 291 :attr:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL` response. 292 293 :param private_key: The 294 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, 295 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, 296 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`, 297 :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` or 298 :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey` 299 that will be used to sign the certificate. 300 301 :param algorithm: The 302 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` that 303 will be used to generate the signature. This must be ``None`` if 304 the ``private_key`` is an 305 :class:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey` 306 or an 307 :class:`~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey` 308 and an instance of a 309 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 310 otherwise. 311 312 :returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`. 313 314 .. doctest:: 315 316 >>> import datetime 317 >>> from cryptography.hazmat.primitives import hashes, serialization 318 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp 319 >>> cert = load_pem_x509_certificate(pem_cert) 320 >>> issuer = load_pem_x509_certificate(pem_issuer) 321 >>> responder_cert = load_pem_x509_certificate(pem_responder_cert) 322 >>> responder_key = serialization.load_pem_private_key(pem_responder_key, None) 323 >>> builder = ocsp.OCSPResponseBuilder() 324 >>> # SHA1 is in this example because RFC 5019 mandates its use. 325 >>> builder = builder.add_response( 326 ... cert=cert, issuer=issuer, algorithm=hashes.SHA1(), 327 ... cert_status=ocsp.OCSPCertStatus.GOOD, 328 ... this_update=datetime.datetime.now(), 329 ... next_update=datetime.datetime.now(), 330 ... revocation_time=None, revocation_reason=None 331 ... ).responder_id( 332 ... ocsp.OCSPResponderEncoding.HASH, responder_cert 333 ... ) 334 >>> response = builder.sign(responder_key, hashes.SHA256()) 335 >>> response.certificate_status 336 <OCSPCertStatus.GOOD: 0> 337 338 .. classmethod:: build_unsuccessful(response_status) 339 340 Creates an unsigned OCSP response which can then be serialized and 341 sent to clients. ``build_unsuccessful`` may only be called with a 342 :class:`~cryptography.x509.ocsp.OCSPResponseStatus` that is not 343 ``SUCCESSFUL``. Since this is a class method note that no other 344 methods can or should be called as unsuccessful statuses do not 345 encode additional data. 346 347 :returns: A new :class:`~cryptography.x509.ocsp.OCSPResponse`. 348 349 .. doctest:: 350 351 >>> from cryptography.hazmat.primitives import hashes, serialization 352 >>> from cryptography.x509 import load_pem_x509_certificate, ocsp 353 >>> response = ocsp.OCSPResponseBuilder.build_unsuccessful( 354 ... ocsp.OCSPResponseStatus.UNAUTHORIZED 355 ... ) 356 >>> response.response_status 357 <OCSPResponseStatus.UNAUTHORIZED: 6> 358 359 360Interfaces 361~~~~~~~~~~ 362 363.. class:: OCSPRequest 364 365 .. versionadded:: 2.4 366 367 An ``OCSPRequest`` is an object containing information about a certificate 368 whose status is being checked. 369 370 .. attribute:: issuer_key_hash 371 372 :type: bytes 373 374 The hash of the certificate issuer's key. The hash algorithm used 375 is defined by the ``hash_algorithm`` property. 376 377 .. attribute:: issuer_name_hash 378 379 :type: bytes 380 381 The hash of the certificate issuer's name. The hash algorithm used 382 is defined by the ``hash_algorithm`` property. 383 384 .. attribute:: hash_algorithm 385 386 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 387 388 The algorithm used to generate the ``issuer_key_hash`` and 389 ``issuer_name_hash``. 390 391 .. attribute:: serial_number 392 393 :type: int 394 395 The serial number of the certificate to check. 396 397 .. attribute:: extensions 398 399 :type: :class:`~cryptography.x509.Extensions` 400 401 The extensions encoded in the request. 402 403 .. method:: public_bytes(encoding) 404 405 :param encoding: The encoding to use. Only 406 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` 407 is supported. 408 409 :return bytes: The serialized OCSP request. 410 411.. class:: OCSPResponse 412 413 .. versionadded:: 2.4 414 415 An ``OCSPResponse`` is the data provided by an OCSP responder in response 416 to an ``OCSPRequest``. 417 418 .. attribute:: response_status 419 420 :type: :class:`~cryptography.x509.ocsp.OCSPResponseStatus` 421 422 The status of the response. 423 424 .. attribute:: signature_algorithm_oid 425 426 :type: :class:`~cryptography.x509.ObjectIdentifier` 427 428 Returns the object identifier of the signature algorithm used 429 to sign the response. This will be one of the OIDs from 430 :class:`~cryptography.x509.oid.SignatureAlgorithmOID`. 431 432 :raises ValueError: If ``response_status`` is not 433 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 434 435 .. attribute:: signature_hash_algorithm 436 437 .. versionadded:: 2.5 438 439 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 440 441 Returns the 442 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` which 443 was used in signing this response. Can be ``None`` if signature 444 did not use separate hash 445 (:attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED25519`, 446 :attr:`~cryptography.x509.oid.SignatureAlgorithmOID.ED448`). 447 448 .. attribute:: signature 449 450 :type: bytes 451 452 The signature bytes. 453 454 :raises ValueError: If ``response_status`` is not 455 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 456 457 .. attribute:: tbs_response_bytes 458 459 :type: bytes 460 461 The DER encoded bytes payload that is hashed and then signed. This 462 data may be used to validate the signature on the OCSP response. 463 464 :raises ValueError: If ``response_status`` is not 465 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 466 467 .. attribute:: certificates 468 469 :type: list 470 471 A list of zero or more :class:`~cryptography.x509.Certificate` objects 472 used to help build a chain to verify the OCSP response. This situation 473 occurs when the OCSP responder uses a delegate certificate. 474 475 :raises ValueError: If ``response_status`` is not 476 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 477 478 .. attribute:: responder_key_hash 479 480 :type: bytes or None 481 482 The responder's key hash or ``None`` if the response has a 483 ``responder_name``. 484 485 :raises ValueError: If ``response_status`` is not 486 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 487 488 .. attribute:: responder_name 489 490 :type: :class:`~cryptography.x509.Name` or None 491 492 The responder's ``Name`` or ``None`` if the response has a 493 ``responder_key_hash``. 494 495 :raises ValueError: If ``response_status`` is not 496 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 497 498 .. attribute:: produced_at 499 500 :type: :class:`datetime.datetime` 501 502 A naïve datetime representing the time when the response was produced. 503 504 :raises ValueError: If ``response_status`` is not 505 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 506 507 .. attribute:: certificate_status 508 509 :type: :class:`~cryptography.x509.ocsp.OCSPCertStatus` 510 511 The status of the certificate being checked. 512 513 :raises ValueError: If ``response_status`` is not 514 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 515 516 .. attribute:: revocation_time 517 518 :type: :class:`datetime.datetime` or None 519 520 A naïve datetime representing the time when the certificate was revoked 521 or ``None`` if the certificate has not been revoked. 522 523 :raises ValueError: If ``response_status`` is not 524 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 525 526 .. attribute:: revocation_reason 527 528 :type: :class:`~cryptography.x509.ReasonFlags` or None 529 530 The reason the certificate was revoked or ``None`` if not specified or 531 not revoked. 532 533 :raises ValueError: If ``response_status`` is not 534 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 535 536 .. attribute:: this_update 537 538 :type: :class:`datetime.datetime` 539 540 A naïve datetime representing the most recent time at which the status 541 being indicated is known by the responder to have been correct. 542 543 :raises ValueError: If ``response_status`` is not 544 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 545 546 .. attribute:: next_update 547 548 :type: :class:`datetime.datetime` 549 550 A naïve datetime representing the time when newer information will 551 be available. 552 553 :raises ValueError: If ``response_status`` is not 554 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 555 556 .. attribute:: issuer_key_hash 557 558 :type: bytes 559 560 The hash of the certificate issuer's key. The hash algorithm used 561 is defined by the ``hash_algorithm`` property. 562 563 :raises ValueError: If ``response_status`` is not 564 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 565 566 .. attribute:: issuer_name_hash 567 568 :type: bytes 569 570 The hash of the certificate issuer's name. The hash algorithm used 571 is defined by the ``hash_algorithm`` property. 572 573 :raises ValueError: If ``response_status`` is not 574 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 575 576 .. attribute:: hash_algorithm 577 578 :type: :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` 579 580 The algorithm used to generate the ``issuer_key_hash`` and 581 ``issuer_name_hash``. 582 583 :raises ValueError: If ``response_status`` is not 584 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 585 586 .. attribute:: serial_number 587 588 :type: int 589 590 The serial number of the certificate that was checked. 591 592 :raises ValueError: If ``response_status`` is not 593 :class:`~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL`. 594 595 .. attribute:: extensions 596 597 :type: :class:`~cryptography.x509.Extensions` 598 599 The extensions encoded in the response. 600 601 .. attribute:: single_extensions 602 603 .. versionadded:: 2.9 604 605 :type: :class:`~cryptography.x509.Extensions` 606 607 The single extensions encoded in the response. 608 609 .. method:: public_bytes(encoding) 610 611 :param encoding: The encoding to use. Only 612 :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` 613 is supported. 614 615 :return bytes: The serialized OCSP response. 616 617.. class:: OCSPResponseStatus 618 619 .. versionadded:: 2.4 620 621 An enumeration of response statuses. 622 623 .. attribute:: SUCCESSFUL 624 625 Represents a successful OCSP response. 626 627 .. attribute:: MALFORMED_REQUEST 628 629 May be returned by an OCSP responder that is unable to parse a 630 given request. 631 632 .. attribute:: INTERNAL_ERROR 633 634 May be returned by an OCSP responder that is currently experiencing 635 operational problems. 636 637 .. attribute:: TRY_LATER 638 639 May be returned by an OCSP responder that is overloaded. 640 641 .. attribute:: SIG_REQUIRED 642 643 May be returned by an OCSP responder that requires signed OCSP 644 requests. 645 646 .. attribute:: UNAUTHORIZED 647 648 May be returned by an OCSP responder when queried for a certificate for 649 which the responder is unaware or an issuer for which the responder is 650 not authoritative. 651 652 653.. class:: OCSPCertStatus 654 655 .. versionadded:: 2.4 656 657 An enumeration of certificate statuses in an OCSP response. 658 659 .. attribute:: GOOD 660 661 The value for a certificate that is not revoked. 662 663 .. attribute:: REVOKED 664 665 The certificate being checked is revoked. 666 667 .. attribute:: UNKNOWN 668 669 The certificate being checked is not known to the OCSP responder. 670 671.. class:: OCSPResponderEncoding 672 673 .. versionadded:: 2.4 674 675 An enumeration of ``responderID`` encodings that can be passed to 676 :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.responder_id`. 677 678 .. attribute:: HASH 679 680 Encode the hash of the public key whose corresponding private key 681 signed the response. 682 683 .. attribute:: NAME 684 685 Encode the X.509 ``Name`` of the certificate whose private key signed 686 the response. 687