OCSP

OCSP (Online Certificate Status Protocol) is a method of checking the revocation status of certificates. It is specified in RFC 6960, which obsoletes the earlier OCSP RFCs.

Loading Requests

cryptography.x509.ocsp.load_der_ocsp_request(data)[source]

New in version 2.4.

Deserialize an OCSP request from DER encoded data.

Parameters: data (bytes) – The DER encoded OCSP request data.
Returns: An instance of OCSPRequest.
>>> from cryptography.x509 import ocsp
>>> # der_ocsp_req holds the DER bytes of a request obtained elsewhere (e.g. read from a file)
>>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
>>> print(ocsp_req.serial_number)
872625873161273451176241581705670534707360122361

Creating Requests

class cryptography.x509.ocsp.OCSPRequestBuilder[source]

New in version 2.4.

This class is used to create OCSPRequest objects.

add_certificate(cert, issuer, algorithm)[source]

Adds a request using a certificate, issuer certificate, and hash algorithm. This can only be called once.

Parameters:
cert (Certificate) – The certificate whose status is being checked.
issuer (Certificate) – The issuer certificate of cert.
algorithm (HashAlgorithm) – The hash algorithm used to compute the issuer name and key hashes.

build()[source]

Returns: A new OCSPRequest.
>>> import base64
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import serialization
>>> from cryptography.hazmat.primitives.hashes import SHA1
>>> from cryptography.x509 import load_pem_x509_certificate, ocsp
>>> # pem_cert and pem_issuer hold the PEM bytes of the certificate to check and of its issuer
>>> cert = load_pem_x509_certificate(pem_cert, default_backend())
>>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
>>> builder = ocsp.OCSPRequestBuilder()
>>> # SHA1 is in this example because RFC 5019 mandates its use.
>>> builder = builder.add_certificate(cert, issuer, SHA1())
>>> req = builder.build()
>>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'

Interfaces

class cryptography.x509.ocsp.OCSPRequest[source]

New in version 2.4.

An OCSPRequest is an object containing information about a certificate whose status is being checked.

issuer_key_hash
Type:bytes

The hash of the certificate issuer’s key. The hash algorithm used is defined by the hash_algorithm property.

issuer_name_hash
Type:bytes

The hash of the certificate issuer’s name. The hash algorithm used is defined by the hash_algorithm property.

hash_algorithm
Type:HashAlgorithm

The algorithm used to generate the issuer_key_hash and issuer_name_hash.

serial_number
Type:int

The serial number of the certificate to check.

extensions
Type:Extensions

The extensions encoded in the request.

public_bytes(encoding)[source]

Parameters: encoding – The encoding to use. Only DER is supported.
Return bytes: The serialized OCSP request.

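Added example, not part of the cryptography documentation: a minimal pure-Python DER walk over the request bytes printed under Creating Requests, showing where the issuer_name_hash, issuer_key_hash, hash_algorithm and serial_number attributes of OCSPRequest sit on the wire. It handles only the definite-length, single-request shape that OCSPRequestBuilder emits (the helper names read_tlv, decode_oid and parse_ocsp_request are mine); load_der_ocsp_request is the parser to use in practice.

```python
import base64

# Constructed input: the base64 DER that req.public_bytes(Encoding.DER) printed above.
REQ_B64 = (b"MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz"
           b"/NNGCDS7zkZ/oHxb8+IIy1kCAj8g")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128 digits with a continuation bit
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_request(der):
    """Extract the CertID of the first Request in a DER OCSPRequest."""
    _, body, _ = read_tlv(der, 0)           # OCSPRequest ::= SEQUENCE { tbsRequest, ... }
    _, tbs, _ = read_tlv(body, 0)           # TBSRequest  ::= SEQUENCE
    tag, elem, pos = read_tlv(tbs, 0)
    while tag in (0xA0, 0xA1):              # skip optional [0] version and [1] requestorName
        tag, elem, pos = read_tlv(tbs, pos)
    _, request, _ = read_tlv(elem, 0)       # requestList -> first Request
    _, cert_id, _ = read_tlv(request, 0)    # Request.reqCert (CertID)
    _, alg, pos = read_tlv(cert_id, 0)      # hashAlgorithm AlgorithmIdentifier
    _, oid, _ = read_tlv(alg, 0)            # its algorithm OID (NULL parameters ignored)
    _, name_hash, pos = read_tlv(cert_id, pos)   # issuerNameHash OCTET STRING
    _, key_hash, pos = read_tlv(cert_id, pos)    # issuerKeyHash  OCTET STRING
    tag, serial, _ = read_tlv(cert_id, pos)      # serialNumber   INTEGER (two's complement)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return {
        "hash_algorithm": decode_oid(oid),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial_number": int.from_bytes(serial, "big", signed=True),
    }


if __name__ == "__main__":
    print(parse_ocsp_request(base64.b64decode(REQ_B64)))
```

The decoded hash_algorithm is 1.3.14.3.2.26 (SHA-1), matching the SHA1() passed to add_certificate above, and the two 20-byte octet strings are exactly the issuer_name_hash and issuer_key_hash attributes.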
class cryptography.x509.ocsp.OCSPResponse[source]

New in version 2.4.

An OCSPResponse is the data provided by an OCSP responder in response to an OCSPRequest.

response_status
Type:OCSPResponseStatus

The status of the response.

signature_algorithm_oid
Type:ObjectIdentifier

Returns the object identifier of the signature algorithm used to sign the response. This will be one of the OIDs from SignatureAlgorithmOID.

Raises:ValueError – If response_status is not SUCCESSFUL.
signature
Type:bytes

The signature bytes.

Raises:ValueError – If response_status is not SUCCESSFUL.
tbs_response_bytes
Type:bytes

The DER encoded bytes payload that is hashed and then signed. This data may be used to validate the signature on the OCSP response.

Raises:ValueError – If response_status is not SUCCESSFUL.
certificates
Type:list

A list of zero or more Certificate objects used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate.

Raises:ValueError – If response_status is not SUCCESSFUL.
responder_key_hash
Type:bytes or None

The responder’s key hash or None if the response has a responder_name.

Raises:ValueError – If response_status is not SUCCESSFUL.
responder_name
Type:Name or None

The responder’s Name or None if the response has a responder_key_hash.

Raises:ValueError – If response_status is not SUCCESSFUL.
produced_at
Type:datetime.datetime

A naïve datetime representing the time when the response was produced.

Raises:ValueError – If response_status is not SUCCESSFUL.
certificate_status
Type:OCSPCertStatus

The status of the certificate being checked.

Raises:ValueError – If response_status is not SUCCESSFUL.
revocation_time
Type:datetime.datetime or None

A naïve datetime representing the time when the certificate was revoked or None if the certificate has not been revoked.

Raises:ValueError – If response_status is not SUCCESSFUL.
revocation_reason
Type:ReasonFlags or None

The reason the certificate was revoked or None if not specified or not revoked.

Raises:ValueError – If response_status is not SUCCESSFUL.
this_update
Type:datetime.datetime

A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct.

Raises:ValueError – If response_status is not SUCCESSFUL.
next_update
Type:datetime.datetime

A naïve datetime representing the time when newer information will be available.

Raises:ValueError – If response_status is not SUCCESSFUL.
issuer_key_hash
Type:bytes

The hash of the certificate issuer’s key. The hash algorithm used is defined by the hash_algorithm property.

Raises:ValueError – If response_status is not SUCCESSFUL.
issuer_name_hash
Type:bytes

The hash of the certificate issuer’s name. The hash algorithm used is defined by the hash_algorithm property.

Raises:ValueError – If response_status is not SUCCESSFUL.
hash_algorithm
Type:HashAlgorithm

The algorithm used to generate the issuer_key_hash and issuer_name_hash.

Raises:ValueError – If response_status is not SUCCESSFUL.
serial_number
Type:int

The serial number of the certificate that was checked.

Raises:ValueError – If response_status is not SUCCESSFUL.
class cryptography.x509.ocsp.OCSPResponseStatus[source]

New in version 2.4.

An enumeration of response statuses.

SUCCESSFUL

Represents a successful OCSP response.

MALFORMED_REQUEST

May be returned by an OCSP responder that is unable to parse a given request.

INTERNAL_ERROR

May be returned by an OCSP responder that is currently experiencing operational problems.

TRY_LATER

May be returned by an OCSP responder that is overloaded.

SIG_REQUIRED

May be returned by an OCSP responder that requires signed OCSP requests.

UNAUTHORIZED

May be returned by an OCSP responder when queried about a certificate it does not know of, or about an issuer for which it is not authoritative.

class cryptography.x509.ocsp.OCSPCertStatus[source]

New in version 2.4.

An enumeration of certificate statuses in an OCSP response.

GOOD

The value for a certificate that is not revoked.

REVOKED

The certificate being checked is revoked.

UNKNOWN

The certificate being checked is not known to the OCSP responder.
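
A defender-side acceptance check built from the OCSPResponse attributes and the two enumerations above; this is an added example, not code from the cryptography project. It assumes resp is a parsed OCSPResponse, req is the OCSPRequest it should answer, responder_cert is the issuer certificate or a delegate responder certificate that the caller has already chained to the issuer (the certificates attribute carries such delegates), and now is a naive UTC datetime like the response's time fields; MAX_SKEW and the OID table are policy choices made here.

```python
import datetime
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import SignatureAlgorithmOID

# Digest to verify with, keyed by signature_algorithm_oid (a subset; extend as needed).
_HASH_FOR_OID = {
    SignatureAlgorithmOID.RSA_WITH_SHA256: hashes.SHA256,
    SignatureAlgorithmOID.RSA_WITH_SHA384: hashes.SHA384,
    SignatureAlgorithmOID.ECDSA_WITH_SHA256: hashes.SHA256,
    SignatureAlgorithmOID.ECDSA_WITH_SHA384: hashes.SHA384,
}
MAX_SKEW = datetime.timedelta(minutes=5)    # tolerated clock drift (assumed policy value)


def check_ocsp_response(resp, req, responder_cert, now):
    """Return (accepted, reason); `now` is a naive UTC datetime like the response fields."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder returned " + resp.response_status.name
    # 1. Bind the answer to the question: the CertID must equal the one we sent,
    #    or a GOOD answer about some other certificate could be swapped in.
    if (resp.serial_number != req.serial_number
            or resp.issuer_name_hash != req.issuer_name_hash
            or resp.issuer_key_hash != req.issuer_key_hash
            or resp.hash_algorithm.name != req.hash_algorithm.name):
        return False, "response does not match request"
    # 2. Freshness: a captured GOOD response must not stay usable forever.
    if resp.this_update > now + MAX_SKEW:
        return False, "this_update is in the future"
    if resp.next_update is not None and resp.next_update < now - MAX_SKEW:
        return False, "response expired at %s" % resp.next_update
    # 3. Verify the signature over tbs_response_bytes with the responder's key.
    hash_cls = _HASH_FOR_OID.get(resp.signature_algorithm_oid)
    key = responder_cert.public_key()
    if hash_cls is None or not isinstance(key, (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
        return False, "unsupported signature algorithm or responder key type"
    try:
        if isinstance(key, rsa.RSAPublicKey):
            key.verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), hash_cls())
        else:
            key.verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(hash_cls()))
    except InvalidSignature:
        return False, "signature does not verify"
    # 4. Only a verified, fresh, matching response has a meaningful status.
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return False, "revoked at %s (%s)" % (resp.revocation_time, resp.revocation_reason)
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "status UNKNOWN: responder cannot vouch for this certificate"
    return True, "good"
```

The order matters: status, CertID match and freshness are checked before the signature so that an attacker-controlled response never reaches the more expensive verification, and the certificate status is only read once the response is known to be genuine.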