Ocsp class
- class cryptosyspki.Ocsp
Online Certificate Status Protocol (OCSP) routines.
- class HashAlg
Hash algorithms.
- MD5 = 1
MD5 (as per RFC 1321)
- SHA1 = 0
SHA-1 (default)
- SHA224 = 6
SHA-224
- SHA256 = 3
SHA-256
- SHA384 = 4
SHA-384
- SHA512 = 5
SHA-512
- static make_request(issuercert, certfile_or_serialnumber, hashalg=0)
Create an Online Certificate Status Protocol (OCSP) request as a base64 string.
- Parameters:
issuercert (str) -- name of the issuer's X.509 certificate file (or its base64 representation)
certfile_or_serialnumber (str) -- either the name of the X.509 certificate file to be checked or its serial number in hexadecimal format preceded by "#x".
The certificate to be checked can be specified either directly as a filename or as a serialNumber in hexadecimal format preceded by "#x", e.g. "#x01deadbeef". If the latter form is used, the value must be hexadecimal, so the decimal serial number 10 would be passed as "#x0a".
hashalg (Ocsp.HashAlg) -- hash algorithm to be used [default = SHA-1]
- Returns:
A base64 string suitable for an OCSP request to an Online Certificate Status Manager, or an empty string on error.
- Return type:
str
Note
It is an error (NO_MATCH_ERROR) if the issuer's name in the certificate to be checked does not match the subject name in the issuer's certificate.
- static read_response(responsefile, issuercert='')
Read a response to an Online Certificate Status Protocol (OCSP) request and output the main results in text form.
- Parameters:
responsefile (str) -- name of the file containing the response data in BER format.
issuercert (str) -- (optional) name of the issuer's X.509 certificate file (or its base64 representation).
If provided, it will be used to check the signature on the OCSP response, and an error will result if the signature is not valid.
CAUTION: For some CAs (e.g. VeriSign) the key used to sign the OCSP response is not the same as the key in the issuer's certificate, so specifying the issuer's certificate in this case will result in a signature error. If you can separately obtain the certificate used to sign the OCSP response, then specify this as the issuercert; otherwise leave it as the empty string "".
- Returns:
A text string outlining the main results in the response data, or an empty string on error.
- Return type:
str
Note
A revoked certificate will still result in a "Successful response", so check the CertStatus.
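The following is an added example, not code from the CryptoSys PKI library or its documentation, showing the two methods above used end to end: the serial number is formatted into the "#x" form make_request expects, the request is POSTed to a responder, and the summary from read_response is checked for the CertStatus rather than for "Successful response". The responder URL, the urllib transport and the exact "CertStatus=..." wording in the summary text are assumptions; anything other than an explicit "good" is treated as a failure.

```python
import base64
import re
import urllib.request

OCSP_CONTENT_TYPE = "application/ocsp-request"  # RFC 6960 Appendix A (HTTP POST)


def serial_to_ocsp_hex(serial):
    """Format an integer serial number as make_request expects: hexadecimal,
    whole bytes (decimal 10 becomes "0a"), prefixed with "#x"."""
    if not isinstance(serial, int) or serial <= 0:
        # RFC 5280 requires a positive serialNumber; refuse anything else.
        raise ValueError("serial number must be a positive integer")
    digits = format(serial, "x")
    if len(digits) % 2:
        digits = "0" + digits
    return "#x" + digits


def cert_status_from_text(text):
    """Extract the CertStatus value from read_response() text.
    ASSUMPTION: the summary carries a token like 'CertStatus=good'; the exact
    wording is not documented here, so an unrecognised layout is an error."""
    if not text:
        raise ValueError("read_response() returned an empty string (error)")
    m = re.search(r"CertStatus\s*[=:]\s*(\w+)", text, re.IGNORECASE)
    if not m:
        raise ValueError("no CertStatus found in response summary")
    return m.group(1).lower()


def certificate_is_good(text):
    """Fail closed: only an explicit 'good' CertStatus passes."""
    return cert_status_from_text(text) == "good"


def check_certificate(issuercert, serial, responder_url, response_path):
    """Build the request, POST it, save the BER response, read it back.
    The import is deferred so the helpers above run without the module."""
    from cryptosyspki import Ocsp
    req_b64 = Ocsp.make_request(issuercert, serial_to_ocsp_hex(serial))
    if not req_b64:
        raise RuntimeError("make_request failed (issuer/subject mismatch?)")
    req = urllib.request.Request(responder_url, data=base64.b64decode(req_b64),
                                 headers={"Content-Type": OCSP_CONTENT_TYPE})
    with urllib.request.urlopen(req, timeout=10) as resp:
        with open(response_path, "wb") as f:
            f.write(resp.read())
    # issuercert left empty: see the CAUTION above about responder signing keys.
    return certificate_is_good(Ocsp.read_response(response_path, ""))
```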