cryptography.x509.ocsp
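import base64

# Fixtures used by the doctests on this page. Each PEM block carries one
# base64 line per physical line (the page's extraction had collapsed them onto
# one line and stripped the backslashes from the byte escapes below, which made
# the literals unloadable). `der_ocsp_req` is the DER encoded OCSP request
# decoded by ``load_der_ocsp_request`` in the example below;
# `der_ocsp_resp_unauth` is a bare ``OCSPResponse`` whose responseStatus is
# ``unauthorized`` (enum value 6), as the ``load_der_ocsp_response`` example
# shows.
pem_cert = b"""
-----BEGIN CERTIFICATE-----
MIIFvTCCBKWgAwIBAgICPyAwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCVVMx
FjAUBgNVBAoTDUdlb1RydXN0IEluYy4xIDAeBgNVBAMTF1JhcGlkU1NMIFNIQTI1
NiBDQSAtIEczMB4XDTE0MTAxNTEyMDkzMloXDTE4MTExNjAxMTUwM1owgZcxEzAR
BgNVBAsTCkdUNDg3NDI5NjUxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29t
L3Jlc291cmNlcy9jcHMgKGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZh
bGlkYXRlZCAtIFJhcGlkU1NMKFIpMRwwGgYDVQQDExN3d3cuY3J5cHRvZ3JhcGh5
LmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAom/FebKJIot7Sp3s
itG1sicpe3thCssjI+g1JDAS7I3GLVNmbms1DOdIIqwf01gZkzzXBN2+9sOnyRaR
PPfCe1jTr3dk2y6rPE559vPa1nZQkhlzlhMhlPyjaT+S7g4Tio4qV2sCBZU01DZJ
CaksfohN+5BNVWoJzTbOcrHOEJ+M8B484KlBCiSxqf9cyNQKru4W3bHaCVNVJ8eu
6i6KyhzLa0L7yK3LXwwXVs583C0/vwFhccGWsFODqD/9xHUzsBIshE8HKjdjDi7Y
3BFQzVUQFjBB50NSZfAA/jcdt1blxJouc7z9T8Oklh+V5DDBowgAsrT4b6Z2Fq6/
r7D1GqivLK/ypUQmxq2WXWAUBb/Q6xHgxASxI4Br+CByIUQJsm8L2jzc7k+mF4hW
ltAIUkbo8fGiVnat0505YJgxWEDKOLc4Gda6d/7GVd5AvKrz242bUqeaWo6e4MTx
diku2Ma3rhdcr044Qvfh9hGyjqNjvhWY/I+VRWgihU7JrYvgwFdJqsQ5eiKT4OHi
gsejvWwkZzDtiQ+aQTrzM1FsY2swJBJsLSX4ofohlVRlIJCn/ME+XErj553431Lu
YQ5SzMd3nXzN78Vj6qzTfMUUY72UoT1/AcFiUMobgIqrrmwuNxfrkbVE2b6Bga74
FsJX63prvrJ41kuHK/16RQBM7fcCAwEAAaOCAWAwggFcMB8GA1UdIwQYMBaAFMOc
8/zTRgg0u85Gf6B8W/PiCMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYT
aHR0cDovL2d2LnN5bWNkLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNi
LmNvbS9ndi5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAvBgNVHREEKDAmghN3d3cuY3J5cHRvZ3JhcGh5Lmlvgg9jcnlw
dG9ncmFwaHkuaW8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL2d2LnN5bWNiLmNv
bS9ndi5jcmwwDAYDVR0TAQH/BAIwADBFBgNVHSAEPjA8MDoGCmCGSAGG+EUBBzYw
LDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xlZ2FsMA0G
CSqGSIb3DQEBCwUAA4IBAQAzIYO2jx7h17FBT74tJ2zbV9OKqGb7QF8y3wUtP4xc
dH80vprI/Cfji8s86kr77aAvAqjDjaVjHn7UzebhSUivvRPmfzRgyWBacomnXTSt
Xlt2dp2nDQuwGyK2vB7dMfKnQAkxwq1sYUXznB8i0IhhCAoXp01QGPKq51YoIlnF
7DRMk6iEaL1SJbkIrLsCQyZFDf0xtfW9DqXugMMLoxeCsBhZJQzNyS2ryirrv9LH
aK3+6IZjrcyy9bkpz/gzJucyhU+75c4My/mnRCrtItRbCQuiI5pd5poDowm+HH9i
GVI9+0lAFwxOUnOnwsoI40iOoxjLMGB+CgFLKCGUcWxP
-----END CERTIFICATE-----"""

pem_issuer = b"""
-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBHMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UEAxMXUmFwaWRTU0wg
U0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv
VJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBdmJyNkA+8EGVf2prWRHzAn7Xp
SowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9EX9zHFLYDn4ZLDqP/oIACg8PTH2lS
1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4KjxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQ
DAP8m/0Ip4yM26eO8R5j3LMBL3+vV8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AM
QriYrRmIV9cE7Ie/fodOoyH5U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkp
YEj4/5G8V1jlNS67abZZAgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3Ry
dXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCjWB7GQzKs
rC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/CJ8cW8fuTgZCp
fO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5UzCHuTcSJCs6nZb0+B
kvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5ho452nFnPjJSxhJf3GrkH
uLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq7A6rvz17OQV79PP7GqHQyH5O
ZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWmMy66S6VdU5oNMOGNX2Esr8zvsJmh
gP8L8mJMcCaY
-----END CERTIFICATE-----"""

pem_responder_cert = b"""
-----BEGIN CERTIFICATE-----
MIIBPjCB5KADAgECAgQHW80VMAoGCCqGSM49BAMCMCcxCzAJBgNVBAYTAlVTMRgw
FgYDVQQDDA9DcnlwdG9ncmFwaHkgQ0EwHhcNMTgxMDA3MTIzNTEwWhcNMjgxMDA0
MTIzNTEwWjAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPQ3J5cHRvZ3JhcGh5IENB
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbQ2E0N/E3R0zEG+qa+yAFXBY6Fte
QzyvFdq7EZHDktlyUllaVJBrbX1ItV0MlayFwwQPhZmuLPpQBzuVKyrUfTAKBggq
hkjOPQQDAgNJADBGAiEAo0NQRmfPvhWQpSvJzV+2Ag441Zeckk+bib7swduQIjIC
IQCqYD9pArB2SWfmhQCSZkNEATlsPIML8lvlSkbNcrmrqQ==
-----END CERTIFICATE-----"""

# Test-only key pair for the responder certificate above; it signs nothing
# outside these examples.
pem_responder_key = b"""
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgO+vsRu8xDIVZE+xh
s8ESqJqcpJlwmj8CtF8HPHxrDSGhRANCAARtDYTQ38TdHTMQb6pr7IAVcFjoW15D
PK8V2rsRkcOS2XJSWVpUkGttfUi1XQyVrIXDBA+Fma4s+lAHO5UrKtR9
-----END PRIVATE KEY-----"""

# OCSPRequest: SEQUENCE 0x56 bytes { tbsRequest { requestList { Request {
# CertID { sha1 (OID 1.3.14.3.2.26 + NULL), issuerNameHash (20 bytes),
# issuerKeyHash (20 bytes), serialNumber (21-byte INTEGER) } } } } }.
der_ocsp_req = (
    b"0V0T0R0P0N0\t\x06\x05+\x0e\x03\x02\x1a\x05\x00\x04\x148\xcaF\x8c"
    b"\x07D\x8d\xf4\x81\x96\xc7mmLpQ\x9e`\xa7\xbd\x04\x14yu\xbb\x84:\xcb"
    b",\xdezt\xbe1\x1bC\xbc\x1c*MSX\x02\x15\x00\x98\xd9\xe5\xc0\xb4\xc3"
    b"sU-\xf7|]\x0f\x1e\xb5\x12\x8eIE\xf9"
)

# OCSPResponse: SEQUENCE { responseStatus ENUMERATED 6 (unauthorized) } and
# no responseBytes, so there is nothing to verify on it.
der_ocsp_resp_unauth = b"0\x03\n\x01\x06"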
OCSP (Online Certificate Status Protocol) is a method of checking the revocation status of certificates. It is specified in RFC 6960, as well as in other, now obsoleted, RFCs.
load_der_ocsp_request(data)
2.4
Deserialize an OCSP request from DER encoded data.
- param bytes data
The DER encoded OCSP request data.
- returns
An instance of
~cryptography.x509.ocsp.OCSPRequest
.
>>> from cryptography.x509 import ocsp
>>> ocsp_req = ocsp.load_der_ocsp_request(der_ocsp_req)
>>> print(ocsp_req.serial_number)
872625873161273451176241581705670534707360122361
2.4
This class is used to create ~cryptography.x509.ocsp.OCSPRequest
objects.
add_certificate(cert, issuer, algorithm)
Adds a request using a certificate, issuer certificate, and hash algorithm. This can only be called once.
- param cert
The
~cryptography.x509.Certificate
whose validity is being checked.- param issuer
The issuer
~cryptography.x509.Certificate
of the certificate that is being checked.- param algorithm
A ~cryptography.hazmat.primitives.hashes.HashAlgorithm instance. For OCSP only ~cryptography.hazmat.primitives.hashes.SHA1, ~cryptography.hazmat.primitives.hashes.SHA224, ~cryptography.hazmat.primitives.hashes.SHA256, ~cryptography.hazmat.primitives.hashes.SHA384, and ~cryptography.hazmat.primitives.hashes.SHA512 are allowed.
add_extension(extension, critical)
Adds an extension to the request.
- param extension
An extension conforming to the
~cryptography.x509.ExtensionType
interface.- param critical
Set to
True
if the extension must be understood and handled.
build()
- returns
A new
~cryptography.x509.ocsp.OCSPRequest
.
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import serialization
>>> from cryptography.hazmat.primitives.hashes import SHA1
>>> from cryptography.x509 import load_pem_x509_certificate, ocsp
>>> cert = load_pem_x509_certificate(pem_cert, default_backend())
>>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
>>> builder = ocsp.OCSPRequestBuilder()
>>> # SHA1 is in this example because RFC 5019 mandates its use.
>>> builder = builder.add_certificate(cert, issuer, SHA1())
>>> req = builder.build()
>>> base64.b64encode(req.public_bytes(serialization.Encoding.DER))
b'MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kCAj8g'
load_der_ocsp_response(data)
2.4
Deserialize an OCSP response from DER encoded data.
- param bytes data
The DER encoded OCSP response data.
- returns
An instance of
~cryptography.x509.ocsp.OCSPResponse
.
>>> from cryptography.x509 import ocsp
>>> ocsp_resp = ocsp.load_der_ocsp_response(der_ocsp_resp_unauth)
>>> print(ocsp_resp.response_status)
OCSPResponseStatus.UNAUTHORIZED
2.4
This class is used to create ~cryptography.x509.ocsp.OCSPResponse objects. You cannot set produced_at on OCSP responses at this time; instead, the field is set to the current UTC time when sign is called. For unsuccessful statuses, call the class method ~cryptography.x509.ocsp.OCSPResponseBuilder.build_unsuccessful.
add_response(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason)
This method adds status information about the certificate that was requested to the response.
- param cert
The
~cryptography.x509.Certificate
whose validity is being checked.- param issuer
The issuer
~cryptography.x509.Certificate
of the certificate that is being checked.- param algorithm
A ~cryptography.hazmat.primitives.hashes.HashAlgorithm instance. For OCSP only ~cryptography.hazmat.primitives.hashes.SHA1, ~cryptography.hazmat.primitives.hashes.SHA224, ~cryptography.hazmat.primitives.hashes.SHA256, ~cryptography.hazmat.primitives.hashes.SHA384, and ~cryptography.hazmat.primitives.hashes.SHA512 are allowed.
- param cert_status
An item from the
~cryptography.x509.ocsp.OCSPCertStatus
enumeration.- param this_update
A naïve
datetime.datetime
object representing the most recent time in UTC at which the status being indicated is known by the responder to be correct.- param next_update
A naïve
datetime.datetime
object or None. The time in UTC at or before which newer information will be available about the status of the certificate.
- param revocation_time
A naïve
datetime.datetime
object, or None if the cert is not revoked. The time in UTC at which the certificate was revoked.
- param revocation_reason
An item from the
~cryptography.x509.ReasonFlags
enumeration, or None if the cert is not revoked.
certificates(certs)
Add additional certificates that should be used to verify the signature on the response. This is typically used when the responder utilizes an OCSP delegate.
- param list certs
A list of
~cryptography.x509.Certificate
objects.
responder_id(encoding, responder_cert)
Set the responderID
on the OCSP response. This is the data a client will use to determine what certificate signed the response.
- param responder_cert
The
~cryptography.x509.Certificate
object for the certificate whose private key will sign the OCSP response. If the certificate and key do not match, an error will be raised when calling sign.
- param encoding
Either
~cryptography.x509.ocsp.OCSPResponderEncoding.HASH
or~cryptography.x509.ocsp.OCSPResponderEncoding.NAME
.
add_extension(extension, critical)
Adds an extension to the response.
- param extension
An extension conforming to the
~cryptography.x509.ExtensionType
interface.- param critical
Set to
True
if the extension must be understood and handled.
sign(private_key, algorithm)
Creates the OCSP response that can then be serialized and sent to clients. This method will create a ~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
response.
- param private_key
The
~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey
,~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey
,~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey
,~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey
or~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey
that will be used to sign the response.
- param algorithm
The
~cryptography.hazmat.primitives.hashes.HashAlgorithm
that will be used to generate the signature. This must be None if the private_key is an ~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey or an ~cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey, and an instance of a ~cryptography.hazmat.primitives.hashes.HashAlgorithm otherwise.
- returns
A new
~cryptography.x509.ocsp.OCSPResponse
.
>>> import datetime
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes, serialization
>>> from cryptography.x509 import load_pem_x509_certificate, ocsp
>>> cert = load_pem_x509_certificate(pem_cert, default_backend())
>>> issuer = load_pem_x509_certificate(pem_issuer, default_backend())
>>> responder_cert = load_pem_x509_certificate(pem_responder_cert, default_backend())
>>> responder_key = serialization.load_pem_private_key(pem_responder_key, None, default_backend())
>>> builder = ocsp.OCSPResponseBuilder()
>>> # SHA1 is in this example because RFC 5019 mandates its use.
>>> builder = builder.add_response(
...     cert=cert, issuer=issuer, algorithm=hashes.SHA1(),
...     cert_status=ocsp.OCSPCertStatus.GOOD,
...     this_update=datetime.datetime.now(),
...     next_update=datetime.datetime.now(),
...     revocation_time=None, revocation_reason=None
... ).responder_id(
...     ocsp.OCSPResponderEncoding.HASH, responder_cert
... )
>>> response = builder.sign(responder_key, hashes.SHA256())
>>> response.certificate_status
<OCSPCertStatus.GOOD: 0>
build_unsuccessful(response_status)
Creates an unsigned OCSP response which can then be serialized and sent to clients. build_unsuccessful may only be called with a ~cryptography.x509.ocsp.OCSPResponseStatus that is not SUCCESSFUL. Since this is a class method, no other builder methods can or should be called: unsuccessful statuses do not encode any additional data.
- returns
A new
~cryptography.x509.ocsp.OCSPResponse
.
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes, serialization
>>> from cryptography.x509 import load_pem_x509_certificate, ocsp
>>> response = ocsp.OCSPResponseBuilder.build_unsuccessful(
...     ocsp.OCSPResponseStatus.UNAUTHORIZED
... )
>>> response.response_status
<OCSPResponseStatus.UNAUTHORIZED: 6>
2.4
An OCSPRequest
is an object containing information about a certificate whose status is being checked.
issuer_key_hash
- type
bytes
The hash of the certificate issuer's key. The hash algorithm used is defined by the hash_algorithm
property.
issuer_name_hash
- type
bytes
The hash of the certificate issuer's name. The hash algorithm used is defined by the hash_algorithm
property.
hash_algorithm
- type
~cryptography.hazmat.primitives.hashes.HashAlgorithm
The algorithm used to generate the issuer_key_hash
and issuer_name_hash
.
serial_number
- type
int
The serial number of the certificate to check.
extensions
- type
~cryptography.x509.Extensions
The extensions encoded in the request.
public_bytes(encoding)
- param encoding
The encoding to use. Only
~cryptography.hazmat.primitives.serialization.Encoding.DER
is supported.- return bytes
The serialized OCSP request.
2.4
An OCSPResponse
is the data provided by an OCSP responder in response to an OCSPRequest
.
response_status
- type
~cryptography.x509.ocsp.OCSPResponseStatus
The status of the response.
signature_algorithm_oid
- type
~cryptography.x509.ObjectIdentifier
Returns the object identifier of the signature algorithm used to sign the response. This will be one of the OIDs from ~cryptography.x509.oid.SignatureAlgorithmOID
.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
signature_hash_algorithm
2.5
- type
~cryptography.hazmat.primitives.hashes.HashAlgorithm
Returns the ~cryptography.hazmat.primitives.hashes.HashAlgorithm which was used in signing this response. Can be None if the signature did not use a separate hash (~cryptography.x509.oid.SignatureAlgorithmOID.ED25519, ~cryptography.x509.oid.SignatureAlgorithmOID.ED448).
signature
- type
bytes
The signature bytes.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
tbs_response_bytes
- type
bytes
The DER encoded bytes payload that is hashed and then signed. This data may be used to validate the signature on the OCSP response.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
certificates
- type
list
A list of zero or more ~cryptography.x509.Certificate objects used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. These certificates are supplied by the responder itself, so they are not trusted until that chain has been verified.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
responder_key_hash
- type
bytes or None
The responder's key hash or None
if the response has a responder_name
.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
responder_name
- type
~cryptography.x509.Name
or None
The responder's Name
or None
if the response has a responder_key_hash
.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
produced_at
- type
datetime.datetime
A naïve datetime representing the time when the response was produced.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
certificate_status
- type
~cryptography.x509.ocsp.OCSPCertStatus
The status of the certificate being checked.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
revocation_time
- type
datetime.datetime
or None
A naïve datetime representing the time when the certificate was revoked or None
if the certificate has not been revoked.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
revocation_reason
- type
~cryptography.x509.ReasonFlags
or None
The reason the certificate was revoked or None
if not specified or not revoked.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
this_update
- type
datetime.datetime
A naïve datetime representing the most recent time at which the status being indicated is known by the responder to have been correct.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
next_update
- type
datetime.datetime
A naïve datetime representing the time when newer information will be available.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
issuer_key_hash
- type
bytes
The hash of the certificate issuer's key. The hash algorithm used is defined by the hash_algorithm
property.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
issuer_name_hash
- type
bytes
The hash of the certificate issuer's name. The hash algorithm used is defined by the hash_algorithm
property.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
hash_algorithm
- type
~cryptography.hazmat.primitives.hashes.HashAlgorithm
The algorithm used to generate the issuer_key_hash
and issuer_name_hash
.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
serial_number
- type
int
The serial number of the certificate that was checked.
- raises ValueError
If
response_status
is not~cryptography.x509.ocsp.OCSPResponseStatus.SUCCESSFUL
.
extensions
- type
~cryptography.x509.Extensions
The extensions encoded in the response.
public_bytes(encoding)
- param encoding
The encoding to use. Only
~cryptography.hazmat.primitives.serialization.Encoding.DER
is supported.- return bytes
The serialized OCSP response.
2.4
An enumeration of response statuses.
SUCCESSFUL
Represents a successful OCSP response.
MALFORMED_REQUEST
May be returned by an OCSP responder that is unable to parse a given request.
INTERNAL_ERROR
May be returned by an OCSP responder that is currently experiencing operational problems.
TRY_LATER
May be returned by an OCSP responder that is overloaded.
SIG_REQUIRED
May be returned by an OCSP responder that requires signed OCSP requests.
UNAUTHORIZED
May be returned by an OCSP responder when queried for a certificate of which the responder is unaware, or for an issuer for which the responder is not authoritative.
2.4
An enumeration of certificate statuses in an OCSP response.
GOOD
The value for a certificate that is not revoked.
REVOKED
The certificate being checked is revoked.
UNKNOWN
The certificate being checked is not known to the OCSP responder.
2.4
An enumeration of responderID
encodings that can be passed to ~cryptography.x509.ocsp.OCSPResponseBuilder.responder_id
.
HASH
Encode the hash of the public key whose corresponding private key signed the response.
NAME
Encode the X.509 Name
of the certificate whose private key signed the response.