def test_add_invalid_extension(self):
builder = ocsp.OCSPRequestBuilder()
with pytest.raises(TypeError):
builder.add_extension(
"notanext", # type:ignore[arg-type]
False,
)
def _construct_mock_ocsp_response(certificate_status, response_status):
cert = x509.load_pem_x509_certificate(
test_util.load_vector('ocsp_certificate.pem'), default_backend())
issuer = x509.load_pem_x509_certificate(
test_util.load_vector('ocsp_issuer_certificate.pem'),
default_backend())
responder = x509.load_pem_x509_certificate(
test_util.load_vector('ocsp_responder_certificate.pem'),
default_backend())
builder = ocsp_lib.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, hashes.SHA1())
request = builder.build()
return mock.Mock(
response_status=response_status,
certificate_status=certificate_status,
serial_number=request.serial_number,
issuer_key_hash=request.issuer_key_hash,
issuer_name_hash=request.issuer_name_hash,
responder_name=responder.subject,
certificates=[responder],
hash_algorithm=hashes.SHA1(),
next_update=datetime.now() + timedelta(days=1),
this_update=datetime.now() - timedelta(days=1),
signature_algorithm_oid=x509.oid.SignatureAlgorithmOID.RSA_WITH_SHA1,
)
def validate_revocation_certificate_chain(chain, error_messages):
# a failed try to use ocsp validation
for i in range(1, len(chain)):
subject = chain[i - 1]
issuer = chain[i]
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(subject, issuer, SHA1())
req = builder.build()
data = req.public_bytes(serialization.Encoding.DER)
for e in subject.extensions:
if isinstance(e.value, AuthorityInformationAccess):
url = e.value._descriptions[0].access_location.value
print(url)
headers = {"Content-Type": "application/ocsp-request"}
r = requests.post(url, data=data, headers=headers)
ocsp_resp = ocsp.load_der_ocsp_response(r.content)
print(ocsp_resp.certificate_status)
if ocsp_resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL:
if ocsp_resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN:
status = validate_revocation_certificate_chain_crl(
[subject, issuer], error_messages)
if not status:
return False
elif ocsp_resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
error_messages.append(
"One of the certificates is revoked")
return False
else:
return False
return True
def get_oscp_request(cert, issuer_cert):
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer_cert, SHA1())
nonce = round(time.time() * 1000)
builder = builder.add_extension(
OCSPNonce(bytes(str(nonce), encoding='ascii')), True)
req = builder.build()
return req
def test_create_ocsp_request_invalid_cert(self):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
with pytest.raises(TypeError):
builder.add_certificate(b"notacert", issuer, hashes.SHA1())
with pytest.raises(TypeError):
builder.add_certificate(cert, b"notacert", hashes.SHA1())
def test_no_nonce(self) -> None:
"""Test fetching without a nonce."""
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(self.cert.pub.loaded, self.cert.ca.pub.loaded, hashes.SHA1())
data = base64.b64encode(builder.build().public_bytes(serialization.Encoding.DER))
response = self.client.get(reverse("get", kwargs={"data": data.decode("utf-8")}))
self.assertOCSP(response, requested=[self.cert], nonce=None)
def test_create_ocsp_request(self):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, hashes.SHA1())
req = builder.build()
serialized = req.public_bytes(serialization.Encoding.DER)
assert serialized == base64.b64decode(
b"MEMwQTA/MD0wOzAJBgUrDgMCGgUABBRAC0Z68eay0wmDug1gfn5ZN0gkxAQUw5zz"
b"/NNGCDS7zkZ/oHxb8+IIy1kCAj8g")
def _check_ocsp_cryptography(cert_path: str, chain_path: str, url: str,
timeout: int) -> bool:
# Retrieve OCSP response
with open(chain_path, 'rb') as file_handler:
issuer = x509.load_pem_x509_certificate(file_handler.read(),
default_backend())
with open(cert_path, 'rb') as file_handler:
cert = x509.load_pem_x509_certificate(file_handler.read(),
default_backend())
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, hashes.SHA1())
request = builder.build()
request_binary = request.public_bytes(serialization.Encoding.DER)
try:
response = requests.post(
url,
data=request_binary,
headers={'Content-Type': 'application/ocsp-request'},
timeout=timeout)
except requests.exceptions.RequestException:
logger.info("OCSP check failed for %s (are we offline?)",
cert_path,
exc_info=True)
return False
if response.status_code != 200:
logger.info("OCSP check failed for %s (HTTP status: %d)", cert_path,
response.status_code)
return False
response_ocsp = ocsp.load_der_ocsp_response(response.content)
# Check OCSP response validity
if response_ocsp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
logger.warning("Invalid OCSP response status for %s: %s", cert_path,
response_ocsp.response_status)
return False
# Check OCSP signature
try:
_check_ocsp_response(response_ocsp, request, issuer, cert_path)
except UnsupportedAlgorithm as e:
logger.warning(str(e))
except errors.Error as e:
logger.warning(str(e))
except InvalidSignature:
logger.warning('Invalid signature on OCSP response for %s', cert_path)
except AssertionError as error:
logger.warning('Invalid OCSP response for %s: %s.', cert_path,
str(error))
else:
# Check OCSP certificate status
logger.debug("OCSP certificate status for %s is: %s", cert_path,
response_ocsp.certificate_status)
return response_ocsp.certificate_status == ocsp.OCSPCertStatus.REVOKED
return False
def test_create_ocsp_request_with_extension(self, ext, critical):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer,
hashes.SHA1()).add_extension(
ext, critical)
req = builder.build()
assert len(req.extensions) == 1
assert req.extensions[0].value == ext
assert req.extensions[0].oid == ext.oid
assert req.extensions[0].critical is critical
def test_no_nonce(self):
"""Test fetching without a nonce."""
cert = self.certs['child-cert']
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert.x509, cert.ca.x509,
hashes.SHA1())
data = base64.b64encode(builder.build().public_bytes(
serialization.Encoding.DER))
response = self.client.get(
reverse('get', kwargs={'data': data.decode('utf-8')}))
self.assertOCSP(response, requested=[cert], nonce=None)
def build_certificate_url(self, server, cert, issuer_cert):
"""Return the complete url to the ocsp"""
orb = ocsp.OCSPRequestBuilder()
# add_certificate returns an initialized OCSPRequestBuilder
orb = orb.add_certificate(
cert, issuer_cert, cryptography.hazmat.primitives.hashes.SHA256())
request = orb.build()
path = base64.b64encode(
request.public_bytes(hazmat.primitives.serialization.Encoding.DER))
url = urljoin(server, path.decode("ascii"))
return url
def is_ocsp_valid(cert, issuer, hash_algo):
if hash_algo == 'sha1':
algorithm = hashes.SHA1
elif hash_algo == 'sha224':
algorithm = hashes.SHA224
elif hash_algo == 'sha256':
algorithm = hashes.SHA256
elif hash_algo == 'sha385':
algorithm = hashes.SHA384
elif hash_algo == 'sha512':
algorithm = hashes.SHA512
else:
log("Invalid hash algorithm '{}' used for OCSP validation. Validation ignored."
.format(hash_algo),
warning=True)
return True
if isinstance(issuer, list):
issuer = issuer[
0] # First certificate in the CA chain is the immediate issuer
try:
ocsp_urls = []
aia = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
for data in aia.value:
if data.access_method == x509.OID_OCSP:
ocsp_urls.append(data.access_location.value)
# This is a bit of a hack due to validation problems within cryptography (TODO: Check if this is still true)
# Correct replacement: ocsprequest = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, algorithm).build()
ocsprequest = ocsp.OCSPRequestBuilder(
(cert, issuer, algorithm)).build()
ocsprequestdata = ocsprequest.public_bytes(serialization.Encoding.DER)
for ocsp_url in ocsp_urls:
response = get_url(
ocsp_url, ocsprequestdata, {
'Accept': 'application/ocsp-response',
'Content-Type': 'application/ocsp-request',
})
ocspresponsedata = response.read()
ocspresponse = ocsp.load_der_ocsp_response(ocspresponsedata)
if ocspresponse.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL \
and ocspresponse.certificate_status == ocsp.OCSPCertStatus.REVOKED:
return False
except Exception as e:
log("An exception occurred during OCSP validation (Validation will be ignored): {}"
.format(e),
error=True)
return True
def validate_chain(cert_to_check,issuer_cert):
cert_to_check_signature=cert_to_check.signature
issuer_public_key=issuer_cert.public_key()
# TODO check if host has the same name I think
builder = ocsp.OCSPRequestBuilder()
# SHA1 is in this example because RFC 5019 mandates its use.
builder = builder.add_certificate(cert_to_check, issuer_cert, SHA1())
req = builder.build()
for j in cert_to_check.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value:
if j.access_method.dotted_string == "1.3.6.1.5.5.7.48.1":
rev_list=None
#Downloading list
der=req.public_bytes(serialization.Encoding.DER)
ocsp_link=j.access_location.value
r=requests.post(ocsp_link,data=der)
ocsp_resp = ocsp.load_der_ocsp_response(r.content)
print(ocsp_resp.certificate_status)
print(cert_to_check.extensions.get_extension_for_class(x509.KeyUsage).value)
if (get_issuer_common_name(cert_to_check)!=get_common_name(issuer_cert)):
print(get_issuer_common_name(cert_to_check))
print(get_common_name(issuer_cert))
return False
try:
issuer_public_key.verify(cert_to_check_signature,cert_to_check.tbs_certificate_bytes,padding.PKCS1v15(),cert_to_check.signature_hash_algorithm)
except:
print("Failed to verify signature.")
return False
return True
def _get_sample_request_for_root(root, hash_algorithm, pebble_urlopen):
'''
Returns an OCSP sample request for this root, together with the intermediate certificate and its key.
'''
cache_key = (root, hash_algorithm.name)
if cache_key in SAMPLE_REQUEST_CACHE:
return SAMPLE_REQUEST_CACHE[cache_key]
# Get hold of intermediate certificate with key
intermediate = x509.load_pem_x509_certificate(pebble_urlopen(
"/intermediates/{0}".format(root)).read(),
backend=default_backend())
intermediate_key = serialization.load_pem_private_key(
pebble_urlopen("/intermediate-keys/{0}".format(root)).read(),
None,
backend=default_backend())
one_day = datetime.timedelta(1, 0, 0)
builder = x509.CertificateBuilder()
builder = builder.subject_name(intermediate.subject)
builder = builder.issuer_name(intermediate.subject)
builder = builder.not_valid_before(datetime.datetime.today() - one_day)
builder = builder.not_valid_after(datetime.datetime.today() + one_day)
builder = builder.serial_number(x509.random_serial_number())
builder = builder.public_key(intermediate.public_key())
certificate = builder.sign(private_key=intermediate_key,
algorithm=hashes.SHA256(),
backend=default_backend())
req = ocsp.OCSPRequestBuilder()
req = req.add_certificate(certificate, intermediate, hash_algorithm)
req = req.build()
result = req, intermediate, intermediate_key
SAMPLE_REQUEST_CACHE[cache_key] = result
return result
def build_ocsp_request(cert_chain: List[str]) -> bytes:
"""Build an OCSP request out of the leaf and issuer pem certificates
see: https://cryptography.io/en/latest/x509/ocsp/#cryptography.x509.ocsp.OCSPRequestBuilder
for more information"""
func_name: str = "build_ocsp_request"
try:
leaf_cert = x509.load_pem_x509_certificate(str.encode(cert_chain[0]),
default_backend())
issuer_cert = x509.load_pem_x509_certificate(str.encode(cert_chain[1]),
default_backend())
except ValueError:
raise Exception(
f"{func_name}: Unable to load x509 certificate.") from None
# Build OCSP request
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(leaf_cert, issuer_cert, SHA1())
ocsp_data = builder.build()
ocsp_request_data = ocsp_data.public_bytes(serialization.Encoding.DER)
return ocsp_request_data
def sign(datau,
key,
cert,
othercerts,
hashalgo,
attrs=True,
signed_value=None,
hsm=None,
pss=False,
timestampurl=None,
timestampcredentials=None,
timestamp_req_options=None,
ocspurl=None,
ocspissuer=None):
if signed_value is None:
signed_value = getattr(hashlib, hashalgo)(datau).digest()
signed_time = datetime.now(tz=util.timezone.utc)
if hsm is not None:
keyid, cert = hsm.certificate()
cert = cert2asn(cert, False)
else:
cert = cert2asn(cert)
certificates = []
certificates.append(cert)
for i in range(len(othercerts)):
certificates.append(cert2asn(othercerts[i]))
hashalgo = unicode(hashalgo) if sys.version[0] < '3' else hashalgo
signer = {
'version':
'v1',
'sid':
cms.SignerIdentifier({
'issuer_and_serial_number':
cms.IssuerAndSerialNumber({
'issuer': cert.issuer,
'serial_number': cert.serial_number,
}),
}),
'digest_algorithm':
algos.DigestAlgorithm({'algorithm': hashalgo}),
'signature':
signed_value,
}
if not pss:
signer['signature_algorithm'] = algos.SignedDigestAlgorithm(
{'algorithm': 'rsassa_pkcs1v15'})
else:
if isinstance(key, keys.PrivateKeyInfo):
salt_length = key.byte_size - hashes.SHA512.digest_size - 2
salt_length = hashes.SHA512.digest_size
else:
salt_length = padding.calculate_max_pss_salt_length(
key, hashes.SHA512)
signer['signature_algorithm'] = algos.SignedDigestAlgorithm({
'algorithm':
'rsassa_pss',
'parameters':
algos.RSASSAPSSParams({
'hash_algorithm':
algos.DigestAlgorithm({'algorithm': 'sha512'}),
'mask_gen_algorithm':
algos.MaskGenAlgorithm({
'algorithm':
algos.MaskGenAlgorithmId('mgf1'),
'parameters': {
'algorithm': algos.DigestAlgorithmId('sha512'),
}
}),
'salt_length':
algos.Integer(salt_length),
'trailer_field':
algos.TrailerField(1)
})
})
if attrs:
if attrs is True:
signer['signed_attrs'] = [
cms.CMSAttribute({
'type': cms.CMSAttributeType('content_type'),
'values': ('data', ),
}),
cms.CMSAttribute({
'type': cms.CMSAttributeType('message_digest'),
'values': (signed_value, ),
}),
cms.CMSAttribute({
'type':
cms.CMSAttributeType('signing_time'),
'values':
(cms.Time({'utc_time': core.UTCTime(signed_time)}), )
}),
]
else:
if isinstance(attrs, types.FunctionType):
attrs = attrs(signed_value)
signer['signed_attrs'] = attrs
config = {
'version':
'v1',
'digest_algorithms':
cms.DigestAlgorithms((algos.DigestAlgorithm({'algorithm':
hashalgo}), )),
'encap_content_info': {
'content_type': 'data',
},
'certificates':
certificates,
'signer_infos': [
signer,
],
}
if ocspurl and ocspissuer:
from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.x509 import ocsp as cocsp
from cryptography import x509 as cx509
ocspuser = cert.dump()
ocspuser = cx509.load_der_x509_certificate(ocspuser, backend=backend)
builder = cocsp.OCSPRequestBuilder()
builder = builder.add_certificate(ocspuser, ocspissuer, hashes.SHA1())
req = builder.build()
data = req.public_bytes(serialization.Encoding.DER)
response = requests.post(
ocspurl,
headers={'Content-Type': 'application/ocsp-request'},
data=data,
)
data = ocsp.OCSPResponse.load(response.content)
other = cms.RevocationInfoChoice({
'other':
cms.OtherRevocationInfoFormat({
'other_rev_info_format': 'ocsp_response',
'other_rev_info': data
})
})
config['crls'] = cms.RevocationInfoChoices([other])
datas = cms.ContentInfo({
'content_type': cms.ContentType('signed_data'),
'content': cms.SignedData(config),
})
if attrs:
tosign = datas['content']['signer_infos'][0]['signed_attrs'].dump()
tosign = b'\x31' + tosign[1:]
else:
tosign = datau
if hsm is not None:
signed_value_signature = hsm.sign(keyid, tosign, hashalgo)
elif isinstance(key, keys.PrivateKeyInfo):
key = asymmetric.load_private_key(key)
if pss:
signed_value_signature = asymmetric.rsa_pss_sign(
key, tosign, 'sha512')
else:
signed_value_signature = asymmetric.rsa_pkcs1v15_sign(
key, tosign, hashalgo.lower())
else:
if pss:
hasher = hashes.Hash(hashes.SHA512(),
backend=backends.default_backend())
hasher.update(tosign)
digest = hasher.finalize()
signed_value_signature = key.sign(
digest,
padding.PSS(mgf=padding.MGF1(hashes.SHA512()),
salt_length=salt_length),
utils.Prehashed(hashes.SHA512()))
else:
signed_value_signature = key.sign(
tosign, padding.PKCS1v15(),
getattr(hashes, hashalgo.upper())())
if timestampurl is not None:
datas['content']['signer_infos'][0]['unsigned_attrs'] = timestamp(
signed_value_signature,
hashalgo,
timestampurl,
timestampcredentials,
timestamp_req_options,
)
# signed_value_signature = core.OctetString(signed_value_signature)
datas['content']['signer_infos'][0]['signature'] = signed_value_signature
#open('signed-content-info', 'wb').write(datas.dump())
return datas.dump()
def validate_revocation(cert, issuer):
"""
Function used to check if a given certificate (or it's issuer) is revoked.
:return: True, if it's revoked. False, otherwise.
"""
try:
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, SHA1())
req = builder.build()
for ext in cert.extensions.get_extension_for_class(
x509.AuthorityInformationAccess
).value:
if ext.access_method.dotted_string == "1.3.6.1.5.5.7.48.1":
data = req.public_bytes(serialization.Encoding.DER)
ocsp_url = ext.access_location.value
request = requests.post(
ocsp_url,
headers={"Content-Type": "application/ocsp-request"},
data=data,
)
ocsp_resp = ocsp.load_der_ocsp_response(request.content)
logger.warning(f"OCSP CERT STATUS: {ocsp_resp.certificate_status}")
if (
ocsp_resp.certificate_status == ocsp.OCSPCertStatus.GOOD
or get_common_name(cert) == "ECRaizEstado"
):
return False
else:
return True
except:
logger.debug("OCSP is not available for this certificate!")
try:
for ext in cert.extensions.get_extension_for_class(
x509.CRLDistributionPoints
).value:
for name in ext.full_name:
file_name = wget.download(name.value)
revocation_list = load_certificate_crl(file_name)
if revocation_list is None:
return False
cert_is_revoked = cert.serial_number in [
l.serial_number for l in revocation_list
]
try:
for ext in cert.extensions.get_extension_for_class(x509.FreshestCRL).value:
for name in ext.full_name:
file_name = wget.download(name.value)
revocation_list = load_certificate_crl(file_name)
if revocation_list is None:
return False
cert_is_revoked = cert.serial_number in [
l.serial_number for l in revocation_list
]
except:
logger.debug("DELTA CRL is not available for this certificate!")
for ext in issuer.extensions.get_extension_for_class(
x509.CRLDistributionPoints
).value:
for name in ext.full_name:
file_name = wget.download(name.value)
revocation_list = load_certificate_crl(file_name)
if revocation_list is None:
return False
isser_is_revoked = issuer.serial_number in [
l.serial_number for l in revocation_list
]
try:
for ext in issuer.extensions.get_extension_for_class(
x509.FreshestCRL
).value:
for name in ext.full_name:
file_name = wget.download(name.value)
revocation_list = load_certificate_crl(file_name)
if revocation_list is None:
return False
isser_is_revoked = issuer.serial_number in [
l.serial_number for l in revocation_list
]
except:
logger.debug("DELTA CRL is not available for this certificate!")
return cert_is_revoked or isser_is_revoked
except:
logger.debug("CRL is not available for this certificate!")
return True
def test_add_extension_twice(self):
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_extension(x509.OCSPNonce(b"123"), False)
with pytest.raises(ValueError):
builder.add_extension(x509.OCSPNonce(b"123"), False)
def test_create_ocsp_request_invalid_alg(self):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
with pytest.raises(ValueError):
builder.add_certificate(cert, issuer, hashes.MD5())
def test_create_ocsp_request_no_req(self):
builder = ocsp.OCSPRequestBuilder()
with pytest.raises(ValueError):
builder.build()
def test_add_two_certs(self):
cert, issuer = _cert_and_issuer()
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert, issuer, hashes.SHA1())
with pytest.raises(ValueError):
builder.add_certificate(cert, issuer, hashes.SHA1())
def validate_revocation(self, cert_to_check, issuer_cert):
try:
builder = ocsp.OCSPRequestBuilder()
builder = builder.add_certificate(cert_to_check, issuer_cert,
SHA1())
req = builder.build()
for j in cert_to_check.extensions.get_extension_for_class(
x509.AuthorityInformationAccess).value:
if j.access_method.dotted_string == "1.3.6.1.5.5.7.48.1":
rev_list = None
#Downloading list
der = req.public_bytes(serialization.Encoding.DER)
ocsp_link = j.access_location.value
r = requests.post(
ocsp_link,
headers={'Content-Type': 'application/ocsp-request'},
data=der)
ocsp_resp = ocsp.load_der_ocsp_response(r.content)
if ocsp_resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
return False
else:
return True
except Exception as e:
logger.debug("OCSP not available")
try:
for i in cert_to_check.extensions.get_extension_for_class(
x509.CRLDistributionPoints).value:
for b in i.full_name:
rev_list = None
#Downloading list
file_name = wget.download(b.value)
print()
#read revocation list
try:
rev_list = self.load_cert_revocation_list(
file_name, "pem")
except Exception as e:
logger.debug(e)
try:
rev_list = self.load_cert_revocation_list(
file_name, "der")
except:
logger.debug("Not der.")
if rev_list is None:
return False
flag = cert_to_check.serial_number in [
l.serial_number for l in rev_list
]
try:
for i in cert_to_check.extensions.get_extension_for_class(
x509.FreshestCRL).value:
for b in i.full_name:
rev_list = None
#Downloading list
file_name = wget.download(b.value)
#read revocation list
try:
rev_list = self.load_cert_revocation_list(
file_name, "pem")
except Exception as e:
logger.debug(e)
try:
rev_list = self.load_cert_revocation_list(
file_name, "der")
except:
logger.debug("Not der.")
if rev_list is None:
return False
flag = cert_to_check.serial_number in [
l.serial_number for l in rev_list
]
except:
logger.debug("DELTA CRL not available.")
for i in issuer_cert.extensions.get_extension_for_class(
x509.CRLDistributionPoints).value:
for b in i.full_name:
rev_list = None
#Downloading list
file_name = wget.download(b.value)
print()
#read revocation list
try:
rev_list = self.load_cert_revocation_list(
file_name, "pem")
except Exception as e:
logger.debug(e)
try:
rev_list = self.load_cert_revocation_list(
file_name, "der")
except:
logger.debug("Not der.")
if rev_list is None:
return False
flag1 = issuer_cert.serial_number in [
l.serial_number for l in rev_list
]
return flag1 or flag
try:
for i in issuer_cert.extensions.get_extension_for_class(
x509.FreshestCRL).value:
for b in i.full_name:
rev_list = None
#Downloading list
file_name = wget.download(b.value)
#read revocation list
try:
rev_list = self.load_cert_revocation_list(
file_name, "pem")
except Exception as e:
logger.debug(e)
try:
rev_list = self.load_cert_revocation_list(
file_name, "der")
except:
logger.debug("Not der.")
if rev_list is None:
return False
flag1 = issuer_cert.serial_number in [
l.serial_number for l in rev_list
]
except:
logger.debug("DELTA CRL not available.")
return flag1 or flag
except Exception as e:
logger.debug("CRL not available")
return True
expires=data[name]["expires"],
password=pwd,
extensions=data[name]["extensions"],
)
data[name].update(
data[name].pop("extensions")) # cert_data expects this to be flat
copy_cert(cert, data[name], key_path, csr_path)
# Rebuild example OCSP requests
if args.ocsp:
from cryptography.x509 import ocsp
ocsp_base = os.path.join(args.dest, "ocsp")
if not os.path.exists(ocsp_base):
os.makedirs(ocsp_base)
ocsp_builder = ocsp.OCSPRequestBuilder()
ocsp_builder = ocsp_builder.add_certificate(
data["child-cert"]["parsed_cert"].pub.loaded,
CertificateAuthority.objects.get(
name=data["child-cert"]["ca"]).pub.loaded,
hashes.SHA1(),
)
no_nonce_req = ocsp_builder.build().public_bytes(Encoding.DER)
with open(os.path.join(ocsp_base, ocsp_data["no-nonce"]["filename"]),
"wb") as stream:
stream.write(no_nonce_req)
ocsp_builder = ocsp_builder.add_extension(x509.OCSPNonce(
hex_to_bytes(ocsp_data["nonce"]["nonce"])),
critical=False)
