Ejemplo n.º 1
0
def _request_ocsp(cert, issuer, uri):
    # https://cryptography.io/en/latest/x509/ocsp/#creating-requests
    builder = _OCSPRequestBuilder()
    # add_certificate returns a new instance
    builder = builder.add_certificate(cert, issuer, _SHA1())
    ocsp_request = builder.build()
    try:
        response = _post(uri,
                         data=ocsp_request.public_bytes(_Encoding.DER),
                         headers={'Content-Type': 'application/ocsp-request'},
                         timeout=5)
    except _RequestException:
        _LOGGER.debug("HTTP request failed")
        return None
    if response.status_code != 200:
        _LOGGER.debug("HTTP request returned %d", response.status_code)
        return None
    ocsp_response = _load_der_ocsp_response(response.content)
    _LOGGER.debug("OCSP response status: %r", ocsp_response.response_status)
    if ocsp_response.response_status != _OCSPResponseStatus.SUCCESSFUL:
        return None
    # RFC6960, Section 3.2, Number 1. Only relevant if we need to
    # talk to the responder directly.
    # Accessing response.serial_number raises if response status is not
    # SUCCESSFUL.
    if ocsp_response.serial_number != ocsp_request.serial_number:
        _LOGGER.debug("Response serial number does not match request")
        return None
    return ocsp_response
def _public_key_hash(cert):
    public_key = cert.public_key()
    # https://tools.ietf.org/html/rfc2560#section-4.2.1
    # "KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
    # (excluding the tag and length fields)"
    # https://stackoverflow.com/a/46309453/600498
    if isinstance(public_key, _RSAPublicKey):
        pbytes = public_key.public_bytes(_Encoding.DER, _PublicFormat.PKCS1)
    elif isinstance(public_key, _EllipticCurvePublicKey):
        pbytes = public_key.public_bytes(_Encoding.X962,
                                         _PublicFormat.UncompressedPoint)
    else:
        pbytes = public_key.public_bytes(_Encoding.DER,
                                         _PublicFormat.SubjectPublicKeyInfo)
    digest = _Hash(_SHA1(), backend=_default_backend())
    digest.update(pbytes)
    return digest.finalize()
def _build_ocsp_request(cert, issuer):
    # https://cryptography.io/en/latest/x509/ocsp/#creating-requests
    builder = _OCSPRequestBuilder()
    builder = builder.add_certificate(cert, issuer, _SHA1())
    return builder.build()