コード例 #1
def _create_ocsp_request(issuer, subject):
    """
    Build the CertId for ``subject`` and an OCSPRequest asking about it.

    The CertId combines ``subject.issuer.sha1``, ``issuer.public_key.sha1``
    and ``subject.serial_number``. The request holds exactly one entry.

    Returns the tuple ``(cert_id, request)`` so the caller can match the
    CertId echoed in the response against the one that was sent.

    NOTE(review): nothing here checks that ``issuer`` actually issued
    ``subject``; the name hash comes from the subject and the key hash from
    the issuer argument, so a mismatched pair yields a CertId the responder
    will not recognise. Confirm the caller validates the chain first.
    """
    # SHA-1 in a CertId only serves as a lookup key for the issuer. The
    # trust decision rests on verifying the signed response, not this hash.
    digest = DigestAlgorithm({'algorithm': u'sha1', 'parameters': None})
    cert_id = CertId({
        'hash_algorithm': digest,
        'issuer_name_hash': OctetString(subject.issuer.sha1),
        'issuer_key_hash': OctetString(issuer.public_key.sha1),
        'serial_number': subject.serial_number,
    })

    # Only version and request_list are set: no request extensions, so no
    # nonce is sent. Response freshness therefore has to be judged from the
    # response's own validity times by whoever consumes it.
    single_entry = Request({'req_cert': cert_id})
    tbs = TBSRequest({
        'version': Version(0),
        'request_list': Requests([single_entry]),
    })
    return cert_id, OCSPRequest({'tbs_request': tbs})
コード例 #2
 def create_ocsp_request(self, issuer, subject):
     """Build the CertId for ``subject`` and a one-entry OCSPRequest.

     Returns ``(cert_id, ocsp_request)``. The CertId is derived from
     ``subject.issuer.sha1``, ``issuer.public_key.sha1`` and
     ``subject.serial_number``.

     NOTE(review): the issuer/subject relationship is not verified here;
     confirm the caller has already validated that ``issuer`` signed
     ``subject``.
     """
     # SHA-1 is used as the CertId lookup hash, not as a signature digest.
     hash_algorithm = DigestAlgorithm({"algorithm": "sha1", "parameters": None})
     name_hash = OctetString(subject.issuer.sha1)
     key_hash = OctetString(issuer.public_key.sha1)
     cert_id = CertId({
         "hash_algorithm": hash_algorithm,
         "issuer_name_hash": name_hash,
         "issuer_key_hash": key_hash,
         "serial_number": subject.serial_number,
     })

     # The TBSRequest carries no extensions, so no nonce is included; the
     # consumer of the response must rely on its validity times instead.
     entries = Requests([Request({"req_cert": cert_id})])
     tbs_request = TBSRequest({"version": Version(0), "request_list": entries})
     ocsp_request = OCSPRequest({"tbs_request": tbs_request})
     return cert_id, ocsp_request
コード例 #3
ファイル: http.py プロジェクト: gergo-debreczeni/aws-ocsp
def parse_ocsp_request(
        request_der: bytes) -> (Optional[OCSPRequest], Optional[OCSPResponse]):
    """
    Decode the DER bytes of an OCSP request.

    Returns a 2-tuple. On success it is ``(request, None)``. If
    ``OCSPRequest.load`` raises anything, the error is logged and the tuple
    is ``(None, response)``, where ``response`` comes from
    ``_fail(ResponseStatus.malformed_request)``.
    """
    try:
        parsed = OCSPRequest.load(request_der)
    except Exception as exc:
        # Any failure in load() becomes a malformed_request answer, so bad
        # input never propagates as an unhandled error.
        logger.exception('Could not load/parse OCSPRequest: %s', exc)
        return (None, _fail(ResponseStatus.malformed_request))
    # NOTE(review): asn1crypto defers decoding of nested values until they
    # are accessed, so a successful load() does not prove every inner field
    # is well-formed. Confirm that callers reading fields of the returned
    # request also handle parse errors.
    return (parsed, None)
コード例 #4
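def handle_ocsp_requests(caid):
    """
    Answer an OCSP request for the CA identified by ``caid``.

    Loads the CA key pair, decodes the request body, looks the requested
    serial number up in ``Certificate`` and returns the DER bytes of a
    signed OCSP response. Aborts with ``config.http_notfound`` when the CA
    key or the certificate is missing, and with
    ``config.http_notimplemented`` when the request does not contain
    exactly one entry. A request body that cannot be decoded is answered
    with an unsigned ``malformed_request`` OCSP response.

    NOTE(review): security gaps that are visible here but cannot be fixed
    without code outside this function:

    * Every certificate found is reported as ``good``. No revocation state
      is consulted, so a revoked certificate would be reported as valid
      unless revoked rows are removed from ``Certificate`` elsewhere.
      Confirm against the model.
    * The lookup uses the serial number alone. The issuer name and key
      hashes in ``req_cert`` are never compared with this CA, and the query
      is not restricted to ``caid``. Serial numbers are only unique per
      issuer.
    * The private-key passphrase is a literal in the source.
    * Request extensions are ignored, so a nonce sent by the client is not
      echoed in the response.
    """
    # Import section (specifically for OCSP)
    from asn1crypto.ocsp import OCSPRequest
    from oscrypto import asymmetric
    from ocspbuilder import OCSPResponseBuilder

    # Getting CA information
    key = Key.query.filter_by(ca=caid).first()
    if not key:
        abort(config.http_notfound, {"message": config.error_pkey_notfound})
    private, public = key.dump(config.path_keys)
    with open(private, "rb") as f:
        # NOTE(review): hard-coded passphrase. It should come from
        # configuration or a secret store. Left unchanged because the
        # project's secret source is not visible from this function.
        issuer_key = asymmetric.load_private_key(f.read(), "testtest")
    with open(public, "rb") as f:
        issuer_cert = asymmetric.load_certificate(f.read())

    # Parsing the OCSP request. The body is client-controlled, so decoding
    # errors are answered with an OCSP error instead of propagating. The
    # abort() calls stay outside the try block so they are never swallowed.
    try:
        ocsp = OCSPRequest.load(request.get_data())
        request_list = ocsp['tbs_request']['request_list']
        request_count = len(request_list)
        serial_number = None
        if request_count == 1:
            # TODO: Support more than one request
            req_cert = request_list[0]['req_cert']
            serial_number = req_cert['serial_number'].native
    except (ValueError, TypeError, KeyError):
        return OCSPResponseBuilder(u'malformed_request').build().dump()
    if request_count != 1:
        abort(config.http_notimplemented,
              {"message": config.error_multiple_requests})
    # format() yields the bare hex digits. Slicing hex() output assumed a
    # leading "0x" and mangled negative values into strings such as "x5".
    serial = format(serial_number, 'x')

    # Getting certificate
    cert = Certificate.query.filter_by(serial=serial).first()
    if not cert:
        abort(config.http_notfound, {"message": config.error_cert_notfound})
    cert_path = cert.dump(config.path_keys)
    with open(cert_path, "rb") as f:
        subject_cert = asymmetric.load_certificate(f.read())

    # A response for a certificate in good standing.
    # NOTE(review): the status is unconditional; see the docstring.
    builder = OCSPResponseBuilder(u'successful', subject_cert, u'good')
    ocsp_response = builder.build(issuer_key, issuer_cert)
    return ocsp_response.dump()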
コード例 #5
 def parse_ocsp_request(self, request_der: bytes) -> OCSPRequest:
     """
     Decode DER bytes into an ``OCSPRequest`` using ``OCSPRequest.load``.

     Nothing is caught here: whatever ``load`` raises for input it rejects
     propagates to the caller.
     """
     # NOTE(review): asn1crypto decodes nested values lazily, so errors in
     # inner fields may only surface when the caller reads them. Confirm
     # the caller maps both cases to a malformed-request response.
     decoded = OCSPRequest.load(request_der)
     return decoded
コード例 #6
ファイル: __init__.py プロジェクト: threema-ch/ocspresponder
 def _parse_ocsp_request(self, request_der: bytes) -> OCSPRequest:
     """
     Decode DER bytes into an ``OCSPRequest`` using ``OCSPRequest.load``.

     No exceptions are handled here; anything ``load`` raises for input it
     rejects reaches the caller unchanged.
     """
     # NOTE(review): the bytes are presumably client-supplied. Since
     # asn1crypto decodes nested values on access, verify that the caller
     # guards later field reads as well as this call.
     request = OCSPRequest.load(request_der)
     return request