def parse_ocsp_resp(ocsp_resp):
ocspResponse, _ = decoder.decode(ocsp_resp,
asn1Spec=rfc2560.OCSPResponse())
responseStatus = ocspResponse.getComponentByName('responseStatus')
assert responseStatus == rfc2560.OCSPResponseStatus(
'successful'), responseStatus.prettyPrint()
responseBytes = ocspResponse.getComponentByName('responseBytes')
responseType = responseBytes.getComponentByName('responseType')
assert responseType == rfc2560.id_pkix_ocsp_basic, responseType.prettyPrint(
)
response = responseBytes.getComponentByName('response')
basicOCSPResponse, _ = decoder.decode(response,
asn1Spec=rfc2560.BasicOCSPResponse())
tbsResponseData = basicOCSPResponse.getComponentByName('tbsResponseData')
response0 = tbsResponseData.getComponentByName(
'responses').getComponentByPosition(0)
producedAt = datetime.datetime.strptime(
str(tbsResponseData.getComponentByName('producedAt')), '%Y%m%d%H%M%SZ')
certID = response0.getComponentByName('certID')
certStatus = response0.getComponentByName('certStatus').getName()
thisUpdate = datetime.datetime.strptime(
str(response0.getComponentByName('thisUpdate')), '%Y%m%d%H%M%SZ')
# let's assume that certID in response matches the certID sent in the request
# let's assume that response signed by trusted responder
print("[+] OCSP producedAt:", producedAt)
print("[+] OCSP thisUpdate:", thisUpdate)
print("[+] OCSP status:", certStatus)
def parse_ocsp_response(ocsp_resp):
# extracts from an OCSP response certID_serial, certStatus and thisUpdate
ocspResponse, _ = decoder.decode(ocsp_resp,
asn1Spec=rfc2560.OCSPResponse())
responseStatus = ocspResponse.getComponentByName('responseStatus')
assert responseStatus == rfc2560.OCSPResponseStatus(
'successful'), responseStatus.prettyPrint()
responseBytes = ocspResponse.getComponentByName('responseBytes')
responseType = responseBytes.getComponentByName('responseType')
assert responseType == rfc2560.id_pkix_ocsp_basic, responseType.prettyPrint(
)
response = responseBytes.getComponentByName('response')
basicOCSPResponse, _ = decoder.decode(response,
asn1Spec=rfc2560.BasicOCSPResponse())
tbsResponseData = basicOCSPResponse.getComponentByName('tbsResponseData')
response0 = tbsResponseData.getComponentByName(
'responses').getComponentByPosition(0)
# let's assume that the OCSP response has been signed by a trusted OCSP responder
certID = response0.getComponentByName('certID')
# let's assume that the issuer name and key hashes in certID are correct
certID_serial = certID[3]
certStatus = response0.getComponentByName('certStatus').getName()
thisUpdate = datetime.datetime.strptime(
str(response0.getComponentByName('thisUpdate')), '%Y%m%d%H%M%SZ')
return certID_serial, certStatus, thisUpdate
#!/usr/bin/python
#
# Read ASN.1/PEM OCSP response on stdin, parse into
# plain text, then build substrate from it
#
from pyasn1.codec.der import decoder, encoder
from pyasn1_modules import rfc2560, pem
import sys
if len(sys.argv) != 1:
print("""Usage:
$ cat ocsp-response.pem | %s""" % sys.argv[0])
sys.exit(-1)
ocspReq = rfc2560.OCSPResponse()
substrate = pem.readBase64FromFile(sys.stdin)
if not substrate:
sys.exit(0)
cr, rest = decoder.decode(substrate, asn1Spec=ocspReq)
print(cr.prettyPrint())
assert encoder.encode(cr, defMode=False) == substrate or \
encoder.encode(cr, defMode=True) == substrate, \
'OCSP request recode fails'
userCert, _ = decoder.decode(
pem.readPemBlocksFromFile(
sys.stdin, ('-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----')
)[1],
asn1Spec=rfc2459.Certificate()
)
# Build OCSP request
ocspReq = mkOcspRequest(issuerCert, userCert)
# Use HTTP POST to get response (see Appendix A of RFC 2560)
# In case you need proxies, set the http_proxy env variable
httpReq = urllib2.Request(
ocspUrl,
encoder.encode(ocspReq),
{'Content-Type': 'application/ocsp-request'}
)
httpRsp = urllib2.urlopen(httpReq).read()
# Process OCSP response
# noinspection PyRedeclaration
ocspRsp, _ = decoder.decode(httpRsp, asn1Spec=rfc2560.OCSPResponse())
producedAt, certId, certStatus, thisUpdate = parseOcspResponse(ocspRsp)
print('Certificate ID %s is %s at %s till %s\n' % (certId.getComponentByName('serialNumber'),
certStatus, producedAt, thisUpdate))
def setUp(self):
self.asn1Spec = rfc2560.OCSPResponse()
def Create(signer=None,
response_status=0,
response_type='1.3.6.1.5.5.7.48.1.1',
signature=None,
version=1,
responder=None,
responses=None,
extensions=None,
certs=None,
sigAlg='sha1'):
ocsp = rfc2560.OCSPResponse()
ocsp.setComponentByName('responseStatus', response_status)
if response_status != 0:
return ocsp
tbs = rfc2560.ResponseData()
if version != 1:
tbs.setComponentByName('version', version)
if not signer:
signer = CA
if not responder:
responder = GetName(signer)
tbs.setComponentByName('responderID', responder)
tbs.setComponentByName(
'producedAt',
useful.GeneralizedTime(PRODUCED_DATE.strftime('%Y%m%d%H%M%SZ')))
rlist = tbs.setComponentByName('responses').getComponentByName('responses')
if responses == None:
responses = [CreateSingleResponse(CERT, 0)]
if responses:
for i in range(len(responses)):
rlist.setComponentByPosition(i, responses[i])
if extensions:
elist = tbs.setComponentByName(
'responseExtensions').getComponentByName('responseExtensions')
for i in range(len(extensions)):
elist.setComponentByPosition(i, extensions[i])
sa = rfc2459.AlgorithmIdentifier()
sa.setComponentByName('algorithm', SigAlgOid(sigAlg))
# TODO(mattm): If pyasn1 gives an error
# "Component value is tag-incompatible: Null() vs Any()", try hacking
# pyasn1_modules/rfc2459.py's AlgorithmIdentifier to specify univ.Null as the
# type for 'parameters'. (Which is an ugly hack, but lets the script work.)
sa.setComponentByName('parameters', univ.Null())
basic = rfc2560.BasicOCSPResponse()
basic.setComponentByName('tbsResponseData', tbs)
basic.setComponentByName('signatureAlgorithm', sa)
if not signature:
signature = crypto.sign(signer[2], encoder.encode(tbs), sigAlg)
basic.setComponentByName(
'signature', univ.BitString("'%s'H" % (signature.encode('hex'))))
if certs:
cs = basic.setComponentByName('certs').getComponentByName('certs')
for i in range(len(certs)):
cs.setComponentByPosition(i, certs[i][0])
rbytes = ocsp.componentType.getTypeByPosition(1)
rbytes.setComponentByName('responseType',
univ.ObjectIdentifier(response_type))
rbytes.setComponentByName('response', encoder.encode(basic))
ocsp.setComponentByName('responseBytes', rbytes)
return ocsp
