def validate_revocation_certificate_chain(chain, error_messages): # a failed try to use ocsp validation for i in range(1, len(chain)): subject = chain[i - 1] issuer = chain[i] builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(subject, issuer, SHA1()) req = builder.build() data = req.public_bytes(serialization.Encoding.DER) for e in subject.extensions: if isinstance(e.value, AuthorityInformationAccess): url = e.value._descriptions[0].access_location.value print(url) headers = {"Content-Type": "application/ocsp-request"} r = requests.post(url, data=data, headers=headers) ocsp_resp = ocsp.load_der_ocsp_response(r.content) print(ocsp_resp.certificate_status) if ocsp_resp.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL: if ocsp_resp.certificate_status == ocsp.OCSPCertStatus.UNKNOWN: status = validate_revocation_certificate_chain_crl( [subject, issuer], error_messages) if not status: return False elif ocsp_resp.certificate_status == ocsp.OCSPCertStatus.REVOKED: error_messages.append( "One of the certificates is revoked") return False else: return False return True
def extract_ocsp_result(ocsp_response): """Extract the OCSP result from the provided ocsp_response""" func_name: str = "extract_ocsp_result" try: ocsp_response = ocsp.load_der_ocsp_response(ocsp_response.content) # OCSP Response Status here: # https://cryptography.io/en/latest/_modules/cryptography/x509/ocsp/#OCSPResponseStatus # A status of 0 == OCSPResponseStatus.SUCCESSFUL if str(ocsp_response.response_status.value) != "0": # This will return one of five errors, which means connecting # to the OCSP Responder failed for one of the below reasons: # MALFORMED_REQUEST = 1 # INTERNAL_ERROR = 2 # TRY_LATER = 3 # SIG_REQUIRED = 5 # UNAUTHORIZED = 6 ocsp_response = str(ocsp_response.response_status) ocsp_response = ocsp_response.split(".") raise Exception( f"{func_name}: OCSP Request Error: {ocsp_response[1]}") certificate_status = str(ocsp_response.certificate_status) certificate_status = certificate_status.split(".") return f"OCSP Status: {certificate_status[1]}" except ValueError as err: return f"{func_name}: {str(err)}"
def check_certificate(self, server, cert, issuer_url): """Checks the validitity of an ocsp server for an issuer""" r = requests.get(issuer_url) if not r.ok: raise ConnectionError("failed to fetch issuer certificate") der = r.content issuer_cert = self._bin2ascii(der) ocsp_url = self.build_certificate_url(server, cert, issuer_cert) # HTTP 1.1 mandates the addition of the Host header in ocsp responses header = { "Host": urlparse(ocsp_url).netloc, "Content-Type": "application/ocsp-request", } r = requests.get(ocsp_url, headers=header) if not r.ok: raise ConnectionError("failed to fetch ocsp certificate") ocsp_response = ocsp.load_der_ocsp_response(r.content) if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED: raise AuthorizationError( "you are not authorized to view this ocsp certificate") if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL: if ocsp_response.certificate_status == ocsp.OCSPCertStatus.REVOKED: return False else: return True else: return False
def test_serialize_reponse(self): resp_bytes = load_vectors_from_file(filename=os.path.join( "x509", "ocsp", "resp-revoked.der"), loader=lambda data: data.read(), mode="rb") resp = ocsp.load_der_ocsp_response(resp_bytes) assert resp.public_bytes(serialization.Encoding.DER) == resp_bytes
def test_serialize_reponse(self): resp_bytes = load_vectors_from_file( filename=os.path.join("x509", "ocsp", "resp-revoked.der"), loader=lambda data: data.read(), mode="rb" ) resp = ocsp.load_der_ocsp_response(resp_bytes) assert resp.public_bytes(serialization.Encoding.DER) == resp_bytes
def _check_ocsp_cryptography(cert_path: str, chain_path: str, url: str, timeout: int) -> bool: # Retrieve OCSP response with open(chain_path, 'rb') as file_handler: issuer = x509.load_pem_x509_certificate(file_handler.read(), default_backend()) with open(cert_path, 'rb') as file_handler: cert = x509.load_pem_x509_certificate(file_handler.read(), default_backend()) builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(cert, issuer, hashes.SHA1()) request = builder.build() request_binary = request.public_bytes(serialization.Encoding.DER) try: response = requests.post( url, data=request_binary, headers={'Content-Type': 'application/ocsp-request'}, timeout=timeout) except requests.exceptions.RequestException: logger.info("OCSP check failed for %s (are we offline?)", cert_path, exc_info=True) return False if response.status_code != 200: logger.info("OCSP check failed for %s (HTTP status: %d)", cert_path, response.status_code) return False response_ocsp = ocsp.load_der_ocsp_response(response.content) # Check OCSP response validity if response_ocsp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL: logger.warning("Invalid OCSP response status for %s: %s", cert_path, response_ocsp.response_status) return False # Check OCSP signature try: _check_ocsp_response(response_ocsp, request, issuer, cert_path) except UnsupportedAlgorithm as e: logger.warning(str(e)) except errors.Error as e: logger.warning(str(e)) except InvalidSignature: logger.warning('Invalid signature on OCSP response for %s', cert_path) except AssertionError as error: logger.warning('Invalid OCSP response for %s: %s.', cert_path, str(error)) else: # Check OCSP certificate status logger.debug("OCSP certificate status for %s is: %s", cert_path, response_ocsp.certificate_status) return response_ocsp.certificate_status == ocsp.OCSPCertStatus.REVOKED return False
def _check_certificate(issuer_cert, ocsp_bytes, validate=True): """A wrapper the return the validity of a known ocsp certificate""" ocsp_response = ocsp.load_der_ocsp_response(ocsp_bytes) if ocsp_response.response_status == ocsp.OCSPResponseStatus.UNAUTHORIZED: raise AuthorizationError( "you are not authorized to view this ocsp certificate") if ocsp_response.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL: if ocsp_response.certificate_status != ocsp.OCSPCertStatus.GOOD: raise ConnectionError( f'Received an {str(ocsp_response.certificate_status).split(".")[1]} ' "ocsp certificate status") else: raise ConnectionError( "failed to retrieve a sucessful response from the ocsp responder") if ocsp_response.this_update >= datetime.datetime.now(): raise ConnectionError("ocsp certificate was issued in the future") if (ocsp_response.next_update and ocsp_response.next_update < datetime.datetime.now()): raise ConnectionError( "ocsp certificate has invalid update - in the past") responder_name = ocsp_response.responder_name issuer_hash = ocsp_response.issuer_key_hash responder_hash = ocsp_response.responder_key_hash cert_to_validate = issuer_cert if (responder_name is not None and responder_name == issuer_cert.subject or responder_hash == issuer_hash): cert_to_validate = issuer_cert else: certs = ocsp_response.certificates responder_certs = _get_certificates(certs, issuer_cert, responder_name, responder_hash) try: responder_cert = responder_certs[0] except IndexError: raise ConnectionError("no certificates found for the responder") ext = responder_cert.extensions.get_extension_for_class( x509.ExtendedKeyUsage) if ext is None or x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING not in ext.value: raise ConnectionError("delegate not autorized for ocsp signing") cert_to_validate = responder_cert if validate: _verify_response(cert_to_validate, ocsp_response) return True
def is_ocsp_valid(cert, issuer, hash_algo): if hash_algo == 'sha1': algorithm = hashes.SHA1 elif hash_algo == 'sha224': algorithm = hashes.SHA224 elif hash_algo == 'sha256': algorithm = hashes.SHA256 elif hash_algo == 'sha385': algorithm = hashes.SHA384 elif hash_algo == 'sha512': algorithm = hashes.SHA512 else: log("Invalid hash algorithm '{}' used for OCSP validation. Validation ignored." .format(hash_algo), warning=True) return True if isinstance(issuer, list): issuer = issuer[ 0] # First certificate in the CA chain is the immediate issuer try: ocsp_urls = [] aia = cert.extensions.get_extension_for_oid( ExtensionOID.AUTHORITY_INFORMATION_ACCESS) for data in aia.value: if data.access_method == x509.OID_OCSP: ocsp_urls.append(data.access_location.value) # This is a bit of a hack due to validation problems within cryptography (TODO: Check if this is still true) # Correct replacement: ocsprequest = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, algorithm).build() ocsprequest = ocsp.OCSPRequestBuilder( (cert, issuer, algorithm)).build() ocsprequestdata = ocsprequest.public_bytes(serialization.Encoding.DER) for ocsp_url in ocsp_urls: response = get_url( ocsp_url, ocsprequestdata, { 'Accept': 'application/ocsp-response', 'Content-Type': 'application/ocsp-request', }) ocspresponsedata = response.read() ocspresponse = ocsp.load_der_ocsp_response(ocspresponsedata) if ocspresponse.response_status == ocsp.OCSPResponseStatus.SUCCESSFUL \ and ocspresponse.certificate_status == ocsp.OCSPCertStatus.REVOKED: return False except Exception as e: log("An exception occurred during OCSP validation (Validation will be ignored): {}" .format(e), error=True) return True
def validate_revogation_status(cert): # check certificate revogation list # TODO: add more types of dist points print(cert.extensions) try: for j in cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value: if j.access_method.dotted_string == "1.3.6.1.5.5.7.48.1": rev_list=None #Downloading list print(j.access_location.value) file_name=wget.download(j.access_location.value) #Load ocsp response with open(file_name, "rb") as pem_file: pem_data = pem_file.read() ocsp_resp = ocsp.load_der_ocsp_response(pem_data) print(ocsp_resp.response_status) except: print("OCSP not available.") try: for i in cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value: for b in i.full_name: file_name=b.value.split('/')[-1] rev_list=None #Downloading list print(wget.download(b.value)) #read revocation list try: rev_list=load_cert_revocation_list(file_name,"pem") except: print("Not pem.") try: rev_list=load_cert_revocation_list(file_name,"der") except: print("Not der.") print(rev_list) if rev_list is None: return False return cert.serial_number in [l.serial_number for l in rev_list] except: print("CRL not available.") return False
def validate_chain(cert_to_check,issuer_cert): cert_to_check_signature=cert_to_check.signature issuer_public_key=issuer_cert.public_key() # TODO check if host has the same name I think builder = ocsp.OCSPRequestBuilder() # SHA1 is in this example because RFC 5019 mandates its use. builder = builder.add_certificate(cert_to_check, issuer_cert, SHA1()) req = builder.build() for j in cert_to_check.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value: if j.access_method.dotted_string == "1.3.6.1.5.5.7.48.1": rev_list=None #Downloading list der=req.public_bytes(serialization.Encoding.DER) ocsp_link=j.access_location.value r=requests.post(ocsp_link,data=der) ocsp_resp = ocsp.load_der_ocsp_response(r.content) print(ocsp_resp.certificate_status) print(cert_to_check.extensions.get_extension_for_class(x509.KeyUsage).value) if (get_issuer_common_name(cert_to_check)!=get_common_name(issuer_cert)): print(get_issuer_common_name(cert_to_check)) print(get_common_name(issuer_cert)) return False try: issuer_public_key.verify(cert_to_check_signature,cert_to_check.tbs_certificate_bytes,padding.PKCS1v15(),cert_to_check.signature_hash_algorithm) except: print("Failed to verify signature.") return False return True
def get_ocsp_cert_status(ocsp_responder, cert, issuer_cert): encoded_req = get_oscp_request(cert, issuer_cert).public_bytes( serialization.Encoding.DER) ocsp_resp = requests.post(ocsp_responder, data=encoded_req) if ocsp_resp.ok: ocsp_decoded = ocsp.load_der_ocsp_response(ocsp_resp.content) if ocsp_decoded.response_status == OCSPResponseStatus.SUCCESSFUL: return ocsp_decoded.certificate_status else: raise Exception( f'Decoding ocsp response failed: {ocsp_decoded.response_status}' ) raise Exception( f'Fetching ocsp cert status failed with response status: {ocsp_resp.status_code}' )
def _check_ocsp_cryptography(cert_path, chain_path, url): # type: (str, str, str) -> bool # Retrieve OCSP response with open(chain_path, 'rb') as file_handler: issuer = x509.load_pem_x509_certificate(file_handler.read(), default_backend()) with open(cert_path, 'rb') as file_handler: cert = x509.load_pem_x509_certificate(file_handler.read(), default_backend()) builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(cert, issuer, hashes.SHA1()) request = builder.build() request_binary = request.public_bytes(serialization.Encoding.DER) try: response = requests.post(url, data=request_binary, headers={'Content-Type': 'application/ocsp-request'}) except requests.exceptions.RequestException: logger.info("OCSP check failed for %s (are we offline?)", cert_path, exc_info=True) return False if response.status_code != 200: logger.info("OCSP check failed for %s (HTTP status: %d)", cert_path, response.status_code) return False response_ocsp = ocsp.load_der_ocsp_response(response.content) # Check OCSP response validity if response_ocsp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL: logger.error("Invalid OCSP response status for %s: %s", cert_path, response_ocsp.response_status) return False # Check OCSP signature try: _check_ocsp_response(response_ocsp, request, issuer) except UnsupportedAlgorithm as e: logger.error(str(e)) except errors.Error as e: logger.error(str(e)) except InvalidSignature: logger.error('Invalid signature on OCSP response for %s', cert_path) except AssertionError as error: logger.error('Invalid OCSP response for %s: %s.', cert_path, str(error)) else: # Check OCSP certificate status logger.debug("OCSP certificate status for %s is: %s", cert_path, response_ocsp.certificate_status) return response_ocsp.certificate_status == ocsp.OCSPCertStatus.REVOKED return False
def callback(conn, encoded_ocsp, data): ocsp_resp = load_der_ocsp_response(encoded_ocsp) return ocsp_resp.response_status == OCSPResponseStatus.SUCCESSFUL and ocsp_resp.certificate_status == OCSPCertStatus.GOOD
def validate_revocation(cert, issuer): """ Function used to check if a given certificate (or it's issuer) is revoked. :return: True, if it's revoked. False, otherwise. """ try: builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(cert, issuer, SHA1()) req = builder.build() for ext in cert.extensions.get_extension_for_class( x509.AuthorityInformationAccess ).value: if ext.access_method.dotted_string == "1.3.6.1.5.5.7.48.1": data = req.public_bytes(serialization.Encoding.DER) ocsp_url = ext.access_location.value request = requests.post( ocsp_url, headers={"Content-Type": "application/ocsp-request"}, data=data, ) ocsp_resp = ocsp.load_der_ocsp_response(request.content) logger.warning(f"OCSP CERT STATUS: {ocsp_resp.certificate_status}") if ( ocsp_resp.certificate_status == ocsp.OCSPCertStatus.GOOD or get_common_name(cert) == "ECRaizEstado" ): return False else: return True except: logger.debug("OCSP is not available for this certificate!") try: for ext in cert.extensions.get_extension_for_class( x509.CRLDistributionPoints ).value: for name in ext.full_name: file_name = wget.download(name.value) revocation_list = load_certificate_crl(file_name) if revocation_list is None: return False cert_is_revoked = cert.serial_number in [ l.serial_number for l in revocation_list ] try: for ext in cert.extensions.get_extension_for_class(x509.FreshestCRL).value: for name in ext.full_name: file_name = wget.download(name.value) revocation_list = load_certificate_crl(file_name) if revocation_list is None: return False cert_is_revoked = cert.serial_number in [ l.serial_number for l in revocation_list ] except: logger.debug("DELTA CRL is not available for this certificate!") for ext in issuer.extensions.get_extension_for_class( x509.CRLDistributionPoints ).value: for name in ext.full_name: file_name = wget.download(name.value) revocation_list = load_certificate_crl(file_name) if revocation_list is None: return False isser_is_revoked = issuer.serial_number in [ l.serial_number for l in revocation_list ] try: for ext in issuer.extensions.get_extension_for_class( x509.FreshestCRL ).value: for name in ext.full_name: file_name = wget.download(name.value) revocation_list = load_certificate_crl(file_name) if revocation_list is None: return False isser_is_revoked = issuer.serial_number in [ l.serial_number for l in revocation_list ] except: logger.debug("DELTA CRL is not available for this certificate!") return cert_is_revoked or isser_is_revoked except: logger.debug("CRL is not available for this certificate!") return True
#!/bin/python3 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.hashes import SHA1 from cryptography.x509 import load_pem_x509_certificate, ocsp import base64 #OCSP cert1 = open("pubkey.crt", "r") authority1 = open("pubkey.crt", "r") cert = cert1.read().encode() authority = authority1.read().encode() certloader = load_pem_x509_certificate(cert, default_backend()) authorityloader = load_pem_x509_certificate(authority, default_backend()) builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(certloader, authorityloader, SHA1()) prereq = builder.build() request = base64.b64encode(prereq.public_bytes(serialization.Encoding.DER)) #Load the request: ocsp_req = ocsp.load_der_ocsp_request(request) #E.g. show serial print(ocsp_req.serial_number) #Response ocsp_resp = ocsp.load_der_ocsp_response(request)
def test_bad_response(self): with pytest.raises(ValueError): ocsp.load_der_ocsp_response(b"invalid")
def perform(self) -> CertificateDeploymentAnalysisResult: received_certificate_chain = [ load_pem_x509_certificate(pem_cert.encode("ascii"), backend=default_backend()) for pem_cert in self.server_certificate_chain_as_pem ] leaf_cert = received_certificate_chain[0] # OCSP Must-Staple has_ocsp_must_staple = False try: tls_feature_ext = cast( cryptography.x509.TLSFeature, leaf_cert.extensions.get_extension_for_oid( ExtensionOID.TLS_FEATURE)) for feature_type in tls_feature_ext.value: if feature_type == cryptography.x509.TLSFeatureType.status_request: has_ocsp_must_staple = True break except ExtensionNotFound: pass # Received chain order is_chain_order_valid = True previous_issuer = None for index, cert in enumerate(received_certificate_chain): current_subject = cert.subject if index > 0: # Compare the current subject with the previous issuer in the chain if current_subject != previous_issuer: is_chain_order_valid = False break try: previous_issuer = cert.issuer except KeyError: # Missing issuer; this is okay if this is the last cert previous_issuer = None # Check if the leaf certificate is Extended Validation is_leaf_certificate_ev = False for trust_store in self.trust_stores_for_validation: if trust_store.ev_oids is None: # We only have the EV OIDs for Mozilla - skip other stores continue is_leaf_certificate_ev = trust_store.is_certificate_extended_validation( leaf_cert) # Check for Signed Timestamps number_of_scts: Optional[int] = 0 try: # Look for the x509 extension sct_ext = leaf_cert.extensions.get_extension_for_oid( ExtensionOID.PRECERT_SIGNED_CERTIFICATE_TIMESTAMPS) if isinstance(sct_ext.value, cryptography.x509.UnrecognizedExtension): # The version of OpenSSL on the system is too old and can't parse the SCT extension number_of_scts = None # Count the number of entries in the extension sct_ext_value = cast( cryptography.x509.PrecertificateSignedCertificateTimestamps, sct_ext.value) number_of_scts = len(sct_ext_value) except ExtensionNotFound: pass # Try to generate the verified certificate chain using each trust store all_path_validation_results = [] for trust_store in self.trust_stores_for_validation: path_validation_result = _verify_certificate_chain( self.server_certificate_chain_as_pem, trust_store) all_path_validation_results.append(path_validation_result) # Keep one trust store that was able to build the verified chain to then run additional checks trust_store_that_can_build_verified_chain = None verified_certificate_chain = None # But first tort the path validation results so the same trust_store always get picked for a given server def sort_function(path_validation: PathValidationResult) -> str: return path_validation.trust_store.name.lower() all_path_validation_results.sort(key=sort_function) # Then keep a trust store with a verified chain for path_validation_result in all_path_validation_results: if path_validation_result.was_validation_successful: trust_store_that_can_build_verified_chain = path_validation_result.trust_store verified_certificate_chain = path_validation_result.verified_certificate_chain break # Check if the anchor was sent by the server has_anchor_in_certificate_chain = None if verified_certificate_chain: has_anchor_in_certificate_chain = verified_certificate_chain[ -1] in received_certificate_chain # Check if a SHA1-signed certificate is in the chain # Root certificates can still be signed with SHA1 so we only check leaf and intermediate certificates has_sha1_in_certificate_chain = None if verified_certificate_chain: has_sha1_in_certificate_chain = False for cert in verified_certificate_chain[:-1]: if isinstance(cert.signature_hash_algorithm, hashes.SHA1): has_sha1_in_certificate_chain = True break # Check if this is a distrusted Symantec-issued chain verified_chain_has_legacy_symantec_anchor = None if verified_certificate_chain: symantec_distrust_timeline = SymantecDistructTester.get_distrust_timeline( verified_certificate_chain) verified_chain_has_legacy_symantec_anchor = True if symantec_distrust_timeline else False # Check the OCSP response if there is one is_ocsp_response_trusted = None final_ocsp_response = None if self.server_ocsp_response: # Parse the OCSP response returned by nassl final_ocsp_response = load_der_ocsp_response( self.server_ocsp_response.as_der_bytes()) # Check if the OCSP response is trusted if (trust_store_that_can_build_verified_chain and final_ocsp_response.response_status == OCSPResponseStatus.SUCCESSFUL): try: nassl.ocsp_response.verify_ocsp_response( self.server_ocsp_response, trust_store_that_can_build_verified_chain.path) is_ocsp_response_trusted = True except nassl.ocsp_response.OcspResponseNotTrustedError: is_ocsp_response_trusted = False # All done return CertificateDeploymentAnalysisResult( received_certificate_chain=received_certificate_chain, leaf_certificate_subject_matches_hostname= _certificate_matches_hostname(leaf_cert, self.server_hostname), leaf_certificate_has_must_staple_extension=has_ocsp_must_staple, leaf_certificate_is_ev=is_leaf_certificate_ev, leaf_certificate_signed_certificate_timestamps_count=number_of_scts, received_chain_contains_anchor_certificate= has_anchor_in_certificate_chain, received_chain_has_valid_order=is_chain_order_valid, verified_chain_has_sha1_signature=has_sha1_in_certificate_chain, verified_chain_has_legacy_symantec_anchor= verified_chain_has_legacy_symantec_anchor, path_validation_results=all_path_validation_results, ocsp_response=final_ocsp_response, ocsp_response_is_trusted=is_ocsp_response_trusted, )
def _deepcopy_method_for_ocsp_response(inner_self: _OCSPResponse, memo: str) -> _OCSPResponse: return load_der_ocsp_response(inner_self.public_bytes(Encoding.DER))
def test_bad_response(self): with pytest.raises(ValueError): ocsp.load_der_ocsp_response(b"invalid")
def validate_revocation(self, cert_to_check, issuer_cert): try: builder = ocsp.OCSPRequestBuilder() builder = builder.add_certificate(cert_to_check, issuer_cert, SHA1()) req = builder.build() for j in cert_to_check.extensions.get_extension_for_class( x509.AuthorityInformationAccess).value: if j.access_method.dotted_string == "1.3.6.1.5.5.7.48.1": rev_list = None #Downloading list der = req.public_bytes(serialization.Encoding.DER) ocsp_link = j.access_location.value r = requests.post( ocsp_link, headers={'Content-Type': 'application/ocsp-request'}, data=der) ocsp_resp = ocsp.load_der_ocsp_response(r.content) if ocsp_resp.certificate_status == ocsp.OCSPCertStatus.GOOD: return False else: return True except Exception as e: logger.debug("OCSP not available") try: for i in cert_to_check.extensions.get_extension_for_class( x509.CRLDistributionPoints).value: for b in i.full_name: rev_list = None #Downloading list file_name = wget.download(b.value) print() #read revocation list try: rev_list = self.load_cert_revocation_list( file_name, "pem") except Exception as e: logger.debug(e) try: rev_list = self.load_cert_revocation_list( file_name, "der") except: logger.debug("Not der.") if rev_list is None: return False flag = cert_to_check.serial_number in [ l.serial_number for l in rev_list ] try: for i in cert_to_check.extensions.get_extension_for_class( x509.FreshestCRL).value: for b in i.full_name: rev_list = None #Downloading list file_name = wget.download(b.value) #read revocation list try: rev_list = self.load_cert_revocation_list( file_name, "pem") except Exception as e: logger.debug(e) try: rev_list = self.load_cert_revocation_list( file_name, "der") except: logger.debug("Not der.") if rev_list is None: return False flag = cert_to_check.serial_number in [ l.serial_number for l in rev_list ] except: logger.debug("DELTA CRL not available.") for i in issuer_cert.extensions.get_extension_for_class( x509.CRLDistributionPoints).value: for b in i.full_name: rev_list = None #Downloading list file_name = wget.download(b.value) print() #read revocation list try: rev_list = self.load_cert_revocation_list( file_name, "pem") except Exception as e: logger.debug(e) try: rev_list = self.load_cert_revocation_list( file_name, "der") except: logger.debug("Not der.") if rev_list is None: return False flag1 = issuer_cert.serial_number in [ l.serial_number for l in rev_list ] return flag1 or flag try: for i in issuer_cert.extensions.get_extension_for_class( x509.FreshestCRL).value: for b in i.full_name: rev_list = None #Downloading list file_name = wget.download(b.value) #read revocation list try: rev_list = self.load_cert_revocation_list( file_name, "pem") except Exception as e: logger.debug(e) try: rev_list = self.load_cert_revocation_list( file_name, "der") except: logger.debug("Not der.") if rev_list is None: return False flag1 = issuer_cert.serial_number in [ l.serial_number for l in rev_list ] except: logger.debug("DELTA CRL not available.") return flag1 or flag except Exception as e: logger.debug("CRL not available") return True