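def _request_ocsp(cert, issuer, uri):
    """Fetch an OCSP response for ``cert`` from the responder at ``uri``.

    Args:
        cert: The certificate whose revocation status is being queried.
        issuer: The certificate that issued ``cert``; needed to build the
            OCSP CertID.
        uri: The OCSP responder URL the request is POSTed to.

    Returns:
        The parsed OCSP response object, or ``None`` when the HTTP request
        fails, the responder does not answer with HTTP 200, the OCSP
        response status is not SUCCESSFUL, or the response's serial number
        does not match the request's.

    Note:
        Only item 1 of the RFC 6960 section 3.2 acceptance checks (the
        response identifies the certificate we asked about) is performed
        here. Signature and responder-identity checks are not done by this
        function and must happen before the result is trusted.
    """
    # Reuse the module's request builder so the CertID hash algorithm and
    # builder usage stay consistent with every other OCSP request we make.
    ocsp_request = _build_ocsp_request(cert, issuer)
    try:
        # The media types follow RFC 6960 Appendix A. The fixed timeout
        # bounds how long an unreachable responder can stall the caller.
        response = _post(uri,
                         data=ocsp_request.public_bytes(_Encoding.DER),
                         headers={'Content-Type': 'application/ocsp-request'},
                         timeout=5)
    except _RequestException:
        _LOGGER.debug("HTTP request failed")
        return None
    if response.status_code != 200:
        _LOGGER.debug("HTTP request returned %d", response.status_code)
        return None
    ocsp_response = _load_der_ocsp_response(response.content)
    _LOGGER.debug("OCSP response status: %r", ocsp_response.response_status)
    if ocsp_response.response_status != _OCSPResponseStatus.SUCCESSFUL:
        return None
    # RFC6960, Section 3.2, Number 1. Only relevant if we need to
    # talk to the responder directly.
    # Accessing response.serial_number raises if response status is not
    # SUCCESSFUL, so the status check above must come first.
    if ocsp_response.serial_number != ocsp_request.serial_number:
        _LOGGER.debug("Response serial number does not match request")
        return None
    return ocsp_response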
def _public_key_hash(cert):
    """Return the OCSP ``KeyHash`` of ``cert``'s public key.

    Per RFC 2560 section 4.2.1, ``KeyHash`` is the SHA-1 hash of the
    responder's public key "excluding the tag and length fields", i.e. the
    raw key material rather than the full SubjectPublicKeyInfo. SHA-1 is
    mandated by the specification for this identifier and is used only for
    matching, not as a security primitive.
    See https://stackoverflow.com/a/46309453/600498 for the serialisation
    choices below.

    Args:
        cert: A certificate whose ``public_key()`` is hashed.

    Returns:
        The SHA-1 digest as ``bytes``.
    """
    key = cert.public_key()
    # Pick the serialisation that yields the bare key bits for the key type;
    # anything else falls back to the full SubjectPublicKeyInfo encoding.
    serialisations = (
        (_RSAPublicKey, _Encoding.DER, _PublicFormat.PKCS1),
        (_EllipticCurvePublicKey, _Encoding.X962,
         _PublicFormat.UncompressedPoint),
    )
    for key_type, encoding, key_format in serialisations:
        if isinstance(key, key_type):
            break
    else:
        encoding, key_format = _Encoding.DER, _PublicFormat.SubjectPublicKeyInfo
    raw_key = key.public_bytes(encoding, key_format)
    hasher = _Hash(_SHA1(), backend=_default_backend())
    hasher.update(raw_key)
    return hasher.finalize()
def _build_ocsp_request(cert, issuer):
    """Build an OCSP request asking about ``cert`` issued by ``issuer``.

    The CertID is hashed with SHA-1, the algorithm responders are required
    to support. See
    https://cryptography.io/en/latest/x509/ocsp/#creating-requests

    Args:
        cert: The certificate to query.
        issuer: The certificate that issued ``cert``.

    Returns:
        The built OCSP request object.
    """
    # The builder is immutable; add_certificate returns a new builder, so
    # the calls can be chained directly.
    return (_OCSPRequestBuilder()
            .add_certificate(cert, issuer, _SHA1())
            .build())