author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2018-08-30 10:41:32 -0400 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2018-08-30 10:41:32 -0400 |
commit | 002fa75d6c57420ed1805e088e1d6ecbce880938 (patch) | |
tree | da85fb85fd2e9ba73b180611270948c47d5696c4 /src | |
parent | 2284eea98847bd42d3ddf7dead504baf3d544d98 (diff) | |
make an ocsp request (#4402)
* make an ocsp request
* update test, add docs
* make it an OCSPRequestBuilder
* review feedback and more tests
* make it a class
* empty commit to retrigger
* type check
Diffstat (limited to 'src')
-rw-r--r-- | src/_cffi_src/openssl/ocsp.py | 2 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 16 | ||||
-rw-r--r-- | src/cryptography/x509/ocsp.py | 30 |
3 files changed, 48 insertions, 0 deletions
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
index 1701f41c..61546027 100644
--- a/src/_cffi_src/openssl/ocsp.py
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -35,6 +35,8 @@ OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *, int);
 int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *);
 X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *, int);
 OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *);
+OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *, OCSP_CERTID *);
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *, const X509 *, const X509 *);
 OCSP_BASICRESP *OCSP_BASICRESP_new(void);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 6a0446bc..bdf8f370 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1430,6 +1430,22 @@ class Backend(object):
 request = self._ffi.gc(request, self._lib.OCSP_REQUEST_free)
 return _OCSPRequest(self, request)
+ def create_ocsp_request(self, builder):
+ ocsp_req = self._lib.OCSP_REQUEST_new()
+ self.openssl_assert(ocsp_req != self._ffi.NULL)
+ ocsp_req = self._ffi.gc(ocsp_req, self._lib.OCSP_REQUEST_free)
+ for cert, issuer, algorithm in builder._requests:
+ evp_md = self._lib.EVP_get_digestbyname(
+ algorithm.name.encode("ascii"))
+ self.openssl_assert(evp_md != self._ffi.NULL)
+ certid = self._lib.OCSP_cert_to_id(
+ evp_md, cert._x509, issuer._x509
+ )
+ self.openssl_assert(certid != self._ffi.NULL)
+ onereq = self._lib.OCSP_request_add0_id(ocsp_req, certid)
+ self.openssl_assert(onereq != self._ffi.NULL)
+ return _OCSPRequest(self, ocsp_req)
+
 def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
 return (
 self.elliptic_curve_supported(curve) and
diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
index 22894dde..0567197d 100644
--- a/src/cryptography/x509/ocsp.py
+++ b/src/cryptography/x509/ocsp.py
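Review bot: In the backend.py hunk, create_ocsp_request leaks the OCSP_CERTID when OCSP_request_add0_id fails: the certid returned by OCSP_cert_to_id gets no ffi.gc destructor, and under OpenSSL's add0 convention ownership passes to ocsp_req only on success, so the openssl_assert on a NULL onereq raises with certid still unfreed. The leak is confined to an internal-error path, but it is cheap to close by freeing before asserting, e.g. `if onereq == self._ffi.NULL: self._lib.OCSP_CERTID_free(certid)` placed just ahead of `self.openssl_assert(onereq != self._ffi.NULL)`, provided the binding declares OCSP_CERTID_free. The new method also has no docstring; a one-liner such as `"""Build an _OCSPRequest from builder._requests, one (cert, issuer, hash) triple per OCSP_ONEREQ."""` would record the only coupling to the builder's private attribute. The enclosing Backend class continues outside the hunk.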
@@ -9,6 +9,7 @@ import abc
 import six
 from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import Certificate
 _OIDS_TO_HASH = {
@@ -25,6 +26,35 @@ def load_der_ocsp_request(data):
 return backend.load_der_ocsp_request(data)
+class OCSPRequestBuilder(object):
+ def __init__(self, requests=[]):
+ self._requests = requests
+
+ def add_request(self, cert, issuer, algorithm):
+ allowed_hashes = (
+ hashes.SHA1, hashes.SHA224, hashes.SHA256,
+ hashes.SHA384, hashes.SHA512
+ )
+ if not isinstance(algorithm, allowed_hashes):
+ raise ValueError(
+ "Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512"
+ )
+ if (
+ not isinstance(cert, Certificate) or
+ not isinstance(issuer, Certificate)
+ ):
+ raise TypeError("cert and issuer must be a Certificate")
+
+ return OCSPRequestBuilder(self._requests + [(cert, issuer, algorithm)])
+
+ def build(self):
+ from cryptography.hazmat.backends.openssl.backend import backend
+ if len(self._requests) == 0:
+ raise ValueError("You must add a request before building")
+
+ return backend.create_ocsp_request(self)
+
+
 @six.add_metaclass(abc.ABCMeta)
 class OCSPRequest(object):
 @abc.abstractmethod |
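Review bot: `def __init__(self, requests=[])` in OCSPRequestBuilder relies on a mutable default argument; it is only safe because add_request never appends to self._requests but builds a fresh list with `self._requests + [...]`, and nothing records that invariant. Either switch to the usual `def __init__(self, requests=None):` with `self._requests = requests if requests is not None else []`, or keep the shared default and mark it with `# shared default is never mutated: add_request returns a new builder` so a later edit does not turn it into state shared across builders. The class also has no docstring; a short one should state that the builder is immutable (each add_request returns a new builder) and that cert and issuer are only type-checked — as far as the backend hunk shows they are handed straight to OCSP_cert_to_id with no check that issuer actually issued cert, so a mismatched pair would likely yield a request for an id no responder recognises. The `from cryptography.x509 import Certificate` import in this file's first hunk could be circular if cryptography/x509/__init__.py imports this module; worth confirming.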