Skip to main content

RFC 6960 compliant OCSP Responder framework written in Python 3.5+.

Project description

Build status PyPI Version PyPI Downloads License Python Versions Stability Status

RFC 6960 compliant OCSP Responder framework written in Python 3.5+.

It is based on the ocspbuilder and asn1crypto libraries. The HTTP server is implemented using Bottle.

Current status: Alpha. Don’t use for production yet.

Features

Goals

  • Simple: Don’t overwhelm the user with a gazillion options.

  • Flexible: Configurable using Python code.

Supported extensions

  • Nonce (RFC 6960 Section 4.4.1)

Not (yet) implemented

  • Multiple certificates per request / response

Usage

Right now, ocspresponder assumes the usage of a custom keypair just for signing OCSP responses.

To be able to instantiate the OCSPResponder server, you need to provide this keypair as well as the certificate of the issueing CA.

ISSUER_CERT = 'path/to/issuer_cert.pem'
OCSP_CERT = 'path/to/responder_cert.pem'
OCSP_KEY = 'path/to/responder_key.pem'

Furthermore you need to provide two custom functions:

  • A function that – given a certificate serial – will return the appropriate CertificateStatus and - depending on the status - a revocation datetime.

  • A function that – given a certificate serial – will return the corresponding certificate as a string.

You’re expected to implement these functions yourself. In the future, drop-in libraries for typical use cases could be provided.

Example implementations:

from ocspresponder import OCSPResponder, CertificateStatus

def validate(serial: int) -> (CertificateStatus, Optional[datetime]):
    if certificate_is_valid(serial):
        return (CertificateStatus.good, None)
    elif certificate_is_expired(serial):
        expired_at = get_expiration_date(serial)
        return (CertificateStatus.revoked, expired_at)
    elif certificate_is_revoked(serial):
        revoked_at = get_revocation_date(serial)
        return (CertificateStatus.revoked, revoked_at)
    else:
        return (CertificateStatus.unknown, None)

def get_cert(serial: int) -> str:
    """
    Assume the certificates are stored in the ``certs`` directory with the
    serial as base filename.
    """
    with open('certs/%s.cert.pem' % serial, 'r') as f:
        return f.read().strip()

If an exception occurs in either of the two functions, an OCSP response with the response_status set to internal_error will be returned.

Now you can instantiate the OCSPResponder and launch the development server:

print('Initializing OCSP responder')
app = OCSPResponder(
    ISSUER_CERT, OCSP_CERT, OCSP_KEY,
    validate_func=validate,
    cert_retrieve_func=get_cert,
)
print('Starting OCSP responder')
app.serve(port=8080, debug=True)

Type hints

This library uses the optional type hints as defined in PEP484. The typing module is only provided in Python 3.5+, but older versions of Python could run the code as well if the typing module is installed from PyPI.

Testing

To run the test, install requirements-dev.txt using pip and run pytest:

py.test -v

Release process

Update version number in setup.py and CHANGELOG.md:

vim -p setup.py CHANGELOG.md

Do a commit and signed tag of the release:

export VERSION={VERSION}
git add setup.py CHANGELOG.md
git commit -m "Release v${VERSION}"
git tag -u C75D77C8 -m "Release v${VERSION}" v${VERSION}

Build source and binary distributions:

python3 setup.py sdist
python3 setup.py bdist_wheel

Sign files:

gpg --detach-sign -u C75D77C8 -a dist/ocspresponder-${VERSION}.tar.gz
gpg --detach-sign -u C75D77C8 -a dist/ocspresponder-${VERSION}-py3-none-any.whl

Register package on PyPI:

twine3 register -r pypi-threema dist/ocspresponder-${VERSION}.tar.gz

Upload package:

twine3 upload -r pypi-threema dist/ocspresponder-${VERSION}*
git push
git push --tags

License

Copyright 2016 Threema GmbH

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ocspresponder-0.5.0.tar.gz (5.8 kB view details)

Uploaded Source

Built Distribution

ocspresponder-0.5.0-py3-none-any.whl (9.3 kB view details)

Uploaded Python 3

File details

Details for the file ocspresponder-0.5.0.tar.gz.

File metadata

  • Download URL: ocspresponder-0.5.0.tar.gz
  • Upload date:
  • Size: 5.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for ocspresponder-0.5.0.tar.gz
Algorithm Hash digest
SHA256 b913e0a832368c26c3c5f292d673b9bca798f247a0a8ecbfe4dc8cfb78c492da
MD5 7caf9ce92a8eb249fb167ed3ed537a1a
BLAKE2b-256 6547208f5e94a36a15400b39728636b38e9296868e89b25e30758e3c19f30adc

See more details on using hashes here.

File details

Details for the file ocspresponder-0.5.0-py3-none-any.whl.

File metadata

File hashes

Hashes for ocspresponder-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 689950b51b771af968f9e9bab7301eab93227d01f43c6284643363980cebc8c0
MD5 edd085f37b0b4d8ca6f88f83d621693c
BLAKE2b-256 d1e85b029b94d7e9674e102d7b526ab1ea0d36e10fd1308af4091431bc4e65b0

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page