Import OCSP code from the historical cert_manager branch

(This is pde committing jdkasten's code)
2026-05-28 04:34:11 -04:00 · 2016-12-21 14:36:51 -08:00 · 2016-12-21 14:36:51 -08:00 · 15d2a0ffde
commit 15d2a0ffde
parent acc501d3a1
1 changed files with 59 additions and 0 deletions
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@ -0,0 +1,59 @@
+import logging
+
+from letsencrypt import errors
+from letsencrypt import le_util
+
+
+logger = logging.getLogger(__name__)
+
+
+REV_LABEL = "**Revoked**"
+EXP_LABEL = "**Expired**"
+
+def revoked_status(cert_path, chain_path):
+    """Get revoked status for a particular cert version.
+
+    .. todo:: Make this a non-blocking call
+
+    :param str cert_path: Path to certificate
+    :param str chain_path: Path to chain certificate
+
+    """
+    url, _ = le_util.run_script(
+        ["openssl", "x509", "-in", cert_path, "-noout", "-ocsp_uri"])
+
+    url = url.rstrip()
+    host = url.partition("://")[2].rstrip("/")
+    if not host:
+        raise errors.Error(
+            "Unable to get OCSP host from cert, url - %s", url)
+
+    # This was a PITA...
+    # Thanks to "Bulletproof SSL and TLS - Ivan Ristic" for helping me out
+    try:
+        output, _ = le_util.run_script(
+            ["openssl", "ocsp",
+            "-no_nonce", "-header", "Host", host,
+            "-issuer", chain_path,
+            "-cert", cert_path,
+            "-url", url,
+            "-CAfile", chain_path])
+    except errors.SubprocessError:
+        return "(OCSP Failure)"
+
+    return _translate_ocsp_query(cert_path, output)
+
+
+def _translate_ocsp_query(cert_path, ocsp_output):
+    """Returns a label string out of the query."""
+    if not "Response verify OK":
+        return "Revocation Unknown"
+    if cert_path + ": good" in ocsp_output:
+        return ""
+    elif cert_path + ": revoked" in ocsp_output:
+        return REV_LABEL
+    else:
+        raise errors.Error(
+            "Unable to properly parse OCSP output: %s", ocsp_output)
+
+