From 15d2a0ffde27f9563ca272d78629b7d23e99d685 Mon Sep 17 00:00:00 2001
From: James Kasten
Date: Wed, 21 Dec 2016 14:36:51 -0800
Subject: [PATCH] Import OCSP code from the historical cert_manager branch

(This is pde committing jdkasten's code)
---
 certbot/ocsp.py | 59 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 certbot/ocsp.py

diff --git a/certbot/ocsp.py b/certbot/ocsp.py
new file mode 100644
index 000000000..d7fc06e0d
--- /dev/null
+++ b/certbot/ocsp.py
@@ -0,0 +1,59 @@
+import logging
+
+from letsencrypt import errors
+from letsencrypt import le_util
+
+
+logger = logging.getLogger(__name__)
+
+
+REV_LABEL = "**Revoked**"
+EXP_LABEL = "**Expired**"
+
+def revoked_status(cert_path, chain_path):
+    """Get revoked status for a particular cert version.
+
+    .. todo:: Make this a non-blocking call
+
+    :param str cert_path: Path to certificate
+    :param str chain_path: Path to chain certificate
+
+    """
+    url, _ = le_util.run_script(
+        ["openssl", "x509", "-in", cert_path, "-noout", "-ocsp_uri"])
+
+    url = url.rstrip()
+    host = url.partition("://")[2].rstrip("/")
+    if not host:
+        raise errors.Error(
+            "Unable to get OCSP host from cert, url - %s", url)
+
+    # This was a PITA...
+    # Thanks to "Bulletproof SSL and TLS - Ivan Ristic" for helping me out
+    try:
+        output, _ = le_util.run_script(
+            ["openssl", "ocsp",
+             "-no_nonce", "-header", "Host", host,
+             "-issuer", chain_path,
+             "-cert", cert_path,
+             "-url", url,
+             "-CAfile", chain_path])
+    except errors.SubprocessError:
+        return "(OCSP Failure)"
+
+    return _translate_ocsp_query(cert_path, output)
+
+
+def _translate_ocsp_query(cert_path, ocsp_output):
+    """Returns a label string out of the query."""
+    if not "Response verify OK":
+        return "Revocation Unknown"
+    if cert_path + ": good" in ocsp_output:
+        return ""
+    elif cert_path + ": revoked" in ocsp_output:
+        return REV_LABEL
+    else:
+        raise errors.Error(
+            "Unable to properly parse OCSP output: %s", ocsp_output)
+
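Review bot: The signature check in `_translate_ocsp_query` never fires: `if not "Response verify OK":` tests a non-empty string literal, which is always truthy, so the "Revocation Unknown" branch is unreachable and an OCSP response that failed verification is still parsed for "good"/"revoked" as if it were trusted; it should read `if "Response verify OK" not in ocsp_output:`. The two `errors.Error("... %s", value)` calls in the same hunk pass the value as a second constructor argument rather than formatting it, so the message is never interpolated; use `errors.Error("Unable to get OCSP host from cert, url - %s" % url)` and likewise for the parse failure. The `host` derived by `url.partition("://")[2].rstrip("/")` appears to keep any path component of the responder URL, which would then be sent as the `Host` header value; if responder URLs with a path are expected, the host should be taken from the parsed URL's netloc instead. `EXP_LABEL` is defined but not used anywhere in this file.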