def ocsp_verify()

in lemur/certificates/verify.py [0:0]


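def ocsp_verify(cert, cert_path, issuer_chain_path):
    """
    Attempts to verify a certificate via OCSP. OCSP is a more modern version
    of CRL in that it will query the OCSP URI in order to determine if the
    certificate has been revoked.

    The OCSP URI is read out of the certificate with ``openssl x509
    -ocsp_uri`` and the responder is queried with ``openssl ocsp``. Both
    commands are invoked with an argument list (no shell), so the URI taken
    from the certificate is never shell-interpreted. The result is derived
    from substring matches on openssl's human-readable output, plus the
    exit status / stderr of ``openssl ocsp`` so that a response whose
    signature openssl could not verify is never reported as "good".

    :param cert: parsed certificate; only ``serial_number`` is used, for logging
    :param cert_path: path of the PEM certificate to check
    :param issuer_chain_path: path of the issuer chain handed to ``openssl ocsp -issuer``
    :return: True if the responder reported "good", False if it reported
             "revoked", None if the check could not be performed (no OCSP
             URI in the certificate, the URI extraction failed, or the
             responder answered "unauthorized", which is retriable)
    :raises Exception: on responder timeout, an error in the OCSP response,
                       a response openssl failed to verify, or an
                       unrecognised response
    """
    # Step 1: extract the OCSP URI. Argument-list form, no shell.
    extract = subprocess.run(
        ["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_path],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
    )
    if extract.returncode != 0:
        # A failed openssl invocation is not the same thing as "no OCSP URL";
        # keep the best-effort None result but say what actually happened.
        current_app.logger.warning(
            f"Could not read OCSP URL from certificate {cert.serial_number:02X}: "
            f"{extract.stderr.decode('utf-8', errors='replace').strip()}"
        )
        return None

    # openssl prints one URI per line when the certificate carries several;
    # query the first one. Decode here, once, so the log messages and the
    # command line see the same string.
    uris = [line.strip() for line in extract.stdout.decode("utf-8").splitlines() if line.strip()]
    url = uris[0] if uris else ""
    if not url:
        current_app.logger.debug(
            f"No OCSP URL in certificate {cert.serial_number}"
        )
        return None

    # Step 2: ask the responder. subprocess.run() kills the child itself when
    # the timeout expires and then re-raises, so no manual kill is needed.
    try:
        query = subprocess.run(
            ["openssl", "ocsp", "-issuer", issuer_chain_path, "-cert", cert_path, "-url", url],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=6,
        )
    except TimeoutExpired:
        raise Exception(f"OCSP lookup timed out: {url}, certificate serial number {cert.serial_number:02X}")

    p_message = query.stdout.decode("utf-8")
    p_err = query.stderr.decode("utf-8", errors="replace")

    if "unauthorized" in p_message:
        # indicates the OCSP server does not know this certificate. this is a retriable error.
        metrics.send("check_revocation_ocsp_verify", "counter", 1, metric_tags={"status": "unauthorized", "url": url})
        current_app.logger.warning(f"OCSP unauthorized error: {url}, "
                                   f"certificate serial number {cert.serial_number:02X}. Response: {p_message}")
        return None

    elif "error" in p_message or "Error" in p_message:
        metrics.send("check_revocation_ocsp_verify", "counter", 1, metric_tags={"status": "error", "url": url})
        raise Exception(f"Got error when parsing response from OCSP url: {url}, certificate serial number "
                        f"{cert.serial_number:02X}. Response: {p_message}")

    elif query.returncode != 0 or "Response Verify Failure" in p_err:
        # openssl ocsp still prints the status summary ("<path>: good") on
        # stdout after it fails to verify the responder's signature; the
        # failure itself goes to stderr and the exit status is non-zero (at
        # least in the openssl releases this was checked against). Looking at
        # stdout alone would accept an unverified response as "good".
        metrics.send("check_revocation_ocsp_verify", "counter", 1, metric_tags={"status": "error", "url": url})
        raise Exception(f"OCSP response could not be verified, url: {url}, certificate serial number "
                        f"{cert.serial_number:02X}. Response: {p_message}. Error output: {p_err}")

    elif "revoked" in p_message:
        current_app.logger.debug(
            f"OCSP reports certificate revoked, serial number: {cert.serial_number:02X}"
        )
        return False

    elif "good" not in p_message:
        raise Exception(f"Did not receive a valid OCSP response from url: {url}, "
                        f"certificate serial number {cert.serial_number:02X}")

    return True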