(issuer: Certificate, response: OCSPResponse)
| 254 | |
| 255 | |
| 256 | def _verify_response(issuer: Certificate, response: OCSPResponse) -> int: |
| 257 | _LOGGER.debug("Verifying response") |
| 258 | # RFC6960, Section 3.2, Number 2, 3 and 4 happen here. |
| 259 | res = _verify_response_signature(issuer, response) |
| 260 | if not res: |
| 261 | return 0 |
| 262 | |
| 263 | # Note that we are not using a "tolerance period" as discussed in |
| 264 | # https://tools.ietf.org/rfc/rfc5019.txt? |
| 265 | this_update = _this_update(response) |
| 266 | now = _datetime.now(tz=timezone.utc) |
| 267 | if this_update and this_update.tzinfo is None: |
| 268 | # Make naive to match cryptography. |
| 269 | now = now.replace(tzinfo=None) |
| 270 | # RFC6960, Section 3.2, Number 5 |
| 271 | if this_update and this_update > now: |
| 272 | _LOGGER.debug("thisUpdate is in the future") |
| 273 | return 0 |
| 274 | # RFC6960, Section 3.2, Number 6 |
| 275 | next_update = _next_update(response) |
| 276 | if next_update and next_update < now: |
| 277 | _LOGGER.debug("nextUpdate is in the past") |
| 278 | return 0 |
| 279 | return 1 |
| 280 | |
| 281 | |
| 282 | def _get_ocsp_response( |
no test coverage detected