{"id":4659,"library":"ocspbuilder","title":"OCSP Builder (ocspbuilder)","description":"ocspbuilder is a Python library designed to simplify the creation and signing of Online Certificate Status Protocol (OCSP) requests and responses for X.509 certificates. It acts as a higher-level abstraction over the `cryptography` library, focusing on the builder pattern for OCSP structures. The current stable version is 0.10.2. While not updated frequently, it provides stable functionality for OCSP operations.","status":"active","version":"0.10.2","language":"en","source_language":"en","source_url":"https://github.com/wbond/ocspbuilder","tags":["security","cryptography","x509","ocsp","certificate","pki"],"install":[{"cmd":"pip install ocspbuilder","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Core cryptographic operations for X.509 certificates, keys, and OCSP structures.","package":"cryptography"}],"imports":[{"symbol":"OCSPRequestBuilder","correct":"from ocspbuilder import OCSPRequestBuilder"},{"symbol":"OCSPResponseBuilder","correct":"from ocspbuilder import OCSPResponseBuilder"},{"note":"Common OCSP extensions are available in the `ocspbuilder.extension` module.","symbol":"Nonce","correct":"from ocspbuilder.extension import Nonce"}],"quickstart":{"code":"import datetime\nfrom cryptography import x509\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives import hashes, serialization\nfrom cryptography.hazmat.primitives.asymmetric import rsa\n\nfrom ocspbuilder import OCSPRequestBuilder, OCSPResponseBuilder\nfrom ocspbuilder.extension import Nonce\n\n# --- 1. Generate dummy certificates for a runnable example ---\n# In a real scenario, you would load these from files/database.\n\n# CA Key and Cert\nca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())\nca_subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, u\"OCSP Test CA\")])\nca_cert = (\n    x509.CertificateBuilder()\n    .subject_name(ca_subject)\n    .issuer_name(ca_subject)\n    .public_key(ca_key.public_key())\n    .serial_number(x509.random_serial_number())\n    .not_valid_before(datetime.datetime.utcnow())\n    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))\n    .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)\n    .sign(ca_key, hashes.SHA256(), default_backend())\n)\n\n# Issued Cert Key and Cert (signed by CA)\nissued_key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())\nissued_subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, u\"OCSP Test Cert\")])\nissued_cert = (\n    x509.CertificateBuilder()\n    .subject_name(issued_subject)\n    .issuer_name(ca_subject) # Signed by CA\n    .public_key(issued_key.public_key())\n    .serial_number(x509.random_serial_number())\n    .not_valid_before(datetime.datetime.utcnow())\n    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365))\n    .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)\n    .sign(ca_key, hashes.SHA256(), default_backend())\n)\n\n# --- 2. Build an OCSP Request ---\nrequest_builder = OCSPRequestBuilder()\nrequest_builder = request_builder.add_cert(issued_cert, ca_cert) # Cert to check, and its issuer\nrequest_builder = request_builder.add_extension(Nonce.build()) # Add a common extension\n\nocsp_request = request_builder.build()\n\nprint(\"OCSP Request built successfully.\")\nprint(f\"Request bytes length: {len(ocsp_request.public_bytes(encoding=serialization.Encoding.DER))}\")\n\n# --- 3. Build an OCSP Response (e.g., 'good' status) ---\n# The OCSP responder needs its own certificate and private key to sign the response.\n# For this example, we'll reuse the CA's key/cert as the responder.\n# In a production environment, this would be a dedicated responder cert.\n\nocsp_responder_key = ca_key\nocsp_responder_cert = ca_cert\n\nresponse_builder = OCSPResponseBuilder(ocsp_request) # Initialize with the received request\nresponse_builder = response_builder.add_response(\n    cert=issued_cert,\n    issuer=ca_cert,\n    cert_status=x509.ocsp.OCSPCertStatus.GOOD, # Example status\n    this_update=datetime.datetime.utcnow(),\n    next_update=datetime.datetime.utcnow() + datetime.timedelta(hours=1),\n)\n\nocsp_response = response_builder.build(\n    signer_certificate=ocsp_responder_cert,\n    signer_private_key=ocsp_responder_key,\n    hash_algorithm=hashes.SHA256() # Algorithm used to sign the response\n)\n\nprint(\"OCSP Response built successfully.\")\nprint(f\"Response bytes length: {len(ocsp_response.public_bytes(encoding=serialization.Encoding.DER))}\")\n\n# Optional: Verify the response using cryptography directly\n# This demonstrates that ocspbuilder outputs standard cryptography objects\nparsed_response = x509.ocsp.load_der_ocsp_response(ocsp_response.public_bytes(encoding=serialization.Encoding.DER))\nprint(f\"Number of responses in parsed OCSP response: {len(parsed_response.responses)}\")\nprint(f\"Status for first cert in response: {parsed_response.responses[0].certificate_status}\")\n","lang":"python","description":"This quickstart demonstrates how to create both an OCSP request and then build a corresponding 'good' status OCSP response. It includes necessary certificate generation steps (using `cryptography`) to make the example runnable from scratch. Key steps involve using `OCSPRequestBuilder` to add certificates to be checked and extensions, and `OCSPResponseBuilder` to specify the status and sign the response with an appropriate responder certificate and key."},"warnings":[{"fix":"Ensure all certificate and key inputs are instances of `cryptography.x509.Certificate`, `cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, etc., before passing them to `ocspbuilder` methods.","message":"`ocspbuilder` primarily operates on `cryptography.x509.Certificate` and related objects for inputs (e.g., keys, certificates), not raw PEM/DER encoded bytes or strings. Users must first parse their certificate data into `cryptography` objects.","severity":"gotcha","affected_versions":"All"},{"fix":"Carefully manage your certificate infrastructure and ensure the correct issuer and responder certificates/keys are used for `OCSPRequestBuilder.add_cert()` and `OCSPResponseBuilder.build()` respectively to ensure valid OCSP messages.","message":"The library simplifies OCSP message construction but does not manage the entire certificate chain validation or selection of the correct OCSP responder certificate. Users are responsible for providing the correct issuer certificate for requests and the correct OCSP responder certificate/key pair for signing responses.","severity":"gotcha","affected_versions":"All"},{"fix":"Monitor `cryptography` release notes for breaking changes. If issues arise after a `cryptography` upgrade, check for a newer `ocspbuilder` version or adjust `cryptography`-related code if the `ocspbuilder` abstraction is insufficient.","message":"While `ocspbuilder` provides a stable API, its core functionality is deeply integrated with the `cryptography` library. Significant breaking changes or API shifts within `cryptography` (especially in `x509.ocsp` modules) could indirectly require updates to `ocspbuilder` or user code, even if `ocspbuilder` itself doesn't change.","severity":"gotcha","affected_versions":"All"},{"fix":"Test `ocspbuilder` in your target Python environment, especially if using Python versions newer than 3.10. Ensure your installed `cryptography` version supports your Python version.","message":"The PyPI metadata for `ocspbuilder` states `requires_python: None`, which can lead to ambiguity. GitHub CI/CD tests indicate compatibility with Python 3.7 through 3.10. Users on newer Python versions (e.g., 3.11+) should verify compatibility, as it largely depends on the `cryptography` dependency's support for those versions.","severity":"gotcha","affected_versions":"Potentially Python 3.11+"}],"env_vars":null,"last_verified":"2026-04-12T00:00:00.000Z","next_check":"2026-07-11T00:00:00.000Z"}