CRL and OCSP Response Builders
CertificateListBuilder and OCSPResponseBuilder are top-level synta exports for
constructing DER-encoded X.509 CRL and OCSP response structures. Both follow the same
pattern: build the unsigned TBS blob, sign exactly those bytes externally with the issuer's
(CRL) or responder's (OCSP) private key, then call assemble to wrap the signature into the
final structure. Nothing on this page indicates that assemble verifies the signature or
checks that the outer signature algorithm matches the one encoded inside the TBS, so the
caller is responsible for signing the right bytes with the right key and algorithm.
CertificateListBuilder
Fluent builder for RFC 5280 §5 TBSCertList.
class CertificateListBuilder:
def __init__(self) -> None: ...
def issuer(self, name_der: bytes) -> CertificateListBuilder: ...
# Set the issuer Name from pre-encoded DER bytes.
def this_update(self, time: str) -> CertificateListBuilder: ...
# Set thisUpdate ("YYYYMMDDHHmmssZ" or "YYMMDDHHmmssZ").
def next_update(self, time: str) -> CertificateListBuilder: ...
# Set optional nextUpdate (same format as this_update).
def revoke(
self,
serial: bytes,
revocation_date: str,
reason: int | None = None,
) -> CertificateListBuilder: ...
# Add a revoked certificate entry.
# serial is the big-endian DER INTEGER value bytes.
# reason is an optional CRL reason code (0–10).
def signature_algorithm(self, alg_der: bytes) -> CertificateListBuilder: ...
# Set the AlgorithmIdentifier DER for TBSCertList.signature.
def build(self) -> bytes: ...
# Build the DER-encoded TBSCertList SEQUENCE.
# Raises ValueError if any required field is absent or encoding fails.
@staticmethod
def assemble(tbs_der: bytes, sig_alg_der: bytes, signature: bytes) -> bytes: ...
# Assemble a complete DER-encoded CertificateList.
# tbs_der: TBSCertList bytes from build().
# sig_alg_der: outer AlgorithmIdentifier SEQUENCE TLV.
# signature: raw signature bytes (BIT STRING value).
# Raises ValueError if DER encoding fails.
Example
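import synta

# Issuer as a DER Name SEQUENCE TLV.  In a real deployment this must equal the
# subject of the CA certificate that issued the certificates listed below.
name_der = synta.NameBuilder().common_name("Test CA").build()

# AlgorithmIdentifier for sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11,
# NULL parameters).  RFC 5280 §5.1.1.2 requires TBSCertList.signature and the
# outer signatureAlgorithm to be identical, so the same bytes are used in both
# places below.
alg_der = bytes.fromhex("300d06092a864886f70d01010b0500")

tbs = (
    synta.CertificateListBuilder()
    .issuer(name_der)
    .signature_algorithm(alg_der)
    .this_update("20240101120000Z")
    # Conforming CRL issuers MUST include nextUpdate (RFC 5280 §5.1.2.5);
    # without it relying parties have no freshness bound and a stale CRL can
    # be replayed indefinitely.
    .next_update("20240108120000Z")
    # serial is the DER INTEGER content octets (here serial number 1);
    # reason 1 = keyCompromise (RFC 5280 §5.3.1).
    .revoke(bytes([1]), "20231201000000Z", 1)
    .build()
)

# Sign `tbs` — the exact bytes returned by build(), not a re-encoding — with
# the issuer's private key using the algorithm named by alg_der
# (RSASSA-PKCS1-v1_5 over SHA-256 here), then wrap it.  assemble() is not
# documented to verify the signature, so a mismatch is only caught by clients.
# sig_bytes = <signature over tbs>
# crl_der = synta.CertificateListBuilder.assemble(tbs, alg_der, sig_bytes)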
OCSPResponseBuilder
Fluent builder for RFC 6960 §4.2.1 ResponseData. Set exactly one of responder_name or
responder_key_hash before calling build_tbs; responderID is an ASN.1 CHOICE, and it must
identify the key that actually signs the ResponseData, since clients use it to locate the
responder certificate when validating the signature.
class OCSPResponseBuilder:
def __init__(self) -> None: ...
def responder_name(self, name_der: bytes) -> OCSPResponseBuilder: ...
# Set responderID byName from a pre-encoded DER Name SEQUENCE TLV.
def responder_key_hash(self, key_hash: bytes) -> OCSPResponseBuilder: ...
# Set responderID byKey from raw key-hash bytes (OCTET STRING value).
def produced_at(self, time: str) -> OCSPResponseBuilder: ...
# Set producedAt time ("YYYYMMDDHHmmssZ").
def add_response(
self,
hash_algorithm_der: bytes,
issuer_name_hash: bytes,
issuer_key_hash: bytes,
serial: bytes,
status: int,
this_update: str,
next_update: str | None = None,
) -> OCSPResponseBuilder: ...
# Add a SingleResponse entry.
# hash_algorithm_der: pre-encoded AlgorithmIdentifier DER TLV.
# issuer_name_hash / issuer_key_hash: raw hash bytes.
# serial: big-endian DER INTEGER value bytes.
# status: 0 = good, 1 = revoked, 2 = unknown.
# this_update / next_update: "YYYYMMDDHHmmssZ" format.
def build_tbs(self) -> bytes: ...
# Build the DER-encoded ResponseData SEQUENCE.
# Raises ValueError if any required field is absent or encoding fails.
@staticmethod
def assemble(tbs_der: bytes, sig_alg_der: bytes, signature: bytes) -> bytes: ...
# Assemble a complete DER-encoded OCSPResponse.
# tbs_der: ResponseData bytes from build_tbs().
# sig_alg_der: outer AlgorithmIdentifier SEQUENCE TLV.
# signature: raw signature bytes (BIT STRING value).
# Raises ValueError if DER encoding fails.
See also X.509 Extension Value Builders and OCSP.