Does asn1crypto or ocspbuilder support multiple certs OCSP status requests?
Making in Python an OCSP service that supports, for instance, such requests:

    openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asn1crypto and ocspbuilder (below) it seems that only a single cert request is supported:

    response_data = ocsp.ResponseData({
        'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
        'produced_at': produced_at,
        'responses': [
            {
                'cert_id': {
                    'hash_algorithm': {
                        'algorithm': self._key_hash_algo
                    },
                    'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
                    'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
                    'serial_number': self._certificate.serial_number,
                },
                'cert_status': cert_status,
                'this_update': self._this_update,
                'next_update': self._next_update,
                'single_extensions': single_response_extensions
            }
        ],
        'response_extensions': response_data_extensions
    })

The response list seems to be already populated with only a single element.
Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?
python-3.x ssl openssl ocsp asn1crypto
asked Nov 10 at 21:49
andrea-f
1 Answer
accepted
So to answer my own question for the benefit of others:
asn1crypto does support multiple certs.
ocspbuilder didn't, so I modified it to support multiple certificates and to comply with RFC6960 in the OCSP response; code is here: https://github.com/andrea-f/ocspbuilder
answered Nov 13 at 0:49
andrea-f
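An added example, not taken from the post or from the linked fork: using asn1crypto alone, a responder can answer a multi-certificate request by emitting one SingleResponse per entry of the request list. The names `make_request`, `build_response_data` and `lookup_status` are hypothetical, the hashes and serial numbers are constructed, and the result is the unsigned ResponseData only (signing it into a BasicOCSPResponse is left out).

```python
from datetime import datetime, timezone
from asn1crypto import core, ocsp

def make_request(serials, name_hash, key_hash):
    """Constructed stand-in for the request `openssl ocsp -cert 1.pem -cert 2.pem ...` sends."""
    return ocsp.OCSPRequest({'tbs_request': {'request_list': [
        {'req_cert': {
            'hash_algorithm': {'algorithm': 'sha1'},
            'issuer_name_hash': name_hash,
            'issuer_key_hash': key_hash,
            'serial_number': serial,
        }} for serial in serials
    ]}}).dump()

def build_response_data(request_der, lookup_status, responder_key_hash, now):
    """Build ResponseData holding one SingleResponse per Request, in request order."""
    request = ocsp.OCSPRequest.load(request_der)
    responses = []
    for req in request['tbs_request']['request_list']:
        cert_id = req['req_cert']
        status, revoked_at = lookup_status(cert_id['serial_number'].native)
        if status == 'revoked':
            cert_status = ocsp.CertStatus(name='revoked', value={
                'revocation_time': revoked_at,
                'revocation_reason': 'unspecified',
            })
        else:  # 'good' and 'unknown' both carry a NULL value
            cert_status = ocsp.CertStatus(name=status, value=core.Null())
        responses.append({
            'cert_id': cert_id,  # echo the CertID as the client sent it
            'cert_status': cert_status,
            'this_update': now,
        })
    return ocsp.ResponseData({
        'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
        'produced_at': now,
        'responses': responses,
    })

if __name__ == '__main__':
    now = datetime.now(timezone.utc).replace(microsecond=0)
    revoked = {2: now}  # constructed revocation table: serial -> revocation time
    lookup = lambda s: ('revoked', revoked[s]) if s in revoked else ('good', None)
    der = make_request([1, 2, 3], b'\x11' * 20, b'\x22' * 20)  # constructed hashes
    data = build_response_data(der, lookup, b'\x33' * 20, now)
    for r in data['responses']:
        print(r['cert_id']['serial_number'].native, r['cert_status'].name)
```

A serial the responder has no record of should come back from `lookup_status` as `('unknown', None)` so that it still gets its own entry instead of being dropped from the list.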