Does asn1crypto or ocspbuilder support multiple certs OCSP status requests?











up vote
0
down vote

favorite












Making in Python a OCSP service that supports for instance such requests:

openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:



response_data = ocsp.ResponseData({
'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
'produced_at': produced_at,
'responses': [
{
'cert_id': {
'hash_algorithm': {
'algorithm': self._key_hash_algo
},
'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
'serial_number': self._certificate.serial_number,
},
'cert_status': cert_status,
'this_update': self._this_update,
'next_update': self._next_update,
'single_extensions': single_response_extensions
}
],
'response_extensions': response_data_extensions
})


The response list seems to be already populated with only a single element.
Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?










share|improve this question


























    up vote
    0
    down vote

    favorite












    Making in Python a OCSP service that supports for instance such requests:

    openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

    I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:



    response_data = ocsp.ResponseData({
    'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
    'produced_at': produced_at,
    'responses': [
    {
    'cert_id': {
    'hash_algorithm': {
    'algorithm': self._key_hash_algo
    },
    'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
    'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
    'serial_number': self._certificate.serial_number,
    },
    'cert_status': cert_status,
    'this_update': self._this_update,
    'next_update': self._next_update,
    'single_extensions': single_response_extensions
    }
    ],
    'response_extensions': response_data_extensions
    })


    The response list seems to be already populated with only a single element.
    Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      Making in Python a OCSP service that supports for instance such requests:

      openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

      I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:



      response_data = ocsp.ResponseData({
      'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
      'produced_at': produced_at,
      'responses': [
      {
      'cert_id': {
      'hash_algorithm': {
      'algorithm': self._key_hash_algo
      },
      'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
      'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
      'serial_number': self._certificate.serial_number,
      },
      'cert_status': cert_status,
      'this_update': self._this_update,
      'next_update': self._next_update,
      'single_extensions': single_response_extensions
      }
      ],
      'response_extensions': response_data_extensions
      })


      The response list seems to be already populated with only a single element.
      Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?










      share|improve this question













      Making in Python a OCSP service that supports for instance such requests:

      openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

      I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:



      response_data = ocsp.ResponseData({
      'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
      'produced_at': produced_at,
      'responses': [
      {
      'cert_id': {
      'hash_algorithm': {
      'algorithm': self._key_hash_algo
      },
      'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
      'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
      'serial_number': self._certificate.serial_number,
      },
      'cert_status': cert_status,
      'this_update': self._this_update,
      'next_update': self._next_update,
      'single_extensions': single_response_extensions
      }
      ],
      'response_extensions': response_data_extensions
      })


      The response list seems to be already populated with only a single element.
      Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?







      python-3.x ssl openssl ocsp asn1crypto






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 10 at 21:49









      andrea-f

      708617




      708617
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote



          accepted










          So to answer my own question for the benefit of others:





          • asn1crypto does support multiple certs


          • ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53243747%2fdoes-asn1crypto-or-ocspbuilder-support-multiple-certs-ocsp-status-requests%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote



            accepted










            So to answer my own question for the benefit of others:





            • asn1crypto does support multiple certs


            • ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder






            share|improve this answer

























              up vote
              0
              down vote



              accepted










              So to answer my own question for the benefit of others:





              • asn1crypto does support multiple certs


              • ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder






              share|improve this answer























                up vote
                0
                down vote



                accepted







                up vote
                0
                down vote



                accepted






                So to answer my own question for the benefit of others:





                • asn1crypto does support multiple certs


                • ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder






                share|improve this answer












                So to answer my own question for the benefit of others:





                • asn1crypto does support multiple certs


                • ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 13 at 0:49









                andrea-f

                708617




                708617






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53243747%2fdoes-asn1crypto-or-ocspbuilder-support-multiple-certs-ocsp-status-requests%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Florida Star v. B. J. F.

                    Danny Elfman

                    Lugert, Oklahoma