Ndtyjky

Making in Python a OCSP service that supports for instance such requests:

openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify

I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:

response_data = ocsp.ResponseData({

        'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),

        'produced_at': produced_at,

        'responses': [

            {

                'cert_id': {

                    'hash_algorithm': {

                        'algorithm': self._key_hash_algo

                    },

                    'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),

                    'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),

                    'serial_number': self._certificate.serial_number,

                },

                'cert_status': cert_status,

                'this_update': self._this_update,

                'next_update': self._next_update,

                'single_extensions': single_response_extensions

            }

        ],

        'response_extensions': response_data_extensions

    })

The response list seems to be already populated with only a single element.
Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?

So to answer my own question for the benefit of others:

• 
  asn1crypto does support multiple certs


• 
  ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder