
Feature Request: OCSP Query API

Open bmw opened this issue 10 years ago • 7 comments

Let's Encrypt has something new on its pyca wishlist. We'd like an OCSP query API with the ability to inspect the HTTP headers from the OCSP response. This isn't an immediate need for us, but since we are currently planning on using subprocess to call out to OpenSSL for this, it would be nice to have in the future.

cc @pde

bmw avatar Aug 28 '15 19:08 bmw

Could you sketch out what APIs you'd need? We'll probably need a cryptography release cycle before we can start working on it, so if you need it the work should start early.

hynek avatar Aug 30 '15 06:08 hynek

Hi @hynek,

The core OCSP query feature would be just making an OCSP query on the basis of a given X509 object (automatically extracting the responder URI and sending the query about that certificate to that URI), and returning an object representing the OCSP response.

The other thing that @bmw is referring to is that when OCSP queries are sent over HTTP, the server can return a reply that contains HTTP-layer information other than the OCSP response. In our case we are hoping to extend the OCSP responder with some advisory metadata in the HTTP headers. (In some cases, the OCSP responder can give advance warning that a certificate is about to be revoked, causing our client to attempt to renew it before that happens. The OCSP protocol itself has no provision for this, so we need to extend it this way.)

So, I guess depending on the memory-management and layering issues, we would either want to have a way to get an object representing the HTTP conversation itself (from which we could extract information about the response), or just an object representing the HTTP headers that were sent by the server in the course of the OCSP transaction.

I realize that's kind of specific and probably not many other projects will have a use for that particular part. :-(

schoen avatar Sep 08 '15 16:09 schoen

(The HTTP headers could just be a dict and they could just be returned in a tuple with the OCSP response object. Ideally the OCSP response would already be parsed for us, not an ASN.1 string.)

schoen avatar Sep 08 '15 16:09 schoen
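The query API sketched in the two comments above, written out as an added example that is not part of pyOpenSSL, of pyca/cryptography or of this thread. It uses the OCSP API that pyca/cryptography later shipped (`OCSPRequestBuilder`, `load_der_ocsp_response`): the responder URI is taken from the certificate's Authority Information Access extension, the DER request is POSTed to it, and the caller gets back the parsed response together with the HTTP headers as a dict, in the tuple shape proposed. Everything below the client functions is test scaffolding: the responder URI `http://ocsp.example.invalid/`, the `X-Demo-Advisory` header and the `FakeResponder` class are constructed for the demo, and the issuer is assumed to sign responses directly with its own EC key (a delegated responder would need its certificate checked instead).

```python
import datetime
import urllib.request

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID


def ocsp_responder_uris(cert):
    """OCSP responder URIs from the Authority Information Access extension (RFC 5280)."""
    try:
        aia = cert.extensions.get_extension_for_oid(
            ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP
            and isinstance(d.access_location, x509.UniformResourceIdentifier)]


def build_ocsp_request(cert, issuer):
    """DER-encoded OCSP request for cert; the CertID is hashed with SHA-1 as RFC 5019 expects."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def query_ocsp(cert, issuer, opener=urllib.request.urlopen, timeout=10):
    """POST the request to the certificate's responder and return (OCSPResponse, headers dict).

    `opener` is injected so a fake responder can stand in for urlopen in tests."""
    uris = ocsp_responder_uris(cert)
    if not uris:
        raise ValueError("certificate carries no OCSP responder URI")
    http_req = urllib.request.Request(
        uris[0], data=build_ocsp_request(cert, issuer), method="POST",
        headers={"Content-Type": "application/ocsp-request",
                 "Accept": "application/ocsp-response"})
    with opener(http_req, timeout=timeout) as resp:
        headers = dict(resp.headers.items())  # HTTP-layer metadata, kept apart from the OCSP body
        body = resp.read()
    return ocsp.load_der_ocsp_response(body), headers


def check_response(response, cert, issuer):
    """Checks a client must make before trusting the status; assumes the issuer (EC key) signed."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {response.response_status}")
    if response.serial_number != cert.serial_number:
        raise ValueError("response is for a different certificate")
    issuer.public_key().verify(response.signature, response.tbs_response_bytes,
                               ec.ECDSA(response.signature_hash_algorithm))
    return response.certificate_status


# ---- constructed fixture: a throwaway issuer, a leaf with an AIA entry, and a fake responder ----

def make_demo_pki(responder_uri="http://ocsp.example.invalid/"):
    now = datetime.datetime.now(datetime.timezone.utc)
    issuer_key = ec.generate_private_key(ec.SECP256R1())
    issuer_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Issuer")])
    issuer = (x509.CertificateBuilder().subject_name(issuer_name).issuer_name(issuer_name)
              .public_key(issuer_key.public_key()).serial_number(x509.random_serial_number())
              .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
              .sign(issuer_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(responder_uri))])
    leaf = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo.example")]))
            .issuer_name(issuer_name).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(aia, critical=False).sign(issuer_key, hashes.SHA256()))
    return issuer_key, issuer, leaf


class _FakeHTTPResponse:
    def __init__(self, body, headers):
        self._body, self.headers = body, headers
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeResponder:
    """Stands in for urlopen: answers GOOD for known certs and adds a hypothetical advisory header."""
    def __init__(self, issuer_key, issuer, known_certs):
        self.issuer_key, self.issuer = issuer_key, issuer
        self.known = {c.serial_number: c for c in known_certs}

    def __call__(self, http_req, timeout=None):
        req = ocsp.load_der_ocsp_request(http_req.data)
        now = datetime.datetime.now(datetime.timezone.utc)
        resp = (ocsp.OCSPResponseBuilder()
                .add_response(cert=self.known[req.serial_number], issuer=self.issuer,
                              algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
                              this_update=now, next_update=now + datetime.timedelta(days=1),
                              revocation_time=None, revocation_reason=None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, self.issuer)
                .sign(self.issuer_key, hashes.SHA256()))
        return _FakeHTTPResponse(resp.public_bytes(serialization.Encoding.DER),
                                 {"Content-Type": "application/ocsp-response",
                                  "X-Demo-Advisory": "renew-soon"})


def run_demo():
    issuer_key, issuer, leaf = make_demo_pki()
    response, headers = query_ocsp(leaf, issuer, opener=FakeResponder(issuer_key, issuer, [leaf]))
    return check_response(response, leaf, issuer), headers


if __name__ == "__main__":
    print(*run_demo())
```

With a real certificate pair, `query_ocsp(leaf, issuer)` performs the network call through `urllib`; the headers dict is where advisory metadata of the kind described above would surface, while `check_response` refuses to report a status until the response is successful, refers to the right serial and carries a valid signature.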

Hi, I am also interested in this feature :)

laurivosandi avatar Nov 06 '15 18:11 laurivosandi

Hi, is this feature implemented as of date?

KrishVikram avatar Jun 06 '18 10:06 KrishVikram

At least for Certbot's needs right now, we don't need the ability to inspect the HTTP headers anymore. We'd just like to be able to fetch the OCSP response so we can stop shelling out to openssl.

bmw avatar Aug 07 '18 02:08 bmw

Hi,

I've implemented OCSP in my CA software in pure Python, perhaps this would be useful to some of you folks: https://github.com/laurivosandi/certidude/blob/master/certidude/api/ocsp.py

laurivosandi avatar Aug 07 '18 05:08 laurivosandi