certificate should not be required to issue 'good' response
wxe opened this issue · 2 comments
I'd like to be able to build OCSPResponses based only on an index file (which stores revocation, expiration and serial), and not have to supply the actual certificate file.
It looks like the only two values you actually extract from `self._certificate` (`__init__.py`: lines 1015 - 1017) are the serial number and the issuer... because the issuer and serial number are supplied, you should be able to generate a 'good' response based on an OCSPRequest, and not need to actually supply the certificate.
Please let me know if I'm missing something security relevant... if not, happy to send a pull request if you need one.
Something like this should be fine. What I am thinking is that ocspbuilder should provide a base class that has an API such as:

```python
class CertificateInfo(object):
    """Source of the three values a CertID needs; subclasses fill them in."""

    def issuer_name_hash(self, hash_name):
        """
        :param hash_name:
            A unicode string of a hash name: "sha1", "sha256", "sha512"

        :return:
            A byte string of the hash of the issuer's DER-encoded name
        """
        raise NotImplementedError()

    def issuer_key_hash(self, hash_name):
        """
        :param hash_name:
            A unicode string of a hash name: "sha1", "sha256", "sha512"

        :return:
            A byte string of the hash of the issuer's DER-encoded public key
        """
        raise NotImplementedError()

    def serial_number(self):
        """
        :return:
            An integer of the certificate's serial number
        """
        raise NotImplementedError()
```
Then a user can extend the class and pass that in instead of the certificate and issuer. That way you could cache the hashed info and serial in your DB and never need anything but the responder key/cert.
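A worked implementation of the interface proposed above, added here as an illustration and not part of ocspbuilder or of this thread: it backs `CertificateInfo` with values cached from an index row (the DER issuer name, the issuer's public key bits and the serial) using only the standard library, then runs the responder-side check that a request's CertID refers to that entry. The DER helpers, the sample issuer name and key bytes, and the index row are constructed for the example; `CachedCertificateInfo`, `cert_id_matches` and `lookup_matches` are names chosen here, not ocspbuilder's. One caveat the docstring above glosses over: RFC 6960 section 4.1.1 defines issuerKeyHash over the value of the issuer's subjectPublicKey BIT STRING (without tag, length or the unused-bits byte), not over the whole SubjectPublicKeyInfo, so that is what the cache must store.

```python
import hashlib

# Hash names the proposed API accepts; anything else is rejected up front
# rather than silently producing a digest no OCSP client would send.
SUPPORTED_HASHES = ('sha1', 'sha256', 'sha512')


class CertificateInfo(object):
    """Abstract API from the comment above; a subclass supplies the values."""

    def issuer_name_hash(self, hash_name):
        raise NotImplementedError()

    def issuer_key_hash(self, hash_name):
        raise NotImplementedError()

    def serial_number(self):
        raise NotImplementedError()


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content


def der_name(common_name):
    """DER Name with one commonName RDN (OID 2.5.4.3, UTF8String).

    Assumption for the example: a single-attribute issuer name is enough to
    show what issuerNameHash is computed over.
    """
    oid_cn = der_tlv(0x06, b'\x55\x04\x03')
    value = der_tlv(0x0c, common_name.encode('utf-8'))
    atv = der_tlv(0x30, oid_cn + value)   # AttributeTypeAndValue
    rdn = der_tlv(0x31, atv)              # RelativeDistinguishedName (SET)
    return der_tlv(0x30, rdn)             # Name (SEQUENCE)


class CachedCertificateInfo(CertificateInfo):
    """CertificateInfo backed by values cached at issuance time.

    issuer_name_der: DER encoding of the issuer's Name.
    issuer_key_bits: contents of the issuer's subjectPublicKey BIT STRING,
        without the unused-bits byte (RFC 6960 4.1.1 hashes exactly that,
        not the whole SubjectPublicKeyInfo).
    serial: integer serial number, e.g. parsed from an index-file row.
    """

    def __init__(self, issuer_name_der, issuer_key_bits, serial):
        self._name_der = bytes(issuer_name_der)
        self._key_bits = bytes(issuer_key_bits)
        self._serial = int(serial)

    @staticmethod
    def _digest(hash_name, data):
        if hash_name not in SUPPORTED_HASHES:
            raise ValueError('unsupported hash name: %r' % (hash_name,))
        return hashlib.new(hash_name, data).digest()

    def issuer_name_hash(self, hash_name):
        return self._digest(hash_name, self._name_der)

    def issuer_key_hash(self, hash_name):
        return self._digest(hash_name, self._key_bits)

    def serial_number(self):
        return self._serial


def cert_id_matches(info, hash_name, issuer_name_hash, issuer_key_hash, serial):
    """Responder-side check that a request CertID refers to this entry.

    All three fields must agree: serials are only unique per issuer, so a
    serial match alone must not produce a 'good' response.
    """
    return (info.issuer_name_hash(hash_name) == issuer_name_hash
            and info.issuer_key_hash(hash_name) == issuer_key_hash
            and info.serial_number() == serial)


# Constructed sample data: an issuer name and a fake RSAPublicKey DER blob
# (not a real key) standing in for the cached BIT STRING contents.
SAMPLE_ISSUER_NAME = der_name('Example Test CA')
SAMPLE_ISSUER_KEY_BITS = der_tlv(
    0x30,
    der_tlv(0x02, b'\x00\xc3' + b'\x5a' * 30)   # modulus placeholder
    + der_tlv(0x02, b'\x01\x00\x01'))           # public exponent 65537
SAMPLE_SERIAL = 0x1001

# A row as an index file might hold it (constructed): status, expiry, hex serial.
SAMPLE_INDEX_ROW = {'status': 'V', 'expiry': '20301231235959Z', 'serial': '1001'}


def info_from_index_row(row, issuer_name_der, issuer_key_bits):
    """Build the CertificateInfo for one index row; the serial is stored in hex."""
    return CachedCertificateInfo(issuer_name_der, issuer_key_bits,
                                 int(row['serial'], 16))


def lookup_matches(hash_name, req_name_hash, req_key_hash, req_serial):
    """Simulate handling one OCSPRequest CertID against the sample row."""
    info = info_from_index_row(SAMPLE_INDEX_ROW, SAMPLE_ISSUER_NAME,
                               SAMPLE_ISSUER_KEY_BITS)
    return cert_id_matches(info, hash_name, req_name_hash, req_key_hash,
                           req_serial)
```

With this shape the responder never touches the end-entity certificate: the two hashes and the serial are stored when the certificate is issued, and a request is answered by comparing its CertID against the cached row under the hash algorithm the client chose.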
That would work great for me.