Feature Request: OCSP Query API

[bmw]

Let's Encrypt has something new on its pyca wishlist. We'd like an OCSP query API with the ability to inspect the HTTP headers from the OCSP response. This isn't an immediate need for us, but since we are currently planning on using subprocess to call out to OpenSSL for this, it would be nice to have in the future.

cc @pde

[hynek]

Could you sketch out what APIs you'd need? We'll probably need a cryptography release cycle before we can start working on it, so if you need it the work should start early.

[schoen]

Hi @hynek,

The core OCSP query feature would be just making an OCSP query on the basis of a given X509 object (automatically extracting the responder URI and sending the query about that certificate to that URI), and returning an object representing the OCSP response.

The other thing that @bmw is referring to is that when OCSP queries are sent over HTTP, the server can return a reply that contains HTTP-layer information other than the OCSP response. In our case we are hoping to extend the OCSP responder with some advisory metadata in the HTTP headers. (In some cases, the OCSP responder can give advance warning that a certificate is about to be revoked, causing our client to attempt to renew it before that happens. The OCSP protocol itself has no provision for this, so we need to extend it this way.)

So, I guess depending on the memory-management and layering issues, we would either want to have a way to get an object representing the HTTP conversation itself (from which we could extract information about the response), or just an object representing the HTTP headers that were sent by the server in the course of the OCSP transaction.

I realize that's kind of specific and probably not many other projects will have a use for that particular part. :-(

[schoen]

(The HTTP headers could just be a dict and they could just be returned in a tuple with the OCSP response object. Ideally the OCSP response would already be parsed for us, not an ASN.1 string.)

[laurivosandi]

Hi, I am also interested in this feature :)

[KrishVikram]

Hi, is this feature implemented as of date?

[bmw]

At least for Certbot's needs right now, we don't need the ability to inspect the HTTP headers anymore. We'd just like to be able to fetch the OCSP response so we can stop shelling out to openssl.

[laurivosandi]

Hi,

I've implemented OCSP in my CA software in pure Python, perhaps this would be useful to some of you folks: https://github.com/laurivosandi/certidude/blob/master/certidude/api/ocsp.py

[alex]

This has been superceded by pyca/cryptography's OCSP APIs. If there's feature requests, they shuld be sent there.