[gnutls-devel] GnuTLS | OCSP response manipulation & signing support (#859)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue Nov 5 10:53:26 CET 2019

Mario Biberhofer created an issue: https://gitlab.com/gnutls/gnutls/issues/859


I just sent an e-mail to gnutls-devel and realized it was a r/o list,
so I kind of tried to C&P the content into the form of the feature
template. :-)


## Description of the feature:
Support for manipulating OCSP response data and signing OCSP responses
using gnutls.

#### Background:

About 2 months ago I started implementing an OCSP responder using gnutls
as its backend. During development I realized:

1. gnutls_x509_crl_verify(): verify parameter/return value returns the
   CRL verification status as gnutls_certificate_status_t (which felt
   strange but is fine I guess)
2. However, gnutls_certificate_verification_status_print() does not
   handle this well: It prints certificate-related messages.
3. Various missing functions to manipulate OCSP responses, starting at
   setting basic fields like the version, adding single responses,
   signing responses and more. gnutls seems to only support the
   client-side of OCSP.

I already implemented most of this in a proof-of-concept (read: ugly)
fashion during development of my responder:

- Ad (1), (2): I added a new enum member to gnutls_certificate_type_t
  called GNUTLS_CRT_CRL and used it to produce more meaningful messages
  using gnutls_certificate_verification_status_print()
- Ad (3): I implemented most of the missing functions: setting fields
  like the version, producedAt, appending single response data, signing
  responses, setting certs and the nonce extension.

## Applications that this feature may be relevant to:
OCSP responder(s) :-)

## Is this feature implemented in other libraries (and which)
IIRC, OpenSSL supports manipulating OCSP responses.


Question is: Is there any interest in adding support for manipulating
and signing OCSP responses (and its extensions) to gnutls? (i.e.
adopting these changes?)
If so, I'll start by cleaning up my mess and publish my repository.
Afterwards I'd take care of finishing the implementation (including tests),
stabilization and extending it.
This would also include maintenance (by maintaining my OCSP responder,
and only within the scope of my spare time :( )

P.S.: Forgot to mention that the OCSP responder is/will be
GPLv3-or-later licensed, but is, like my gnutls repository, unreleased
to the general public at this point in time.

