OCSP response manipulation & signing support
I just sent an e-mail to gnutls-devel and realized it was a r/o list, so I kind of tried to C&P the content into the form of the feature template. :-)
Description of the feature:
Support for manipulating OCSP response data and signing OCSP responses using gnutls.
About 2 months ago I started implementing an OCSP responder using gnutls as its backend. During development I realized:
1. gnutls_x509_crl_verify(): its verify parameter/return value reports the CRL verification status as gnutls_certificate_status_t (which felt strange but is fine I guess).
2. However, gnutls_certificate_verification_status_print() does not handle this well: it prints certificate-related messages.
3. Various functions to manipulate OCSP responses are missing, starting with setting basic fields like the version, adding single responses, signing responses and more. gnutls seems to only support the client side of OCSP.
I already implemented most of this in a proof-of-concept (read: ugly) fashion during development of my responder:
- Ad (1), (2): I added a new enum member to gnutls_certificate_type_t called GNUTLS_CRT_CRL and used it to produce more meaningful messages from gnutls_certificate_verification_status_print().
- Ad (3): I implemented most of the missing functions: setting fields like the version and producedAt, appending single response data, signing responses, setting certs and the nonce extension.
Applications that this feature may be relevant to:
OCSP responder(s) :-)
Is this feature implemented in other libraries (and which)?
IIRC, OpenSSL supports manipulating OCSP responses.
Question is: Is there any interest in adding support for manipulating and signing OCSP responses (and their extensions) to gnutls (i.e. adopting these changes)? If so, I'll start by cleaning up my mess and publishing my repository. Afterwards I'd take care of finishing the implementation (including tests), stabilization and extending it. This would also include maintenance (by maintaining my OCSP responder, and only within the scope of my spare time :( ).
P.S.: Forgot to mention that the OCSP responder is/will be GPLv3-or-later licensed, but is, like my gnutls repository, unreleased to the general public at this point in time.