Closed: AssemblyJohn closed this 2 months ago
lgtm except for the OCSP update and retrieval. My idea would be: In `update_ocsp_cache` we can simply choose a random file name for the OCSP response and store it in some directory that is dedicated for OCSP responses. For `retrieve_ocsp_cache` we should not search for the ocsp response by filename, but rather iterate over the files in the OCSP directory, parse the OCSP data and check if the certificate hash data matches. What do you think?
I would require some hint in extracting the certificate hash data from the OCSP response. How is that possible? Also it will incur a certain performance cost, since it will imply parsing of all the data all the time, however it seems more stable than the current version.
I was hoping openssl provides functionality to decode and parse the certificate hash data from the DER encoded ocsp response, but I don't know if that is the case.
It would be interesting to know how the OCSP response is loaded during the TLS handshake, because this is our targeted use case. Maybe @james-ctc already has some insights about this?
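The lookup scheme proposed in this thread (random file names on store, match by parsing each cached response on retrieval), as an added Python example that is not part of this PR or of libocpp. The "certificate hash data" to compare is the RFC 6960 CertID of each SingleResponse: hash algorithm, issuerNameHash (hash of the issuer's DER-encoded Name), issuerKeyHash (hash of the issuer's subjectPublicKey BIT STRING contents) and the serial number. With OpenSSL the same fields come from d2i_OCSP_RESPONSE / OCSP_response_get1_basic / OCSP_resp_get0 / OCSP_SINGLERESP_get0_id / OCSP_id_get0_info on the response side and OCSP_cert_to_id on the certificate side. So that it runs without OpenSSL, the example uses a minimal DER reader and writer of its own and constructs unsigned test responses in memory; the issuer names, key bits, serial numbers and file names are constructed values, and `cache_dir`, `store_response`, `find_response` and `demo` are names chosen here.

```python
"""Filename-independent OCSP cache lookup: parse every cached DER response,
extract its CertID and compare it with the certificate being checked.
Added example; the tiny DER helpers stand in for OpenSSL and the responses
are constructed in memory with a dummy signature (demonstration only)."""
import hashlib
import secrets
import tempfile
from pathlib import Path
from typing import NamedTuple, Optional

# DER tag bytes used below.
SEQUENCE, OCTET_STRING, INTEGER, OID, ENUMERATED, NULL, BIT_STRING, GEN_TIME = (
    0x30, 0x04, 0x02, 0x06, 0x0A, 0x05, 0x03, 0x18)
CTX0, CTX2 = 0xA0, 0xA2            # [0] EXPLICIT, [2] EXPLICIT (responderID byKey)
GOOD = bytes([0x80, 0x00])         # certStatus good: [0] IMPLICIT NULL

OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")  # 1.3.6.1.5.5.7.48.1.1
OID_SHA1 = bytes.fromhex("2b0e03021a")                # 1.3.14.3.2.26
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


class CertID(NamedTuple):
    """RFC 6960 CertID: the key under which an OCSP response is cached."""
    hash_alg_oid: bytes
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


def cert_id_for(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> CertID:
    """CertID of a certificate (what OpenSSL's OCSP_cert_to_id computes)."""
    return CertID(OID_SHA1, hashlib.sha1(issuer_name_der).digest(),
                  hashlib.sha1(issuer_key_bits).digest(), serial)


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed value into its (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def build_ocsp_response(cid: CertID, status: int = 0) -> bytes:
    """Construct a minimal DER OCSPResponse for one certificate (status good)."""
    alg = _tlv(SEQUENCE, _tlv(OID, cid.hash_alg_oid) + _tlv(NULL, b""))
    serial = cid.serial.to_bytes((cid.serial.bit_length() + 8) // 8, "big")
    cert_id = _tlv(SEQUENCE, alg + _tlv(OCTET_STRING, cid.issuer_name_hash)
                   + _tlv(OCTET_STRING, cid.issuer_key_hash) + _tlv(INTEGER, serial))
    when = _tlv(GEN_TIME, b"20240101000000Z")
    single = _tlv(SEQUENCE, cert_id + GOOD + when)
    tbs = _tlv(SEQUENCE, _tlv(CTX2, _tlv(OCTET_STRING, cid.issuer_key_hash)) + when
               + _tlv(SEQUENCE, single))
    sig_alg = _tlv(SEQUENCE, _tlv(OID, OID_SHA256_RSA) + _tlv(NULL, b""))
    basic = _tlv(SEQUENCE, tbs + sig_alg + _tlv(BIT_STRING, b"\x00" * 9))  # dummy signature
    resp_bytes = _tlv(SEQUENCE, _tlv(OID, OID_OCSP_BASIC) + _tlv(OCTET_STRING, basic))
    return _tlv(SEQUENCE, _tlv(ENUMERATED, bytes([status])) + _tlv(CTX0, resp_bytes))


def extract_cert_ids(der: bytes) -> list:
    """Walk OCSPResponse -> ResponseBytes -> BasicOCSPResponse -> ResponseData
    -> SingleResponse[] and return the CertID of every SingleResponse."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not an OCSPResponse")
    fields = _children(body)
    if fields[0][1] != b"\x00":                 # responseStatus != successful
        return []
    resp_bytes = _children(_children(fields[1][1])[0][1])
    if resp_bytes[0][1] != OID_OCSP_BASIC:
        return []
    basic = _children(_children(resp_bytes[1][1])[0][1])
    rd = _children(basic[0][1])                 # ResponseData fields
    if rd[0][0] == CTX0:                        # optional explicit version
        rd = rd[1:]
    ids = []
    for _, single in _children(rd[2][1]):       # responderID, producedAt, responses
        alg, nh, kh, sn = _children(_children(single)[0][1])
        ids.append(CertID(_children(alg[1])[0][1], nh[1], kh[1],
                          int.from_bytes(sn[1], "big", signed=True)))
    return ids


def store_response(cache_dir: Path, der: bytes) -> Path:
    """Write a response under a random name; the name carries no meaning."""
    path = cache_dir / f"{secrets.token_hex(8)}.der"
    path.write_bytes(der)
    return path


def find_response(cache_dir: Path, wanted: CertID) -> Optional[bytes]:
    """Scan the cache directory, parse each file and return the response
    whose CertID matches; unparseable files are skipped, not fatal."""
    for path in sorted(cache_dir.glob("*.der")):
        der = path.read_bytes()
        try:
            if wanted in extract_cert_ids(der):
                return der
        except (IndexError, ValueError):
            continue                            # corrupt or foreign file
    return None


# Constructed identities (not real certificates) for the demonstration.
CERT_A = cert_id_for(b"constructed issuer Name DER A", b"constructed issuer key bits A", 0x1001)
CERT_B = cert_id_for(b"constructed issuer Name DER B", b"constructed issuer key bits B", 0x80)


def demo() -> tuple:
    """Cache two responses under random names, then retrieve them by CertID."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        store_response(cache, build_ocsp_response(CERT_A))
        store_response(cache, build_ocsp_response(CERT_B))
        (cache / "junk.der").write_bytes(b"not an ocsp response")  # must be skipped
        hit_a = find_response(cache, CERT_A)
        hit_b = find_response(cache, CERT_B)
        miss = find_response(cache, cert_id_for(b"unknown", b"unknown", 7))
    return (hit_a is not None and extract_cert_ids(hit_a) == [CERT_A],
            hit_b is not None and extract_cert_ids(hit_b) == [CERT_B],
            miss is None)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Two points for the implementation: the per-lookup cost of parsing every file can be removed by building an in-memory index from CertID to file name on the first scan and refreshing it when the directory changes, and a CertID match only selects the candidate response; its signature, producedAt/thisUpdate/nextUpdate and status still have to be validated before it is served in the TLS handshake.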
Implemented header/interface refactor, request feedback before proceeding.
There's also a requirement to integrate this with the garbage collection:
Comments have been implemented, OCSP relevant test has been implemented.
One more test update is required, for garbage collection related to deleted certificates.
Relevant issues and comments have been solved.
Issue ticket number and link: https://github.com/EVerest/libocpp/pull/596