pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io
Other
6.71k stars 1.54k forks source link

OCSP request build based on the hashed data #7549

Closed tropxy closed 2 years ago

tropxy commented 2 years ago

Hi everyone,

First, let me thank you for your fantastic work, this lib is a gem.

I have an application that needs to build the OCSP request for a given certificate, but here is the challenge: we dont have the certificate itself or the issuer... instead we already have the hashed data.

For example:

data =   [
    {'issuerNameHash': '9u2wY2IygZo19o11oJ0CShGqbK0=',
    'issuerKeyHash': 'd8K4UJpndnaxLcKG0IOgfqZ+uks=',
    'serialNumber': '6175535D87BF94B6'},

   {'issuerNameHash': '3DA7FD6CD4DF80C3F0BFC0D9F57FC514B9796D9B',
   'issuerKeyHash': '01706FEA2B50A8FE008C8FFA49EBFEEEE8D16FA0',
   'serialNumber': '46DC8B6CD49CEC96460AE850E3A8075F'}
]

The problem is that cryptography expects that we instantiate the builder with the certificates itself (the issuer and the one to be verified) and does not allow to create a request based already in the data above. Is there a possibility to add that feature or to point me to a tool/lib that allows me to generate the OCSP request as expected?

Thank you!

alex commented 2 years ago

Can you share a bit about your use case? How does it come to be that you only hvae hashes for these things?

I think it'd be straightforward to extend OCSPRequestBuilder to take hashes for these values, but I'd like to understand why before I say we'd definitely take a PR for this.

tropxy commented 2 years ago

Hi @alex,

sure, let me try to summarize it. I work for the e-mobility industry, more specifically I develop software for charging stations communication systems. A charging station is still nowadays a device with constrained resources in terms of RAM and CPU and also is not always connected directly to the internet. It is common that several charging stations are connected to a central node, sometimes called a central management system, which has internet access, through which a supervisor can perform remote actions like get station logs or reboot it. This central system can perform without a sweat any OCSP request, however the certificates linked to those requests are certificates used between the communication between the electric vehicle and the charging station and are not directly accessible to the central system. In order to reduce the amount of data exchanged between the charging station and the central system, it was decided to transmit the bare minimal of data to perform a OCSP request in another system directly connected to the internet. And that is how we arrive to the challenge I presented here. I researched how to create the OCSP request based on the data given, but seems that is not a very straightforward process, thus if cryptography could support it would be a great help. I hope my explanation shed some light on the issue, but let me know if you have any questions.

if you are interested a bit more on what we do, I invite you to check our website: www.switch-ev.com as well as our open source project: https://github.com/SwitchEV/josev

alex commented 2 years ago

Thanks, that's helpful.

It should be possible to extend pyca/cryptography to support this by adding some new methods on OCSPRequestBuilder -- something like add_certificate_by_hash. I don't think it'd be terribly difficult. We are unlikely to implement this ourselves, but if you were interested in sending a PR we'd be happy to review it for inclusion. If you are interested in sending a PR, feel free to ask any questions you come across in developing it.

reaperhulk commented 2 years ago

@tropxy is this still something you're interested in?

tropxy commented 2 years ago

Hi @reaperhulk yes, this is something I am still interested. I am evaluating with the team if we can provide a PR for this use case soonish.

tropxy commented 2 years ago

Hey @reaperhulk thanks for that! cheers!

reaperhulk commented 2 years ago

@tropxy Hopefully this covers your requirements!