Closed tropxy closed 2 years ago
Can you share a bit about your use case? How does it come to be that you only have hashes for these things?
I think it'd be straightforward to extend OCSPRequestBuilder to take hashes for these values, but I'd like to understand why before I say we'd definitely take a PR for this.
Hi @alex,
Sure, let me try to summarize it. I work for the e-mobility industry; more specifically, I develop software for charging station communication systems. A charging station is still nowadays a device with constrained resources in terms of RAM and CPU, and it is also not always connected directly to the internet. It is common that several charging stations are connected to a central node, sometimes called a central management system, which has internet access, through which a supervisor can perform remote actions like getting station logs or rebooting it. This central system can perform any OCSP request without a sweat; however, the certificates linked to those requests are certificates used in the communication between the electric vehicle and the charging station and are not directly accessible to the central system. In order to reduce the amount of data exchanged between the charging station and the central system, it was decided to transmit the bare minimum of data needed to perform an OCSP request in another system directly connected to the internet. And that is how we arrive at the challenge I presented here. I researched how to create the OCSP request based on the data given, but it seems that is not a very straightforward process, thus if cryptography could support it, it would be a great help. I hope my explanation sheds some light on the issue, but let me know if you have any questions.
If you are interested in a bit more about what we do, I invite you to check our website: www.switch-ev.com as well as our open source project: https://github.com/SwitchEV/josev
Thanks, that's helpful.
It should be possible to extend pyca/cryptography to support this by adding some new methods on OCSPRequestBuilder -- something like add_certificate_by_hash. I don't think it'd be terribly difficult. We are unlikely to implement this ourselves, but if you were interested in sending a PR we'd be happy to review it for inclusion. If you are interested in sending a PR, feel free to ask any questions you come across in developing it.
@tropxy is this still something you're interested in?
Hi @reaperhulk, yes, this is something I am still interested in. I am evaluating with the team whether we can provide a PR for this use case soonish.
Hey @reaperhulk thanks for that! cheers!
@tropxy Hopefully this covers your requirements!
Hi everyone,
First, let me thank you for your fantastic work, this lib is a gem.
I have an application that needs to build the OCSP request for a given certificate, but here is the challenge: we don't have the certificate itself or the issuer... instead, we already have the hashed data.
For example:
The problem is that cryptography expects us to instantiate the builder with the certificates themselves (the issuer and the one to be verified) and does not allow creating a request based on the data above. Is there a possibility to add that feature, or could you point me to a tool/lib that allows me to generate the OCSP request as expected?
Thank you!
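For readers wanting to see what the forwarded hashes actually fill in, here is an added example (not from this thread, and not pyca/cryptography's own code) that builds the DER of an unsigned OCSPRequest carrying one CertID, per RFC 6960, from exactly the three values the charging station would forward: issuer name hash, issuer key hash and serial number. It uses a tiny pure-Python DER encoder, so it needs nothing beyond the standard library; the sample hashes and serial number are constructed, not taken from any real certificate.

```python
import hashlib

# Minimal DER helpers; an unsigned OCSPRequest is plain DER with no signature
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))

def _integer(n: int) -> bytes:
    # Non-negative INTEGER; gains a leading 0x00 when the top bit is set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

HASH_OIDS = {"sha1": "1.3.14.3.2.26", "sha256": "2.16.840.1.101.3.4.2.1"}

def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes,
                       serial_number: int, algorithm: str = "sha1") -> bytes:
    """DER for an unsigned OCSPRequest with one CertID (RFC 6960 s4.1.1).
    Name hash is hash(issuer DN DER); key hash is hash(issuer SPKI key bits)."""
    size = hashlib.new(algorithm).digest_size
    if len(issuer_name_hash) != size or len(issuer_key_hash) != size:
        raise ValueError(f"both hashes must be {size} bytes for {algorithm}")
    alg_id = _seq(_oid(HASH_OIDS[algorithm]), b"\x05\x00")        # AlgorithmIdentifier
    cert_id = _seq(alg_id, _tlv(0x04, issuer_name_hash),           # CertID
                   _tlv(0x04, issuer_key_hash), _integer(serial_number))
    request_list = _seq(_seq(cert_id))                             # SEQUENCE OF Request
    tbs_request = _seq(request_list)                               # TBSRequest, v1 default omitted
    return _seq(tbs_request)                                       # OCSPRequest, no signature

# Constructed sample inputs standing in for what a station would forward
SAMPLE_NAME_HASH = hashlib.sha1(b"constructed issuer name").digest()
SAMPLE_KEY_HASH = hashlib.sha1(b"constructed issuer key").digest()
SAMPLE_SERIAL = 0x0102030405
```

The returned bytes are what an OCSP responder expects in the POST body (Content-Type application/ocsp-request), and the hash length check catches the common mistake of pairing SHA-256 digests with the SHA-1 algorithm identifier.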