<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/mbiberhofer">Mario Biberhofer</a> created an issue:
</p>
<p dir="auto">Greetings,</p>
<p dir="auto">I just sent an e-mail to gnutls-devel and realized it was a r/o list,
so I kind of tried to C&P the content into the form of the feature
template. :-)</p>
<hr>
<h2 dir="auto">
<a id="user-content-description-of-the-feature" class="anchor" href="#description-of-the-feature" aria-hidden="true"></a>Description of the feature:</h2>
<p dir="auto">Support for manipulating OCSP response data and signing OCSP responses
using gnutls.</p>
<h4 dir="auto">
<a id="user-content-background" class="anchor" href="#background" aria-hidden="true"></a>Background:</h4>
<p dir="auto">About 2 months ago I started implementing an OCSP responder using gnutls
as its backend. During development I realized:</p>
<ol dir="auto">
<li>gnutls_x509_crl_verify(): verify parameter/return value returns the
CRL verification status as gnutls_certificate_status_t (which felt
strange but is fine I guess)</li>
<li>However, gnutls_certificate_verification_status_print() does not
handle this well: It prints certificate-related messages.</li>
<li>Various missing functions to manipulate OCSP responses, starting with
setting basic fields like the version, adding single responses,
signing responses and more. gnutls seems to only support the
client side of OCSP.</li>
</ol>
<p dir="auto">I already implemented most of this in a proof-of-concept (read: ugly)
fashion during development of my responder:</p>
<ul dir="auto">
<li>Ad (1), (2): I added a new enum member to gnutls_certificate_type_t
called GNUTLS_CRT_CRL and used it to produce more meaningful messages
using gnutls_certificate_verification_status_print()</li>
<li>Ad (3): I implemented most of the missing functions: setting fields
like the version, producedAt, appending single response data, signing
responses, setting certs and the nonce extension.</li>
</ul>
<h2 dir="auto">
<a id="user-content-applications-that-this-feature-may-be-relevant-to" class="anchor" href="#applications-that-this-feature-may-be-relevant-to" aria-hidden="true"></a>Applications that this feature may be relevant to:</h2>
<p dir="auto">OCSP responder(s) :-)</p>
<h2 dir="auto">
<a id="user-content-is-this-feature-implemented-in-other-libraries-and-which" class="anchor" href="#is-this-feature-implemented-in-other-libraries-and-which" aria-hidden="true"></a>Is this feature implemented in other libraries (and which)</h2>
<p dir="auto">IIRC, OpenSSL supports manipulating OCSP responses.</p>
<hr>
<p dir="auto">The question is: Is there any interest in adding support for manipulating
and signing OCSP responses (and their extensions) to gnutls (i.e.
adopting these changes)?
If so, I'll start by cleaning up my mess and publishing my repository.
Afterwards I'd take care of finishing the implementation (including tests),
stabilization and extending it.
This would also include maintenance (by maintaining my OCSP responder,
and only within the scope of my spare time :( )</p>
<p dir="auto">P.S.: Forgot to mention that the OCSP responder is/will be
GPLv3-or-later licensed, but is, like my gnutls repository, unreleased
to the general public at this point in time.</p>
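<p dir="auto">For readers who want to see concretely which fields the missing "set version / producedAt / append single response / nonce" functions would have to populate, the following is an added example written for this page; it is not code from the issue author, from the responder described above, or from GnuTLS. It DER-encodes the ResponseData (the to-be-signed part of a BasicOCSPResponse, RFC 6960 section 4.2.1) with the Python standard library only. The issuer Name and key bytes, the serial numbers and the nonce are constructed placeholders, and the responder is assumed to be the issuing CA itself; signing the structure and wrapping it in OCSPResponse are deliberately left out.</p>

```python
"""Added example (not GnuTLS code): DER-encode an RFC 6960 ResponseData with the
stdlib only. Issuer bytes, serials and nonce below are constructed placeholders."""
import hashlib
from datetime import datetime, timezone
from typing import List, Optional

OID_SHA256 = "2.16.840.1.101.3.4.2.1"     # id-sha256, parameters absent (RFC 5754)
OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce (RFC 6960 section 4.4.1)

def der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise long form with minimal octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body
def seq(*items: bytes) -> bytes:            # SEQUENCE / SEQUENCE OF
    return tlv(0x30, b"".join(items))
def ctx(n: int, body: bytes) -> bytes:      # [n] EXPLICIT: constructed, context-specific
    return tlv(0xA0 | n, body)
def octets(b: bytes) -> bytes:
    return tlv(0x04, b)

def integer(v: int) -> bytes:
    """INTEGER in minimal two's complement; a set high bit needs a leading 0x00."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                      # base 128, continuation bit on all but the last byte
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def gen_time(t: datetime) -> bytes:
    """GeneralizedTime; DER requires UTC with a trailing 'Z' and no fractional seconds."""
    return tlv(0x18, t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode())

def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID: hashes of the issuer's DER Name and of its subjectPublicKey bits, plus the serial."""
    return seq(seq(oid(OID_SHA256)),
               octets(hashlib.sha256(issuer_name_der).digest()),
               octets(hashlib.sha256(issuer_key_bits).digest()),
               integer(serial))

def single_response(cid: bytes, this_update: datetime,
                    revoked_at: Optional[datetime] = None) -> bytes:
    """SingleResponse. CertStatus is IMPLICITly tagged: good is [0] NULL (80 00),
    revoked is [1] RevokedInfo, whose SEQUENCE tag is replaced by A1."""
    status = b"\x80\x00" if revoked_at is None else tlv(0xA1, gen_time(revoked_at))
    return seq(cid, status, gen_time(this_update))

def response_data(responder_key_hash: bytes, produced_at: datetime,
                  responses: List[bytes], nonce: Optional[bytes] = None) -> bytes:
    """ResponseData with responderID byKey [2] KeyHash. version is DEFAULT v1 and DER
    forbids encoding a DEFAULT value, so a 'set version' API must emit nothing for v1."""
    parts = [ctx(2, octets(responder_key_hash)), gen_time(produced_at), seq(*responses)]
    if nonce is not None:   # extnValue wraps the DER OCTET STRING nonce; critical DEFAULT FALSE omitted
        parts.append(ctx(1, seq(seq(oid(OID_OCSP_NONCE), octets(octets(nonce))))))
    return seq(*parts)

def children(body: bytes) -> list:
    """Split the body of a constructed DER value into (tag, body) pairs."""
    out, p = [], 0
    while p < len(body):
        tag, n, p = body[p], body[p + 1], p + 2
        if n & 0x80:
            k = n & 0x7F
            n, p = int.from_bytes(body[p:p + k], "big"), p + k
        out.append((tag, body[p:p + n]))
        p += n
    return out

def extract_nonce(rd: bytes) -> Optional[bytes]:
    """Read the nonce back out of an encoded ResponseData, as a client matching its request would."""
    for tag, body in children(children(rd)[0][1]):
        if tag == 0xA1:                          # [1] responseExtensions
            for _, ext in children(children(body)[0][1]):
                items = children(ext)
                if items[0] == (0x06, oid(OID_OCSP_NONCE)[2:]):
                    return children(items[-1][1])[0][1]
    return None

def build_example() -> bytes:
    """Constructed sample: placeholder issuer Name/key bytes, two serials, a fixed nonce;
    the responder is the issuing CA itself, so KeyHash is SHA-1 of its key bits (RFC 6960)."""
    issuer_name, issuer_key = seq(b""), b"\x00" * 65
    t0 = datetime(2019, 1, 1, 12, 0, tzinfo=timezone.utc)
    responses = [single_response(cert_id(issuer_name, issuer_key, 0x1001), t0),
                 single_response(cert_id(issuer_name, issuer_key, 0x1002), t0,
                                 revoked_at=datetime(2018, 12, 31, 8, tzinfo=timezone.utc))]
    return response_data(hashlib.sha1(issuer_key).digest(), t0, responses, bytes(range(1, 9)))
```

<p dir="auto">Calling <code>build_example()</code> returns the DER bytes of a ResponseData carrying one good and one revoked SingleResponse plus a nonce; <code>children()</code> and <code>extract_nonce()</code> walk the result back so the encoding can be checked without an external ASN.1 tool. Two DER details matter for any setter API of the kind requested above: the version field must be omitted entirely for v1 because it is DEFAULT, and the nonce value is an OCTET STRING nested inside the extension's OCTET STRING extnValue, so a responder that copies the request nonce verbatim into extnValue produces a response clients will reject.</p>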

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/859">view it on GitLab</a>.


</p>
</div>
</body>
</html>