On Tue, 2016-03-01 at 17:19 -0800, Robert Relyea wrote:
> IIRC the API to fetch the ocsp response is mostly application code. NSS
> has a simple http request function that can fetch the request if the
> application doesn't supply one (which doesn't know about proxies, etc.).
> You could override the http fetch function, then validate your cert
> change and squirrel away the OCSP response before you pass it off to NSS.
> That's probably the simplest way of getting it.
>
> I think you just need the blob, not the parsed blob.
Adding a few more details:

We don't have a helper function to do everything in a simple way; you'll have to call a series of functions. We could consider implementing a new API for that, but for now, you'll have to do it manually.

Start with CERT_GetOCSPAuthorityInfoAccessLocation() to get the OCSP AIA URL embedded in the cert.

If you aren't required to use a proxy for the outgoing connection to the CA's OCSP responder, you can rely on NSS' internal minimal HTTP client. (If you do need a proxy, you'll have to link a smarter HTTP client into your server, and use the NSS callback API to override which HTTP client NSS will use; see SEC_RegisterDefaultHttpClient.)

Then use CERT_GetEncodedOCSPResponseByMethod; you should probably prefer the "GET" method, see the comment in the ocsp.c file for how to use it. This will give you the encoded OCSP response.

I believe you can use the whole result as input for SSL_SetStapledOCSPResponses().

If your server uses multiple certs (e.g. RSA and ECC), you should do that twice, once for each cert.

Kai

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto