Support for OCSP Verification in Serf
=====================================

Serf trunk currently supports OCSP stapling for verifying server
certificates. The purpose of this branch is to add minimal support
for issuing OCSP requests to responders from the client application.

The idea is that the application decides when and where to send OCSP
requests and how to verify responses, and Serf provides some basic
utility functions for constructing the requests and parsing the
responses.

These are the proposed changes:

1. serf_ssl_cert_certificate()

   Extract the OCSP responder locations from the certificate's x509v3
   extension field authorityInfoAccess:OCSP;URI and, if it is present,
   insert the array into the returned hash table with key "OCSP".

2. serf_ssl_cert_import()

   Add a new function that is the inverse of serf_ssl_cert_export():

       serf_ssl_certificate_t *serf_ssl_cert_import(
           const char *encoded_cert,
           apr_pool_t *pool);

   Imports a certificate from a base64-encoded, zero-terminated
   string. The returned certificate is allocated in @a pool.
   Returns NULL on failure.

3. serf_ocsp_request_setup()

   Add a new function that can be used from within a request setup
   handler to create an OCSP request bucket:

       apr_status_t serf_ocsp_request_setup(
           serf_request_t *request,
           const serf_ssl_certificate_t *server_cert,
           const serf_ssl_certificate_t *issuer_cert,
           serf_bucket_t **req_bkt,
           apr_pool_t *pool);

   Constructs an OCSP verification request for @a server_cert
   with issuer certificate @a issuer_cert and sets the required
   headers on @a request, returning the request bucket @a req_bkt.

4. serf_ocsp_response_parse()

   TBD: Parse an OCSP response.
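The request that step 3 constructs and the response that step 4 would parse have a fixed DER layout (RFC 6960). The following added Python example is not Serf code and uses only the standard library: it builds a minimal OCSPRequest (CertID from sha1 of the issuer DN, sha1 of the issuer public key bits, and the serial number) for constructed issuer and serial values, lists the headers the POST carries, and reads the top-level responseStatus of a response. The function names, the sample DN "CN=Example CA" and the key bytes are inventions for this example.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")   # OID 1.3.14.3.2.26, id-sha1
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der(tag, body):
    """Wrap body in a DER TLV with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_uint(n):
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID: hashAlgorithm, sha1(issuer DN), sha1(issuer public key bits), serial."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))   # sha1 with NULL params
    return der(0x30, alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_uint(serial))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest { TBSRequest { requestList { Request { reqCert } } } }, v1, no extensions."""
    request = der(0x30, cert_id(issuer_name_der, issuer_key_bits, serial))
    return der(0x30, der(0x30, der(0x30, request)))

def ocsp_request_headers(body):
    """Headers an OCSP POST carries in addition to the usual HTTP ones."""
    return {"Content-Type": "application/ocsp-request",
            "Content-Length": str(len(body))}

def parse_response_status(resp):
    """Read responseStatus (ENUMERATED) from a DER OCSPResponse; None if malformed."""
    if len(resp) < 2 or resp[0] != 0x30:
        return None
    i = 2 + ((resp[1] & 0x7F) if resp[1] & 0x80 else 0)   # skip the outer length
    if resp[i:i + 2] != b"\x0a\x01" or i + 2 >= len(resp):
        return None
    return STATUS.get(resp[i + 2], "unknown")

# Constructed sample inputs, not a real CA: DN "CN=Example CA" and stand-in key bits.
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                         + der(0x0c, b"Example CA"))))
ISSUER_KEY = bytes(range(65))   # placeholder for an uncompressed EC public key
SERIAL = 0x0123456789ABCDEF
```

The responder URL itself comes from the authorityInfoAccess extension that step 1 exposes; the request body is the same whichever responder it is posted to.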