OCSP response serialization (#4482)

* support OCSP response serialization * empty commit, good times
pyca · Oct 7, 2018 · 788b859 · 788b859
1 parent 0c07580
commit 788b859
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/docs/x509/ocsp.rst b/docs/x509/ocsp.rst
@@ -411,6 +411,14 @@ Interfaces
 
         The extensions encoded in the response.
 
+    .. method:: public_bytes(encoding)
+
+        :param encoding: The encoding to use. Only
+            :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
+            is supported.
+
+        :return bytes: The serialized OCSP response.
+
 .. class:: OCSPResponseStatus
 
     .. versionadded:: 2.4

diff --git a/src/cryptography/hazmat/backends/openssl/ocsp.py b/src/cryptography/hazmat/backends/openssl/ocsp.py
@@ -306,6 +306,19 @@ def serial_number(self):
     def extensions(self):
         return _OCSP_BASICRESP_EXT_PARSER.parse(self._backend, self._basic)
 
+    def public_bytes(self, encoding):
+        if encoding is not serialization.Encoding.DER:
+            raise ValueError(
+                "The only allowed encoding value is Encoding.DER"
+            )
+
+        bio = self._backend._create_mem_bio_gc()
+        res = self._backend._lib.i2d_OCSP_RESPONSE_bio(
+            bio, self._ocsp_response
+        )
+        self._backend.openssl_assert(res > 0)
+        return self._backend._read_mem_bio(bio)
+
 
 @utils.register_interface(OCSPRequest)
 class _OCSPRequest(object):

diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py
@@ -330,3 +330,22 @@ def test_response_extensions(self):
         assert ext.value == x509.OCSPNonce(
             b'\x04\x105\x957\x9fa\x03\x83\x87\x89rW\x8f\xae\x99\xf7"'
         )
+
+    def test_serialize_reponse(self):
+        resp_bytes = load_vectors_from_file(
+            filename=os.path.join("x509", "ocsp", "resp-revoked.der"),
+            loader=lambda data: data.read(),
+            mode="rb"
+        )
+        resp = ocsp.load_der_ocsp_response(resp_bytes)
+        assert resp.public_bytes(serialization.Encoding.DER) == resp_bytes
+
+    def test_invalid_serialize_encoding(self):
+        resp = _load_data(
+            os.path.join("x509", "ocsp", "resp-revoked.der"),
+            ocsp.load_der_ocsp_response,
+        )
+        with pytest.raises(ValueError):
+            resp.public_bytes("invalid")
+        with pytest.raises(ValueError):
+            resp.public_bytes(serialization.Encoding.PEM)