Does asn1crypto or ocspbuilder support multiple certs OCSP status requests?

Question

Making in Python a OCSP service that supports for instance such requests: openssl ocsp -issuer ca-cert.pem -cert 1.pem -cert 2.pem -cert 3.pem -no_nonce -url http://localhost/ocsp -noverify I can see that the OCSP Request list is populated with 3 certs, but can't get the reply to be for 3 certs. Looking at the source code for asyn1crypto and ocspbuilder(below) it seems that only a single cert request is supported:

response_data = ocsp.ResponseData({
        'responder_id': ocsp.ResponderId(name='by_key', value=responder_key_hash),
        'produced_at': produced_at,
        'responses': [
            {
                'cert_id': {
                    'hash_algorithm': {
                        'algorithm': self._key_hash_algo
                    },
                    'issuer_name_hash': getattr(self._certificate.issuer, self._key_hash_algo),
                    'issuer_key_hash': getattr(issuer.public_key, self._key_hash_algo),
                    'serial_number': self._certificate.serial_number,
                },
                'cert_status': cert_status,
                'this_update': self._this_update,
                'next_update': self._next_update,
                'single_extensions': single_response_extensions
            }
        ],
        'response_extensions': response_data_extensions
    })

The response list seems to be already populated with only a single element. Any ideas or pointers to practical implementations of a Python OCSP responder that supports multiple requested certs?

Answer 1

So to answer my own question for the benefit of others:

• asn1crypto does support multiple certs
• ocspbuilder didn't, so modified to support multiple certificates and to comply with RFC6960 in the OCSP response, code is here: https://github.com/andrea-f/ocspbuilder