I am implementing ACME Renewal Information (ARI) for TLS servers to be able to automatically renew their certificates within a CA-designated timeframe.
It turns out that ARI is actually an OCSP request, but with slightly different ceremony: the GET request URI is literally suffixed with an encoded RFC 6960 OCSP request CertID structure.
Unfortunately, ocsp.CreateRequest() returns an opaque byte slice. The data we need is that exact same data but without the following (essentially empty) wrapping:

```go
ocspRequest{
	tbsRequest{
		Version: 0,
		RequestList: []request{
			{
				Cert: certID{ /* ... the CertID we actually want ... */ },
			},
		},
	},
}
```
I'd like to propose that we export the bulk of this function:
https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.7.0:ocsp/ocsp.go;l=628-666
and update this comment:
// OCSP seems to be the only place where these raw hash identifiers are
// used.
since now, in 2023, there is one other place that the raw hash identifier is used: ARI. :sweat_smile:
The exported function should return an exported CertID struct. From there, marshaling as ASN.1 is easy (with asn1.Marshal()).
Of course, CreateRequest() would reuse the same code, now exported for the benefit of ARI clients. :blush:
Hope this makes sense. Thanks for considering!
Comment From: seankhliao
cc @golang/security
Comment From: sigmavirus24
I'd be interested in implementing this if it were accepted. This shouldn't be terribly disruptive either, if I'm understanding Matt's proposal correctly.