Discuss this help topic in SecureBlackbox Forum

Check certificate status with OCSP components

When using SecureBlackbox, there is normally no need to check certificate status against an OCSP endpoint directly. All work of this kind is delegated to the TElX509CertificateValidator component, which encapsulates all communication with CRL and OCSP services. However, if you need more granular control over certificate validation, you can perform the OCSP check yourself.

To make a successful status request you need both the certificate to be checked and its CA certificate. The CA certificate is mandatory because an OCSP request identifies the checked certificate through values derived from its issuer's certificate. You also need to know the address of the OCSP responder (ocspAddress). This address can be retrieved from the Authority Information Access extension of the checked certificate (access method: OCSP, 1.3.6.1.5.5.7.48.1).

Typically you would use the TElHTTPOCSPClient class to perform the check, because the vast majority of OCSP responders are bound to HTTP endpoints.

  1. Create a TElHTTPOCSPClient object: TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();
  2. Create an HTTP(S) transport and attach it to the OCSP client:
    
    TElHTTPSClient httpClient = new TElHTTPSClient();
    ocspClient.HTTPClient = httpClient;
    
    Note: you will need to handle the TElHTTPSClient.OnCertificateValidate event if your OCSP endpoint is an HTTPS one.
  3. Set the server's URL: ocspClient.URL = ocspAddress;
  4. Load the certificates to be checked into a TElMemoryCertStorage object and assign it to the CertStorage property of the client. Private keys are not needed.
    
    TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();
    checkedCerts.Add(cert, false);
    
    ocspClient.CertStorage = checkedCerts;
    
    Note: in general, the OCSP standard allows you to check multiple certificates in one request. However, some servers only support single certificate requests.
  5. Load the issuing certificate(s) of the checked certificate(s) to another TElMemoryCertStorage object and assign it to IssuerCertStorage:
    
    TElMemoryCertStorage caCerts = new TElMemoryCertStorage();
    caCerts.Add(cacert, false);
    
    ocspClient.IssuerCertStorage = caCerts;
    
    Note: there should be exactly one CA entry per checked certificate.
  6. Call the OCSP client's PerformRequest() method:
    
    TElOCSPServerError serverResult = SBOCSPCommon.Unit.oseInternalError;
    byte[] reply = null;
    
    int res = ocspClient.PerformRequest(ref serverResult, ref reply);
    
  7. If the request succeeds, the returned value (res) is zero. The serverResult parameter contains the status as returned by the OCSP server. The reply will contain the OCSP response in binary form.
    You can load the response into a TElOCSPResponse object for further handling, or add it to a higher-level object (e.g., a signature).
    A TElOCSPResponse object is automatically created by the OCSP client upon successful execution of the request and can be accessed via the OCSP client's Response property.
    Further details about the response (such as production time or nonce) are contained in the corresponding properties of the OCSP client.
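The seven steps above combined into one helper, as an added example that is not part of the SecureBlackbox documentation or library. It assumes the TElX509Certificate type for the certificates, the listed namespaces, and a plain http:// responder, since the TElHTTPSClient.OnCertificateValidate handler needed for HTTPS endpoints is not shown; OcspCheckResult and OcspChecker are names introduced here.

```csharp
using System;
using SBX509;               // TElX509Certificate (assumed namespace)
using SBCustomCertStorage;  // TElMemoryCertStorage (assumed namespace)
using SBHTTPSClient;        // TElHTTPSClient (assumed namespace)
using SBHTTPOCSPClient;     // TElHTTPOCSPClient (assumed namespace)
using SBOCSPClient;         // TElOCSPResponse (assumed namespace)
using SBOCSPCommon;         // TElOCSPServerError
// Assumed helper type (not part of SecureBlackbox): bundles what PerformRequest returns.
public sealed class OcspCheckResult
{
    public int ClientResult;                 // 0 on success, as documented above
    public TElOCSPServerError ServerResult;  // status code returned by the responder
    public byte[] RawResponse;               // DER-encoded OCSP response, or null
    public TElOCSPResponse Response;         // parsed response, only when ClientResult == 0
}
public static class OcspChecker
{
    // Checks certs[i] against its issuer issuers[i] at the responder 'ocspAddress',
    // the URL taken from the checked certificate's AIA extension (OCSP access method).
    public static OcspCheckResult Check(string ocspAddress,
                                        TElX509Certificate[] certs,
                                        TElX509Certificate[] issuers)
    {
        // Step 5 note: exactly one CA entry per checked certificate.
        if (certs.Length == 0 || certs.Length != issuers.Length)
            throw new ArgumentException("one issuer certificate per checked certificate is required");
        if (!ocspAddress.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("no HTTPS validation handler in this example; use an http:// responder");
        TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();   // step 1
        TElHTTPSClient httpClient = new TElHTTPSClient();         // step 2
        ocspClient.HTTPClient = httpClient;
        ocspClient.URL = ocspAddress;                             // step 3
        // Steps 4 and 5: storages hold public certificates only; no private keys needed.
        TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();
        TElMemoryCertStorage caCerts = new TElMemoryCertStorage();
        for (int i = 0; i < certs.Length; i++)
        {
            checkedCerts.Add(certs[i], false);
            caCerts.Add(issuers[i], false);
        }
        ocspClient.CertStorage = checkedCerts;
        ocspClient.IssuerCertStorage = caCerts;
        OcspCheckResult result = new OcspCheckResult();           // step 6
        result.ServerResult = SBOCSPCommon.Unit.oseInternalError;
        result.ClientResult = ocspClient.PerformRequest(ref result.ServerResult, ref result.RawResponse);
        // Step 7: the client populates Response only after a successful request.
        result.Response = result.ClientResult == 0 ? ocspClient.Response : null;
        return result;
    }
}
```

Callers should treat ClientResult != 0, or a ServerResult other than a successful status, as "status unknown" rather than as "certificate is good".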
