Discuss this help topic in SecureBlackbox Forum

Create and send the OCSP request

To create and send the request, use the TElFileOCSPClient or TElHTTPOCSPClient component (both are descendants of the TElOCSPClient component, which defines most of the properties and methods).

Create an instance of the OCSP client class of your choice. TElFileOCSPClient creates the request and leaves it to you to transfer the request and the reply to and from the OCSP server. TElHTTPOCSPClient transfers the request and the reply to and from the server automatically, using the HTTP or HTTPS protocol.

Specify the certificate(s) you want to check using the CertStorage property of the TElOCSPClient class. Set this property to reference an instance of a descendant of the TElCustomCertStorage class.

Each certificate you want to check must have a corresponding issuer certificate. Specify the issuer certificates using the IssuerCertStorage property of the TElOCSPClient class, again referencing an instance of a TElCustomCertStorage descendant. If the issuer certificate of any certificate whose status is checked is not found, the request will not be created.

Some OCSP servers require the OCSP request to be signed. To sign the request you need to specify the certificates that will be used for signing: set the SigningCertStorage property of the TElOCSPClient class to reference an instance of TElMemoryCertStorage that contains one or more certificates. One certificate in the storage must have a private key.

It is advisable for the client to include the whole certificate chain, so that the server can validate the signature properly.

Sending the client certificates with the request is optional. With TElOCSPClient, this is controlled by the IncludeCertificates property.

If the request is signed, the name of the requestor should be specified. This is done using the RequestorName property of the TElOCSPClient class. The standard does not specify what this name should contain, but obviously it is the name contained in the certificate that was used for signing.

To prevent so-called replay attacks you can specify a nonce. A nonce is arbitrary data whose sole purpose is to add a random component to the data being signed. The nonce is specified by the Nonce property of the TElOCSPClient class.

If you use TElFileOCSPClient, be sure to define an event handler for the OnOCSPValidationNeeded event of the TElFileOCSPClient class. This event is used to pass the request to the application and to pick up the reply.

If you use TElHTTPOCSPClient, you need to set the HTTPClient property of the TElHTTPOCSPClient class to an instance of the TElHTTPSClient component. Note that TElHTTPOCSPClient is provided together with TElHTTPSClient in the SSLBlackbox package (i.e. not in PKIBlackbox, where TElOCSPClient lives). You also need to specify the address of the OCSP server in the URL property of the TElHTTPOCSPClient class.

The final step is to create the request. If you use the TElOCSPClient class itself, the only option is to call its CreateRequest() method. With the TElFileOCSPClient or TElHTTPOCSPClient class you call the PerformRequest() method, which creates the request, transfers it to the server in the appropriate way, then retrieves and processes the reply and returns the result.

With TElOCSPClient you get the request, which you need to send to the server, in the Request parameter of the CreateRequest() method. With TElFileOCSPClient you get it in the RequestStream parameter of the OnOCSPValidationNeeded event handler. TElHTTPOCSPClient sends the request automatically.
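The whole procedure above wired together in Delphi, as an added example and not code from the SecureBlackbox documentation: the component and property names are those this article names, while the LoadFromFileAuto loader, the SBRndGenerate helper, the Add(Certificate, CopyPrivateKey) storage method and the PerformRequest(ServerResult, Reply) signature are assumptions about the exact API and should be checked against your SecureBlackbox version. The requestor name is left out, since how RequestorName is populated depends on the name type you choose.

```delphi
uses
  SysUtils, SBTypes, SBRandom, SBX509, SBCustomCertStorage,
  SBHTTPSClient, SBHTTPOCSPClient;

{ Builds a signed OCSP request for one certificate and sends it to the
  responder over HTTP(S). Returns the PerformRequest() result code
  (0 = transfer and reply processing succeeded; assumed convention). }
function RunOCSPRequest(const CertFile, IssuerFile, SignerFile,
  SignerPassword, ResponderURL: string; out ServerResult: Integer;
  out Reply: ByteArray): Integer;
var
  Cert, Issuer, Signer: TElX509Certificate;
  Certs, Issuers, Signers: TElMemoryCertStorage;
  HTTP: TElHTTPSClient;
  Client: TElHTTPOCSPClient;
begin
  Cert := TElX509Certificate.Create(nil);
  Issuer := TElX509Certificate.Create(nil);
  Signer := TElX509Certificate.Create(nil);
  Certs := TElMemoryCertStorage.Create(nil);
  Issuers := TElMemoryCertStorage.Create(nil);
  Signers := TElMemoryCertStorage.Create(nil);
  HTTP := TElHTTPSClient.Create(nil);
  Client := TElHTTPOCSPClient.Create(nil);
  try
    // LoadFromFileAuto is an assumed loader name; any certificate loader works.
    Cert.LoadFromFileAuto(CertFile, '');
    Issuer.LoadFromFileAuto(IssuerFile, '');
    Signer.LoadFromFileAuto(SignerFile, SignerPassword); // must carry a private key
    Certs.Add(Cert, False);
    Issuers.Add(Issuer, False);
    Signers.Add(Signer, True);             // True: keep the private key in the copy

    Client.CertStorage := Certs;           // certificates whose status is requested
    Client.IssuerCertStorage := Issuers;   // without the issuer no request is built
    Client.SigningCertStorage := Signers;  // a signing storage makes the request signed
    Client.IncludeCertificates := True;    // send the signer chain so the server can verify
    Client.Nonce := SBRndGenerate(16);     // assumed RNG helper; 16 random bytes tie the reply to this request
    Client.HTTPClient := HTTP;             // TElHTTPSClient comes from SSLBlackbox
    Client.URL := ResponderURL;            // address of the OCSP responder

    // Creates the request, sends it, and processes the reply in one call.
    Result := Client.PerformRequest(ServerResult, Reply);
  finally
    Client.Free; HTTP.Free;
    Signers.Free; Issuers.Free; Certs.Free;
    Signer.Free; Issuer.Free; Cert.Free;
  end;
end;
```

ServerResult and Reply are returned untouched so the caller can evaluate them as described in the reply-handling article.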

See the corresponding how-to article for more about how to handle the reply.
