Discuss this help topic in SecureBlackbox Forum

Handle OCSP request

In SecureBlackbox, OCSP requests are mainly handled via the OnCertificateCheck event of the TElOCSPServer component. Prior to actually performing the cartificate check, the server needs to be appropriately configured.

Assume you have created and configured your TElOCSPServer object. Now you need to implement the event handler declared as, e.g.:


void handleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash, byte[] issuerKeyHash, byte[] certificateSerial,
     ref TElOCSPCertificateStatus certStatus, ref TSBCRLReasonFlag reasonFlag, ref DateTime revocationTime, ref DateTime thisUpdate,
     ref DateTime nextUpdate);
First thing to check is that the request directed to your server is legitimate and correct. Your server can only verify requests concerning certificates issued by certain CAs. You need to ensure that the client's enquiry covers one of those certificates. To do this, verify that the CA name and key hashes contained in the request match those of the actual CA certificate.

To obtain the name and key hashes for the CA certificate, load the CA certificate into a TElX509Certificate object. Now can get the hashes with built-in GetOCSPCertID() method: SBOCSPClient.Unit.GetOCSPCertID(null, caCert, SBUtils.Unit.GetAlgorithmByOID(hashAlgOID), ref nameHash, ref keyHash); Note, that you should load the CA certificate even if the OCSP responder has its own dedicated certificate.

Compare the CA certificate hashes to the ones you have received in the request. If either hash doesn't match, assign the following values to your handler's parameters:


certStatus = TElOCSPCertificateStatus.csUnknown;
thisUpdate = DateTime.UtcNow;
nextUpdate = DateTime.UtcNow.AddMonths(1); // some reasonably far moment in future, e.g., a month.

If the hashes match, the request is legitimate. Get the latest certificate status from your local database using the provided serial number. If the certificate is still valid, set the following values:


certStatus = TElOCSPCertificateStatus.csGood;
thisUpdate = lastUpdateMoment; // the moment when the certificate information in the database was last updated.
nextUpdate = DateTime.UtcNow.AddHours(24);
If the certificate was revoked:

certStatus = TElOCSPCertificateStatus.csRevoked;
reasonFlag = ...; // certificate revocation reason.
revocationTime = ...; // moment of revocation.
thisUpdate = ...; // moment when the certificate information in the database was last updated.
nextUpdate = DateTime.UtcNow.AddMonths(1); // some reasonably far moment in future, e.g., a month.

If a certificate with the required serial number is not present in the database:


certStatus = TElOCSPCertificateStatus.csUnknown;
thisUpdate = DateTime.UtcNow;
nextUpdate = DateTime.UtcNow.AddMonths(1); // some reasonably far moment in future, e.g., a month.

How To articles about OCSP

Discuss this help topic in SecureBlackbox Forum