Discuss this help topic in SecureBlackbox Forum

Process OCSP reply

To process the OCSP reply, pass it to the TElOCSPClient component. With the TElFileOCSPClient component you pass the reply in the OnOCSPValidationNeeded event handler; the TElHTTPOCSPClient component retrieves the reply automatically.

While processing the reply, TElOCSPClient extracts the certificates the server used to sign the response. If the certificates are not included in the reply, the OnCertificateNeeded event is fired, and your application must be ready to handle it. If you do not provide the necessary certificate, validation of the response signature fails.

To find out which certificate was used to sign the data, use the ServerName and ServerCertKeyHash properties of the TElOCSPClient class. If ServerCertKeyHash is empty, the server has identified itself by ServerName, and that value must be used. If ServerCertKeyHash is not empty, it must be used.

After the reply is processed, you can check the results of the request. First of all, you need to validate the certificates sent by the server. They are located in the TElMemoryCertStorage object referenced by the ReplyCertificates property of the TElOCSPClient class.

When validating the certificates, take into account the time at which the reply was produced, available from the ReplyProducedAt property of the TElOCSPClient class. Note that this time is not authenticated by a third party.

If the certificates are accepted, you can read the responses.

First of all, check the certificate status using the indexed CertStatus[] property of the TElOCSPClient class, which provides the status of each certificate whose status was queried. The index corresponds to the index of the certificate in the CertStorage property of the TElOCSPClient class.

The RevocationTime[] and RevocationReason[] properties of the TElOCSPClient class provide the details of a certificate's revocation.
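The steps above put together in Delphi, as an added example that is not from the SecureBlackbox documentation. OCSPClient, the ValidateResponderChain routine, and the PerformRequest, BinaryToString and csGood/csRevoked names are assumptions to verify against the unit headers of your installed version.

```delphi
// Added illustration, not SecureBlackbox's own code. Assumes OCSPClient is a
// TElHTTPOCSPClient whose CertStorage already holds the certificates to query,
// and that PerformRequest, BinaryToString and csGood/csRevoked exist as used
// here. ValidateResponderChain is a hypothetical application routine that runs
// the reply certificates through your own chain validation.
uses
  SysUtils, SBTypes, SBUtils, SBCustomCertStorage, SBOCSPClient, SBOCSPCommon;

function ValidateResponderChain(Certs: TElMemoryCertStorage;
  ValidityMoment: TDateTime): Boolean; forward; // hypothetical, application-supplied

function CheckOCSPReply(OCSPClient: TElHTTPOCSPClient): Boolean;
var
  ServerResult, I: Integer;
  Reply: ByteArray;
begin
  Result := False;
  // TElHTTPOCSPClient fetches and processes the reply itself; a non-zero
  // return means the request or the reply (including its signature) failed.
  if OCSPClient.PerformRequest(ServerResult, Reply) <> 0 then
    Exit;

  // Identify the responder: the key hash, when present, takes precedence
  // and ServerName is only the fallback.
  if Length(OCSPClient.ServerCertKeyHash) > 0 then
    WriteLn('Responder key hash: ', BinaryToString(OCSPClient.ServerCertKeyHash))
  else
    WriteLn('Responder name: ', OCSPClient.ServerName);

  // Validate the responder certificates at the moment the reply was produced.
  // ReplyProducedAt is asserted by the responder only, so the application
  // should also compare it against its own clock before trusting it.
  if not ValidateResponderChain(OCSPClient.ReplyCertificates,
                                OCSPClient.ReplyProducedAt) then
    Exit;

  // One status per queried certificate, indexed exactly like CertStorage.
  Result := True;
  for I := 0 to OCSPClient.CertStorage.Count - 1 do
    case OCSPClient.CertStatus[I] of
      csGood: ;
      csRevoked:
      begin
        WriteLn(Format('Certificate %d revoked at %s, reason code %d',
          [I, DateTimeToStr(OCSPClient.RevocationTime[I]),
           Ord(OCSPClient.RevocationReason[I])]));
        Result := False;
      end;
    else
      Result := False; // unknown status: the certificate is not proven good
    end;
end;
```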
