CryptoSys PKI  23.0.0
dipki::Ocsp Class Reference

Online Certificate Status Protocol (OCSP) More...

Public Types

enum class HashAlg
 Hash algorithm.
 

Static Public Member Functions

static std::string MakeRequest (const std::string &issuerCert, const std::string &certFileOrSerialNumber, HashAlg hashAlg=HashAlg::Sha1)
 Create an Online Certificate Status Protocol (OCSP) request as a base64 string.
 
static std::string ReadResponse (const std::string &responseFile, const std::string &issuerCert="")
 Read a response to an Online Certificate Status Protocol (OCSP) request and output the main results in text form.
 

Detailed Description

Online Certificate Status Protocol (OCSP)

Member Enumeration Documentation

◆ HashAlg

enum class dipki::Ocsp::HashAlg

Hash algorithm.

Enumerator
Sha1    SHA-1 [default].
Sha224  SHA-224.
Sha256  SHA-256.
Sha384  SHA-384.
Sha512  SHA-512.

Member Function Documentation

◆ MakeRequest()

static std::string dipki::Ocsp::MakeRequest (const std::string &issuerCert, const std::string &certFileOrSerialNumber, HashAlg hashAlg = HashAlg::Sha1)

Create an Online Certificate Status Protocol (OCSP) request as a base64 string.

Parameters
issuerCert    name of the issuer's X.509 certificate file (or its base64 representation)
certFileOrSerialNumber    either the name of the X.509 certificate file to be checked, or its serial number in hexadecimal format preceded by #x.
hashAlg    hash algorithm to be used [default = SHA-1]
Returns
A base64 string suitable for an OCSP request to an Online Certificate Status Manager or an empty string on error.
Remarks
The issuer's X.509 certificate must be specified. The certificate to be checked can be specified either directly as a filename or as a serial number in hexadecimal format preceded by "#x", e.g. "#x01deadbeef". The serial number form must be hexadecimal, so the serial number 10 would be passed as "#x0a". It is an error (NO_MATCH_ERROR) if the issuer name in the certificate to be checked does not match the subject name of the issuer's certificate.
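The serial-number form of the second argument is easy to get wrong when the serial comes from a tool that prints it as a decimal integer or as a colon-separated hex dump. The following helper, added here and not part of the CryptoSys PKI library, normalises either form into the "#x" hexadecimal string that MakeRequest expects; it treats leading zeros as numerically insignificant and pads to whole bytes, which is an assumption about how the library reads the value, and the function name SerialToOcspArg is hypothetical.

```cpp
// Added example, not part of the CryptoSys PKI library: normalise a certificate
// serial number into the "#x<hex>" form that dipki::Ocsp::MakeRequest expects.
#include <cctype>
#include <stdexcept>
#include <string>

// Divide a non-negative decimal digit string by 16 in place (schoolbook long
// division) and return the remainder, so serials longer than 64 bits work.
static int DivMod16(std::string &dec) {
    std::string quotient;
    int rem = 0;
    for (char c : dec) {
        int cur = rem * 10 + (c - '0');
        int q = cur / 16;
        rem = cur % 16;
        if (!quotient.empty() || q != 0) quotient.push_back(static_cast<char>('0' + q));
    }
    dec = quotient.empty() ? "0" : quotient;
    return rem;
}

// serial: hexadecimal (optionally "0x"/"#x"-prefixed, optionally with ':' or
// space separators as printed by openssl) or, when decimal == true, a decimal
// integer as shown by some certificate viewers. Returns "#x" + lowercase hex
// with an even number of digits, e.g. 10 -> "#x0a". Throws on bad input.
std::string SerialToOcspArg(std::string serial, bool decimal = false) {
    if (!decimal && (serial.rfind("0x", 0) == 0 || serial.rfind("0X", 0) == 0 ||
                     serial.rfind("#x", 0) == 0))
        serial.erase(0, 2);
    std::string digits;
    for (char c : serial) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!decimal && (c == ':' || c == ' ')) continue;   // byte separators
        bool ok = decimal ? std::isdigit(uc) != 0 : std::isxdigit(uc) != 0;
        if (!ok) throw std::invalid_argument("invalid character in serial number");
        digits.push_back(static_cast<char>(std::tolower(uc)));
    }
    if (digits.empty()) throw std::invalid_argument("empty serial number");
    std::string hex;
    if (decimal) {
        // Peel off one hex digit per division, least significant first.
        while (digits != "0") hex.insert(hex.begin(), "0123456789abcdef"[DivMod16(digits)]);
        if (hex.empty()) hex = "0";
    } else {
        hex = digits;
    }
    if (hex.size() % 2 != 0) hex.insert(hex.begin(), '0');   // whole bytes only
    return "#x" + hex;
}
```

The result is passed unchanged as certFileOrSerialNumber, e.g. Ocsp::MakeRequest("issuer.cer", SerialToOcspArg("01:de:ad:be:ef")).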

◆ ReadResponse()

static std::string dipki::Ocsp::ReadResponse (const std::string &responseFile, const std::string &issuerCert = "")

Read a response to an Online Certificate Status Protocol (OCSP) request and output the main results in text form.

Parameters
responseFile    name of the file containing the response data in BER format.
issuerCert    (optional) name of the issuer's X.509 certificate file (or its base64 representation)
Returns
A text string outlining the main results in the response data or an empty string on error.
Remarks
Note that a revoked certificate will still result in a "Successful response", so check the CertStatus. The issuer's X.509 certificate issuerCert is optional. If provided, it will be used to check the signature on the OCSP response, and an error will result if the signature is not valid.
CAUTION: For some CAs (e.g. VeriSign) the key used to sign the OCSP response is not the same as the key in the issuer's certificate, so specifying the issuer's certificate in this case will result in a signature error. If you can separately obtain the certificate used to sign the OCSP response, then specify this as the issuerCert; otherwise leave as the empty string "".
Copyright © 2004-24 D.I. Management Services Pty Limited t/a CryptoSys ABN 78 083 210 584 Australia. All rights reserved. <www.di-mgt.com.au> <www.cryptosys.net>. Generated on Mon Sep 23 2024 15:37:33 by Doxygen 1.9.1.