Discuss this help topic in SecureBlackbox Forum



Filter: C#  VB.NET  Pascal  C++  PHP  Java  

The event is triggered when the signer certificate of the OCSP response is neither a CA certificate itself nor issued (signed) by this certificate.


    event TSBOCSPResponseSignerValidEvent OnOCSPResponseSignerValid;
    delegate void TSBOCSPResponseSignerValidEvent(Object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, TElOCSPResponse Response, TElX509Certificate SignerCertificate, ref bool SignerValid);

    Event OnOCSPResponseSignerValid As TSBOCSPResponseSignerValidEvent
    Delegate Sub TSBOCSPResponseSignerValidEvent(ByVal Sender As Object, ByVal Certificate As TElX509Certificate, ByVal CACertificate As TElX509Certificate, ByVal Response As TElOCSPResponse, ByVal SignerCertificate As TElX509Certificate, ByRef SignerValid As Boolean)

    property OnOCSPResponseSignerValid : TSBOCSPResponseSignerValidEvent;
    TSBOCSPResponseSignerValidEvent = procedure (Sender : TObject; Certificate, CACertificate : TElX509Certificate; Response : TElOCSPResponse; SignerCertificate : TElX509Certificate; var SignerValid : boolean) of object;

    void get_OnOCSPResponseSignerValid(TSBOCSPResponseSignerValidEvent &pMethodOutResult, void * &pDataOutResult);
    void set_OnOCSPResponseSignerValid(TSBOCSPResponseSignerValidEvent pMethodValue, void * pDataValue);
    typedef void (SB_CALLBACK *TSBOCSPResponseSignerValidEvent)(void * _ObjectData, TObjectHandle Sender, TElX509CertificateHandle Certificate, TElX509CertificateHandle CACertificate, TElOCSPResponseHandle Response, TElX509CertificateHandle SignerCertificate, int8_t &SignerValid);

    TSBOCSPResponseSignerValidEvent|callable|NULL get_OnOCSPResponseSignerValid()
    void set_OnOCSPResponseSignerValid(TSBOCSPResponseSignerValidEvent|callable|NULL $Value)
    callable TSBOCSPResponseSignerValidEvent(TObject $Sender, TElX509Certificate $Certificate, TElX509Certificate $CACertificate, TElOCSPResponse $Response, TElX509Certificate $SignerCertificate, bool &$SignerValid)

    TSBOCSPResponseSignerValidEvent getOnOCSPResponseSignerValid();
    void setOnOCSPResponseSignerValid(TSBOCSPResponseSignerValidEvent Value);
    TSBOCSPResponseSignerValidEvent.Callback OnOCSPResponseSignerValid = new TSBOCSPResponseSignerValidEvent.Callback() {
        public void TSBOCSPResponseSignerValidEventCallback(TObject Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, TElOCSPResponse Response, TElX509Certificate SignerCertificate, TSBBoolean SignerValid) {


  • Certificate - the certificate for which validation is performed.
  • CACertificate - the CA certificate.
  • Response - contains the OCSP received response.
  • SignerCertificate - specifies the certificate that signs the OCSP response.
  • SignerValid - set this parameter to True if the signer certificate should be trusted, and to False otherwise.


    According to RFC 6960 the OCSP response must be signed by either the CA certificate (the one used to sign the certificate being checked) or by dedicated certificate, which in turn was signed with the CA certificate. However, the RFC declares the exclusion which makes all other conditions void: the certificate can be used for signing when it ‘Matches a local configuration of OCSP signing authority for the certificate in question’. Of course, there's no way for the client to verify, using regular means, that the used certificate matches some mythical configuration. So it's up to the application to decide whether such signature may be accepted.

Discuss this help topic in SecureBlackbox Forum