EldoS | Feel safer!

OCSP client RFC

Posted: 06/29/2006 04:03:47
by Luis Fraile (Basic support level)
Joined: 06/13/2006
Posts: 9

I'm having problems communicating with your OCSP client with a partner OCSP server, and he tells me, looking at what I send, that I do not comply with RFC http://rfc.net/rfc2560.html. We are evaluating whether to buy SecureBlackbox or not, as we need it for this, so please, can you tell me which RFC your client uses?
I can send you our code if you need.
Posted: 06/29/2006 09:26:28
by Eugene Mayevski (Team)

Please update SecureBlackbox to version 4.4.90, we've re-implemented OCSP from scratch in this build. If there's a problem with this build, we'll investigate it further. We tested new implementation with Ascertia's OCSP service and it worked fine.

Sincerely yours
Eugene Mayevski
Posted: 06/29/2006 12:02:43
by Luis Fraile (Basic support level)
Joined: 06/13/2006
Posts: 9

I have just downloaded the new version and tried it; I get the same response from the OCSP server, so I will talk to our provider again to check if the request meets the RFC.

Posted: 06/29/2006 12:58:35
by Eugene Mayevski (Team)

Please ask your provider about what software they use for OCSP server.

Sincerely yours
Eugene Mayevski
Posted: 06/30/2006 03:28:26
by Luis Fraile (Basic support level)
Joined: 06/13/2006
Posts: 9

We are trying, but the only information they provide us is that they are using IAIK libraries :(
Posted: 06/30/2006 03:43:15
by Eugene Mayevski (Team)

...well-known for their bugginess... I've tested our implementation with Thawte and Verisign OCSP servers, and we had no problems.

Sincerely yours
Eugene Mayevski
Posted: 06/30/2006 03:53:34
by Eugene Mayevski (Team)

Just an idea ... Please create a small sample which illustrates how you create the request, and includes the certificate to be validated and the issuer certificate, and send this sample to support@eldos.com

If your OCSP server is publicly accessible, then you can give us the address too. We'll try to play with it.

Sincerely yours
Eugene Mayevski
Posted: 06/30/2006 07:04:01
by Luis Fraile (Basic support level)
Joined: 06/13/2006
Posts: 9

Ok, I will try to prepare a small sample (apart from all the other code we have) and send it to you. Unfortunately the OCSP server we are using is not public :( but maybe we have something wrong in our code. Thanks a lot
Posted: 06/30/2006 10:59:43
by Eugene Mayevski (Team)

Not necessarily in your code, but in any case the sample works best when you need to reproduce the issue.

Sincerely yours
Eugene Mayevski
Posted: 07/04/2006 01:13:28
by Luis Fraile (Basic support level)
Joined: 06/13/2006
Posts: 9

Here I post the code, and after it a few more details our provider told us:

using System;
using System.IO;
using System.Net;
using System.Windows.Forms;
using System.Security.Cryptography.X509Certificates;
using SBX509;
// Namespace names for the storage and OCSP classes are assumed to follow the
// SecureBlackbox 4.x unit names; adjust if your build differs.
using SBCustomCertStorage;
using SBOCSPClient;

string certificadoFichero = "cert_file.cer";
X509Certificate cert = new X509Certificate(certificadoFichero);

byte[] certificadoByte = cert.GetRawCertData();

TElX509Certificate certificadoSBX = new TElX509Certificate();
// The posted code never loaded the DER bytes into the SecureBlackbox certificate
// object, so the storage held an empty certificate. LoadFromBuffer is assumed to
// be the loading method in this library version.
certificadoSBX.LoadFromBuffer(certificadoByte);

TElMemoryCertStorage memoryStoreCert = new TElMemoryCertStorage();
memoryStoreCert.Add(certificadoSBX, false);
// Note: only the end-entity certificate is loaded here; the support reply above
// asked for the issuer certificate as well.

TElOCSPClient cliente = new TElOCSPClient();
cliente.CertStorage = memoryStoreCert;

byte[] peticion = null;

cliente.CreateRequest(ref peticion);
// The posted code then did "peticion[1] = 1;". Byte 1 of a DER-encoded request is
// the length octet of the outer SEQUENCE, so overwriting it corrupts the request.
// That line has been removed.

Uri uriAfirma = new Uri("http://our.ocsp.server");

HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uriAfirma);
request.UserAgent = ".NET Framework Example Client";
request.Method = "POST";
request.ContentType = "application/ocsp-request";
request.ContentLength = peticion.Length;

// Write the request body and close the stream so the POST is actually sent.
using (Stream dataStream = request.GetRequestStream())
{
    dataStream.Write(peticion, 0, peticion.Length);
}

byte[] respuestaBytes;
using (WebResponse response = request.GetResponse())
using (Stream respuestaStream = response.GetResponseStream())
using (MemoryStream ms = new MemoryStream())
{
    // Read until EOF: a single Read() may return fewer bytes than ContentLength,
    // and ContentLength is -1 when the server uses chunked transfer encoding.
    byte[] buffer = new byte[4096];
    int n;
    while ((n = respuestaStream.Read(buffer, 0, buffer.Length)) > 0)
    {
        ms.Write(buffer, 0, n);
    }
    respuestaBytes = ms.ToArray();
}

short serverResult = 0;
cliente.ProcessReply(respuestaBytes, ref serverResult);

MessageBox.Show("Server request state: " + serverResult); //always 0, so it seems Ok
MessageBox.Show("Cert state: " + cliente.get_CertStatus(0).ToString()); //Always 2 :(


Well, as I put in the comment, it always returns 2. We are testing the same certificate with a Java OCSP client, and it returns certificate state "good", so we know the certificate is ok.

We told our provider to take a trace of our request to check what was wrong, and they say the problem is with the CertId structure we are sending: it must include the OID of the hash algorithm used (SHA-1, SHA-2, etc.), but they say we are sending an OID belonging to a signature type (Sha1WithRSAEncryption), so it is not valid. That's all, so maybe it's something wrong in the way we prepare the request with your library? Thanks a lot.
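The provider's objection can be checked without any vendor library. The following is an added example, not code from this thread and not SecureBlackbox code: a small hand-rolled DER encoder/decoder in Python that builds a minimal unsigned OCSPRequest (RFC 2560 section 4.1.1) from constructed placeholder issuer data, extracts CertID.hashAlgorithm from any request, and reports whether the OID is a digest OID (SHA-1 is 1.3.14.3.2.26, SHA-256 is 2.16.840.1.101.3.4.2.1) or a signature-scheme OID such as sha1WithRSAEncryption (1.2.840.113549.1.1.5), which is the mistake the provider describes. It also checks that the outer SEQUENCE length octet matches the buffer, which is exactly what overwriting byte 1 of the request, as the posted code did, breaks. The issuer name and key bytes below are constructed placeholders, not a real issuer.

```python
"""Inspect CertID.hashAlgorithm in a DER-encoded OCSP request (RFC 2560).
Added example with a minimal hand-written DER codec; no external libraries."""
import hashlib

# Digest OIDs valid for CertID.hashAlgorithm (an AlgorithmIdentifier of a hash).
DIGEST_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
# Signature OIDs that are sometimes sent by mistake in the same place.
SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                  "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def _len(n):
    """DER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_ocsp_request(hash_oid, issuer_name_der, issuer_key_bits, serial):
    """Unsigned OCSPRequest with one Request. The hash used for the two OCTET STRINGs
    follows the OID when it is a digest OID; otherwise SHA-1, to mimic a buggy client."""
    h = DIGEST_OIDS.get(hash_oid, "sha1")
    name_hash = hashlib.new(h, issuer_name_der).digest()
    key_hash = hashlib.new(h, issuer_key_bits).digest()
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # keeps INTEGER positive
    alg_id = _tlv(0x30, encode_oid(hash_oid) + b"\x05\x00")         # AlgorithmIdentifier + NULL
    cert_id = _tlv(0x30, alg_id + _tlv(0x04, name_hash) + _tlv(0x04, key_hash) + _tlv(0x02, ser))
    request_list = _tlv(0x30, _tlv(0x30, cert_id))                  # SEQUENCE OF Request
    return _tlv(0x30, _tlv(0x30, request_list))                     # OCSPRequest { TBSRequest }


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def der_is_well_formed(der):
    """True when the outer SEQUENCE length covers exactly the buffer (a patched length octet fails)."""
    try:
        tag, _, end = _read_tlv(der, 0)
    except IndexError:
        return False
    return tag == 0x30 and end == len(der)


def cert_id_hash_oids(ocsp_request):
    """Dotted hashAlgorithm OID of every CertID in the request's requestList."""
    tag, outer, _ = _read_tlv(ocsp_request, 0)
    if tag != 0x30:
        raise ValueError("not an OCSPRequest SEQUENCE")
    tbs = _children(outer)[0][1]
    # [0] version and [1] requestorName are context-tagged (0xA0/0xA1); requestList is plain 0x30.
    request_list = next(v for t, v in _children(tbs) if t == 0x30)
    oids = []
    for _, req in _children(request_list):
        cert_id = _children(req)[0][1]                # reqCert
        alg_body = _children(cert_id)[0][1]           # hashAlgorithm
        oid_tag, oid_body = _children(alg_body)[0]
        if oid_tag != 0x06:
            raise ValueError("hashAlgorithm without an OID")
        oids.append(decode_oid(oid_body))
    return oids


def check_request(ocsp_request):
    """One verdict per CertID, in request order."""
    verdicts = []
    for oid in cert_id_hash_oids(ocsp_request):
        if oid in DIGEST_OIDS:
            verdicts.append("ok " + DIGEST_OIDS[oid])
        elif oid in SIGNATURE_OIDS:
            verdicts.append("signature OID " + SIGNATURE_OIDS[oid] + " where a digest OID is required")
        else:
            verdicts.append("unknown OID " + oid)
    return verdicts


# Constructed placeholders (not a real issuer): an empty Name and 16 zero key bytes.
ISSUER_NAME_DER = b"\x30\x00"
ISSUER_KEY_BITS = b"\x00" * 16
GOOD = build_ocsp_request("1.3.14.3.2.26", ISSUER_NAME_DER, ISSUER_KEY_BITS, 0x1234)
BAD = build_ocsp_request("1.2.840.113549.1.1.5", ISSUER_NAME_DER, ISSUER_KEY_BITS, 0x1234)

if __name__ == "__main__":
    print(check_request(GOOD), check_request(BAD))
```

Feed check_request() the raw bytes written to the request stream (peticion in the posted code) to see what the server sees. The same parser walks any OCSPRequest, signed or not, since optionalSignature sits after tbsRequest and is simply not visited.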




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
