Handle the OCSP request on the server
Handling OCSP requests

You might want to get familiar with our other article, dedicated to general OCSP server configuration, before reading this one. As that article explains, OCSP requests are primarily handled in the OnCertificateCheck event handler. This article gives more information about how to handle this event correctly. So, you've got the handler:

    void handleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash,
        byte[] issuerKeyHash, byte[] certificateSerial,
        ref TElOCSPCertificateStatus certStatus, ref TSBCRLReasonFlag reasonFlag,
        ref DateTime revocationTime, ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
        ...
    }

The first thing to do is check that the request directed to your server is legitimate and correct. Your server can only answer for certificates issued by a particular CA (or CAs), so you need to ensure that the client is asking about one of those certificates. This is done by checking that the issuer name hash and issuer key hash in the request match the same values computed from the actual CA certificate, using the hash algorithm the client chose (hashAlgOID).

So you need to obtain those hashes for the real CA certificate. First, load the CA certificate into a TElX509Certificate object. Note that it is the CA certificate you must load, even if the OCSP responder signs its responses with its own dedicated certificate. Then get the hashes with the built-in GetOCSPCertID() method:

    SBOCSPClient.Unit.GetOCSPCertID(null, caCert, SBUtils.Unit.GetAlgorithmByOID(hashAlgOID), ref nameHash, ref keyHash);

Compare nameHash and keyHash with the issuerNameHash and issuerKeyHash parameters you received. If either hash doesn't match, set certStatus to TElOCSPCertificateStatus.csUnknown, thisUpdate to DateTime.UtcNow and nextUpdate to some reasonably far moment in the future (e.g. a month). Never report csGood for a certificate you cannot attribute to your own CA.

If the hashes match, the request is legitimate. Get the latest status of the certificate from your local database, using the serial number provided in certificateSerial.

If the certificate is still valid, set certStatus to TElOCSPCertificateStatus.csGood, thisUpdate to the moment the certificate information in the database was last updated, and nextUpdate to the moment you expect it to be updated next (in an hour, a day, a week, etc.).

If the certificate has been revoked, set certStatus to TElOCSPCertificateStatus.csRevoked and specify the revocation reason via the reasonFlag parameter. Set revocationTime to the moment of revocation, thisUpdate to the moment the certificate information in the database was last updated, and nextUpdate to a reasonably far moment in the future.

If no certificate with the provided serial number is present in the database, set certStatus to TElOCSPCertificateStatus.csUnknown, thisUpdate to DateTime.UtcNow and nextUpdate to some reasonably far moment in the future (e.g. a month).

To handle OCSP requests on the server, use the TElOCSPServer component.
Before the server can be used, you need to set up certain properties.

The response generated by the OCSP server must be signed, so you need to specify the certificate that will be used for signing. To do this, set the SigningCertStorage property of the TElOCSPServer class to an instance of TElMemoryCertStorage that contains one or more certificates. One certificate in the storage must have a private key. Whether the server's own certificates are sent to the client along with the response is controlled by the IncludeCertificates property.

If you want to force clients to sign their requests, set the SignatureRequired property of the TElOCSPServer component to true.
There are several events in the server, for which you must define the event handlers.
The first event is OnSignatureValidate. It is fired after the certificates have been read from a signed client request, and the application must validate those certificates. They can be read from the RequestCertificates property, which references a TElMemoryCertStorage filled with the certificates from the request.

If the signed request doesn't include certificates, the OnCertificateNeeded event is fired, so your application must be ready to handle this event too. If you don't provide the necessary certificate, the signature validation will fail.
The main event is OnCertificateCheck. This event is fired for each certificate in the request, whose status is to be validated.
To process the request, call the ProcessRequest() method of TElOCSPServer. This method parses the request, calls the necessary event handlers, and then composes the reply (or returns an error if something goes wrong).
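The following C# class ties both halves of this page together: the TElOCSPServer setup (signing storage, IncludeCertificates, SignatureRequired, the three event handlers, ProcessRequest) and the OnCertificateCheck logic described earlier (CertID hash check, serial lookup, good/revoked/unknown answers). It is an added example written for this page, not SecureBlackbox's own sample code. The status database is a constructed in-memory dictionary. The following are assumptions to verify against your SecureBlackbox version: the namespaces in the using directives, the reason value TSBCRLReasonFlag.rfKeyCompromise, TElMemoryCertStorage.Add(cert, copyPrivateKey) / Count / GetCertificate(i), TElX509Certificate.PrivateKeyExists and ValidateWithCA(ca), the handler signatures OnSignatureValidate(object, ref bool) and OnCertificateNeeded(object, ref TElX509Certificate), and int ProcessRequest(byte[] request, ref byte[] reply) returning 0 on success.

```csharp
// Added example, not SecureBlackbox code. Assumed (see lead-in): namespaces below,
// TSBCRLReasonFlag.rfKeyCompromise, TElMemoryCertStorage.Add/Count/GetCertificate,
// TElX509Certificate.PrivateKeyExists/ValidateWithCA, the OnSignatureValidate and
// OnCertificateNeeded signatures, and ProcessRequest(byte[], ref byte[]) returning int.
using System;
using System.Collections.Generic;
using System.Linq;
using SBUtils;
using SBX509;
using SBCRL;
using SBCustomCertStorage;
using SBOCSPClient;
using SBOCSPCommon;
using SBOCSPServer;

class CertRecord
{
    public bool Revoked;
    public TSBCRLReasonFlag Reason;
    public DateTime RevocationTime;
    public DateTime LastUpdated;   // when this row was last refreshed from the CA's records
}

class OcspResponder
{
    readonly TElX509Certificate caCert;                 // the issuing CA, not the responder cert
    readonly TElOCSPServer server = new TElOCSPServer();
    readonly TimeSpan refreshInterval = TimeSpan.FromHours(1);

    // Constructed stand-in for the CA's status database, keyed by the serial number
    // as upper-case hex with leading zero bytes stripped.
    readonly Dictionary<string, CertRecord> db = new Dictionary<string, CertRecord>
    {
        { "1A3B", new CertRecord { Revoked = false, LastUpdated = DateTime.UtcNow.AddMinutes(-10) } },
        { "1A3C", new CertRecord { Revoked = true, Reason = TSBCRLReasonFlag.rfKeyCompromise,
                  RevocationTime = new DateTime(2014, 3, 1, 0, 0, 0, DateTimeKind.Utc),
                  LastUpdated = DateTime.UtcNow.AddMinutes(-10) } },
    };

    public OcspResponder(TElX509Certificate ca, TElX509Certificate responderCert)
    {
        caCert = ca;
        if (!responderCert.PrivateKeyExists)
            throw new ArgumentException("the responder certificate must carry its private key");
        var signing = new TElMemoryCertStorage();
        signing.Add(responderCert, true);       // responses are signed with this key
        server.SigningCertStorage = signing;
        server.IncludeCertificates = true;      // ship the responder certificate in the response
        server.SignatureRequired = false;       // true: reject requests the client did not sign
        server.OnSignatureValidate += HandleSignatureValidate;
        server.OnCertificateNeeded += HandleCertificateNeeded;
        server.OnCertificateCheck += HandleCertificateCheck;
    }

    // Parse the DER request, run the handlers, return the DER response.
    public byte[] Respond(byte[] derRequest)
    {
        byte[] reply = null;
        int err = server.ProcessRequest(derRequest, ref reply);
        if (err != 0)
            throw new InvalidOperationException("OCSP request rejected, error code " + err);
        return reply;
    }

    void HandleSignatureValidate(object sender, ref bool valid)
    {
        // Accept a signed request only if every certificate it carries chains to our CA.
        var certs = server.RequestCertificates;
        valid = certs.Count > 0;
        for (int i = 0; i < certs.Count && valid; i++)
            valid = certs.GetCertificate(i).ValidateWithCA(caCert);
    }

    void HandleCertificateNeeded(object sender, ref TElX509Certificate cert)
    {
        cert = null;   // no stored client certificates: the signature check then fails, which is the safe default
    }

    void HandleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash,
        byte[] issuerKeyHash, byte[] certificateSerial, ref TElOCSPCertificateStatus certStatus,
        ref TSBCRLReasonFlag reasonFlag, ref DateTime revocationTime,
        ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
        // 1. Recompute the CertID hashes of our CA with the algorithm the client chose.
        byte[] nameHash = null, keyHash = null;
        SBOCSPClient.Unit.GetOCSPCertID(null, caCert,
            SBUtils.Unit.GetAlgorithmByOID(hashAlgOID), ref nameHash, ref keyHash);

        // 2. A mismatch means another CA (or an unsupported hash): answer "unknown", never "good".
        if (nameHash == null || keyHash == null ||
            !nameHash.SequenceEqual(issuerNameHash) || !keyHash.SequenceEqual(issuerKeyHash))
        {
            SetUnknown(ref certStatus, ref thisUpdate, ref nextUpdate);
            return;
        }

        // 3. Look up the serial; strip leading zero bytes so a DER-padded serial (00 1A 3B) matches.
        string serial = BitConverter.ToString(certificateSerial.SkipWhile(b => b == 0).ToArray()).Replace("-", "");
        CertRecord rec;
        if (!db.TryGetValue(serial, out rec))
        {
            SetUnknown(ref certStatus, ref thisUpdate, ref nextUpdate);
            return;
        }

        thisUpdate = rec.LastUpdated;
        if (rec.Revoked)
        {
            certStatus = TElOCSPCertificateStatus.csRevoked;
            reasonFlag = rec.Reason;
            revocationTime = rec.RevocationTime;
            nextUpdate = thisUpdate.AddDays(30);        // revocation is final; a far nextUpdate is fine
        }
        else
        {
            certStatus = TElOCSPCertificateStatus.csGood;
            nextUpdate = thisUpdate + refreshInterval;  // when the database is refreshed next
        }
    }

    static void SetUnknown(ref TElOCSPCertificateStatus certStatus, ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
        certStatus = TElOCSPCertificateStatus.csUnknown;
        thisUpdate = DateTime.UtcNow;
        nextUpdate = DateTime.UtcNow.AddDays(30);
    }
}
```

Two points worth noting in the handler: the issuer-hash comparison is done before any database lookup, so a request about a certificate from a foreign CA can never be answered csGood by accident, and the serial number is normalized before lookup because the DER encoding of a serial with a high first bit carries a leading zero byte that a database keyed on the "natural" hex form would not contain.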