DataFlex
Validate Certificate using OCSP Protocol
Demonstrates how to validate a certificate (check its revoked status) using the OCSP protocol.
Use ChilkatAx-win32.pkg
Procedure Test
    Boolean iSuccess
    Handle hoCert
    String sOcspUrl
    String sHashAlg
    Handle hoPrng
    Variant vJson
    Handle hoJson
    Variant vOcspRequest
    Handle hoOcspRequest
    Handle hoHttp
    Variant vResp
    Handle hoResp
    Variant vOcspReply
    Handle hoOcspReply
    Variant vJsonReply
    Handle hoJsonReply
    Integer iOcspStatus
    Integer iCertStatus
    String sTemp1
    Boolean bTemp1

    Move False To iSuccess

    // This requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // This example will check the revoked status of a certificate loaded from a file.
    Get Create (RefClass(cComChilkatCert)) To hoCert
    If (Not(IsComObjectCreated(hoCert))) Begin
        Send CreateComObject of hoCert
    End
    Get ComLoadFromFile Of hoCert "qa_data/certs/google.crt" To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoCert To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // Get the cert's OCSP URL.
    Get ComOcspUrl Of hoCert To sOcspUrl

    // Build the JSON that will be the OCSP request.
    // Possible hash algorithms are sha1, sha256, sha384, sha512.
    Move "sha256" To sHashAlg

    Get Create (RefClass(cComChilkatPrng)) To hoPrng
    If (Not(IsComObjectCreated(hoPrng))) Begin
        Send CreateComObject of hoPrng
    End
    Get Create (RefClass(cComChilkatJsonObject)) To hoJson
    If (Not(IsComObjectCreated(hoJson))) Begin
        Send CreateComObject of hoJson
    End
    Set ComEmitCompact Of hoJson To False

    // Read more about OCSP nonce lengths
    Get ComGenRandom Of hoPrng 16 "base64" To sTemp1
    Get ComUpdateString Of hoJson "extensions.ocspNonce" sTemp1 To iSuccess
    Set ComI Of hoJson To 0
    Get ComUpdateString Of hoJson "request[i].cert.hashAlg" sHashAlg To iSuccess
    Get ComHashOf Of hoCert "IssuerDN" sHashAlg "base64" To sTemp1
    Get ComUpdateString Of hoJson "request[i].cert.issuerNameHash" sTemp1 To iSuccess
    Get ComHashOf Of hoCert "IssuerPublicKey" sHashAlg "base64" To sTemp1
    Get ComUpdateString Of hoJson "request[i].cert.issuerKeyHash" sTemp1 To iSuccess
    Get ComSerialNumber Of hoCert To sTemp1
    Get ComUpdateString Of hoJson "request[i].cert.serialNumber" sTemp1 To iSuccess

    Get ComEmit Of hoJson To sTemp1
    Showln sTemp1

    // Our OCSP request looks something like this:
    // {
    //   "extensions": {
    //     "ocspNonce": "qZDfbpO+nUxRzz6c/SPjE5QCAsPfpkQlRDxTnGl0gnxt7iXO"
    //   },
    //   "request": [
    //     {
    //       "cert": {
    //         "hashAlg": "sha1",
    //         "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
    //         "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
    //         "serialNumber": "6175535D87BF94B6"
    //       }
    //     }
    //   ]
    // }

    Get Create (RefClass(cComChilkatBinData)) To hoOcspRequest
    If (Not(IsComObjectCreated(hoOcspRequest))) Begin
        Send CreateComObject of hoOcspRequest
    End
    Get Create (RefClass(cComChilkatHttp)) To hoHttp
    If (Not(IsComObjectCreated(hoHttp))) Begin
        Send CreateComObject of hoHttp
    End

    // Convert our JSON to a binary (ASN.1) OCSP request
    Get pvComObject of hoJson to vJson
    Get pvComObject of hoOcspRequest to vOcspRequest
    Get ComCreateOcspRequest Of hoHttp vJson vOcspRequest To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // Send the OCSP request to the OCSP server
    Get Create (RefClass(cComChilkatHttpResponse)) To hoResp
    If (Not(IsComObjectCreated(hoResp))) Begin
        Send CreateComObject of hoResp
    End
    Get pvComObject of hoOcspRequest to vOcspRequest
    Get pvComObject of hoResp to vResp
    Get ComHttpBd Of hoHttp "POST" sOcspUrl vOcspRequest "application/ocsp-request" vResp To iSuccess
    If (iSuccess = False) Begin
        Get ComLastErrorText Of hoHttp To sTemp1
        Showln sTemp1
        Procedure_Return
    End

    // Get the binary (ASN.1) OCSP reply
    Get Create (RefClass(cComChilkatBinData)) To hoOcspReply
    If (Not(IsComObjectCreated(hoOcspReply))) Begin
        Send CreateComObject of hoOcspReply
    End
    Get pvComObject of hoOcspReply to vOcspReply
    Get ComGetBodyBd Of hoResp vOcspReply To iSuccess

    // Convert the binary reply to JSON.
    // Also returns the overall OCSP response status.
    Get Create (RefClass(cComChilkatJsonObject)) To hoJsonReply
    If (Not(IsComObjectCreated(hoJsonReply))) Begin
        Send CreateComObject of hoJsonReply
    End
    Get pvComObject of hoOcspReply to vOcspReply
    Get pvComObject of hoJsonReply to vJsonReply
    Get ComParseOcspReply Of hoHttp vOcspReply vJsonReply To iOcspStatus

    // The ocspStatus can have one of these values:
    // -1: The ocspReply data does not contain a valid OCSP reply.
    //  0: Successful - Response has valid confirmations.
    //  1: Malformed request - Illegal confirmation request.
    //  2: Internal error - Internal error in issuer.
    //  3: Try later - Try again later.
    //  4: Not used - This value is never returned.
    //  5: Sig required - Must sign the request.
    //  6: Unauthorized - Request unauthorized.
    If (iOcspStatus < 0) Begin
        Showln "Invalid OCSP reply."
        Procedure_Return
    End
    Showln "Overall OCSP Response Status: " iOcspStatus

    // Let's examine the OCSP response (in JSON).
    Set ComEmitCompact Of hoJsonReply To False
    Get ComEmit Of hoJsonReply To sTemp1
    Showln sTemp1

    // The JSON reply looks like this:
    // (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml
    // to generate JSON parsing code.)
    // {
    //   "responseStatus": 0,
    //   "responseTypeOid": "1.3.6.1.5.5.7.48.1.1",
    //   "responseTypeName": "ocspBasic",
    //   "response": {
    //     "responderIdChoice": "KeyHash",
    //     "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
    //     "dateTime": "20180803193937Z",
    //     "cert": [
    //       {
    //         "hashOid": "1.3.14.3.2.26",
    //         "hashAlg": "SHA-1",
    //         "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
    //         "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
    //         "serialNumber": "6175535D87BF94B6",
    //         "status": 0,
    //         "thisUpdate": "20180803193937Z",
    //         "nextUpdate": "20180810193937Z"
    //       }
    //     ]
    //   }
    // }

    // The certificate status:
    Move -1 To iCertStatus
    Get ComHasMember Of hoJsonReply "response.cert[0].status" To bTemp1
    If (bTemp1 = True) Begin
        Get ComIntOf Of hoJsonReply "response.cert[0].status" To iCertStatus
    End

    // Possible certStatus values are:
    // -1: No status returned.
    //  0: Good
    //  1: Revoked
    //  2: Unknown.
    Showln "Certificate Status: " iCertStatus
End_Procedure