Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Validate Certificate using OCSP Protocol

See more Certificates Examples

Demonstrates how to validate a certificate (check the revoked status) using the OCSP protocol.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Prng,
  Chilkat.HttpResponse,
  Chilkat.JsonObject,
  Chilkat.Cert,
  Chilkat.Http,
  Chilkat.BinData;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  cert: TCert;
  ocspUrl: string;
  hashAlg: string;
  prng: TPrng;
  json: TJsonObject;
  ocspRequest: TBinData;
  http: THttp;
  resp: THttpResponse;
  ocspReply: TBinData;
  jsonReply: TJsonObject;
  ocspStatus: Integer;
  certStatus: Integer;

begin
  success := False;

  //  This requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  This example will check the revoked status of a certificate loaded from a file.
  cert := TCert.Create;
  success := cert.LoadFromFile('qa_data/certs/google.crt');
  if (success = False) then
    begin
      WriteLn(cert.LastErrorText);
      Exit;
    end;

  //  Get the cert's OCSP URL.
  ocspUrl := cert.OcspUrl;

  //  Build the JSON that will be the OCSP request.

  //  Possible hash algorithms are sha1, sha256, sha384, sha512.  
  hashAlg := 'sha256';
  prng := TPrng.Create;
  json := TJsonObject.Create;
  json.EmitCompact := False;
  //  Read more about OCSP nonce lengths
  json.UpdateString('extensions.ocspNonce',prng.GenRandom(16,'base64'));
  json.I := 0;
  json.UpdateString('request[i].cert.hashAlg',hashAlg);
  json.UpdateString('request[i].cert.issuerNameHash',cert.HashOf('IssuerDN',hashAlg,'base64'));
  json.UpdateString('request[i].cert.issuerKeyHash',cert.HashOf('IssuerPublicKey',hashAlg,'base64'));
  json.UpdateString('request[i].cert.serialNumber',cert.SerialNumber);

  WriteLn(json.Emit());

  //  Our OCSP request looks something like this:
  //  {
  //    "extensions": {
  //      "ocspNonce": "qZDfbpO+nUxRzz6c/SPjE5QCAsPfpkQlRDxTnGl0gnxt7iXO"
  //    },
  //    "request": [
  //      {
  //        "cert": {
  //          "hashAlg": "sha1",
  //          "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
  //          "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
  //          "serialNumber": "6175535D87BF94B6"
  //        }
  //      }
  //    ]
  //  }

  ocspRequest := TBinData.Create;
  http := THttp.Create;

  //  Convert our JSON to a binary (ASN.1) OCSP request
  success := http.CreateOcspRequest(json,ocspRequest);
  if (success = False) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  //  Send the OCSP request to the OCSP server
  resp := THttpResponse.Create;
  success := http.HttpBd('POST',ocspUrl,ocspRequest,'application/ocsp-request',resp);
  if (success = False) then
    begin
      WriteLn(http.LastErrorText);
      Exit;
    end;

  //  Get the binary (ASN.1) OCSP reply
  ocspReply := TBinData.Create;
  resp.GetBodyBd(ocspReply);

  //  Convert the binary reply to JSON.
  //  Also returns the overall OCSP response status.
  jsonReply := TJsonObject.Create;
  ocspStatus := http.ParseOcspReply(ocspReply,jsonReply);

  //  The ocspStatus can have one of these values:
  //  -1:  The ARG1 does not contain a valid OCSP reply.
  //  0:  Successful - Response has valid confirmations..
  //  1: Malformed request - Illegal confirmation request.
  //  2: Internal error - Internal error in issuer.
  //  3: Try later -  Try again later.
  //  4: Not used - This value is never returned.
  //  5: Sig required - Must sign the request.
  //  6: Unauthorized - Request unauthorized.

  if (ocspStatus < 0) then
    begin
      WriteLn('Invalid OCSP reply.');
      Exit;
    end;

  WriteLn('Overall OCSP Response Status: ' + ocspStatus);

  //  Let's examine the OCSP response (in JSON).
  jsonReply.EmitCompact := False;
  WriteLn(jsonReply.Emit());

  //  The JSON reply looks like this:
  //  (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml
  //  to generate JSON parsing code.)

  //  {
  //    "responseStatus": 0,
  //    "responseTypeOid": "1.3.6.1.5.5.7.48.1.1",
  //    "responseTypeName": "ocspBasic",
  //    "response": {
  //      "responderIdChoice": "KeyHash",
  //      "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
  //      "dateTime": "20180803193937Z",
  //      "cert": [
  //        {
  //          "hashOid": "1.3.14.3.2.26",
  //          "hashAlg": "SHA-1",
  //          "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
  //          "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
  //          "serialNumber": "6175535D87BF94B6",
  //          "status": 0,
  //          "thisUpdate": "20180803193937Z",
  //          "nextUpdate": "20180810193937Z"
  //        }
  //      ]
  //    }
  //  }
  //  

  //  The certificate status:
  certStatus := -1;
  if (jsonReply.HasMember('response.cert[0].status') = True) then
    begin
      certStatus := jsonReply.IntOf('response.cert[0].status');
    end;

  //  Possible certStatus values are:
  //  -1: No status returned.
  //  0: Good
  //  1: Revoked
  //  2: Unknown.
  WriteLn('Certificate Status: ' + certStatus);


  cert.Free;
  prng.Free;
  json.Free;
  ocspRequest.Free;
  http.Free;
  resp.Free;
  ocspReply.Free;
  jsonReply.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.