
Class OCSPVerifier

Namespace
iText.Signatures
Assembly
itext.sign.dll

Class that allows you to verify a certificate against one or more OCSP responses.

[Obsolete("starting from 8.0.5.iText.Signatures.Validation.V1.OCSPValidator should be used instead.")]
public class OCSPVerifier : RootStoreVerifier
Inheritance
OCSPVerifier

Constructors

OCSPVerifier(CertificateVerifier, IList<IBasicOcspResponse>)

Creates an OCSPVerifier instance.

public OCSPVerifier(CertificateVerifier verifier, IList<IBasicOcspResponse> ocsps)

Parameters

verifier CertificateVerifier

the next verifier in the chain

ocsps IList<IBasicOcspResponse>

a list of iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrappers for the certificate verification

Fields

LOGGER

The Logger instance

protected static readonly ILogger LOGGER

Field Value

ILogger

id_kp_OCSPSigning

protected const string id_kp_OCSPSigning = "1.3.6.1.5.5.7.3.9"

Field Value

string

ocsps

The list of iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrappers.

protected IList<IBasicOcspResponse> ocsps

Field Value

IList<IBasicOcspResponse>

Methods

GetOcspResponse(IX509Certificate, IX509Certificate)

Gets an OCSP response online and returns it without further checking.

public virtual IBasicOcspResponse GetOcspResponse(IX509Certificate signCert, IX509Certificate issuerCert)

Parameters

signCert IX509Certificate

the signing certificate

issuerCert IX509Certificate

the issuer certificate

Returns

IBasicOcspResponse

An iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrapper.

IsSignatureValid(IBasicOcspResponse, IX509Certificate)

Checks if an OCSP response is genuine.

public virtual bool IsSignatureValid(IBasicOcspResponse ocspResp, IX509Certificate responderCert)

Parameters

ocspResp IBasicOcspResponse

the iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrapper

responderCert IX509Certificate

the responder certificate

Returns

bool

true if the OCSP response verifies against the responder certificate.

IsValidResponse(IBasicOcspResponse, IX509Certificate, DateTime)

Verifies if an OCSP response is genuine.

public virtual void IsValidResponse(IBasicOcspResponse ocspResp, IX509Certificate issuerCert, DateTime signDate)

Parameters

ocspResp IBasicOcspResponse

the iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrapper

issuerCert IX509Certificate

the issuer certificate. This certificate is considered trusted and valid by this method.

signDate DateTime

sign date for backwards compatibility

Remarks

Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and the response's certificates, it may verify using a trusted anchor or cert.

SetCrlClient(ICrlClient)

Sets the CRL client that provides CRL responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used in case the responder's certificate doesn't have any method of revocation checking.

public virtual void SetCrlClient(ICrlClient crlClient)

Parameters

crlClient ICrlClient

ICrlClient that provides revocation data for an Authorized Responder.

Remarks

Sets the CRL client that provides CRL responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used in case the responder's certificate doesn't have any method of revocation checking.

See RFC 6960, section 4.2.2.2.1, Revocation Checking of an Authorized Responder.

Optional. The default is CrlClientOnline.

SetOcspClient(IOcspClient)

Sets the OCSP client that provides OCSP responses for verifying the OCSP signer's certificate (an Authorized Responder).

public virtual void SetOcspClient(IOcspClient ocspClient)

Parameters

ocspClient IOcspClient

IOcspClient that provides revocation data for an Authorized Responder.

Remarks

Sets the OCSP client that provides OCSP responses for verifying the OCSP signer's certificate (an Authorized Responder). It should also be used in case the responder's certificate doesn't have any method of revocation checking.

See RFC 6960, section 4.2.2.2.1, Revocation Checking of an Authorized Responder.

Optional. The default is OcspClientBouncyCastle.

Verify(IBasicOcspResponse, IX509Certificate, IX509Certificate, DateTime)

Verifies a certificate against a single OCSP response.

public virtual bool Verify(IBasicOcspResponse ocspResp, IX509Certificate signCert, IX509Certificate issuerCert, DateTime signDate)

Parameters

ocspResp IBasicOcspResponse

the iText.Commons.Bouncycastle.Asn1.Ocsp.IBasicOcspResponse OCSP response wrapper for a certificate verification

signCert IX509Certificate

the certificate that needs to be checked

issuerCert IX509Certificate

the certificate that issued signCert – immediate parent. This certificate is considered trusted and valid by this method.

signDate DateTime

sign date (or the date the certificate needs to be valid)

Returns

bool

true in case check is successful, false otherwise.

Verify(IX509Certificate, IX509Certificate, DateTime)

Verifies if a valid OCSP response is found for the certificate.

public override IList<VerificationOK> Verify(IX509Certificate signCert, IX509Certificate issuerCert, DateTime signDate)

Parameters

signCert IX509Certificate

the certificate that needs to be checked

issuerCert IX509Certificate

issuer of the certificate to be checked

signDate DateTime

the date the certificate needs to be valid

Returns

IList<VerificationOK>

a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Remarks

Verifies if a valid OCSP response is found for the certificate. If this method returns an empty list, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available.

See Also
Verify(IX509Certificate, IX509Certificate, DateTime)
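
The following is an added usage example, not code from iText or its documentation. It wires together the constructor, SetOcspClient, SetCrlClient and Verify as documented above, and shows how a caller can keep the "could not verify" result distinct from success. `OcspOutcome` and `OcspCheckExample` are hypothetical names, and passing `null` as the next verifier is an assumption.

```csharp
#pragma warning disable CS0618 // OCSPVerifier is marked [Obsolete] starting from 8.0.5
using System;
using System.Collections.Generic;
using iText.Commons.Bouncycastle.Asn1.Ocsp;
using iText.Commons.Bouncycastle.Cert;
using iText.Signatures;

// Hypothetical result type for this example (not part of iText).
public enum OcspOutcome { Verified, Undetermined }

// Hypothetical helper class for this example (not part of iText).
public static class OcspCheckExample
{
    public static OcspOutcome Check(
        IX509Certificate signCert,
        IX509Certificate issuerCert,       // considered trusted and valid by OCSPVerifier
        DateTime signDate,
        IList<IBasicOcspResponse> ocsps,   // OCSP responses available for the check
        IOcspClient responderOcspClient,   // optional, may be null
        ICrlClient responderCrlClient)     // optional, may be null
    {
        // Assumption: null as the first argument means no further verifier is chained.
        OCSPVerifier verifier = new OCSPVerifier(null, ocsps);

        // Revocation sources for the Authorized Responder's own certificate
        // (RFC 6960, 4.2.2.2.1). Leaving them unset keeps the documented defaults.
        if (responderOcspClient != null)
        {
            verifier.SetOcspClient(responderOcspClient);
        }
        if (responderCrlClient != null)
        {
            verifier.SetCrlClient(responderCrlClient);
        }

        IList<VerificationOK> ok = verifier.Verify(signCert, issuerCert, signDate);

        // An empty list means no available OCSP response could vouch for signCert.
        // That is "undetermined", not "good": the caller decides whether to try
        // another revocation source or reject, but must not report success.
        return (ok != null && ok.Count > 0)
            ? OcspOutcome.Verified
            : OcspOutcome.Undetermined;
    }
}
```

Exceptions raised by Verify are left to propagate so that a failed check is never silently mapped to a result.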