Sample code for 30+ languages & platforms
AutoIt

Validate Certificate using OCSP Protocol

See more Certificates Examples

Demonstrates how to validate a certificate (check the revoked status) using the OCSP protocol.

Chilkat AutoIt Downloads

AutoIt
Local $bSuccess = False

; This requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.

; This example will check the revoked status of a certificate loaded from a file.
$oCert = ObjCreate("Chilkat.Cert")
$bSuccess = $oCert.LoadFromFile("qa_data/certs/google.crt")
If ($bSuccess = False) Then
    ConsoleWrite($oCert.LastErrorText & @CRLF)
    Exit
EndIf

; Get the cert's OCSP URL.
Local $sOcspUrl = $oCert.OcspUrl

; Build the JSON that will be the OCSP request.

; Possible hash algorithms are sha1, sha256, sha384, sha512.  
Local $sHashAlg = "sha256"
$oPrng = ObjCreate("Chilkat.Prng")
$oJson = ObjCreate("Chilkat.JsonObject")
$oJson.EmitCompact = False
; Read more about OCSP nonce lengths
$oJson.UpdateString("extensions.ocspNonce",$oPrng.GenRandom(16,"base64"))
$oJson.I = 0
$oJson.UpdateString("request[i].cert.hashAlg",$sHashAlg)
$oJson.UpdateString("request[i].cert.issuerNameHash",$oCert.HashOf("IssuerDN",$sHashAlg,"base64"))
$oJson.UpdateString("request[i].cert.issuerKeyHash",$oCert.HashOf("IssuerPublicKey",$sHashAlg,"base64"))
$oJson.UpdateString("request[i].cert.serialNumber",$oCert.SerialNumber)

ConsoleWrite($oJson.Emit() & @CRLF)

; Our OCSP request looks something like this:
; {
;   "extensions": {
;     "ocspNonce": "qZDfbpO+nUxRzz6c/SPjE5QCAsPfpkQlRDxTnGl0gnxt7iXO"
;   },
;   "request": [
;     {
;       "cert": {
;         "hashAlg": "sha1",
;         "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
;         "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
;         "serialNumber": "6175535D87BF94B6"
;       }
;     }
;   ]
; }

$oOcspRequest = ObjCreate("Chilkat.BinData")
$oHttp = ObjCreate("Chilkat.Http")

; Convert our JSON to a binary (ASN.1) OCSP request
$bSuccess = $oHttp.CreateOcspRequest($oJson,$oOcspRequest)
If ($bSuccess = False) Then
    ConsoleWrite($oHttp.LastErrorText & @CRLF)
    Exit
EndIf

; Send the OCSP request to the OCSP server
$oResp = ObjCreate("Chilkat.HttpResponse")
$bSuccess = $oHttp.HttpBd("POST",$sOcspUrl,$oOcspRequest,"application/ocsp-request",$oResp)
If ($bSuccess = False) Then
    ConsoleWrite($oHttp.LastErrorText & @CRLF)
    Exit
EndIf

; Get the binary (ASN.1) OCSP reply
$oOcspReply = ObjCreate("Chilkat.BinData")
$oResp.GetBodyBd($oOcspReply)

; Convert the binary reply to JSON.
; Also returns the overall OCSP response status.
$oJsonReply = ObjCreate("Chilkat.JsonObject")
Local $iOcspStatus = $oHttp.ParseOcspReply($oOcspReply,$oJsonReply)

; The ocspStatus can have one of these values:
; -1:  The ARG1 does not contain a valid OCSP reply.
; 0:  Successful - Response has valid confirmations..
; 1: Malformed request - Illegal confirmation request.
; 2: Internal error - Internal error in issuer.
; 3: Try later -  Try again later.
; 4: Not used - This value is never returned.
; 5: Sig required - Must sign the request.
; 6: Unauthorized - Request unauthorized.

If ($iOcspStatus < 0) Then
    ConsoleWrite("Invalid OCSP reply." & @CRLF)
    Exit
EndIf

ConsoleWrite("Overall OCSP Response Status: " & $iOcspStatus & @CRLF)

; Let's examine the OCSP response (in JSON).
$oJsonReply.EmitCompact = False
ConsoleWrite($oJsonReply.Emit() & @CRLF)

; The JSON reply looks like this:
; (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml
; to generate JSON parsing code.)

; {
;   "responseStatus": 0,
;   "responseTypeOid": "1.3.6.1.5.5.7.48.1.1",
;   "responseTypeName": "ocspBasic",
;   "response": {
;     "responderIdChoice": "KeyHash",
;     "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
;     "dateTime": "20180803193937Z",
;     "cert": [
;       {
;         "hashOid": "1.3.14.3.2.26",
;         "hashAlg": "SHA-1",
;         "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
;         "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
;         "serialNumber": "6175535D87BF94B6",
;         "status": 0,
;         "thisUpdate": "20180803193937Z",
;         "nextUpdate": "20180810193937Z"
;       }
;     ]
;   }
; }
; 

; The certificate status:
Local $iCertStatus = -1
If ($oJsonReply.HasMember("response.cert[0].status") = True) Then
    $iCertStatus = $oJsonReply.IntOf("response.cert[0].status")
EndIf

; Possible certStatus values are:
; -1: No status returned.
; 0: Good
; 1: Revoked
; 2: Unknown.
ConsoleWrite("Certificate Status: " & $iCertStatus & @CRLF)