AutoIt
AutoIt
Validate Certificate using OCSP Protocol
See more Certificates Examples
Demonstrates how to validate a certificate (check the revoked status) using the OCSP protocol.Chilkat AutoIt Downloads
Local $bSuccess = False
; This requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.
; This example will check the revoked status of a certificate loaded from a file.
$oCert = ObjCreate("Chilkat.Cert")
$bSuccess = $oCert.LoadFromFile("qa_data/certs/google.crt")
If ($bSuccess = False) Then
ConsoleWrite($oCert.LastErrorText & @CRLF)
Exit
EndIf
; Get the cert's OCSP URL.
Local $sOcspUrl = $oCert.OcspUrl
; Build the JSON that will be the OCSP request.
; Possible hash algorithms are sha1, sha256, sha384, sha512.
Local $sHashAlg = "sha256"
$oPrng = ObjCreate("Chilkat.Prng")
$oJson = ObjCreate("Chilkat.JsonObject")
$oJson.EmitCompact = False
; Read more about OCSP nonce lengths
$oJson.UpdateString("extensions.ocspNonce",$oPrng.GenRandom(16,"base64"))
$oJson.I = 0
$oJson.UpdateString("request[i].cert.hashAlg",$sHashAlg)
$oJson.UpdateString("request[i].cert.issuerNameHash",$oCert.HashOf("IssuerDN",$sHashAlg,"base64"))
$oJson.UpdateString("request[i].cert.issuerKeyHash",$oCert.HashOf("IssuerPublicKey",$sHashAlg,"base64"))
$oJson.UpdateString("request[i].cert.serialNumber",$oCert.SerialNumber)
ConsoleWrite($oJson.Emit() & @CRLF)
; Our OCSP request looks something like this:
; {
; "extensions": {
; "ocspNonce": "qZDfbpO+nUxRzz6c/SPjE5QCAsPfpkQlRDxTnGl0gnxt7iXO"
; },
; "request": [
; {
; "cert": {
; "hashAlg": "sha1",
; "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
; "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
; "serialNumber": "6175535D87BF94B6"
; }
; }
; ]
; }
$oOcspRequest = ObjCreate("Chilkat.BinData")
$oHttp = ObjCreate("Chilkat.Http")
; Convert our JSON to a binary (ASN.1) OCSP request
$bSuccess = $oHttp.CreateOcspRequest($oJson,$oOcspRequest)
If ($bSuccess = False) Then
ConsoleWrite($oHttp.LastErrorText & @CRLF)
Exit
EndIf
; Send the OCSP request to the OCSP server
$oResp = ObjCreate("Chilkat.HttpResponse")
$bSuccess = $oHttp.HttpBd("POST",$sOcspUrl,$oOcspRequest,"application/ocsp-request",$oResp)
If ($bSuccess = False) Then
ConsoleWrite($oHttp.LastErrorText & @CRLF)
Exit
EndIf
; Get the binary (ASN.1) OCSP reply
$oOcspReply = ObjCreate("Chilkat.BinData")
$oResp.GetBodyBd($oOcspReply)
; Convert the binary reply to JSON.
; Also returns the overall OCSP response status.
$oJsonReply = ObjCreate("Chilkat.JsonObject")
Local $iOcspStatus = $oHttp.ParseOcspReply($oOcspReply,$oJsonReply)
; The ocspStatus can have one of these values:
; -1: The ARG1 does not contain a valid OCSP reply.
; 0: Successful - Response has valid confirmations..
; 1: Malformed request - Illegal confirmation request.
; 2: Internal error - Internal error in issuer.
; 3: Try later - Try again later.
; 4: Not used - This value is never returned.
; 5: Sig required - Must sign the request.
; 6: Unauthorized - Request unauthorized.
If ($iOcspStatus < 0) Then
ConsoleWrite("Invalid OCSP reply." & @CRLF)
Exit
EndIf
ConsoleWrite("Overall OCSP Response Status: " & $iOcspStatus & @CRLF)
; Let's examine the OCSP response (in JSON).
$oJsonReply.EmitCompact = False
ConsoleWrite($oJsonReply.Emit() & @CRLF)
; The JSON reply looks like this:
; (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml
; to generate JSON parsing code.)
; {
; "responseStatus": 0,
; "responseTypeOid": "1.3.6.1.5.5.7.48.1.1",
; "responseTypeName": "ocspBasic",
; "response": {
; "responderIdChoice": "KeyHash",
; "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
; "dateTime": "20180803193937Z",
; "cert": [
; {
; "hashOid": "1.3.14.3.2.26",
; "hashAlg": "SHA-1",
; "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=",
; "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=",
; "serialNumber": "6175535D87BF94B6",
; "status": 0,
; "thisUpdate": "20180803193937Z",
; "nextUpdate": "20180810193937Z"
; }
; ]
; }
; }
;
; The certificate status:
Local $iCertStatus = -1
If ($oJsonReply.HasMember("response.cert[0].status") = True) Then
$iCertStatus = $oJsonReply.IntOf("response.cert[0].status")
EndIf
; Possible certStatus values are:
; -1: No status returned.
; 0: Good
; 1: Revoked
; 2: Unknown.
ConsoleWrite("Certificate Status: " & $iCertStatus & @CRLF)