Chilkat HOME .NET Core C# Android™ AutoIt C C# C++ Chilkat2-Python CkPython Classic ASP DataFlex Delphi ActiveX Delphi DLL Go Java Lianja Mono C# Node.js Objective-C PHP ActiveX PHP Extension Perl PowerBuilder PowerShell PureBasic Ruby SQL Server Swift 2 Swift 3,4,5... Tcl Unicode C Unicode C++ VB.NET VBScript Visual Basic 6.0 Visual FoxPro Xojo Plugin
(Delphi ActiveX) Validate Certificate using OCSP ProtocolDemonstrates how to validate a certificate (check the revoked status) using the OCSP protocol.
uses Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Chilkat_TLB; ... procedure TForm1.Button1Click(Sender: TObject); var cert: TChilkatCert; success: Integer; ocspUrl: WideString; hashAlg: WideString; prng: TChilkatPrng; json: TChilkatJsonObject; ocspRequest: TChilkatBinData; http: TChilkatHttp; resp: IChilkatHttpResponse; ocspReply: TChilkatBinData; jsonReply: TChilkatJsonObject; ocspStatus: Integer; certStatus: Integer; begin // Note: Requires Chilkat v9.5.0.75 or greater. // This requires the Chilkat API to have been previously unlocked. // See Global Unlock Sample for sample code. // This example will check the revoked status of a certificate loaded from a file. cert := TChilkatCert.Create(Self); success := cert.LoadFromFile('qa_data/certs/google.crt'); if (success <> 1) then begin Memo1.Lines.Add(cert.LastErrorText); Exit; end; // Get the cert's OCSP URL. ocspUrl := cert.OcspUrl; // Build the JSON that will be the OCSP request. // Possible hash algorithms are sha1, sha256, sha384, sha512. hashAlg := 'sha256'; prng := TChilkatPrng.Create(Self); json := TChilkatJsonObject.Create(Self); json.EmitCompact := 0; // Read more about OCSP nonce lengths json.UpdateString('extensions.ocspNonce',prng.GenRandom(16,'base64')); json.I := 0; json.UpdateString('request[i].cert.hashAlg',hashAlg); json.UpdateString('request[i].cert.issuerNameHash',cert.HashOf('IssuerDN',hashAlg,'base64')); json.UpdateString('request[i].cert.issuerKeyHash',cert.HashOf('IssuerPublicKey',hashAlg,'base64')); json.UpdateString('request[i].cert.serialNumber',cert.SerialNumber); Memo1.Lines.Add(json.Emit()); // Our OCSP request looks something like this: // { // "extensions": { // "ocspNonce": "qZDfbpO+nUxRzz6c/SPjE5QCAsPfpkQlRDxTnGl0gnxt7iXO" // }, // "request": [ // { // "cert": { // "hashAlg": "sha1", // "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=", // "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=", // "serialNumber": "6175535D87BF94B6" // } // } // ] // } ocspRequest := TChilkatBinData.Create(Self); http := TChilkatHttp.Create(Self); // Convert our JSON to a binary (ASN.1) OCSP request success := http.CreateOcspRequest(json.ControlInterface,ocspRequest.ControlInterface); if (success = 0) then begin Memo1.Lines.Add(http.LastErrorText); Exit; end; // Send the OCSP request to the OCSP server resp := http.PBinaryBd('POST',ocspUrl,ocspRequest.ControlInterface,'application/ocsp-request',0,0); if (http.LastMethodSuccess <> 1) then begin Memo1.Lines.Add(http.LastErrorText); Exit; end; // Get the binary (ASN.1) OCSP reply ocspReply := TChilkatBinData.Create(Self); resp.GetBodyBd(ocspReply.ControlInterface); // Convert the binary reply to JSON. // Also returns the overall OCSP response status. jsonReply := TChilkatJsonObject.Create(Self); ocspStatus := http.ParseOcspReply(ocspReply.ControlInterface,jsonReply.ControlInterface); // The ocspStatus can have one of these values: // -1: The ARG1 does not contain a valid OCSP reply. // 0: Successful - Response has valid confirmations.. // 1: Malformed request - Illegal confirmation request. // 2: Internal error - Internal error in issuer. // 3: Try later - Try again later. // 4: Not used - This value is never returned. // 5: Sig required - Must sign the request. // 6: Unauthorized - Request unauthorized. if (ocspStatus < 0) then begin Memo1.Lines.Add('Invalid OCSP reply.'); Exit; end; Memo1.Lines.Add('Overall OCSP Response Status: ' + IntToStr(ocspStatus)); // Let's examine the OCSP response (in JSON). jsonReply.EmitCompact := 0; Memo1.Lines.Add(jsonReply.Emit()); // The JSON reply looks like this: // (Use the online tool at https://tools.chilkat.io/jsonParse.cshtml // to generate JSON parsing code.) // { // "responseStatus": 0, // "responseTypeOid": "1.3.6.1.5.5.7.48.1.1", // "responseTypeName": "ocspBasic", // "response": { // "responderIdChoice": "KeyHash", // "responderKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=", // "dateTime": "20180803193937Z", // "cert": [ // { // "hashOid": "1.3.14.3.2.26", // "hashAlg": "SHA-1", // "issuerNameHash": "9u2wY2IygZo19o11oJ0CShGqbK0=", // "issuerKeyHash": "d8K4UJpndnaxLcKG0IOgfqZ+uks=", // "serialNumber": "6175535D87BF94B6", // "status": 0, // "thisUpdate": "20180803193937Z", // "nextUpdate": "20180810193937Z" // } // ] // } // } // // The certificate status: certStatus := -1; if (jsonReply.HasMember('response.cert[0].status') = 1) then begin certStatus := jsonReply.IntOf('response.cert[0].status'); end; // Possible certStatus values are: // -1: No status returned. // 0: Good // 1: Revoked // 2: Unknown. Memo1.Lines.Add('Certificate Status: ' + IntToStr(certStatus)); end; |
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.