1

我正在努力在 BouncyCastle 中查找有关 OCSP 的信息,我在网上找到的示例充其量是模糊的,所以我想我会尝试在这里提问。

这是我的问题:我正在尝试在 BouncyCastle for .NET 中执行 OCSP,但我遇到了 OCSP 响应问题,特别是,我不明白在序列化并发送响应后如何恢复响应给收件人。

问题很可能是我以错误的方式构建响应本身,因为我这样做的方式是从网上找到的点点滴滴和我的纯粹“直觉”拼凑而成的。这是我创建响应的方式:

        X509CrlEntry crlentry = Repository.CRL.GetRevokedCertificate(certToCheck.SerialNumber);
        BasicOcspRespGenerator basicRespGen = new BasicOcspRespGenerator(Repository.Data.BouncyCastlePublicKey);
        if (crlentry == null) {
            //still valid
            basicRespGen.AddResponse(certToCheck, CertificateStatus.Good);
        } else {
            //revoked
            DerGeneralizedTime dt = new DerGeneralizedTime(crlentry.RevocationDate);
            RevokedInfo rinfo = new RevokedInfo(dt, new CrlReason(CrlReason.CessationOfOperation));
            RevokedStatus rstatus = new RevokedStatus(rinfo);
            basicRespGen.AddResponse(certToCheck, rstatus);
        }
        BasicOcspResp response = basicRespGen.Generate("SHA512withRSA", Repository.Data.BouncyCastlePrivateKey, new X509Certificate[] { Repository.Data.MyCertificate }, DateTime.Now);
        byte[] responseBytes = response.GetEncoded;
    //I then send the bytes back to the client who made the request

问题是现在我不知道如何从其序列化的 byte[] 表单中获取响应......似乎没有工厂/解析器或构造函数来获取它。有一个接受 byte[] 作为参数的 OcspResp 构造函数,但它会引发异常,我想是因为 OcspResp 和 BasicOcspResp 是不同的东西。

有谁能够帮助我?我构建响应本身是错误的,还是只是我看不到如何反序列化它?有什么提示吗?

提前谢谢大师_T

4

1 回答 1

1

这太老了,但如果有人在寻找答案,那就是:在提取字节之前,必须将 BasicOcspResp 包装到 OcspResp 中。

在服务器上创建响应:

    X509CrlEntry crlentry = Repository.CRL.GetRevokedCertificate(certToCheck.SerialNumber);
    BasicOcspRespGenerator basicRespGen = new BasicOcspRespGenerator(Repository.Data.BouncyCastlePublicKey);
    if (crlentry == null) {
        //still valid
        basicRespGen.AddResponse(certToCheck, CertificateStatus.Good);
    } else {
        //revoked
        DerGeneralizedTime dt = new DerGeneralizedTime(crlentry.RevocationDate);
        RevokedInfo rinfo = new RevokedInfo(dt, new CrlReason(CrlReason.CessationOfOperation));
        RevokedStatus rstatus = new RevokedStatus(rinfo);
        basicRespGen.AddResponse(certToCheck, rstatus);
    }
    BasicOcspResp basicOcspResp = basicRespGen.Generate("SHA512withRSA", Repository.Data.BouncyCastlePrivateKey, new X509Certificate[] { Repository.Data.MyCertificate }, DateTime.Now);
    var ocspResponseGenerator = new OCSPRespGenerator();
    var ocspResponse = ocspResponseGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);
    byte[] responseBytes = ocspResponse.GetEncoded();

读取客户端的响应:

    OcspResp ocspResponse = new OcspResp(responseBytes);
    BasicOcspResp basicOcspResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
于 2021-10-08T12:45:29.320 回答