OCSP in .NET class library

  • Question

  • Hi guys. I have a question about OCSP in .NET classes.

    I'm currently working on developing server software using .NET WPF.

    I've finished the cross certificate step over TLS 1.2 using the SslStream class.

    The next step I have to do is OCSP. However, it seems there is no .NET class library or parameter for OCSP in the SslStream class. There is probably only CRL (AuthenticateAsServer).

    Is the only way to do OCSP to use a 3rd-party library like Chilkat or Bouncy Castle or something? Those are not free open source for commercial purposes, as far as I've checked.

    Please, give me some comments :)

    Wednesday, December 18, 2019 12:43 AM

All replies

  • I think the best answer that could be found is this one:

    I've traced the source a bit and verified it's as he said: when you build / verify a chain with ChainPolicy.RevocationMode = X509RevocationMode.Online, it follows what the documentation on CertGetCertificateChain() says:


    This flag is used internally during chain building for an online certificate status protocol (OCSP) signer certificate to prevent cyclic revocation checks. During chain building, if the OCSP response is signed by an independent OCSP signer, then, in addition to the original chain build, there is a second chain built for the OCSP signer certificate itself. This flag is used during this second chain build to inhibit a recursive independent OCSP signer certificate. If the signer certificate contains the szOID_PKIX_OCSP_NOCHECK extension, revocation checking is skipped for the leaf signer certificate. Both OCSP and CRL checking are allowed.

    So beware that the check can be skipped based on the content of the certificate.

    If you want to be sure but don't want to use a 3rd-party library, you may use P/Invoke to call the functions listed here to do the query yourself. But for security-related things that aren't covered by the .NET Framework itself, I think that if you can use a 3rd-party solution with a good reputation, such as those from Chilkat or BouncyCastle, it'll be better.

    Wednesday, December 18, 2019 1:28 AM
  • Chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;

    bool tf = Chain.Build(certificate2);

    Is this for the CRL and OCSP process?

    In the test I did, I wasn't able to see any HTTP request and response in Wireshark.

    Wednesday, December 18, 2019 7:08 AM
  • The OCSP check is not enforced if there isn't an OCSP endpoint specified in the certificate itself, or if szOID_PKIX_OCSP_NOCHECK is specified in the certificate.

    You'll want to use a 3rd-party implementation if you want to make sure the check is done.

    The "Online check" behavior changes with other things as well, say whether there is an unexpired OCSP result in the cache, or whether a relevant Group Policy is specified.

    If you don't want 3rd party, this PowerShell script would give you a lead on how to implement it yourself by P/Invoking the relevant Crypt32 API functions. (Read the __verifyOCSP function.)

    Wednesday, December 18, 2019 8:13 AM
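    An added example, not code from this thread, of the fail-closed counterpart to the answer above: build the chain with X509RevocationMode.Online in C# and refuse any result where the chain engine did not obtain a definitive revocation answer. The OID string for id-pkix-ocsp-nocheck and the certificate path are assumptions; on Windows the CertGetCertificateChain engine still decides between OCSP and CRL, so this only verifies that a definitive status was reached rather than forcing OCSP.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Targets .NET Framework 4.6+ / .NET Core on Windows,
// where X509Chain delegates to CertGetCertificateChain (the behaviour discussed above).
static class RevocationCheck
{
    // id-pkix-ocsp-nocheck (szOID_PKIX_OCSP_NOCHECK); OID value assumed from RFC 6960.
    const string OcspNoCheckOid = "1.3.6.1.5.5.7.48.1.5";

    // Returns true only when the chain builds cleanly AND the engine obtained a definitive
    // revocation answer. RevocationStatusUnknown / OfflineRevocation mean the online check
    // was skipped or failed, so a fail-closed policy treats them as errors.
    public static bool BuildRequiringRevocationStatus(X509Certificate2 leaf, out string[] details)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;   // CRL and/or OCSP
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag; // ignore nothing
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(10);

            bool built = chain.Build(leaf);

            var notes = chain.ChainStatus
                .Where(s => s.Status != X509ChainStatusFlags.NoError)
                .Select(s => s.Status + ": " + s.StatusInformation.Trim())
                .ToList();

            // Informational: a no-check extension on a chain certificate explains a skipped check.
            foreach (var element in chain.ChainElements.Cast<X509ChainElement>())
                if (element.Certificate.Extensions.Cast<X509Extension>().Any(e => e.Oid.Value == OcspNoCheckOid))
                    notes.Add("note: " + element.Certificate.Subject + " carries id-pkix-ocsp-nocheck");

            bool undetermined = chain.ChainStatus.Any(s =>
                (s.Status & (X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation)) != 0);

            details = notes.ToArray();
            return built && !undetermined;
        }
    }

    static int Main(string[] args)
    {
        // Usage: RevocationCheck <path-to-leaf-cert>  (path is a placeholder supplied by the caller)
        var leaf = new X509Certificate2(File.ReadAllBytes(args[0]));
        bool ok = BuildRequiringRevocationStatus(leaf, out var details);
        Console.WriteLine(ok ? "chain valid, revocation status determined" : "REJECT");
        foreach (var d in details) Console.WriteLine("  " + d);
        return ok ? 0 : 1;
    }
}
```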
  • Could you please show me a simple example of the PowerShell script __verifyOCSP?

    I'm trying to find out how to execute a PowerShell script in C#, but it's not easy because this is my first experience.

    I have a certificate issued from Root CA. 

    Wednesday, December 18, 2019 10:37 AM
  • As you can see, the various "module imports" are plain C# code that can be copied directly into your source.

    And IMO, it's not difficult to translate the PowerShell function __verifyOCSP into corresponding C# code as well. If you can't guess the variable types, just make them dynamic and let the runtime fix it for you.

    That said, I think your starting point should be __validateSinglePath, where you extract the URL to verify with __verifyOCSP. (You may want to skip the CRL-related part if it's not something you also want to check.)

    Thursday, December 19, 2019 1:09 AM