Help regarding below OCSP related structures in Visual C++

All replies

  • Hi,

    According to your description, I suggest you send your issue to the Application Security for Windows Desktop forum.
    Best Regards,

    Rob


    Rob Pan [MSFT]
    MSDN Community Support | Feedback to us
    Monday, December 12, 2011 8:55 AM
  • Had already posted in Application Security for Windows Desktop.

    Was directed to this forum.


    Thanks!
    Wednesday, December 14, 2011 8:02 AM
  • Hi,

    I have been searching for ways to manually create an OCSP request to send to the responder.

    We have windows 7 on the client side and we use MS CAPI and Visual C++.

    Please let me know how to retrieve this additional info from the certificate and send out the OCSP request via GET/POST, i.e. how to retrieve the below from the certificate:

    hashAlgorithm AlgorithmIdentifier,
    issuerNameHash OCTET STRING, -- Hash of Issuer's DN
    issuerKeyHash OCTET STRING, -- Hash of Issuers public key
    serialNumber CertificateSerialNumber

    NB: I have been asking the same in various forums for a while now and have not got any proper reply (http://social.msdn.microsoft.com/Forums/en-MY/windowssecurity/thread/f883c719-7191-485b-8901-ea6aa30fffda, http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/17f7c2d9-b340-4e2a-822d-8adfa3ed9091, http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/09075152-ff49-467e-b489-e198847c9700).

    Thanks.

    Thanks!

    • Merged by Mike Dos Zhang Monday, October 1, 2012 4:44 AM duplicate and security dev aspect
    Friday, September 28, 2012 11:19 AM
  • I'm not 100% sure, but it seems like the client should compute the issuerNameHash and issuerKeyHash according to the hashAlgorithm. Most likely OCSP responders will understand SHA-1.

    The serialNumber can be obtained by looking at the CERT_INFO.SerialNumber field of a certificate context.

    Once you have this data, you can create an OCSP_REQUEST structure using 0 for all values except the rgRequestEntry field. That structure has a CertId field which you can populate with the hashes, serial number, and hash algorithm.

    Then you can call CryptEncodeObjectEx to encode the OCSP_REQUEST. The result is what you can submit to an OCSP responder.

    Andrew

    Thursday, October 4, 2012 2:32 AM