I'm currently implementing an in-house OCSP responder in C# and want to create a validator class for responses, but I need some clarification.
- The certificate identified in a received response corresponds to the certificate that was identified in the corresponding request;
Is the certificate in question the one the request is trying to find the status of? Or one that is in the chain object of the entire request/response? What information should I be comparing between the request and response to make sure it matches?
I am currently checking whether the CertificateID in the single request matches any CertificateID in the list of single responses:
public static bool CertificateMatch(OcspSingleRequest singleRequest, OcspResponse response) =>
response.Responses.Any(x => x.GetCertID().Equals(singleRequest.GetCertID()));
- The signature on the response is valid
Is doing a .Verify(IssuerCertificate) on the basic response enough to fulfill this criterion?
- The identity of the signer matches the intended recipient of the request
Is matching the response's responderID Name and KeyHash with a passed-in expectedResponderCertificate SubjectDN and calculated publicKeyHash enough to verify this?
// ResponderID is a CHOICE: exactly one of byName / byKey is present, so the
// response is acceptable when the alternative that is present matches.
// Compare by value: != on an X509Name or a byte[] is a reference comparison
// and would never match, so the original version returned false every time.
bool nameMatches = responderID.Name != null &&
                   responderID.Name.Equivalent(expectedResponderCertificate.SubjectDN);
bool keyMatches = responderID.KeyHash != null &&
                  responderID.KeyHash.SequenceEqual(expectedResponderKeyHash);
return nameMatches || keyMatches;
- The signer is currently authorized to provide a response for the certificate in question
I assume the only way to do this is to contact the CA directly, or just trust it if it's not expired.
Thank you for any insights.
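Below is an added worked example (not code from the original post) showing how the four RFC 6960 section 3.2 checks fit together as one validator, written against the BouncyCastle C# API (Org.BouncyCastle.Ocsp / Org.BouncyCastle.X509); the method names, the optional `trustedResponders` list and the `clockSkew` parameter are this example's own assumptions. The points it makes that the post's snippets do not: the CertID must be checked against the issuer (not only for presence in the response), the signer is identified from the responderID and then proven authorized before its key is used to verify the signature (the signer is often not the issuer but a delegated responder certificate carried in the response), and each SingleResponse has its own freshness window.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Ocsp;
using Org.BouncyCastle.X509;

public static class OcspResponseValidator
{
    // Validates an OCSP response against the request it answers (RFC 6960 s3.2 + s4.2.2).
    // issuerCert: the CA that issued the certificate(s) whose status was requested.
    // trustedResponders: optional locally configured responder certs (RFC 6960 s4.2.2.2,
    // "locally configured"); pass null if the issuer / delegated-responder rules suffice.
    // Returns null on success, otherwise a short description of the first failed check.
    public static string Validate(OcspReq request, OcspResp response, X509Certificate issuerCert,
                                  IEnumerable<X509Certificate> trustedResponders,
                                  DateTime nowUtc, TimeSpan clockSkew)
    {
        if (response.Status != OcspRespStatus.Successful)
            return "response status " + response.Status;

        var basic = response.GetResponseObject() as BasicOcspResp;
        if (basic == null) return "not a BasicOCSPResponse";

        // Check 1: every CertID we asked about must (a) really name our issuer, via the
        // issuer name hash and issuer key hash, and (b) have a SingleResponse with an
        // identical CertID (hash alg + both hashes + serial), not just the same serial.
        foreach (Req req in request.GetRequestList())
        {
            CertificateID wanted = req.GetCertID();
            if (!wanted.MatchesIssuer(issuerCert))
                return "request CertID does not match the issuer certificate";
            if (!basic.Responses.Any(s => s.GetCertID().Equals(wanted)))
                return "no SingleResponse for serial " + wanted.SerialNumber;
        }

        // Checks 3 + 4: find who the responderID names and whether that party may answer
        // for this issuer. Check 2 (signature) comes last, with that party's key:
        // verifying with an unauthorized key proves nothing.
        X509Certificate signer = FindAuthorizedSigner(basic, issuerCert, trustedResponders, nowUtc);
        if (signer == null) return "responderID does not identify an authorized signer";
        if (!basic.Verify(signer.GetPublicKey())) return "response signature is invalid";

        // Freshness (RFC 6960 s4.2.2.1): each SingleResponse carries its own window.
        foreach (SingleResp single in basic.Responses)
        {
            if (single.ThisUpdate > nowUtc + clockSkew) return "thisUpdate is in the future";
            if (single.NextUpdate != null && single.NextUpdate.Value < nowUtc - clockSkew)
                return "response is stale (nextUpdate has passed)";
        }
        return null;
    }

    // The responderID is byName (subject DN) or byKey (SHA-1 of the public key); RespID
    // built from a candidate cert compares equal to it either way. The signer is then
    // accepted if it is the issuer itself, a locally trusted responder, or a delegated
    // responder certificate from the response that the issuer signed, is valid now, and
    // carries the id-kp-OCSPSigning extended key usage (RFC 6960 s4.2.2.2).
    private static X509Certificate FindAuthorizedSigner(BasicOcspResp basic, X509Certificate issuerCert,
                                                        IEnumerable<X509Certificate> trustedResponders,
                                                        DateTime nowUtc)
    {
        RespID responder = basic.ResponderId;
        Func<X509Certificate, bool> isNamedBy = c =>
            responder.Equals(new RespID(c.SubjectDN)) ||
            responder.Equals(new RespID(c.GetPublicKey()));

        if (isNamedBy(issuerCert)) return issuerCert;
        foreach (X509Certificate t in trustedResponders ?? Enumerable.Empty<X509Certificate>())
            if (isNamedBy(t)) return t;

        foreach (X509Certificate c in basic.GetCerts() ?? new X509Certificate[0])
        {
            if (!isNamedBy(c)) continue;
            if (!c.IssuerDN.Equivalent(issuerCert.SubjectDN)) continue;
            try { c.Verify(issuerCert.GetPublicKey()); c.CheckValidity(nowUtc); }
            catch (Exception) { continue; }   // not issued by our CA, or not valid now
            var eku = c.GetExtendedKeyUsage();
            bool ocspSigning = eku != null &&
                eku.Cast<object>().Any(o => o.ToString() == KeyPurposeID.IdKPOcspSigning.Id);
            if (!ocspSigning) continue;
            return c;
        }
        return null;
    }
}
```

On the delegated-responder path this does not ask whether the responder certificate itself has been revoked; RFC 6960 s4.2.2.2.1 lets the CA put id-pkix-ocsp-nocheck in that certificate to say the client need not, and otherwise you would check it by whatever means (CRL, or a separate OCSP query that must not loop back to the same responder). Pass a `clockSkew` of a few minutes rather than zero, since responder and client clocks are rarely aligned.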