Posts

Hi,

I'm doing some testing to use OCSP with SecureTransport, and I want to check whether kSecTrustOptionRequireRevPerCert is still relevant or whether the whole chain is always checked. I did some testing and it seems that the whole chain is always checked.

Cheers, Jose
Hi,

I'm trying to enable certificate revocation checks using a CRL. I have the following policies:

SecPolicyRef basicPolicy = SecPolicyCreateBasicX509();
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(kSecRevocationCRLMethod | kSecRevocationRequirePositiveResponse);

I put both in an array that is used to call SecTrustCreateWithCertificates.

I'm testing with a self-signed certificate that has both CRL and OCSP, as in:

X509v3 CRL Distribution Points:
    Full Name:
        URI:http://127.0.0.1:20001/ca1.crl.pem
Authority Information Access:
    CA Issuers - URI:http://127.0.0.1:20001/cacert1.pem
    OCSP - URI:http://127.0.0.1:20002

The call to SecTrustEvaluateWithError reports that verification fails with errSecIncompleteCertRevocationCheck.

I don't see any request to the CRL. Isn't trust evaluation supposed to contact the CRL distribution point with the above policies?

I do see a request to the OCSP responder:

448 855.029464 127.0.0.1 127.0.0.1 HTTP 396 GET /ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFMB29vuaNrKAoP2BoNnyRXxbT4igBBThcxB1ZocKBQzvh5KaoSjx%2FutKiAIIKz78bS0Gnsk%3D HTTP/1.1

I'm using the OpenSSL ocsp responder for my testing, and it complains that it is a malformed request.

Any idea about the malformed requests? Why is there an OCSP request when my policy specifies kSecRevocationCRLMethod?

Any help would be appreciated.

Cheers, Jose
Hi,

Is there a way to clear the OCSP cache? I'm using SecTrustEvaluateWithError with a custom revocation policy. Only the first call sends an OCSP request; subsequent calls seem to use the cached response, but for my testing it would be good if I could clear this cache.

Cheers, Jose
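The following is an added worked example in Swift, not code from Jose's posts or from Apple, that ties the three questions above together: it builds a SecTrust with a basic X.509 policy plus a SecPolicyCreateRevocation policy (second post), optionally sets the macOS-only kSecTrustOptionRequireRevPerCert option via SecTrustSetOptions (first post), evaluates with SecTrustEvaluateWithError, and then reads SecTrustCopyResult to see whether the framework recorded a completed revocation check and how long it considers that answer valid (kSecTrustRevocationValidUntilDate), which is the cached-result lifetime the third post is running into. It does not clear the cache; the posts leave that unanswered. Assumptions: the leaf and the self-signed test CA are DER files whose paths are given on the command line, the test CA is installed as the only anchor so a lab certificate chains, and the code runs on macOS (SecTrustSetOptions is not available on iOS).

```swift
import Foundation
import Security

// Added example (not from the original posts). Assumes macOS and two DER
// files on the command line: the leaf to evaluate and the self-signed test CA.

enum RevocationCheckError: Error {
    case badCertificate(String)
    case trustCreation(OSStatus)
    case setAnchors(OSStatus)
    case setOptions(OSStatus)
}

func loadCertificate(_ path: String) throws -> SecCertificate {
    let data = try Data(contentsOf: URL(fileURLWithPath: path))
    guard let cert = SecCertificateCreateWithData(nil, data as CFData) else {
        throw RevocationCheckError.badCertificate(path)
    }
    return cert
}

/// Builds a SecTrust for `leaf`, anchored only on `testCA`, with a basic X.509
/// policy plus a revocation policy built from the given kSecRevocation* flags.
func makeTrust(leaf: SecCertificate, testCA: SecCertificate,
               revocationFlags: Int, requireRevPerCert: Bool) throws -> SecTrust {
    let basic = SecPolicyCreateBasicX509()
    guard let revocation = SecPolicyCreateRevocation(CFOptionFlags(revocationFlags)) else {
        throw RevocationCheckError.trustCreation(errSecParam)
    }
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates([leaf] as CFArray,
                                                [basic, revocation] as CFArray,
                                                &trust)
    guard status == errSecSuccess, let t = trust else {
        throw RevocationCheckError.trustCreation(status)
    }
    // Trust only the lab CA, not the system roots, so the test chain validates.
    var s = SecTrustSetAnchorCertificates(t, [testCA] as CFArray)
    guard s == errSecSuccess else { throw RevocationCheckError.setAnchors(s) }
    s = SecTrustSetAnchorCertificatesOnly(t, true)
    guard s == errSecSuccess else { throw RevocationCheckError.setAnchors(s) }
    if requireRevPerCert {
        // The option from the first post: require a revocation result for
        // every certificate in the chain rather than only the leaf (macOS only).
        s = SecTrustSetOptions(t, .requireRevPerCert)
        guard s == errSecSuccess else { throw RevocationCheckError.setOptions(s) }
    }
    return t
}

/// Evaluates the trust and returns the verdict, the error text (if any) and the
/// revocation-related entries the framework recorded for this evaluation.
func evaluate(_ trust: SecTrust) -> (trusted: Bool, error: String?, details: [String: Any]) {
    var cfError: CFError?
    let ok = SecTrustEvaluateWithError(trust, &cfError)
    let message = cfError.map { ($0 as Error).localizedDescription }
    // kSecTrustRevocationChecked tells whether a revocation check completed;
    // kSecTrustRevocationValidUntilDate is how long the cached answer is kept,
    // which is why later evaluations in the third post send no new OCSP request.
    let result = SecTrustCopyResult(trust) as? [String: Any] ?? [:]
    let wanted = [kSecTrustRevocationChecked, kSecTrustRevocationValidUntilDate,
                  kSecTrustResultValue].map { $0 as String }
    let details = result.filter { wanted.contains($0.key) }
    return (ok, message, details)
}

let args = CommandLine.arguments
guard args.count == 3 else {
    print("usage: \(args[0]) leaf.der testca.der")
    exit(2)
}
do {
    let leaf = try loadCertificate(args[1])
    let ca = try loadCertificate(args[2])
    // OCSP with a positive response required. Swap in kSecRevocationCRLMethod
    // (or OR both) to compare what the second post observed on the wire.
    let flags = kSecRevocationOCSPMethod | kSecRevocationRequirePositiveResponse
    let trust = try makeTrust(leaf: leaf, testCA: ca,
                              revocationFlags: flags, requireRevPerCert: true)
    let outcome = evaluate(trust)
    print("trusted: \(outcome.trusted)")
    if let e = outcome.error { print("error: \(e)") }
    for (k, v) in outcome.details { print("\(k): \(v)") }
} catch {
    print("failed: \(error)")
    exit(1)
}
```

Run it once with a packet capture on the loopback responder, then run it again: comparing the printed kSecTrustRevocationValidUntilDate with the absence of a second OCSP request shows the cache behaviour the third post describes, and changing `flags` to kSecRevocationCRLMethod reproduces the policy from the second post so the observed requests can be compared against the CDP and AIA URLs in the certificate.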