Post not yet marked as solved
Hi,
I'm doing some testing to use OCSP with SecureTransport, and I want to check if kSecTrustOptionRequireRevPerCert is still relevant or if the whole chain is always checked.
I did some testing and it seems that the whole chain is always checked.
Cheers,
Jose
Hi,
I'm trying to enable certificate revocation checks using CRL.
I have the following policies:
// Standard X.509 chain validation
SecPolicyRef basicPolicy = SecPolicyCreateBasicX509();
// Revocation policy: CRL only, and require a positive (non-revoked) answer
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(
    kSecRevocationCRLMethod |
    kSecRevocationRequirePositiveResponse);
I put both in an array that is used to call SecTrustCreateWithCertificates.
I'm testing with a self-signed certificate that has both CRL/OCSP as in
X509v3 CRL Distribution Points:
    Full Name:
      URI:http://127.0.0.1:20001/ca1.crl.pem
Authority Information Access:
    CA Issuers - URI:http://127.0.0.1:20001/cacert1.pem
    OCSP - URI:http://127.0.0.1:20002
The call to SecTrustEvaluateWithError reports verification fails with errSecIncompleteCertRevocationCheck
I don't see any request to the CRL, isn't trust evaluation supposed to contact the CRL distribution point with the above policies?
I see a request to the OCSP responder
448 855.029464 127.0.0.1 127.0.0.1 HTTP 396 GET /ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFMB29vuaNrKAoP2BoNnyRXxbT4igBBThcxB1ZocKBQzvh5KaoSjx%2FutKiAIIKz78bS0Gnsk%3D HTTP/1.1
I'm using OpenSSL ocsp responder for my testing and it complains it is a malformed request.
Any idea about the malformed requests? Why is there an OCSP request when my policy specifies kSecRevocationCRLMethod?
Any help would be appreciated.
Cheers,
Jose
Hi,
Is there a way to clear the OCSP cache? I'm using SecTrustEvaluateWithError with a custom revocation policy; only the first call sends an OCSP request, and it seems subsequent calls use the cached response, but for my testing it would be good if I could clear this cache.
Cheers,
Jose
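Added example (not code from the thread or from Apple): a Swift helper that sets up the same policy pair as the CRL post above, evaluates a lab chain against a pinned test CA, and pulls the revocation details out of the trust result so the second and third posts' questions (did a check happen, and is a cached response being reused) can be answered per call. It assumes DER-encoded certificate files at the placeholder paths in the usage section, and it uses SecTrustSetNetworkFetchAllowed to show whether a result is served from cache; there is no cache-clearing API in this example, because none is documented.

```swift
import Foundation
import Security

/// What one evaluation produced, with the revocation fields a tester cares about.
struct RevocationCheckOutcome {
    let trusted: Bool
    let status: OSStatus?        // OSStatus from the CFError when evaluation fails
    let revocationChecked: Bool  // kSecTrustRevocationChecked from SecTrustCopyResult
    let validUntil: Date?        // kSecTrustRevocationValidUntilDate: lifetime of the cached response
}

func osError(_ code: OSStatus) -> NSError {
    NSError(domain: NSOSStatusErrorDomain, code: Int(code), userInfo: nil)
}

/// Builds a trust object for leaf (+ intermediates), pins `anchorDER` as the only anchor,
/// attaches a revocation policy with `revocationFlags`, and evaluates it.
func evaluateWithRevocation(leafDER: Data,
                            intermediatesDER: [Data] = [],
                            anchorDER: Data,
                            revocationFlags: CFOptionFlags,
                            allowNetwork: Bool = true) throws -> RevocationCheckOutcome {
    func cert(_ der: Data) throws -> SecCertificate {
        guard let c = SecCertificateCreateWithData(nil, der as CFData) else { throw osError(errSecDecode) }
        return c
    }
    let chain = try ([leafDER] + intermediatesDER).map(cert)
    let anchor = try cert(anchorDER)

    // Same shape as the poster's setup: basic X.509 policy plus an explicit revocation policy.
    guard let revocation = SecPolicyCreateRevocation(revocationFlags) else { throw osError(errSecParam) }
    let policies: [SecPolicy] = [SecPolicyCreateBasicX509(), revocation]

    var trust: SecTrust?
    var status = SecTrustCreateWithCertificates(chain as CFArray, policies as CFArray, &trust)
    guard status == errSecSuccess, let t = trust else { throw osError(status) }

    // Trust only the lab CA, so the self-signed test chain validates without touching the keychain.
    status = SecTrustSetAnchorCertificates(t, [anchor] as CFArray)
    guard status == errSecSuccess else { throw osError(status) }

    // With fetching disabled, a successful revocation check can only have come from the cache.
    SecTrustSetNetworkFetchAllowed(t, allowNetwork)

    var cfError: CFError?
    let trusted = SecTrustEvaluateWithError(t, &cfError)
    let code = cfError.map { OSStatus(CFErrorGetCode($0)) }

    let result = SecTrustCopyResult(t) as? [String: Any] ?? [:]
    return RevocationCheckOutcome(
        trusted: trusted,
        status: code,
        revocationChecked: result[kSecTrustRevocationChecked as String] as? Bool ?? false,
        validUntil: result[kSecTrustRevocationValidUntilDate as String] as? Date)
}

/// Maps the statuses this thread talks about to a short explanation for a test log.
func describe(_ outcome: RevocationCheckOutcome) -> String {
    if outcome.trusted { return "trusted; revocation checked=\(outcome.revocationChecked), cached until \(String(describing: outcome.validUntil))" }
    switch outcome.status {
    case errSecIncompleteCertRevocationCheck?:
        return "untrusted: revocation check incomplete (responder unreachable or reply rejected), positive response was required"
    case errSecCertificateRevoked?:
        return "untrusted: certificate is revoked"
    default:
        return "untrusted: OSStatus \(String(describing: outcome.status))"
    }
}

// Usage: placeholder paths for the lab CA and leaf, DER-encoded (assumption).
let leaf = try Data(contentsOf: URL(fileURLWithPath: "/path/to/leaf.der"))
let ca = try Data(contentsOf: URL(fileURLWithPath: "/path/to/cacert1.der"))
let flags = CFOptionFlags(kSecRevocationOCSPMethod | kSecRevocationRequirePositiveResponse)

// First call: network allowed, expect a fetch to the responder.
print(describe(try evaluateWithRevocation(leafDER: leaf, anchorDER: ca, revocationFlags: flags)))
// Second call: network disabled. If it still passes, the response came from the cache;
// kSecTrustRevocationValidUntilDate tells you how long that cached answer stays usable.
print(describe(try evaluateWithRevocation(leafDER: leaf, anchorDER: ca, revocationFlags: flags, allowNetwork: false)))
```

Running the two calls back to back reproduces the behaviour described in the last post: the second evaluation succeeds with no request on the wire as long as the cached response is within its validity window, which is the date to watch when a test needs a fresh fetch.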