OCSP Revocation check for X.509 certificate - iOS & Mac

I wanted to check the OCSP revocation status for an X.509 certificate coming from the server. I am using the code below to do this with the System Security APIs:

    CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, certificatePtr, certificateLength, kCFAllocatorNull);
    SecCertificateRef certRef = SecCertificateCreateWithData(NULL, cert_data);
    OSStatus status = checkOCSPRevocationStatus(certRef);

    OSStatus checkOCSPRevocationStatus(SecCertificateRef certificate)
    {
        SecCertificateRef certs[1] = { certificate };
        CFArrayRef array = CFArrayCreate(NULL, (const void **) certs, 1, NULL);
        SecPolicyRef policy = SecPolicyCreateRevocation(kSecRevocationOCSPMethod);
        SecTrustRef trust;
        OSStatus status = SecTrustCreateWithCertificates(array, policy, &trust);
        if (status == errSecSuccess) {
            SecTrustResultType result = kSecTrustResultUnspecified;
            status = SecTrustEvaluate(trust, &result);
        }
        return status;
    }

But it always returns a Success response, even though the certificate has been revoked.

1. Is this the correct way to check revocation status using native APIs?
2. How can I clear the OCSP cache on OSX 10.13 beta? I tried

    sqlite3 ~/Library/Keychains//ocspcache.sqlite3 'DELETE FROM ocsp;'

   but it is not working in 10.13.


Note: I don't want to use OpenSSL to do the same.
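
An added example, not the poster's code and not Apple sample code: the `OSStatus` returned by `SecTrustEvaluate` only reports whether the evaluation ran, while the verdict is written to the `SecTrustResultType` argument, so this version reads that value and also sets `kSecRevocationRequirePositiveResponse` so that a missing OCSP answer counts as a failure. The function name and the optional `issuer` parameter are assumptions made here; on SDKs where `SecTrustEvaluate` is deprecated, `SecTrustEvaluateWithError` is the replacement call.

```objective-c
// Added example. Assumes `leaf` (and optionally `issuer`) are SecCertificateRefs
// the caller has already created with SecCertificateCreateWithData.
#include <stdbool.h>
#include <Security/Security.h>

// Returns true only when the evaluation ran AND its verdict is a trusted one.
bool certificateIsTrustedWithOCSP(SecCertificateRef leaf, SecCertificateRef issuer)
{
    bool trusted = false;
    CFArrayRef certs = NULL, policies = NULL;
    SecTrustRef trust = NULL;

    // Basic chain validation plus an OCSP policy. RequirePositiveResponse makes
    // the policy fail unless a verified OCSP answer is actually obtained.
    SecPolicyRef x509 = SecPolicyCreateBasicX509();
    SecPolicyRef revocation = SecPolicyCreateRevocation(
        kSecRevocationOCSPMethod | kSecRevocationRequirePositiveResponse);
    if (leaf == NULL || x509 == NULL || revocation == NULL) goto cleanup;

    // The issuer is passed along when the caller has it (assumption of this
    // example); otherwise only the leaf is placed in the array.
    const void *certValues[] = { leaf, issuer };
    certs = CFArrayCreate(NULL, certValues, issuer ? 2 : 1, &kCFTypeArrayCallBacks);
    const void *policyValues[] = { x509, revocation };
    policies = CFArrayCreate(NULL, policyValues, 2, &kCFTypeArrayCallBacks);
    if (certs == NULL || policies == NULL) goto cleanup;

    if (SecTrustCreateWithCertificates(certs, policies, &trust) != errSecSuccess)
        goto cleanup;
    SecTrustSetNetworkFetchAllowed(trust, true);   // allow network fetches during evaluation

    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    // status == errSecSuccess: the evaluation completed.
    // result: the actual verdict. Only Proceed and Unspecified mean "trusted".
    trusted = (status == errSecSuccess) &&
              (result == kSecTrustResultProceed ||
               result == kSecTrustResultUnspecified);

cleanup:
    if (trust) CFRelease(trust);
    if (policies) CFRelease(policies);
    if (certs) CFRelease(certs);
    if (revocation) CFRelease(revocation);
    if (x509) CFRelease(x509);
    return trusted;
}
```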