
Creating BouncyCastle OCSP Responses

I'm struggling to find information about OCSP in BouncyCastle, the examples I found online are vague at best, so I thought I'd try to ask here.

Here is my problem: I'm trying to do OCSP in BouncyCastle for .NET but I'm having problems with the OCSP response, in particular, I don't understand how to recover the response once I've serialized it and sent it to the recipient.

The problem may very well be that I'm building the response itself in a wrong way, since the way I do it is cobbled together from bits and pieces found online and pure "intuition" on my part. Here's how I'm creating the response:

    X509CrlEntry crlentry = Repository.CRL.GetRevokedCertificate(certToCheck.SerialNumber);
    BasicOcspRespGenerator basicRespGen = new BasicOcspRespGenerator(Repository.Data.BouncyCastlePublicKey);
    if (crlentry == null) {
        //still valid
        basicRespGen.AddResponse(certToCheck, CertificateStatus.Good);
    } else {
        //revoked
        DerGeneralizedTime dt = new DerGeneralizedTime(crlentry.RevocationDate);
        RevokedInfo rinfo = new RevokedInfo(dt, new CrlReason(CrlReason.CessationOfOperation));
        RevokedStatus rstatus = new RevokedStatus(rinfo);
        basicRespGen.AddResponse(certToCheck, rstatus);
    }
    BasicOcspResp response = basicRespGen.Generate("SHA512withRSA", Repository.Data.BouncyCastlePrivateKey, new X509Certificate[] { Repository.Data.MyCertificate }, DateTime.Now);
    byte[] responseBytes = response.GetEncoded();
    //I then send the bytes back to the client who made the request

The problem is that now I don't know how to get the response back from its serialized byte[] form... there doesn't seem to be a factory/parser or constructor to get it back. There's an OcspResp constructor that accepts byte[] as a parameter, but it throws an exception, I presume because OcspResp and BasicOcspResp are different things.

Can anybody help me? Am I building the response itself wrong, or is it just that I don't see how to deserialize it? Any hints?

Thanks in advance, Master_T

This is so old, but in case anyone looks for the answer, here it is: the BasicOcspResp must be wrapped into an OcspResp before extracting the bytes.

Creating the response on server:

    X509CrlEntry crlentry = Repository.CRL.GetRevokedCertificate(certToCheck.SerialNumber);
    BasicOcspRespGenerator basicRespGen = new BasicOcspRespGenerator(Repository.Data.BouncyCastlePublicKey);
    if (crlentry == null) {
        //still valid
        basicRespGen.AddResponse(certToCheck, CertificateStatus.Good);
    } else {
        //revoked
        DerGeneralizedTime dt = new DerGeneralizedTime(crlentry.RevocationDate);
        RevokedInfo rinfo = new RevokedInfo(dt, new CrlReason(CrlReason.CessationOfOperation));
        RevokedStatus rstatus = new RevokedStatus(rinfo);
        basicRespGen.AddResponse(certToCheck, rstatus);
    }
    BasicOcspResp basicOcspResp = basicRespGen.Generate("SHA512withRSA", Repository.Data.BouncyCastlePrivateKey, new X509Certificate[] { Repository.Data.MyCertificate }, DateTime.Now);
    var ocspResponseGenerator = new OCSPRespGenerator();
    var ocspResponse = ocspResponseGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);
    byte[] responseBytes = ocspResponse.GetEncoded();

Reading the response on client:

    OcspResp ocspResponse = new OcspResp(responseBytes);
    BasicOcspResp basicOcspResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
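Deserializing is only half of the client side: before acting on the decoded BasicOcspResp, the client should confirm the outer status, check the signature, match the SingleResp to the certificate it asked about, and reject stale answers. The following is an added example, not code from the question or answer; it assumes the caller supplies `responseBytes`, the `CertificateID` it requested (`expectedId`), the responder's public key obtained out of band (`responderKey`, e.g. from the server's `MyCertificate` above), and the current UTC time.

```csharp
using System;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Ocsp;

// Added example (not from the original post). expectedId, responderKey and nowUtc
// are assumed inputs; a 5-minute skew allowance for ThisUpdate is a chosen policy.
public static class OcspClientCheck
{
    public enum Outcome { Good, Revoked, Unknown, Invalid }

    public static Outcome Check(byte[] responseBytes, CertificateID expectedId,
                                AsymmetricKeyParameter responderKey, DateTime nowUtc)
    {
        var ocspResponse = new OcspResp(responseBytes);
        if (ocspResponse.Status != OCSPRespGenerator.Successful)
            return Outcome.Invalid;                 // tryLater, malformedRequest, ...

        var basic = ocspResponse.GetResponseObject() as BasicOcspResp;
        if (basic == null || !basic.Verify(responderKey))
            return Outcome.Invalid;                 // not a BasicOcspResp, or bad signature

        foreach (SingleResp single in basic.Responses)
        {
            if (!single.GetCertID().Equals(expectedId))
                continue;                           // answer about some other certificate

            if (single.ThisUpdate > nowUtc.AddMinutes(5))
                return Outcome.Invalid;             // produced "in the future": skew or replay

            var nextUpdate = single.NextUpdate;     // may be absent per RFC 6960
            if (nextUpdate != null && nextUpdate.Value < nowUtc)
                return Outcome.Invalid;             // stale: do not trust an expired "good"

            object status = single.GetCertStatus();
            if (status == null)
                return Outcome.Good;                // CertificateStatus.Good is encoded as null
            if (status is RevokedStatus)
                return Outcome.Revoked;             // RevokedStatus carries RevocationTime
            return Outcome.Unknown;                 // UnknownStatus: responder has no record
        }
        return Outcome.Invalid;                     // no SingleResp matched our request
    }
}
```

Treat anything other than `Good` as a failure to validate; in particular, `Invalid` should not be silently mapped to "good" on the client.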
