I'm making an OCSP request using BouncyCastle with a certificate I know is valid. My problem is that I'm getting an UNKNOWN certificate status. I know this means something went wrong on the server and it can't return the state of the certificate.
Is there a way, within the BouncyCastle framework, to get an error description, an exception or some sort of message that could help me figure out exactly why the server is unable to handle the verification of this certificate?
RFC 6960, which defines the OCSP protocol, specifies that the OCSP response has to include the following information for each certificate included in the OCSP request:
...
The response for each of the certificates in a request consists of:
o an identifier of the certificate for which revocation status information is being provided (i.e., the target certificate);
o the revocation status of the certificate (good, revoked, or unknown); if revoked, it indicates the time at which the certificate was revoked and, optionally, the reason why it was revoked;
o the validity interval of the response; and
o optional extensions.
...
As defined in the RFC, additional information is added to the OCSP response only when the certificate status is revoked (the revocation time and, optionally, the revocation reason); when the status is good or unknown, no other information is added.
You can see that in the ASN.1 definition for CertStatus in this document, which is:
    CertStatus ::= CHOICE {
        good        [0]     IMPLICIT NULL,
        revoked     [1]     IMPLICIT RevokedInfo,
        unknown     [2]     IMPLICIT UnknownInfo }

    RevokedInfo ::= SEQUENCE {
        revocationTime              GeneralizedTime,
        revocationReason    [0]     EXPLICIT CRLReason OPTIONAL }

    UnknownInfo ::= NULL
So even though BouncyCastle has a way to parse this OCSP response information, you can't get any additional detail for unknown certificates. If you check the class org.bouncycastle.asn1.ocsp.CertStatus, which represents this structure, you can see the same:
    public CertStatus(ASN1TaggedObject choice)
    {
        // The CHOICE tag number tells which alternative was sent.
        this.tagNo = choice.getTagNo();

        switch (choice.getTagNo())
        {
        case 0:
            // good: the payload is NULL, nothing else to read.
            value = new DERNull();
            break;
        case 1:
            // revoked: the payload is a RevokedInfo SEQUENCE (time and optional reason).
            value = RevokedInfo.getInstance(choice, false);
            break;
        case 2:
            // unknown: the payload is NULL as well, so no details can be extracted.
            value = new DERNull();
        }
    }
As the specification says, good (0) and unknown (2) have NULL as their info, and only for revoked (1) is more information added.
Anyway, if you're curious about BouncyCastle, at least in Java (I suppose also in the C# version) there are classes to work with the OCSP protocol; take a look at the classes in the org.bouncycastle.asn1.ocsp package, which represent the OCSPRequest and OCSPResponse elements in ASN.1 format as defined in RFC 6960.
Hope this helps,
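To make the point above concrete, here is an added example (not code from the answer or from BouncyCastle itself) that builds the three CertStatus alternatives with the org.bouncycastle.asn1.ocsp classes, DER-encodes and re-parses each one the way a received response is parsed, and prints everything that can be recovered from it. It assumes the bcprov jar is on the classpath; the describe and roundTrip helper names are my own.

```java
import java.util.Date;

import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.ocsp.CertStatus;
import org.bouncycastle.asn1.ocsp.RevokedInfo;
import org.bouncycastle.asn1.x509.CRLReason;

public class CertStatusDemo {

    // Describes everything the CertStatus CHOICE carries for each alternative.
    // Only the revoked alternative has a payload (RevokedInfo) worth reading;
    // good and unknown are both IMPLICIT NULL, so there is nothing more to show.
    static String describe(CertStatus status) {
        switch (status.getTagNo()) {
            case 0:
                return "good (no further information in the response)";
            case 1:
                RevokedInfo info = RevokedInfo.getInstance(status.getStatus());
                String reason = info.getRevocationReason() == null
                        ? "reason not given"
                        : "reason " + info.getRevocationReason();
                return "revoked at " + info.getRevocationTime().getTimeString() + ", " + reason;
            case 2:
                return "unknown (no further information in the response)";
            default:
                throw new IllegalArgumentException("invalid CertStatus tag " + status.getTagNo());
        }
    }

    // DER-encodes a CertStatus and parses the bytes back, which is what happens
    // when BouncyCastle decodes a SingleResponse taken from a real OCSP response.
    static CertStatus roundTrip(CertStatus status) throws Exception {
        byte[] der = status.toASN1Primitive().getEncoded("DER");
        return CertStatus.getInstance(ASN1Primitive.fromByteArray(der));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the three CHOICE alternatives.
        CertStatus good = new CertStatus();                         // [0] IMPLICIT NULL
        CertStatus revoked = new CertStatus(new RevokedInfo(        // [1] IMPLICIT RevokedInfo
                new ASN1GeneralizedTime(new Date()), CRLReason.lookup(CRLReason.keyCompromise)));
        CertStatus unknown = new CertStatus(2, DERNull.INSTANCE);   // [2] IMPLICIT NULL

        for (CertStatus s : new CertStatus[] { good, revoked, unknown }) {
            System.out.println(describe(roundTrip(s)));
        }
    }
}
```

If a responder answers unknown, the only other place the response itself can tell you something is the outer OCSPResponse responseStatus (for example internalError or tryLater); a SUCCESSFUL response whose SingleResponse says unknown carries no explanation by design.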