  #1  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
OCSP Request message

Hi,
I am trying to send an OCSP request via the HTTP GET method. I am getting the response as malformed packet. Can anybody please help me to get some correct Ethereal GET message log for a sample OCSP request?
Reply With Quote
  #2  
Old 13-06-2008
Member
 
Join Date: Jan 2006
Posts: 2,254
You just need to create an HTTP connection to the OCSP server, send a request and process the response.

There aren't currently any helper classes in BC for creating the HTTP messages. It should just be a matter of Base64 encoding the results of calling getEncoded() on the various OCSP and sending it off, you'll need to use the MIME library as well.

Regards
Reply With Quote
  #3  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
I have already created the OCSP request message. The request reaches the server. The request is of the form {url}/{request} but the server sends the 200 OK response and it states Malformed request. I have the packet captured using Ethereal. Now I want to get the Ethereal packet log for a successful GET request for OCSP. I am not able to infer why the packet is malformed.
Reply With Quote
  #4  
Old 13-06-2008
Member
 
Join Date: Jan 2006
Posts: 3,782
Malformed packet means that the dissector can't work out the contents of the packet any further. This can have various reasons:
  • The chosen dissector is wrong for this packet
  • The packet is longer than a single frame and not reassembled
  • There is a bug in the dissector
  • (dare I say it?) The packet is wrong

Any of these is possible. You'll have to look into the specific situation to determine what it is. You could disable the dissector by disabling the protocol on the Analyzer menu and check how Ethereal displays the packet then. You could (if it's TCP) enable reassembly for TCP and the specific dissector (if possible) in the Edit|Preferences menu. You could check the packet contents yourself by reading the packet bytes and comparing them to the protocol specification. This could reveal a dissector bug. Or you could find out that the packet is indeed wrong.

Have fun
Reply With Quote
  #5  
Old 13-06-2008
Member
 
Join Date: Jan 2006
Posts: 2,254
They are reported as malformed because they run on top of port 5000.

The only protocol Ethereal knows about that uses port 5000 is CPFI, which is a protocol to transport Fibre Channel frames on top of UDP port 5000.

So Ethereal tries to dissect it as CPFI, which it is not, and thus fails with malformed packet.
Reply With Quote
  #6  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
I would like to know the exact format of the HTTP GET message and the response we can get from the OCSP responder. My GET message as captured by Ethereal looks like the below:

GET http://{url}/{base64 encoded der encoded OCSP request}

Can you please tell me how to check whether the request is correctly formed or not?
Reply With Quote
  #7  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
Sample OCSP GET request

I want to know about a sample OCSP request example via the HTTP GET method. What does a request look like and what are the required headers to be included?
Reply With Quote
  #8  
Old 13-06-2008
Member
 
Join Date: Jan 2006
Posts: 3,782
Perhaps this code is useful for you:

/**
 ... CONSTRUCT REQUEST STRUCTURE [1]...
 */

// Coding the request:
byte[] array = ocspRequest.getEncoded();

// Sending the Request:
// serviceAddr is the HTTP location (URL) of OCSP service
if (serviceAddr != null) {
    hostAddr = serviceAddr;
    try {
        if (serviceAddr.startsWith("https")) {
            HttpsURLConnection con = null;
            URL url = new URL((String) serviceAddr);
            con = (HttpsURLConnection) url.openConnection();
            con.setRequestProperty("Content-Type", "application/ocsp-request");
            con.setRequestProperty("Accept", "application/ocsp-response");
            con.setDoOutput(true);
            OutputStream out = con.getOutputStream();
            DataOutputStream dataOut = new DataOutputStream(new BufferedOutputStream(out));
            dataOut.write(array);
            dataOut.flush();
            dataOut.close();

            // Looking for errors in the response:
            if (con.getResponseCode() / 100 != 2) {
                throw new Exception(...);
            }

            InputStream in = (InputStream) con.getContent();
            ocspResponse = new OCSPResp(in);

            /**
             ... DECODING THE RESPONSE [2] ...
             */

        }
        else {
            ...
        }
    }
    catch (Exception e) {
        ...
    }
}

[1] To construct the OCSP request you can use class "OCSPClientExample" of chapter 7 of the book (or a similar request generator).
[2] When decoding the OCSP response you must verify the signature of the response, you can get the status, you must manage single response/s (class SingleResp of BouncyCastle OCSP Package), etc.

Regards.
Reply With Quote
  #9  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
Thanks for the code. But the problem here is I am using the open source libraries for constructing the message and I am writing an interface to send the HTTP request. So I will have to restrict myself to using the APIs available to me. Now I have a certificate chain and I have extracted the AIA extension from it. I have also constructed the OCSP request. It is as follows:
GET http:{aia}/MEowSDBGMEQwQjAHBgUrDgMCGgQUe0Y3WX9XB1C9zPoP%2BJRjGFhFykEFDsSfpaXh6YJ%2Fw%3D%3D
Can you tell me what is wrong with the above request?
The responder is replying with malformed packet.
Reply With Quote
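One way to check whether a GET path segment is a well-formed request, added here as an example and not code from any poster: per RFC 2560 the segment is the URL-encoding of the base64 encoding of the DER OCSPRequest, so the check reverses those steps and walks the DER down to the CertID. It is run on the segments as they appear on this page in posts #9 and #11 (with the stray space in "%3 D" removed); `read_tlv` and `check_ocsp_get_segment` are names made up for this sketch, and it assumes a request without version or requestorName fields.

```python
import base64
from urllib.parse import unquote

# Path segments as they appear in posts #9 and #11 of this thread.
POST_9 = "MEowSDBGMEQwQjAHBgUrDgMCGgQUe0Y3WX9XB1C9zPoP%2BJRjGFhFykEFDsSfpaXh6YJ%2Fw%3D%3D"
POST_11 = ("MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdKNEwjytjKBQADcgM61jfflNpyQQU"
           "v1NDgnjQnsOA5RtnygUA37lIg6UCAQI%3D")

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26


def read_tlv(buf, pos, want_tag):
    """Return (value, next_pos) for the DER element at pos, checking tag and length."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected tag 0x{want_tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"element needs {length} bytes, only {len(buf) - pos} present")
    return buf[pos:pos + length], pos + length


def check_ocsp_get_segment(segment):
    """Decode {url-encoded base64 DER} and return (ok, detail)."""
    try:
        der = base64.b64decode(unquote(segment), validate=True)
        body, end = read_tlv(der, 0, 0x30)          # OCSPRequest
        if end != len(der):
            raise ValueError("trailing bytes after OCSPRequest")
        tbs, _ = read_tlv(body, 0, 0x30)            # TBSRequest
        # Assumption: default version, no requestorName, so requestList is first.
        req_list, _ = read_tlv(tbs, 0, 0x30)        # SEQUENCE OF Request
        request, _ = read_tlv(req_list, 0, 0x30)    # first Request
        cert_id, _ = read_tlv(request, 0, 0x30)     # CertID
        alg, p = read_tlv(cert_id, 0, 0x30)         # hashAlgorithm
        oid, _ = read_tlv(alg, 0, 0x06)
        name_hash, p = read_tlv(cert_id, p, 0x04)   # issuerNameHash
        key_hash, p = read_tlv(cert_id, p, 0x04)    # issuerKeyHash
        serial, _ = read_tlv(cert_id, p, 0x02)      # serialNumber
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, str(exc)
    if oid == SHA1_OID and not len(name_hash) == len(key_hash) == 20:
        return False, "SHA-1 CertID hashes must be 20 bytes each"
    return True, {"serial": int.from_bytes(serial, "big"),
                  "issuerNameHash": name_hash.hex(), "issuerKeyHash": key_hash.hex()}
```

Calling `check_ocsp_get_segment(POST_9)` and `check_ocsp_get_segment(POST_11)` returns a pass/fail flag plus either the reason for rejection or the decoded CertID fields.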
  #10  
Old 13-06-2008
Member
 
Join Date: Jun 2008
Posts: 7
question

Quote:
Originally Posted by BIG FISH View Post
Perhaps this code is useful for you:

I have written my request below. Can you please help me out on this? I am not able to figure it out and I am new to OCSP too.
Reply With Quote
  #11  
Old 06-12-2011
Member
 
Join Date: Nov 2011
Posts: 3
Re: OCSP Request message

I am trying to create an OCSP request using Visual C++ for Windows 7 client.
I need some help on how to construct the OCSP Message.

Using Wireshark Traces I have the below sample trace of an http GET Request:

To be specific, I would like to know how to construct this part of the request --> "MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdKNEwjytjKBQADcgM61jfflNpyQQUv1NDgnjQnsOA5RtnygUA37lIg6UCAQI%3D" using existing Microsoft APIs in Visual C++.
Reply With Quote
  #12  
Old 07-12-2011
Member
 
Join Date: Dec 2007
Posts: 1,728
Re: OCSP Request message

Quote:
Originally Posted by RA_Client View Post
I am trying to create an OCSP request using Visual C++ for Windows 7 client.
I need some help on how to construct the OCSP Message.

Using Wireshark Traces I have the below sample trace of an http GET Request:

To be specific, I would like to know how to construct this part of the request --> "MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdKNEwjytjKBQADcgM61jfflNpyQQUv1NDgnjQnsOA5RtnygUA37lIg6UCAQI%3D" using existing Microsoft APIs in Visual C++.
In C++, you create an instance of this interface by calling the CoCreateInstance function with the CLSID_OCSPAdmin class identifier. In Visual Basic Scripting Edition, you create an instance of the OCSPAdmin object. More information can be found here - http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
Reply With Quote
  #13  
Old 07-12-2011
Member
 
Join Date: Nov 2011
Posts: 3
Re: OCSP Request message

Thank you for the reply.
I just went through the documentation and I see this note: "This interface does not include functionality to create or parse certificate status requests."

I basically want to create an OCSP certificate status request as stated in RFC2560 - 'Binary of DER Encoded OCSP Req'. I would like to know how to retrieve this additional info from the certificate and construct it in that format.
Any examples would be helpful.

Thanks Again.
Reply With Quote
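A sketch of building that DER request and its GET URL by hand, added here as an example and not code from any poster or from a Microsoft API: the CertID carries the SHA-1 of the issuer's DER-encoded Name, the SHA-1 of the issuer's public key bytes, and the serial number of the certificate being checked. The issuer name, key bytes and responder URL below are constructed sample values, and `der`, `der_integer`, `build_ocsp_request` and `ocsp_get_url` are names made up for this sketch.

```python
import base64
import hashlib
from urllib.parse import quote

SHA1_ALG_ID = bytes.fromhex("300906052b0e03021a0500")  # SEQUENCE { OID sha1, NULL }


def der(tag, value):
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(value)
    if n < 0x80:
        head = bytes([tag, n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([tag, 0x80 | size]) + n.to_bytes(size, "big")
    return head + value


def der_integer(value):
    """Minimal INTEGER encoding for a non-negative serial number."""
    # The extra leading byte appears only when the top bit would otherwise be set.
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest with one SHA-1 CertID; no version, signature or extensions."""
    cert_id = der(0x30, SHA1_ALG_ID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())
                  + der_integer(serial))
    request = der(0x30, cert_id)
    tbs_request = der(0x30, der(0x30, request))  # requestList inside TBSRequest
    return der(0x30, tbs_request)


def ocsp_get_url(responder_url, ocsp_request_der):
    """{url}/{url-encoding of base-64 encoding of the DER encoding}."""
    b64 = base64.b64encode(ocsp_request_der).decode("ascii")
    # safe="" so that "/", "+" and "=" inside the base64 text are percent-encoded.
    return responder_url.rstrip("/") + "/" + quote(b64, safe="")


# Constructed inputs: in practice these are the issuer certificate's subject
# Name (DER) and the contents of its subjectPublicKey BIT STRING.
ISSUER_NAME = bytes.fromhex("3011310f300d06035504030c0644656d6f4341")  # CN=DemoCA
ISSUER_KEY = bytes(range(32))
URL = ocsp_get_url("http://ocsp.example.test",
                   build_ocsp_request(ISSUER_NAME, ISSUER_KEY, serial=2))
```

With a SHA-1 CertID and serial 2 the encoded segment starts with the same "MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABB" prefix and ends with the same "CAQI%3D" as the Wireshark sample quoted in post #11.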
  #14  
Old 08-12-2011
Member
 
Join Date: Nov 2011
Posts: 3
Re: OCSP Request message

Hi,
Searching for ways to send an OCSP request, today I came across these structures holding OCSP request parameters.

typedef struct _OCSP_REQUEST_INFO,
typedef struct _OCSP_REQUEST_ENTRY,
typedef struct _OCSP_CERT_ID.

But I have no clue if there are any functions (Win Crypto API) using these structures.
Please let me know if anyone has used these structs.
Reply With Quote
  #15  
Old 09-12-2011
Member
 
Join Date: Dec 2007
Posts: 2,273
Re: OCSP Request message

I think that in the RSA BSAFE toolkit an OCSP context is created first. This context is used to hold the defaults for any OCSP requests which are created from it.

To create an OCSP context from a library context:
Code:
 R_LIB_CTX *lib_ctx;
 R_OCSP_CTX *ocsp_ctx = NULL;
 ...
 ret = R_OCSP_CTX_new(lib_ctx, R_RES_FLAG_DEF, &ocsp_ctx);
 if (ret != R_ERROR_NONE)
 {
     goto done;
 }
Reply With Quote