Hi!

Does anybody know of a tool to test OCSP responses? Preferably, something that can be used from a Windows command line and/or can be included (easily) in a Java/Python program.

+1  A: 

The newpki client claims to be able to do that. http://www.newpki.org/

Alexey Feldgendler
Thanks a lot, Alexey. The newpki client seems to be a bit more complex than what I'm looking for, as it's a full PKI admin tool.
+1  A: 

Can you test it over HTTP as described in the specs in Appendix A? If so, then you can use any web test util. Since you mentioned Java, JMeter comes to mind. With JMeter, you can create your Java code to do validation, etc., and re-use it in your test cases.

Can you use something other than CMD line, such as a BASH script via Cygwin?

You'd still have to script some things to validate the test, perhaps using openssl?

curl http://some.ocsp.url/  > resp.der
openssl ocsp -respin resp.der -text

See page http://www.ietf.org/rfc/rfc2560.txt

Dustin
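As an added example (not code from any of the answers), this standard-library Python wraps an already-encoded DER OCSP request for the HTTP transport of RFC 2560 Appendix A and triages the outer status of whatever comes back. It assumes the request was produced elsewhere, for instance with `openssl ocsp -issuer issuer.pem -cert cert.pem -reqout req.der`; the function names and file names are made up for illustration.

```python
import base64
import urllib.parse
import urllib.request

# OCSPResponseStatus values, RFC 2560 section 4.2.1 (4 is not used).
STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
          3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def get_url(responder_url, req_der):
    """Appendix A.1.1 GET form: {url}/{url-encoded base64 of the DER request}."""
    b64 = base64.b64encode(req_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

def post_request(responder_url, req_der):
    """Appendix A.1.1 POST form, with the required request media type."""
    return urllib.request.Request(responder_url, data=req_der, method="POST",
                                  headers={"Content-Type": "application/ocsp-request"})

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element; reject truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def response_status(resp_der):
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, [0] responseBytes OPTIONAL }."""
    tag, body, end = _read_tlv(resp_der, 0)
    if tag != 0x30 or end != len(resp_der):
        raise ValueError("not a single DER SEQUENCE")
    tag, value, nxt = _read_tlv(body, 0)
    if tag != 0x0A or len(value) != 1:
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    has_basic = nxt < len(body) and body[nxt] == 0xA0  # [0] EXPLICIT responseBytes
    return STATUS.get(value[0], "unknown(%d)" % value[0]), has_basic

def fetch_status(responder_url, req_der, timeout=10):
    """Network path: POST the request and insist on the OCSP response media type."""
    with urllib.request.urlopen(post_request(responder_url, req_der), timeout=timeout) as r:
        if r.headers.get_content_type() != "application/ocsp-response":
            raise ValueError("unexpected Content-Type: " + r.headers.get_content_type())
        return response_status(r.read())
```

`response_status(bytes.fromhex("30030a0106"))`, a constructed five-byte error response, returns `("unauthorized", False)`. A `successful` status only says the responder answered: the certificate status and the responder's signature sit inside `responseBytes` and still have to be checked, for example with `openssl ocsp -respin resp.der -text` as in the answer above.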
+1  A: 

Looking a bit more, I think I've found some answers:

a) OpenSSL to the rescue:

openssl ocsp -whatever

For more info, http://www.openssl.org/docs/apps/ocsp.html

b) http://www.openvalidation.org/ is another way of testing a cert. And via its links, I got to:

Thanks to all the answers!

JJarava
+1  A: 

BouncyCastle has a Java crypto-provider and support for OCSP requests and responses. The differences between the OCSPReq and OCSPRequest classes and between the OCSPResp and OCSPResponse classes are a little confusing, though.

A: 

Here is a good resource for setting up a simple OCSP client or OCSP responder with OpenSSL: http://backreference.org/2010/05/09/ocsp-verification-with-openssl/

ohe