
OCSPResponse

Represents an OCSP response as described in RFC 6960, Section 4.2.

Examples

// Example 1: parse an OCSP response and verify its signature.
// Assumes ocspRespRaw (BER-encoded response) and cert (a trusted pkijs.Certificate) are already defined.
import * as asn1js from "asn1js";
import * as pkijs from "pkijs";

const asnOcspResp = asn1js.fromBER(ocspRespRaw);
const ocspResp = new pkijs.OCSPResponse({ schema: asnOcspResp.result });

if (!ocspResp.responseBytes) {
  throw new Error("No \"ResponseBytes\" in the OCSP Response - nothing to verify");
}

// The signed BasicOCSPResponse is carried inside the responseBytes OCTET STRING
const asnOcspRespBasic = asn1js.fromBER(ocspResp.responseBytes.response.valueBlock.valueHex);
const ocspBasicResp = new pkijs.BasicOCSPResponse({ schema: asnOcspRespBasic.result });
const ok = await ocspBasicResp.verify({ trustedCerts: [cert] });

// Example 2: create and sign an OCSP response.
// Assumes cert and issuerCert (pkijs.Certificate) and keys (a CryptoKeyPair) are already defined.
const ocspBasicResp = new pkijs.BasicOCSPResponse();

// Fill in the ResponseData (tbsResponseData) structure to sign
ocspBasicResp.tbsResponseData.responderID = issuerCert.subject;
ocspBasicResp.tbsResponseData.producedAt = new Date();

const certID = new pkijs.CertID();
await certID.createForCertificate(cert, {
  hashAlgorithm: "SHA-256",
  issuerCertificate: issuerCert,
});
const response = new pkijs.SingleResponse({
  certID,
});
response.certStatus = new asn1js.Primitive({
  idBlock: {
    tagClass: 3, // CONTEXT-SPECIFIC
    tagNumber: 0 // [0]
  },
  lenBlockLength: 1 // The length contains one byte 0x00
}); // certStatus [0] - good
response.thisUpdate = new Date();

ocspBasicResp.tbsResponseData.responses.push(response);

// Add certificates for chain OCSP response validation
ocspBasicResp.certs = [issuerCert];

// Pass the hash algorithm explicitly
await ocspBasicResp.sign(keys.privateKey, "SHA-256");

// Finally create completed OCSP response structure
const ocspBasicRespRaw = ocspBasicResp.toSchema().toBER(false);

const ocspResp = new pkijs.OCSPResponse({
  responseStatus: new asn1js.Enumerated({ value: 0 }), // successful
  responseBytes: new pkijs.ResponseBytes({
    responseType: pkijs.id_PKIX_OCSP_Basic,
    response: new asn1js.OctetString({ valueHex: ocspBasicRespRaw }),
  }),
});

const ocspRespRaw = ocspResp.toSchema().toBER();
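The following is an added example, not part of the PKI.js documentation: policy checks a relying party typically runs around signature verification, covering the unsigned responseStatus envelope, the certStatus tag and thisUpdate/nextUpdate freshness. The function names, the age and clock-skew limits, and the plain objects standing in for parsed OCSPResponse and SingleResponse instances are assumptions made for this example.

```javascript
// Added example; plain objects stand in for the PKI.js instances (constructed data).
// RFC 6960 section 4.2.1 OCSPResponseStatus values; 4 is not used.
const OCSP_STATUS = {
  0: "successful", 1: "malformedRequest", 2: "internalError",
  3: "tryLater", 5: "sigRequired", 6: "unauthorized",
};
const ID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"; // same OID as pkijs.id_PKIX_OCSP_Basic

// Gate on the outer envelope. Error statuses carry no signature, so anything
// other than "successful" must never be read as "certificate is good".
function checkEnvelope(ocspResp) {
  const code = ocspResp.responseStatus.valueBlock.valueDec;
  const name = OCSP_STATUS[code] || `unassigned(${code})`;
  if (code !== 0) return { ok: false, reason: `responder returned ${name}` };
  if (!ocspResp.responseBytes) return { ok: false, reason: "successful status without responseBytes" };
  if (ocspResp.responseBytes.responseType !== ID_PKIX_OCSP_BASIC) {
    return { ok: false, reason: "unsupported responseType" };
  }
  return { ok: true, reason: name };
}

// certStatus is a context-specific tag: [0] good, [1] revoked, [2] unknown.
function certStatusName(single) {
  const names = { 0: "good", 1: "revoked", 2: "unknown" };
  return names[single.certStatus.idBlock.tagNumber] || "unrecognised";
}

// Freshness of one SingleResponse. maxAgeMs and skewMs are policy values
// assumed for this example, not PKI.js defaults.
function checkFreshness(single, now = new Date(), maxAgeMs = 7 * 86400e3, skewMs = 300e3) {
  const t = now.getTime();
  const issued = single.thisUpdate.getTime();
  if (issued > t + skewMs) return { ok: false, reason: "thisUpdate is in the future" };
  if (single.nextUpdate) {
    if (single.nextUpdate.getTime() < t - skewMs) return { ok: false, reason: "nextUpdate has passed" };
  } else if (t - issued > maxAgeMs) {
    return { ok: false, reason: "no nextUpdate and thisUpdate too old" };
  }
  return { ok: true, reason: "fresh" };
}

// Constructed sample: a "tryLater" envelope and a stale "good" SingleResponse.
const sampleEnvelope = { responseStatus: { valueBlock: { valueDec: 3 } } };
const sampleSingle = {
  certStatus: { idBlock: { tagClass: 3, tagNumber: 0 } },
  thisUpdate: new Date("2024-01-01T00:00:00Z"),
  nextUpdate: new Date("2024-01-02T00:00:00Z"),
};
console.log(checkEnvelope(sampleEnvelope).reason);
console.log(certStatusName(sampleSingle), checkFreshness(sampleSingle, new Date("2024-01-10T00:00:00Z")).reason);
```

A replayed response can still carry a valid signature and a "good" certStatus, which is why the freshness check is applied in addition to verify().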

Extends

Implements

Constructors

new OCSPResponse()

new OCSPResponse(parameters): OCSPResponse

Initializes a new instance of the OCSPResponse class

Parameters

parameters: OCSPResponseParameters = {}

Initialization parameters

Returns

OCSPResponse

Overrides

PkiObject.constructor

Properties

responseBytes?

optional responseBytes: ResponseBytes

Implementation of

IOCSPResponse.responseBytes


responseStatus

responseStatus: Enumerated

Implementation of

IOCSPResponse.responseStatus


CLASS_NAME

static CLASS_NAME: string = "OCSPResponse"

Name of the class

Overrides

PkiObject.CLASS_NAME

Accessors

className

get className(): string

Returns

string

Inherited from

PkiObject.className

Methods

fromSchema()

fromSchema(schema): void

Converts parsed ASN.1 object into current class

Parameters

schema: any

ASN.1 schema

Returns

void

Overrides

PkiObject.fromSchema


getCertificateStatus()

getCertificateStatus(certificate, issuerCertificate, crypto): Promise<CertificateStatus>

Get OCSP response status for specific certificate

Parameters

certificate: Certificate

issuerCertificate: Certificate

crypto: ICryptoEngine = ...

Crypto engine

Returns

Promise<CertificateStatus>


sign()

sign(privateKey, hashAlgorithm?, crypto?): Promise<void>

Make a signature for current OCSP Response

Parameters

privateKey: CryptoKey

Private key for "subjectPublicKeyInfo" structure

hashAlgorithm?: string

Hashing algorithm. Default SHA-1

crypto?: ICryptoEngine = ...

Returns

Promise<void>


toJSON()

toJSON(): OCSPResponseJson

Converts the class to JSON object

Returns

OCSPResponseJson

JSON object

Overrides

PkiObject.toJSON


toSchema()

toSchema(): Sequence

Converts current object to ASN.1 object and sets correct values

Returns

Sequence

ASN.1 object

Overrides

PkiObject.toSchema


toString()

toString(encoding): string

Parameters

encoding: "base64" | "base64url" | "hex" = "hex"

Returns

string

Inherited from

PkiObject.toString


verify()

verify(issuerCertificate, crypto): Promise<boolean>

Verify current OCSP Response

Parameters

issuerCertificate: null | Certificate = null

To reduce the size of the response, the issuer certificate may be omitted from it. In that case you need to provide it manually.

crypto: ICryptoEngine = ...

Crypto engine

Returns

Promise<boolean>


blockName()

static blockName(): string

Returns block name

Returns

string

Returns string block name

Inherited from

PkiObject.blockName


compareWithDefault()

static compareWithDefault(memberName, memberValue): boolean

Compare values with default values for all class members

Parameters

memberName: string

String name for a class member

memberValue: any

Value to compare with default value

Returns

boolean


defaultValues()

defaultValues(memberName)

static defaultValues(memberName): Enumerated

Returns default values for all class members

Parameters

memberName: "responseStatus"

String name for a class member

Returns

Enumerated

Default value

Overrides

PkiObject.defaultValues

defaultValues(memberName)

static defaultValues(memberName): ResponseBytes

Returns default values for all class members

Parameters

memberName: "responseBytes"

String name for a class member

Returns

ResponseBytes

Default value

Overrides

PkiObject.defaultValues


fromBER()

static fromBER<T>(this, raw): T

Creates PKI object from the raw data

Type Parameters

T extends PkiObject

Parameters

this: PkiObjectConstructor<T>

raw: BufferSource

ASN.1 encoded raw data

Returns

T

Initialized and filled current class object

Inherited from

PkiObject.fromBER


schema()

static schema(parameters): any

Returns value of pre-defined ASN.1 schema for current class

Parameters

parameters: SchemaParameters<object> = {}

Input parameters for the schema

Returns

any

ASN.1 schema object

Overrides

PkiObject.schema