Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
613 views
in Technique[技术] by (71.8m points)

itext - iTextSharp OcspClientBouncyCastle constructor is deprecated, what's the replacement?

I'm using iTextSharp 5.5.10. OcspClientBouncyCastle default's constructor is deprecated.

IOcspClient ocspClient = new OcspClientBouncyCastle();

The other one is :

OcspClientBouncyCastle(OcspVerifier verifier)

But i cant't find any way to use it. Could anybody provide a sample with this new constructor, please ?

Thank you very much.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you want the former behavior, i.e. the OCSP response retrieved by the OcspClientBouncyCastle is trusted without further ado, you can simply use null as argument:

IOcspClient ocspClient = new OcspClientBouncyCastle(null);

But if you want the retrieved OCSP response to be checked, you have to supply an OCSPVerifier instance.

How this instance has to be initialized, depends on the CA's PKI from which the OCSP response is queried. If it supplies sufficient information in the OCSP response and the response is signed with a certificate not requiring further checks (e.g. if it has the id-pkix-ocsp-nocheck extension), you can initialize it with null arguments:

OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
IOcspClient ocspClient = new OcspClientBouncyCastle(ocspVerifier);

But a CA may choose not to specify any method of revocation checking for the responder's certificate (RFC 2560). In the worst case this might require an initialization of the verifier which is specific to that very CA.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...