If you want the former behavior, i.e. the OCSP response retrieved by the OcspClientBouncyCastle is trusted without any further checks, you can simply pass null as the argument:
IOcspClient ocspClient = new OcspClientBouncyCastle(null);
But if you want the retrieved OCSP response to be checked, you have to supply an OCSPVerifier instance.
How this instance has to be initialized depends on the PKI of the CA from which the OCSP response is requested. If the response carries sufficient information and is signed with a certificate that requires no further checks (e.g. one carrying the id-pkix-ocsp-nocheck extension, by which the CA declares the responder trustworthy for the lifetime of its certificate), you can initialize it with null arguments:
OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
IOcspClient ocspClient = new OcspClientBouncyCastle(ocspVerifier);
But a CA may also choose not to specify any method of revocation checking for the responder's certificate (RFC 2560, section 4.2.2.2.1; its successor RFC 6960 keeps the same provision), in which case it is up to the OCSP client's local policy whether and how that certificate is checked. In the worst case this requires an initialization of the verifier that is specific to that very CA, e.g. one that knows the CA's root certificate and the CRL covering its responder certificates.
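As an added example that is not part of the original answer: one way such a CA-specific initialization could look in iText 5.x. It assumes the CA publishes a CRL that covers its OCSP responder certificates and that the CA root certificate is available as a local file; the file paths and the class name CaSpecificOcspClient are placeholders, and the API names used (CRLVerifier, setRootStore, setOnlineCheckingAllowed) are those of iText 5.5 and should be checked against the version you use.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

import com.itextpdf.text.pdf.security.CRLVerifier;
import com.itextpdf.text.pdf.security.IOcspClient;
import com.itextpdf.text.pdf.security.OCSPVerifier;
import com.itextpdf.text.pdf.security.OcspClientBouncyCastle;

// Added example, not iText's own code: builds an OcspClientBouncyCastle whose
// OCSPVerifier is tailored to one CA. Assumed: iText 5.5 API names, a CA root
// certificate in DER/PEM at rootCertPath, and a CRL for the CA's responder
// certificates at responderCrlPath (both placeholders).
public class CaSpecificOcspClient {

    public static IOcspClient build(String rootCertPath, String responderCrlPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Trust anchor for the responder certificate chain: the CA's own root.
        X509Certificate caRoot;
        try (InputStream in = new FileInputStream(rootCertPath)) {
            caRoot = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore rootStore = KeyStore.getInstance(KeyStore.getDefaultType());
        rootStore.load(null, null);                 // empty in-memory store
        rootStore.setCertificateEntry("ca-root", caRoot);

        // This CA's revocation method for responder certificates is a CRL
        // (assumption), so the responder certificate is checked against it.
        X509CRL responderCrl;
        try (InputStream in = new FileInputStream(responderCrlPath)) {
            responderCrl = (X509CRL) cf.generateCRL(in);
        }
        List<X509CRL> crls = Collections.singletonList(responderCrl);
        CRLVerifier crlVerifier = new CRLVerifier(null, crls);
        crlVerifier.setRootStore(rootStore);
        crlVerifier.setOnlineCheckingAllowed(false); // only the supplied CRL counts

        // The OCSP verifier is chained to the CRL verifier and anchored in the
        // same root store, so a responder certificate without id-pkix-ocsp-nocheck
        // can still be validated the way this particular CA requires.
        OCSPVerifier ocspVerifier = new OCSPVerifier(crlVerifier, null);
        ocspVerifier.setRootStore(rootStore);
        ocspVerifier.setOnlineCheckingAllowed(false);

        return new OcspClientBouncyCastle(ocspVerifier);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; replace with the CA's real root certificate and CRL.
        IOcspClient client = build("ca-root.cer", "responder.crl");
        System.out.println("OCSP client ready: " + client.getClass().getSimpleName());
    }
}
```

Disabling online checking keeps the verifier deterministic: the responder certificate is judged only against the CRL you supplied, so a stale CRL fails closed instead of silently fetching a newer one. Enable it (and supply null CRLs) only if you want the verifier to fetch revocation data from the CA itself.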