不建议使用iTextSharp OcspClientBouncyCastle构造函数，该用什么代替? [英] iTextSharp OcspClientBouncyCastle constructor is deprecated, what's the replacement?

问题描述

我正在使用iTextSharp 5.5.10.不建议使用OcspClientBouncyCastle默认的构造函数.

I'm using iTextSharp 5.5.10. OcspClientBouncyCastle default's constructor is deprecated.

IOcspClient ocspClient = new OcspClientBouncyCastle();

另一个是:

OcspClientBouncyCastle(OcspVerifier verifier)

但是我找不到任何使用它的方法. 任何人都可以提供带有此新构造函数的示例吗?

But i cant't find any way to use it. Could anybody provide a sample with this new constructor, please ?

非常感谢您.

推荐答案

如果您希望以前的行为(例如，通过OcspClientBouncyCastle检索的OCSP响应不受信任)，可以简单地使用null作为参数:

If you want the former behavior, i.e. the OCSP response retrieved by the OcspClientBouncyCastle is trusted without further ado, you can simply use null as argument:

IOcspClient ocspClient = new OcspClientBouncyCastle(null);

但是，如果要检查检索到的OCSP响应，则必须提供一个OCSPVerifier实例.

But if you want the retrieved OCSP response to be checked, you have to supply an OCSPVerifier instance.

如何初始化此实例，取决于查询OCSP响应的CA的PKI.如果它在OCSP响应中提供了足够的信息，并且该响应已使用不需要进一步检查的证书进行了签名(例如，它具有 id-pkix-ocsp-nocheck 扩展名)，则可以使用null参数:

How this instance has to be initialized, depends on the CA's PKI from which the OCSP response is queried. If it supplies sufficient information in the OCSP response and the response is signed with a certificate not requiring further checks (e.g. if it has the id-pkix-ocsp-nocheck extension), you can initialize it with null arguments:

OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
IOcspClient ocspClient = new OcspClientBouncyCastle(ocspVerifier);

但是 CA可以选择不为响应者的证书指定任何吊销检查方法(RFC 2560).在最坏的情况下，这可能需要初始化特定于该CA的验证程序.

But a CA may choose not to specify any method of revocation checking for the responder's certificate (RFC 2560). In the worst case this might require an initialization of the verifier which is specific to that very CA.

这篇关于不建议使用iTextSharp OcspClientBouncyCastle构造函数，该用什么代替?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！