trustid revoke server developer guide


Upload: elevenpaths

Post on 08-Jan-2017


Page 1: TrustID Revoke Server Developer Guide

[email protected]

elevenpaths.com

ElevenPaths, radical and disruptive innovation in security solutions

TrustID Revoke Server,

Developer guide


TrustID Revoke Server Developer guide

V.2.1 – October 2016

2016 © Telefónica Digital España, S.L.U. All rights reserved. Page 2 of 24

TABLE OF CONTENTS

1 Introduction ... 3
2 Certificate Validation Web Service ... 4
  2.1 Validate Method ... 4
    2.1.1 Input Parameters ... 4
    2.1.2 Output Parameters ... 4
    2.1.3 Example ... 5
3 Download Web Service of CRLs/OCSP Responses ... 6
  3.1 GetRevocationObject Method ... 6
    3.1.1 Input Parameters ... 6
    3.1.2 Output Parameters ... 6
    3.1.3 Example ... 7
4 Revocation Verification Web Service ... 9
  4.1 Verify Method ... 9
    4.1.1 Input Parameters ... 9
    4.1.2 Output Parameters ... 9
    4.1.3 Example ... 10
5 Annex I ... 12
  5.1 Description of the Validation Web Service of Certificates in WSDL Format ... 12
  5.2 Examples of SOAP Requests and Responses to the Certificate Validation Service ... 14
    5.2.1 Example of SOAP 1.1 ... 14
    5.2.2 Example of SOAP 1.2 ... 15
  5.3 Description of the Download Web Service in WSDL Format ... 15
  5.4 Examples of SOAP Requests and Responses to the Download Service ... 17
    5.4.1 Example of SOAP 1.1 ... 17
    5.4.2 Example of SOAP 1.2 ... 18
  5.5 Description of the Revocation Verification Web Service in WSDL Format ... 19
  5.6 Examples of SOAP Requests and Responses to the Revocation Verification Service ... 20
    5.6.1 Example of SOAP 1.1 ... 21
    5.6.2 Example of SOAP 1.2 ... 21
6 Resources ... 23


1 Introduction

TrustID® Revoke Server lets an organization work with certificates issued by multiple external certification authorities through a centralized system that validates the revocation status of the digital certificates used by its users and its systems. The revocation process can also be customized with administrator-defined rules, which removes the need to grant every computer or application access to the online CRL publishing servers of each certification service provider.

The product is designed as a Web Service to simplify its integration with other applications and systems. This document gives the technical information needed to integrate both the certificate verification service and the CRL/OCSP response download service with third-party applications.

Annex I details the formal definition of the Web services interface in WSDL format for applications that support calls to Web Services using WSDL and SOAP.


2 Certificate Validation Web Service

This section describes the methods published by the certificate validation Web service. The Web service is available on machines where the “TrustID® Revoke Server Setup” module is installed.

The default path of the Web Service is http://<server>/RevokeClientWS/Certificate.asmx

2.1 Validate Method

This method receives the certificate to be verified and carries out a complete validation of the certificate according to the input parameters and validation rules configured in the Revoke server.

2.1.1 Input Parameters

Parameters of the SOAP request are detailed in this section:

<computerName>: Name of the requesting computer in string format. The entered value will be displayed in the audit log. It is mandatory.

<userName>: Requesting user account in string format. The entered value will be displayed in the audit log. It is mandatory.

<sourceCertificate>: Certificate, in Base64, the status of which you wish to obtain. It is mandatory.

<verificationFileTimeUtc>: Date and time on which you want to verify the certificate status. The UTC value of the date and time must be specified in Windows File Time format. If the specified value is 0, the current date and time of the Revoke server are applied.

2.1.2 Output Parameters

Parameters of the SOAP response are detailed in this section:

<certificateStatus>: Returns information about the certificate status. The possible returned values match the values of the X509ChainStatusFlags enumeration of the .NET Framework 2.0. The most common values are:

o NoError: The status of the certificate is correct on the specified date.

o Revoked: The certificate was revoked on the specified date.

o NotTimeValid: The certificate was not valid on the specified date.

o UntrustedRoot: The certificate is issued by an entity that is not trusted by the Revoke server.

o PartialChain: The certification chain could not be built.

o RevocationStatusUnknown: Revocation status of the certificate is unknown.

o OfflineRevocation: Revocation information of the certificate could not be found.

o NotSignatureValid: The certificate signature is invalid.

Further information about the returned values is available in the Microsoft documentation article "X509ChainStatusFlags Enumeration".
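Two details of the Validate contract are easy to get wrong from the parameter lists alone: verificationFileTimeUtc is a Windows File Time (100-nanosecond ticks since 1601-01-01 UTC, not a Unix timestamp), and certificateStatus is declared in the Annex I WSDL as an xs:list of the enumeration, so one response can carry several space-separated flags. The WSDL also declares a mandatory boolean verifyRevocation that the list above omits but the C# example sets. The following Python is an added example, not code from the TrustID guide or the product: it encodes the request with the standard library, reads the status flags back as a set, and accepts a certificate only when the set is exactly {NoError}. The element order, service namespace, sample response and certificate bytes are assumptions or constructed samples, not values from the page.

```python
"""Added example (not from the TrustID guide): build a Validate request and
read its response with the Python standard library.

Assumed from Annex I's WSDL: the Request element order (computerName,
userName, sourceCertificate, verifyRevocation, verificationFileTimeUtc) and
the service namespace. The sample response and certificate bytes below are
constructed for illustration.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = "http://smartaccess.es/RevokeClient"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP11)
ET.register_namespace("tns", NS)

# Windows File Time counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime_utc(when):
    """Aware datetime (or ISO-8601 string with offset) -> verificationFileTimeUtc.
    Naive datetimes are refused: a local-time slip here silently shifts the
    verification instant by hours."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        raise ValueError("pass an aware datetime (UTC)")
    delta = when.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime_utc(filetime):
    """Inverse of to_filetime_utc (sub-microsecond ticks are dropped)."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def build_validate_request(computer_name, user_name, cert_der, verify_revocation=True, when=None):
    """Return the SOAP 1.1 envelope for Validate as bytes.
    when=None sends 0, which the guide defines as 'use the server clock'."""
    env = ET.Element(f"{{{SOAP11}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP11}}}Body")
    req = ET.SubElement(ET.SubElement(body, f"{{{NS}}}Validate"), f"{{{NS}}}Request")
    fields = [
        ("computerName", computer_name),
        ("userName", user_name),
        ("sourceCertificate", base64.b64encode(cert_der).decode("ascii")),
        ("verifyRevocation", "true" if verify_revocation else "false"),
        ("verificationFileTimeUtc", str(0 if when is None else to_filetime_utc(when))),
    ]
    for name, value in fields:
        ET.SubElement(req, f"{{{NS}}}{name}").text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def request_field(envelope, name):
    """Read one Request field back out of an envelope (handy for checks)."""
    return ET.fromstring(envelope).find(f".//{{{NS}}}{name}").text


def parse_certificate_status(response_xml):
    """Return the set of X509ChainStatusFlags names in a Validate response.
    certificateStatus is an xs:list in the WSDL, so it may hold several
    space-separated flags, not just one."""
    node = ET.fromstring(response_xml).find(f".//{{{NS}}}certificateStatus")
    if node is None or not (node.text or "").strip():
        raise ValueError("response carries no certificateStatus")
    return frozenset(node.text.split())


def certificate_is_valid(flags):
    """Fail closed: only the single flag NoError means the certificate is good.
    Any other flag, even alongside NoError, is a rejection."""
    return flags == frozenset({"NoError"})


# Constructed sample response: a certificate outside its validity period whose
# revocation status could not be determined.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateResponse xmlns="http://smartaccess.es/RevokeClient">
      <ValidateResult>
        <certificateStatus>NotTimeValid RevocationStatusUnknown</certificateStatus>
      </ValidateResult>
    </ValidateResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    fake_der = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
    print(build_validate_request("ws01", "alice", fake_der).decode())
    flags = parse_certificate_status(SAMPLE_RESPONSE)
    print(sorted(flags), "valid:", certificate_is_valid(flags))
```

Note that the C# example in 2.1.3 switches on a single value and falls into the default branch for any combination of flags, which is the same fail-closed behaviour; a client in another language has to split the list itself, as above.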


2.1.3 Example

The following is an example of a call to the Validate method from an application developed in C# .NET. First, add the Web reference to the project:

Figure 01: Adding a web reference.

After adding the Web reference to the project, you can instantiate a Web service proxy class and make the request to the server:

```csharp
Certificate.Certificate certificateWS = new Certificate.Certificate();
Certificate.ValidateCertificateRequest validateCertificateRequest = new Certificate.ValidateCertificateRequest();
Certificate.ValidateCertificateResponse validateCertificateResponse = null;

validateCertificateRequest.computerName = ...;            // requesting computer name (shown in the audit log)
validateCertificateRequest.userName = ...;                // requesting user account (shown in the audit log)
validateCertificateRequest.sourceCertificate = ...;       // certificate to validate
validateCertificateRequest.verifyRevocation = ...;        // boolean: also check revocation
validateCertificateRequest.verificationFileTimeUtc = ...; // Windows File Time in UTC; 0 = server date and time

validateCertificateResponse = certificateWS.Validate(validateCertificateRequest);

switch (validateCertificateResponse.certificateStatus)
{
    case X509ChainStatusFlags.NoError:
        Console.Write("Valid Certificate.");
        break;
    case X509ChainStatusFlags.Revoked:
        Console.Write("Revoked Certificate.");
        break;
    default:
        Console.Write("Error.");
        break;
}
```


3 Download Web Service of CRLs/OCSP Responses

This section describes the methods published by the revocation-object download Web service. The Web service is available on machines where the “TrustID® Revoke Server Setup” module is installed.

The default path of the Web Service is http://<server>/RevokeClientWS/Downloads.asmx

3.1 GetRevocationObject Method

This method receives the certificate whose revocation information you want and returns an OCSP response, a base CRL, or a base CRL plus a delta CRL, depending on the certificate and the rules configured on the server.

3.1.1 Input Parameters

Parameters of the SOAP request are detailed in this section:

<computerName>: Name of the requesting computer in string format. The entered value will be displayed in the audit log. It is mandatory.

<userName>: Requesting user account in string format. The entered value will be displayed in the audit log. It is mandatory.

<sourceCertificate>: Certificate, in Base64, the revocation information of which you wish to obtain. It is mandatory.

3.1.2 Output Parameters

Parameters of the SOAP response are detailed in this section:

<LastError>: It returns information about the error, if any. Its value can be any Windows error code. The most common values are:

o ERROR_SUCCESS (0x00000000): The status of the certificate is correct.

o CRYPT_E_NO_REVOCATION_DLL (0x80092011): There is no server component installed or registered to verify the certificate revocation.

o CRYPT_E_NO_REVOCATION_CHECK (0x80092012): The server component could not verify the certificate revocation.

o CRYPT_E_REVOCATION_OFFLINE (0x80092013): Unable to connect to the revocation server.

o CRYPT_E_NOT_IN_REVOCATION_DATABASE (0x80092014): The certificate is not in the revocation server database.

<objectType>: It indicates the type of the revocation object returned in the response. Its possible values are:

o None: No revocation object is returned.

o BASE_CRL: A base CRL is returned.

o BASE_CRL + DELTA_CRL: A base CRL and a delta CRL are returned.

o OCSP_RESP: An OCSP response is returned.


<baseCRL>: If the objectType is BASE_CRL or BASE_CRL + DELTA_CRL, it contains the base CRL, in Base64, corresponding to the certificate. Otherwise, it is null.

<deltaCRL>: If the objectType is BASE_CRL + DELTA_CRL, it contains the delta CRL, in Base64, corresponding to the certificate. Otherwise, it is null.

<ocspResponse>: If the objectType is OCSP_RESP, it contains the OCSP response, in Base64, corresponding to the certificate. Otherwise, it is null.

3.1.3 Example

The following is an example of a call to the GetRevocationObject method from an application developed in C# .NET. First, add the Web reference to the project:

Figure 02: Adding a web reference.

After adding the Web reference to the project, you can instantiate a Web service proxy class and make the request to the server:

```csharp
// Value from section 3.1.2; lastError is an unsignedInt in the Downloads WSDL.
const uint ERROR_SUCCESS = 0x00000000;

Downloads.Downloads downloadsWS = new Downloads.Downloads();
Downloads.GetRevocationObjectRequest downloadRequest = new Downloads.GetRevocationObjectRequest();
Downloads.GetRevocationObjectResponse downloadResponse = null;

downloadRequest.computerName = ...;      // requesting computer name (shown in the audit log)
downloadRequest.userName = ...;          // requesting user account (shown in the audit log)
downloadRequest.sourceCertificate = ...; // certificate whose revocation information is wanted

downloadResponse = downloadsWS.GetRevocationObject(downloadRequest);

if (downloadResponse.LastError == ERROR_SUCCESS)
{
    switch ((int)downloadResponse.objectType)
    {
        case (int)Downloads.ObjectType.BASE_CRL:
        {
            // Use downloadResponse.baseCRL
            break;
        }
        case (int)Downloads.ObjectType.BASE_CRL + (int)Downloads.ObjectType.DELTA_CRL:
        {
            // Use downloadResponse.baseCRL and downloadResponse.deltaCRL
            break;
        }
        case (int)Downloads.ObjectType.OCSP_RESP:
        {
            // Use downloadResponse.ocspResponse
            break;
        }
    }
}
else
{
    Console.Write("Error.");
}
```


4 Revocation Verification Web Service

The certificate revocation status verification Web service is intended for applications that only need to know the revocation status of a certificate. To validate a certificate completely, not only its revocation status, invoke the certificate validation Web service instead.

This section describes the methods published by the certificate revocation verification Web service. The Web service is available on machines where the “TrustID® Revoke Server Setup” module is installed.

The default path of the Web Service is http://<server>/RevokeClientWS/Revocation.asmx

4.1 Verify Method

This method receives the certificate to be verified and returns its status according to the rules configured on the server.

4.1.1 Input Parameters

Parameters of the SOAP request are detailed in this section:

<computerName>: Name of the requesting computer in string format. The entered value will be displayed in the audit log. It is mandatory.

<userName>: Requesting user account in string format. The entered value will be displayed in the audit log. It is mandatory.

<ConfigurationVersion>: Reserved for future use. It is optional.

<Base64Cert>: Certificate, in Base64 format, whose revocation status the server will verify. It is mandatory.

<lngTimeToUse>: Reserved for future use. It is optional.

4.1.2 Output Parameters

Parameters of the SOAP response are detailed in this section:

<AgentCode>: Reserved for future use.

<LastError>: It returns information about the error, if any. The most common values are:

o ERROR_SUCCESS (0x00000000): The status of the certificate is correct.

o CRYPT_E_REVOKED (0x80092010): The status of the certificate is revoked.

o CRYPT_E_NO_REVOCATION_DLL (0x80092011): There is no server component installed or registered to verify the certificate revocation.

o CRYPT_E_NO_REVOCATION_CHECK (0x80092012): The server component could not verify the certificate revocation.

o CRYPT_E_REVOCATION_OFFLINE (0x80092013): Unable to connect to the revocation server.

o CRYPT_E_NOT_IN_REVOCATION_DATABASE (0x80092014): The certificate is not in the revocation server database.

<ReasonCode>: If the revocation status verification has worked well and the status of the certificate is revoked, this parameter returns the revocation cause. Its possible values are:


o CRL_REASON_UNSPECIFIED (0): No reason was specified for the revocation.

o CRL_REASON_KEY_COMPROMISE (1): The private key or some other important field of the certificate has been compromised.

o CRL_REASON_CA_COMPROMISE (2): The private key or some other important field of the root certificate has been compromised.

o CRL_REASON_AFFILIATION_CHANGED (3): The subject or some other important field of the certificate has changed, although there is no reason to suspect that the private key is compromised.

o CRL_REASON_SUPERSEDED (4): The certificate has been replaced, although there is no reason to suspect that the private key is compromised.

o CRL_REASON_CESSATION_OF_OPERATION (5): The certificate is no longer necessary for the purpose for which it was issued, although there is no reason to suspect that the private key is compromised.

o CRL_REASON_CERTIFICATE_HOLD (6): The certificate is on hold (temporarily suspended).

<lngRevocationDate>: Reserved for future use.

<Action>: Reserved for future use.

4.1.3 Example

The following is an example of a call to the Verify method from an application developed in C# .NET. First, add the Web reference to the project:

Figure 03: Adding a web reference.


After adding the Web reference to the project, you can instantiate a Web service proxy class and make the request to the server:

```csharp
// Values from section 4.1.2 (type assumed to match the proxy's LastError property).
const uint ERROR_SUCCESS = 0x00000000;
const uint CRYPT_E_REVOKED = 0x80092010;

Revocation.Revocation revocationWS = new Revocation.Revocation();
Revocation.CVerificationRequest revocationRequest = new Revocation.CVerificationRequest();
Revocation.CVerificationResponse revocationResponse = null;

revocationRequest.computerName = ...; // requesting computer name (shown in the audit log)
revocationRequest.userName = ...;     // requesting user account (shown in the audit log)
revocationRequest.Base64Cert = ...;   // certificate to check, in Base64

revocationResponse = revocationWS.Verify(revocationRequest);

switch (revocationResponse.LastError)
{
    case ERROR_SUCCESS:
        Console.Write("Valid Certificate.");
        break;
    case CRYPT_E_REVOKED:
        Console.Write("Revoked Certificate. Reason: ");
        Console.Write(revocationResponse.ReasonCode.ToString());
        break;
    default:
        Console.Write("Error.");
        break;
}
```


5 Annex I

5.1 Description of the Validation Web Service of Certificates in WSDL Format

```xml
<?xml version="1.0" encoding="utf-8" ?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:tns="http://smartaccess.es/RevokeClient"
    xmlns:s="http://www.w3.org/2001/XMLSchema"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    targetNamespace="http://smartaccess.es/RevokeClient"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://smartaccess.es/RevokeClient">
      <s:element name="Validate">
        <s:complexType>
          <s:sequence>
            <s:element minOccurs="0" maxOccurs="1" name="Request" type="tns:ValidateCertificateRequest" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:complexType name="ValidateCertificateRequest">
        <s:sequence>
          <s:element minOccurs="0" maxOccurs="1" name="computerName" type="s:string" />
          <s:element minOccurs="0" maxOccurs="1" name="userName" type="s:string" />
          <s:element minOccurs="0" maxOccurs="1" name="sourceCertificate" type="s:base64Binary" />
          <s:element minOccurs="1" maxOccurs="1" name="verifyRevocation" type="s:boolean" />
          <s:element minOccurs="1" maxOccurs="1" name="verificationFileTimeUtc" type="s:long" />
        </s:sequence>
      </s:complexType>
      <s:element name="ValidateResponse">
        <s:complexType>
          <s:sequence>
            <s:element minOccurs="0" maxOccurs="1" name="ValidateResult" type="tns:ValidateCertificateResponse" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:complexType name="ValidateCertificateResponse">
        <s:sequence>
          <s:element minOccurs="1" maxOccurs="1" name="certificateStatus" type="tns:X509ChainStatusFlags" />
        </s:sequence>
      </s:complexType>
      <s:simpleType name="X509ChainStatusFlags">
        <s:list>
          <s:simpleType>
            <s:restriction base="s:string">
              <s:enumeration value="NoError" />
              <s:enumeration value="NotTimeValid" />
              <s:enumeration value="NotTimeNested" />
              <s:enumeration value="Revoked" />
              <s:enumeration value="NotSignatureValid" />
              <s:enumeration value="NotValidForUsage" />
              <s:enumeration value="UntrustedRoot" />
              <s:enumeration value="RevocationStatusUnknown" />
              <s:enumeration value="Cyclic" />
              <s:enumeration value="InvalidExtension" />
              <s:enumeration value="InvalidPolicyConstraints" />
              <s:enumeration value="InvalidBasicConstraints" />
              <s:enumeration value="InvalidNameConstraints" />
              <s:enumeration value="HasNotSupportedNameConstraint" />
              <s:enumeration value="HasNotDefinedNameConstraint" />
              <s:enumeration value="HasNotPermittedNameConstraint" />
              <s:enumeration value="HasExcludedNameConstraint" />
              <s:enumeration value="PartialChain" />
              <s:enumeration value="CtlNotTimeValid" />
              <s:enumeration value="CtlNotSignatureValid" />
              <s:enumeration value="CtlNotValidForUsage" />
              <s:enumeration value="OfflineRevocation" />
              <s:enumeration value="NoIssuanceChainPolicy" />
            </s:restriction>
          </s:simpleType>
        </s:list>
      </s:simpleType>
    </s:schema>
  </wsdl:types>
  <wsdl:message name="ValidateSoapIn">
    <wsdl:part name="parameters" element="tns:Validate" />
  </wsdl:message>
  <wsdl:message name="ValidateSoapOut">
    <wsdl:part name="parameters" element="tns:ValidateResponse" />
  </wsdl:message>
  <wsdl:portType name="CertificateSoap">
    <wsdl:operation name="Validate">
      <wsdl:input message="tns:ValidateSoapIn" />
      <wsdl:output message="tns:ValidateSoapOut" />
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="CertificateSoap" type="tns:CertificateSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="Validate">
      <soap:operation soapAction="http://smartaccess.es/RevokeClient/Validate" style="document" />
      <wsdl:input>
        <soap:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="CertificateSoap12" type="tns:CertificateSoap">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="Validate">
      <soap12:operation soapAction="http://smartaccess.es/RevokeClient/Validate" style="document" />
      <wsdl:input>
        <soap12:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Certificate">
    <wsdl:port name="CertificateSoap" binding="tns:CertificateSoap">
      <soap:address location="http://localhost/RevokeClientWS/certificate.asmx" />
    </wsdl:port>
    <wsdl:port name="CertificateSoap12" binding="tns:CertificateSoap12">
      <soap12:address location="http://localhost/RevokeClientWS/certificate.asmx" />
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
```

5.2 Examples of SOAP Requests and Responses to the Certificate Validation Service

This section provides examples of SOAP 1.1 and SOAP 1.2 requests and responses. In these examples, replace the placeholder values (the text in bold and blue) with the actual values of the requests:

5.2.1 Example of SOAP 1.1

```http
POST /RevokeClientWS/certificate.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://smartaccess.es/RevokeClient/Validate"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Validate xmlns="http://smartaccess.es/RevokeClient">
      <Request>
        <computerName>string</computerName>
        <userName>string</userName>
        <sourceCertificate>base64Binary</sourceCertificate>
        <verifyRevocation>boolean</verifyRevocation>
        <verificationFileTimeUtc>long</verificationFileTimeUtc>
      </Request>
    </Validate>
  </soap:Body>
</soap:Envelope>
```

```http
HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ValidateResponse xmlns="http://smartaccess.es/RevokeClient">
      <ValidateResult>
        <certificateStatus>NoError or NotTimeValid or NotTimeNested or Revoked or
          NotSignatureValid or NotValidForUsage or UntrustedRoot or RevocationStatusUnknown
          or Cyclic or InvalidExtension or InvalidPolicyConstraints or
          InvalidBasicConstraints or InvalidNameConstraints or HasNotSupportedNameConstraint
          or HasNotDefinedNameConstraint or HasNotPermittedNameConstraint or
          HasExcludedNameConstraint or PartialChain or CtlNotTimeValid or
          CtlNotSignatureValid or CtlNotValidForUsage or OfflineRevocation or
          NoIssuanceChainPolicy</certificateStatus>
      </ValidateResult>
    </ValidateResponse>
  </soap:Body>
</soap:Envelope>
```

5.2.2 Example of SOAP 1.2

```http
POST /RevokeClientWS/certificate.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <Validate xmlns="http://smartaccess.es/RevokeClient">
      <Request>
        <computerName>string</computerName>
        <userName>string</userName>
        <sourceCertificate>base64Binary</sourceCertificate>
        <verifyRevocation>boolean</verifyRevocation>
        <verificationFileTimeUtc>long</verificationFileTimeUtc>
      </Request>
    </Validate>
  </soap12:Body>
</soap12:Envelope>
```

```http
HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                 xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
  <soap12:Body>
    <ValidateResponse xmlns="http://smartaccess.es/RevokeClient">
      <ValidateResult>
        <certificateStatus>NoError or NotTimeValid or NotTimeNested or Revoked or
          NotSignatureValid or NotValidForUsage or UntrustedRoot or RevocationStatusUnknown
          or Cyclic or InvalidExtension or InvalidPolicyConstraints or
          InvalidBasicConstraints or InvalidNameConstraints or HasNotSupportedNameConstraint
          or HasNotDefinedNameConstraint or HasNotPermittedNameConstraint or
          HasExcludedNameConstraint or PartialChain or CtlNotTimeValid or
          CtlNotSignatureValid or CtlNotValidForUsage or OfflineRevocation or
          NoIssuanceChainPolicy</certificateStatus>
      </ValidateResult>
    </ValidateResponse>
  </soap12:Body>
</soap12:Envelope>
```

5.3 Description of the Download Web Service in WSDL Format

```xml
<?xml version="1.0" encoding="utf-8" ?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:tns="http://smartaccess.es/RevokeClient"
    xmlns:s="http://www.w3.org/2001/XMLSchema"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    targetNamespace="http://smartaccess.es/RevokeClient"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
  <wsdl:types>
    <s:schema elementFormDefault="qualified" targetNamespace="http://smartaccess.es/RevokeClient">
      <s:element name="GetRevocationObject">
        <s:complexType>
          <s:sequence>
            <s:element minOccurs="0" maxOccurs="1" name="Request" type="tns:GetRevocationObjectRequest" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:complexType name="GetRevocationObjectRequest">
        <s:sequence>
          <s:element minOccurs="0" maxOccurs="1" name="computerName" type="s:string" />
          <s:element minOccurs="0" maxOccurs="1" name="userName" type="s:string" />
          <s:element minOccurs="0" maxOccurs="1" name="sourceCertificate" type="s:base64Binary" />
        </s:sequence>
      </s:complexType>
      <s:element name="GetRevocationObjectResponse">
        <s:complexType>
          <s:sequence>
            <s:element minOccurs="0" maxOccurs="1" name="GetRevocationObjectResult" type="tns:GetRevocationObjectResponse" />
          </s:sequence>
        </s:complexType>
      </s:element>
      <s:complexType name="GetRevocationObjectResponse">
        <s:sequence>
          <s:element minOccurs="1" maxOccurs="1" name="lastError" type="s:unsignedInt" />
          <s:element minOccurs="1" maxOccurs="1" name="objectType" type="tns:ObjectType" />
          <s:element minOccurs="0" maxOccurs="1" name="baseCRL" type="s:base64Binary" />
          <s:element minOccurs="0" maxOccurs="1" name="deltaCRL" type="s:base64Binary" />
          <s:element minOccurs="0" maxOccurs="1" name="ocspResponse" type="s:base64Binary" />
        </s:sequence>
      </s:complexType>
      <s:simpleType name="ObjectType">
        <s:list>
          <s:simpleType>
            <s:restriction base="s:string">
              <s:enumeration value="None" />
              <s:enumeration value="BASE_CRL" />
              <s:enumeration value="DELTA_CRL" />
              <s:enumeration value="OCSP_RESP" />
            </s:restriction>
          </s:simpleType>
        </s:list>
      </s:simpleType>
    </s:schema>
  </wsdl:types>
  <wsdl:message name="GetRevocationObjectSoapIn">
    <wsdl:part name="parameters" element="tns:GetRevocationObject" />
  </wsdl:message>
  <wsdl:message name="GetRevocationObjectSoapOut">
    <wsdl:part name="parameters" element="tns:GetRevocationObjectResponse" />
  </wsdl:message>
  <wsdl:portType name="DownloadsSoap">
    <wsdl:operation name="GetRevocationObject">
      <wsdl:input message="tns:GetRevocationObjectSoapIn" />
      <wsdl:output message="tns:GetRevocationObjectSoapOut" />
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="DownloadsSoap" type="tns:DownloadsSoap">
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="GetRevocationObject">
      <soap:operation soapAction="http://smartaccess.es/RevokeClient/GetRevocationObject" style="document" />
      <wsdl:input>
        <soap:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="DownloadsSoap12" type="tns:DownloadsSoap">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="GetRevocationObject">
      <soap12:operation soapAction="http://smartaccess.es/RevokeClient/GetRevocationObject" style="document" />
      <wsdl:input>
        <soap12:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="Downloads">
    <wsdl:port name="DownloadsSoap" binding="tns:DownloadsSoap">
      <soap:address location="http://localhost/RevokeClientWS/Downloads.asmx" />
    </wsdl:port>
    <wsdl:port name="DownloadsSoap12" binding="tns:DownloadsSoap12">
      <soap12:address location="http://localhost/RevokeClientWS/Downloads.asmx" />
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
```

5.4 Examples of SOAP Requests and Responses to the Download Service

This section provides examples of SOAP 1.1 and SOAP 1.2 requests and responses. In these examples, the placeholder values (printed in bold and blue in the original layout, e.g. string, base64Binary, length, XXX.XXX.XXX.XXX) must be replaced with the actual values of the request:

5.4.1 Example of SOAP 1.1

POST /RevokeClientWS/Downloads.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://smartaccess.es/RevokeClient/GetRevocationObject"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetRevocationObject xmlns="http://smartaccess.es/RevokeClient">
<Request>
<computerName>string</computerName>
<userName>string</userName>


<sourceCertificate>base64Binary</sourceCertificate>
</Request>
</GetRevocationObject>
</soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetRevocationObjectResponse xmlns="http://smartaccess.es/RevokeClient">
<GetRevocationObjectResult>
<lastError>unsignedInt</lastError>
<objectType>None or BASE_CRL or DELTA_CRL or OCSP_RESP</objectType>
<baseCRL>base64Binary</baseCRL>
<deltaCRL>base64Binary</deltaCRL>
<ocspResponse>base64Binary</ocspResponse>
</GetRevocationObjectResult>
</GetRevocationObjectResponse>
</soap:Body>
</soap:Envelope>

5.4.2 Example of SOAP 1.2

POST /RevokeClientWS/Downloads.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<GetRevocationObject xmlns="http://smartaccess.es/RevokeClient">
<Request>
<computerName>string</computerName>
<userName>string</userName>
<sourceCertificate>base64Binary</sourceCertificate>
</Request>
</GetRevocationObject>
</soap12:Body>
</soap12:Envelope>

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<GetRevocationObjectResponse xmlns="http://smartaccess.es/RevokeClient">
<GetRevocationObjectResult>
<lastError>unsignedInt</lastError>
<objectType>None or BASE_CRL or DELTA_CRL or OCSP_RESP</objectType>
<baseCRL>base64Binary</baseCRL>
<deltaCRL>base64Binary</deltaCRL>


<ocspResponse>base64Binary</ocspResponse>
</GetRevocationObjectResult>
</GetRevocationObjectResponse>
</soap12:Body>
</soap12:Envelope>
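Because ObjectType is declared as an xs:list in the Download service WSDL above, a single objectType element can announce more than one object (for example "BASE_CRL DELTA_CRL"). The following added Python example (not part of the guide or of the product) parses such a GetRevocationObjectResponse, checks that every announced object was actually delivered, and base64-decodes the blobs; it uses a constructed sample response in place of a live server.

```python
import base64
import xml.etree.ElementTree as ET

NS = "http://smartaccess.es/RevokeClient"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
# ObjectType is an xs:list in the WSDL, so one element may carry several
# whitespace-separated tokens, e.g. "BASE_CRL DELTA_CRL".
OBJECT_TYPES = {"None", "BASE_CRL", "DELTA_CRL", "OCSP_RESP"}
TYPE_TO_FIELD = {"BASE_CRL": "baseCRL", "DELTA_CRL": "deltaCRL",
                 "OCSP_RESP": "ocspResponse"}


def parse_revocation_object_response(xml_bytes):
    """Return (lastError, {token: decoded bytes}); raise ValueError if malformed."""
    root = ET.fromstring(xml_bytes)  # stdlib ET does not fetch external entities
    res = root.find("{%s}Body/{%s}GetRevocationObjectResponse/"
                    "{%s}GetRevocationObjectResult" % (SOAP11, NS, NS))
    if res is None:
        raise ValueError("envelope carries no GetRevocationObjectResult")
    err = res.findtext("{%s}lastError" % NS)
    if err is None:
        raise ValueError("lastError (minOccurs=1) is missing")
    tokens = (res.findtext("{%s}objectType" % NS) or "").split()
    unknown = set(tokens) - OBJECT_TYPES
    if unknown:
        raise ValueError("unknown objectType token(s): %s" % sorted(unknown))
    objects = {}
    for token in tokens:
        if token == "None":
            continue
        field = TYPE_TO_FIELD[token]
        text = (res.findtext("{%s}%s" % (NS, field)) or "").strip()
        if not text:  # announced but not delivered: fail closed
            raise ValueError("objectType lists %s but %s is empty" % (token, field))
        objects[token] = base64.b64decode(text, validate=True)
    return int(err), objects


def sample_response(last_error, object_type, base_crl=b"", delta_crl=b"", ocsp=b""):
    # Constructed sample in the shape of the guide's SOAP 1.1 response (not
    # captured traffic); the blobs stand in for DER-encoded CRLs/OCSP data.
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="%s"><soap:Body>'
            '<GetRevocationObjectResponse xmlns="%s"><GetRevocationObjectResult>'
            "<lastError>%d</lastError><objectType>%s</objectType>"
            "<baseCRL>%s</baseCRL><deltaCRL>%s</deltaCRL><ocspResponse>%s"
            "</ocspResponse></GetRevocationObjectResult></GetRevocationObjectResponse>"
            "</soap:Body></soap:Envelope>" % (SOAP11, NS, last_error, object_type,
                                              b64(base_crl), b64(delta_crl), b64(ocsp))).encode("utf-8")
```

The decoded bytes are handed to the caller as-is; the meaning of lastError is the one given in the guide's output-parameter table for this method.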

5.5 Description of the Revocation Verification Web Service in WSDL Format

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
xmlns:tns="http://smartaccess.es/RevokeClient"
xmlns:s="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
targetNamespace="http://smartaccess.es/RevokeClient"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<wsdl:types>
<s:schema elementFormDefault="qualified" targetNamespace="http://smartaccess.es/RevokeClient">
<s:element name="Verify">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="VerificationRequest" type="tns:CVerificationRequest" />
</s:sequence>
</s:complexType>
</s:element>
<s:complexType name="CVerificationRequest">
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="computerName" type="s:string" />
<s:element minOccurs="0" maxOccurs="1" name="userName" type="s:string" />
<s:element minOccurs="1" maxOccurs="1" name="ConfigurationVersion" nillable="true" type="s:int" />
<s:element minOccurs="0" maxOccurs="1" name="Base64Cert" type="s:string" />
<s:element minOccurs="1" maxOccurs="1" name="lngTimeToUse" type="s:long" />
</s:sequence>
</s:complexType>
<s:element name="VerifyResponse">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="VerifyResult" type="tns:CVerificationResponse" />
</s:sequence>
</s:complexType>
</s:element>
<s:complexType name="CVerificationResponse">
<s:sequence>
<s:element minOccurs="1" maxOccurs="1" name="AgentCode" type="s:boolean" />
<s:element minOccurs="1" maxOccurs="1" name="ReasonCode" type="s:int" />
<s:element minOccurs="1" maxOccurs="1" name="LastError" type="s:unsignedInt" />
<s:element minOccurs="1" maxOccurs="1" name="lngRevocationDate" type="s:long" />


<s:element minOccurs="1" maxOccurs="1" name="Action" nillable="true" type="s:unsignedInt" />
</s:sequence>
</s:complexType>
</s:schema>
</wsdl:types>
<wsdl:message name="VerifySoapIn">
<wsdl:part name="parameters" element="tns:Verify" />
</wsdl:message>
<wsdl:message name="VerifySoapOut">
<wsdl:part name="parameters" element="tns:VerifyResponse" />
</wsdl:message>
<wsdl:portType name="RevocationSoap">
<wsdl:operation name="Verify">
<wsdl:input message="tns:VerifySoapIn" />
<wsdl:output message="tns:VerifySoapOut" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="RevocationSoap" type="tns:RevocationSoap">
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="Verify">
<soap:operation soapAction="http://smartaccess.es/RevokeClient/Verify" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:binding name="RevocationSoap12" type="tns:RevocationSoap">
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="Verify">
<soap12:operation soapAction="http://smartaccess.es/RevokeClient/Verify" style="document" />
<wsdl:input>
<soap12:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap12:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="Revocation">
<wsdl:port name="RevocationSoap" binding="tns:RevocationSoap">
<soap:address location="http://localhost/RevokeClientWS/Revocation.asmx" />
</wsdl:port>
<wsdl:port name="RevocationSoap12" binding="tns:RevocationSoap12">
<soap12:address location="http://localhost/RevokeClientWS/Revocation.asmx" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

5.6 Examples of SOAP Requests and Responses to the Revocation Verification Service

This section provides examples of SOAP 1.1 and SOAP 1.2 requests and responses. In these examples, the placeholder values (printed in bold and blue in the original layout, e.g. string, int, long, length, XXX.XXX.XXX.XXX) must be replaced with the actual values of the request:


5.6.1 Example of SOAP 1.1

POST /revokeclientws/revocation.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://smartaccess.es/RevokeClient/Verify"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Verify xmlns="http://smartaccess.es/RevokeClient">
<VerificationRequest>
<computerName>string</computerName>
<userName>string</userName>
<ConfigurationVersion>int</ConfigurationVersion>
<Base64Cert>string</Base64Cert>
<lngTimeToUse>long</lngTimeToUse>
</VerificationRequest>
</Verify>
</soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<VerifyResponse xmlns="http://smartaccess.es/RevokeClient">
<VerifyResult>
<AgentCode>boolean</AgentCode>
<ReasonCode>int</ReasonCode>
<LastError>unsignedInt</LastError>
<lngRevocationDate>long</lngRevocationDate>
<Action>unsignedInt</Action>
</VerifyResult>
</VerifyResponse>
</soap:Body>
</soap:Envelope>

5.6.2 Example of SOAP 1.2

POST /revokeclientws/revocation.asmx HTTP/1.1
Host: XXX.XXX.XXX.XXX
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<Verify xmlns="http://smartaccess.es/RevokeClient">
<VerificationRequest>
<computerName>string</computerName>
<userName>string</userName>
<ConfigurationVersion>int</ConfigurationVersion>
<Base64Cert>string</Base64Cert>
<lngTimeToUse>long</lngTimeToUse>
</VerificationRequest>


</Verify>
</soap12:Body>
</soap12:Envelope>

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: length

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<VerifyResponse xmlns="http://smartaccess.es/RevokeClient">
<VerifyResult>
<AgentCode>boolean</AgentCode>
<ReasonCode>int</ReasonCode>
<LastError>unsignedInt</LastError>
<lngRevocationDate>long</lngRevocationDate>
<Action>unsignedInt</Action>
</VerifyResult>
</VerifyResponse>
</soap12:Body>
</soap12:Envelope>
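In the VerifyResponse above, AgentCode is an xs:boolean and Action is declared nillable="true" in the WSDL of section 5.5, so a client must accept both boolean lexical forms and an Action sent as xsi:nil. The following added Python example (not part of the guide or of the product) maps such an envelope onto the CVerificationResponse fields and handles both cases, using a constructed sample response in place of a live server.

```python
import xml.etree.ElementTree as ET

NS = "http://smartaccess.es/RevokeClient"
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS_TRUE, XS_BOOL = ("true", "1"), ("true", "false", "1", "0")  # xs:boolean lexical forms


def parse_verify_response(xml_bytes):
    """Map a VerifyResponse envelope onto the CVerificationResponse fields."""
    root = ET.fromstring(xml_bytes)
    res = root.find("{%s}Body/{%s}VerifyResponse/{%s}VerifyResult" % (SOAP11, NS, NS))
    if res is None:
        raise ValueError("envelope carries no VerifyResult")

    def text(name):
        el = res.find("{%s}%s" % (NS, name))
        if el is None:  # every CVerificationResponse field is minOccurs="1"
            raise ValueError("VerifyResult lacks %s" % name)
        if el.get("{%s}nil" % XSI) in XS_TRUE:
            return None  # Action is nillable="true": the server may send xsi:nil
        return (el.text or "").strip()

    agent = text("AgentCode")
    if agent not in XS_BOOL:
        raise ValueError("AgentCode %r is not an xs:boolean" % agent)
    action = text("Action")
    return {
        "AgentCode": agent in XS_TRUE,
        "ReasonCode": int(text("ReasonCode")),
        "LastError": int(text("LastError")),
        "lngRevocationDate": int(text("lngRevocationDate")),
        "Action": None if action is None else int(action),
    }


def sample_verify_response(agent, reason, last_error, rev_date, action):
    # Constructed sample in the shape of the guide's SOAP 1.1 response (not
    # captured traffic); action=None emits the nillable Action as xsi:nil.
    action_xml = ('<Action xsi:nil="true" />' if action is None
                  else "<Action>%d</Action>" % action)
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="%s" xmlns:xsi="%s"><soap:Body>'
            '<VerifyResponse xmlns="%s"><VerifyResult>'
            "<AgentCode>%s</AgentCode><ReasonCode>%d</ReasonCode>"
            "<LastError>%d</LastError><lngRevocationDate>%d</lngRevocationDate>"
            "%s</VerifyResult></VerifyResponse></soap:Body></soap:Envelope>"
            % (SOAP11, XSI, NS, agent, reason, last_error, rev_date, action_xml)
            ).encode("utf-8")
```

The numeric fields are returned unchanged; their meaning (ReasonCode, LastError, lngRevocationDate, Action) is the one given in the guide's output-parameter table for the Verify method.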


6 Resources

For information about the different SealSign services available, please go to this address:

https://www.elevenpaths.com/technology/sealsign/index.html

Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.

You can find more information about ElevenPaths products on YouTube, on Vimeo and on Slideshare.


PUBLICATION

October 2016

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDE shall not be liable for any loss or damage arising out of the use of any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document is regulated in accordance with the terms and conditions accepted by the reader.

TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.