PHPackages                             web-eid/ocsp-php - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Utility &amp; Helpers](/categories/utility)
4. /
5. web-eid/ocsp-php

AbandonedArchivedLibrary[Utility &amp; Helpers](/categories/utility)

web-eid/ocsp-php
================

OCSP library for PHP

1.1.2(2y ago)335.3k↓57.1%4MITPHPPHP &gt;=8.1

Since Jan 13Pushed 1y ago9 watchersCompare

[ Source](https://github.com/web-eid/ocsp-php)[ Packagist](https://packagist.org/packages/web-eid/ocsp-php)[ RSS](/packages/web-eid-ocsp-php/feed)WikiDiscussions main Synced 2d ago

READMEChangelog (5)Dependencies (2)Versions (7)Used By (0)

ocsp-php
========

[](#ocsp-php)

**NB! Please note that the ocsp-php code was moved to web-eid-authtoken-validation-php repository.
We won't be accepting pull requests or responding to issues in this repository anymore. We are happy to accept your proposals in the web-eid-authtoken-validation-php repository: .**

ocsp-php is a library for PHP for checking if certificates are revoked, by using Online Certificate Status Protocol (OCSP).

This library does not include any HTTP client, you can use cURL for example.

Quickstart
==========

[](#quickstart)

Complete the steps below to include the library in your project.

A PHP web application that uses Composer to manage packages is needed for running this quickstart.

Add the library to your project
-------------------------------

[](#add-the-library-to-your-project)

Install using Composer:

```
composer require web-eid/ocsp-php
```

Loading the certificates
------------------------

[](#loading-the-certificates)

By using **CertificateLoader**, you can load certificates from file or string.

```
// Loading certificate from file
$certificate = (new CertificateLoader)->fromFile('/path/to/cert.crt')->getCert();

// Loading certificate from string
$certificate = (new CertificateLoader)->fromString('-----BEGIN CERTIFICATE-----MIIEAzCCA...-----END CERTIFICATE-----')->getCert();
```

Getting the issuer certificate from certificate
-----------------------------------------------

[](#getting-the-issuer-certificate-from-certificate)

The certificate usually contains a URL where you can find certificate of the certificate issuer.

You can use this code to extract this URL from the certificate.

```
$certLoader = (new CertificateLoader)->fromFile('/path/to/cert.crt');
$issuerCertificateUrl = $certLoader->getIssuerCertificateUrl();
```

`$issuerCertificateUrl` will contain the URL where the issuer certificate can be downloaded. When it is an empty string, that means the issuer certificate URL is not included in the SSL certificate.

Getting the OCSP responder URL
------------------------------

[](#getting-the-ocsp-responder-url)

To check if a SSL Certificate is valid, you need to know the OCSP URL, that is provided by the authority that issued the certificate. This URL can be called to check if the certificate has been revoked.

This URL may be included in the SSL Certificate itself.

You can use this code to extract the OCSP responder URL from the SSL Certificate.

```
$certLoader = (new CertificateLoader)->fromFile('/path/to/cert.crt');
$ocspResponderUrl = $certLoader->getOcspResponderUrl();
```

When it is an empty string, that means the OCSP responder URL is not included in the SSL Certificate.

Checking the revocation status of an SSL Certificate
----------------------------------------------------

[](#checking-the-revocation-status-of-an-ssl-certificate)

Once you have the SSL Certificate, the issuer certificate, and the OCSP responder URL, you can check whether the SSL certificate has been revoked or is still valid.

```
$subjectCert = (new CertificateLoader)->fromFile('/path/to/subject.crt')->getCert();
$issuerCert = (new CertificateLoader)->fromFile('/path/to/issuer.crt')->getCert();

// Create the certificateId
$certificateId = (new Ocsp)->generateCertificateId($subjectCert, $issuerCert);

// Build request body
$requestBody = new OcspRequest();
$requestBody->addCertificateId($certificateId);

// Add nonce extension when the nonce feature is enabled,
// otherwise skip this line
$requestBody->addNonceExtension(random_bytes(8));

// Send request to OCSP responder URL
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $ocspResponderUrl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, ['Content-Type: ' .Ocsp::OCSP_REQUEST_MEDIATYPE]);
curl_setopt($curl, CURLOPT_POSTFIELDS, $requestBody->getEncodeDer());
$result = curl_exec($curl);
$info = curl_getinfo($curl);
if ($info["http_code"] !== 200) {
    throw new RuntimeException("HTTP status is not 200");
}

// Check the response content type
if ($info["content_type"] != Ocsp::OCSP_RESPONSE_MEDIATYPE) {
    throw new RuntimeException("Content-Type header of the response is wrong");
}

// Decode the raw response from the OCSP Responder
$response = new OcspResponse($result);

// Validate response certificateId
$response->validateCertificateId($certificateId);

// Validate response signature
$response->validateSignature();

// Validate nonce when the nonce feature is enabled,
$basicResponse = $response->getBasicResponse();
if ($requestBody->getNonceExtension() != $basicResponse->getNonceExtension()) {
    throw new RuntimeException("OCSP request nonce and response nonce do not match");
}
```

`$response` contains instance of the `web_eid\ocsp_php\OcspResponse` class:

- `$response->isRevoked() === false` when the certificate is not revoked
- `$response->isRevoked() === true` when the certificate is revoked (to get revoke reason, call `$response->getRevokeReason()`)
- when `$response->isRevoked()` returns null, then the certificate revoke status is unknown

To get more detailed information from response, you can use:

```
// Read response status
$response->getStatus();
$basicResponse = $response->getBasicResponse();
```

Following methods can be called with `$basicResponse`:

- `$basicResponse->getResponses()` - returns array of the responses
- `$basicResponse->getCertificates()` - returns array of X.509 certificates (phpseclib3\\File\\X509)
- `$basicResponse->getSignature()` - returns signature
- `$basicResponse->getProducedAt()` - returns DateTime object
- `$basicResponse->getThisUpdate()` - returns DateTime object
- `$basicResponse->getNextUpdate()` - returns DateTime object (is `null` when `nextUpdate` field does not exist)
- `$basicResponse->getSignatureAlgorithm()` - returns signature algorithm as string (throws exception, when signature algorithm is not implemented)
- `$basicResponse->getNonceExtension()` - returns nonce (when value is `null` then nonce extension does not exist in response)
- `$basicResponse->getCertID()` - returns response certificateID

To get the full response for debugging or logging purposes, use `$response->getResponse()`

Exceptions
==========

[](#exceptions)

All exceptions are handled by the `web_eid\ocsp_php\exceptions\OcspException` class. To catch these errors, you can enclose your code within try/catch statements:

```
try {
    // code
} catch (OcspException $e) {
    // exception handler
}
```

PHPSeclib versioning policy
===========================

[](#phpseclib-versioning-policy)

Starting from version 1.1.0 we adopt a flexible versioning policy for `phpseclib` and specify the dependency as `3.0.*`. This approach allows our library integrators to quickly incorporate security patches and minor updates from `phpseclib`.

Why we include `composer.lock`
------------------------------

[](#why-we-include-composerlock)

While it is common practice for applications to include a `composer.lock` file to lock down the specific versions of dependencies used, this is less common for libraries. However, we have chosen to include `composer.lock` in our repository to clearly indicate the exact versions of dependencies we have tested against.

Although our library is designed to work with any minor version of `phpseclib`within the specified range, the `composer.lock` file ensures that integrators are aware of the specific version we consider stable and secure. The provided `composer.lock` is intended to be used as a reference, not as a strict requirement.

Code formatting
===============

[](#code-formatting)

We are using `Prettier` for code formatting. To install Prettier, use following command:

```
npm install --global prettier @prettier/plugin-php

```

Run command for code formatting:

```
composer fix-php

```

Testing
=======

[](#testing)

Run phpunit in the root directory to run all unit tests.

```
./vendor/bin/phpunit tests

```

###  Health Score

37

—

LowBetter than 81% of packages

Maintenance29

Infrequent updates — may be unmaintained

Popularity32

Limited adoption so far

Community16

Small or concentrated contributor base

Maturity59

Maturing project, gaining track record

 Bus Factor2

2 contributors hold 50%+ of commits

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~106 days

Total

5

Last Release

841d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/dc7634aef190e56488181d8167aebcff4d1ff57a41e0e339dff84a3ef27799ea?d=identicon)[ria-eid](/maintainers/ria-eid)

---

Top Contributors

[![metsma](https://avatars.githubusercontent.com/u/5708849?v=4)](https://github.com/metsma "metsma (6 commits)")[![mrts](https://avatars.githubusercontent.com/u/44880?v=4)](https://github.com/mrts "mrts (6 commits)")[![kristelmerilain](https://avatars.githubusercontent.com/u/25638036?v=4)](https://github.com/kristelmerilain "kristelmerilain (4 commits)")

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/web-eid-ocsp-php/health.svg)

```
[![Health](https://phpackages.com/badges/web-eid-ocsp-php/health.svg)](https://phpackages.com/packages/web-eid-ocsp-php)
```

###  Alternatives

[civicrm/civicrm-core

Open source constituent relationship management for non-profits, NGOs and advocacy organizations.

751291.4k43](/packages/civicrm-civicrm-core)[phpseclib/mcrypt_compat

PHP 5.x-8.x polyfill for mcrypt extension

28131.4M43](/packages/phpseclib-mcrypt-compat)[akeneo/pim-community-dev

Akeneo PIM, the future of catalog management is open!

1.0k624.1k85](/packages/akeneo-pim-community-dev)[phpseclib/phpseclib2_compat

phpseclib 2.0 polyfill built with phpseclib 3.0

132.1M17](/packages/phpseclib-phpseclib2-compat)[shopware/core

Shopware platform is the core for all Shopware ecommerce products.

585.6M572](/packages/shopware-core)[shopware/app-php-sdk

Shopware App SDK for PHP

15109.8k3](/packages/shopware-app-php-sdk)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
