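/// <summary>
/// Builds an unsigned OCSP request for a single certificate, carrying a fresh random nonce
/// in the id-pkix-ocsp-nonce extension (RFC 6960 §4.4.1).
/// </summary>
/// <param name="id">CertID (issuer name/key hashes and serial) of the certificate to query.</param>
/// <returns>The <see cref="OcspReq"/> to post to the responder.</returns>
/// <remarks>
/// The nonce binds a response to this request so that a captured "good" response cannot be
/// replayed; it only helps if the caller compares the nonce echoed in the response against
/// the one sent (readable from the returned request via its PkixOcspNonce extension value).
/// The previous implementation derived the nonce from <c>new DateTime().Ticks</c>, which is
/// always zero, and never attached it; instead it attached an id-pkix-ocsp "extension" whose
/// value was raw OID bytes — 1.3.6.1.5.5.7.48.1 is the OCSP arc, not a request extension —
/// so that extension is dropped here.
/// </remarks>
private OcspReq GenerateOcspRequest(CertificateID id)
        {
            OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();

            ocspRequestGenerator.AddRequest(id);

            // 16 unpredictable bytes from the platform CSPRNG (fully qualified: no new using needed).
            byte[] nonce = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonce);
            }

            ArrayList oids = new ArrayList();
            Hashtable values = new Hashtable();

            oids.Add(OcspObjectIdentifiers.PkixOcspNonce);

            // extnValue is the DER encoding of Nonce ::= OCTET STRING, itself wrapped in the
            // extension's OCTET STRING — hence the double DerOctetString.
            values.Add(OcspObjectIdentifiers.PkixOcspNonce,
                       new X509Extension(false, new DerOctetString(new DerOctetString(nonce))));
            ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));

            return ocspRequestGenerator.Generate();
        }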
		/// <summary>
		/// Fetches the OCSP response for <paramref name="certificate"/> from the responder URI found in
		/// the certificate's Authority Information Access extension; that URI is also stored in <c>OcspUri</c>.
		/// </summary>
		/// <param name="certificate">Certificate whose revocation status is being queried.</param>
		/// <param name="issuerCertificate">Issuer of <paramref name="certificate"/>; its name and key are hashed into the CertID.</param>
		/// <returns>
		/// The decoded <see cref="BasicOcspResp"/>, or <c>null</c> when the certificate carries no OCSP URI,
		/// the responder could not be reached, the response carried no response bytes, or it failed to parse.
		/// </returns>
		/// <remarks>
		/// NOTE(review): nothing here validates the response — the caller must still verify the responder
		/// signature and authorisation, the response status, the CertID match and thisUpdate/nextUpdate
		/// freshness before trusting any SingleResp. No nonce is sent, so a previously captured response
		/// can be replayed until its validity window closes.
		/// </remarks>
		/// <exception cref="System.IO.IOException"></exception>
		public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)
		{
			try
			{
				this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod);
				LOG.Info("OCSP URI: " + this.OcspUri);
				if (this.OcspUri == null)
				{
					return null;
				}

				// Single-certificate request keyed by a SHA-1 CertID, the hash responders are
				// required to support (RFC 5019); no extensions, no requestor name.
				var generator = new OcspReqGenerator();
				generator.AddRequest(new CertificateID(CertificateID.HashSha1, issuerCertificate, certificate.SerialNumber));
				byte[] encodedRequest = generator.Generate().GetEncoded();

				var response = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream(encodedRequest)));
				try
				{
					return (BasicOcspResp)response.GetResponseObject();
				}
				catch (ArgumentNullException)
				{
					// A response with no responseBytes makes GetResponseObject throw rather than
					// return null (OcspResp has no null checks); treat it as "no response".
					return null;
				}
			}
			catch (CannotFetchDataException)
			{
				return null;
			}
			catch (OcspException e)
			{
				LOG.Error("OCSP error: " + e.Message);
				return null;
			}
		}
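        /// <summary>
        /// Verifies the certificate chain via OCSP.
        /// Every chain element except the root is queried at the OCSP responder named in its own
        /// Authority Information Access extension, with its chain parent as the issuer.
        /// </summary>
        /// <returns>
        /// <c>true</c>, if any certificate is reported as revoked, or if the check could not be
        /// completed (unreachable responder, unsuccessful status, unverifiable, mismatched or stale
        /// response) — the check fails closed, as it already did for exceptions;
        /// <c>false</c> otherwise, including when no certificate advertises an OCSP responder.
        /// </returns>
        /// <param name='chain'>
        /// The certificate chain, leaf first and root last, as built by
        /// <see cref="System.Security.Cryptography.X509Certificates.X509Chain"/>.
        /// </param>
        /// <remarks>
        /// Changes from the earlier version: only AIA entries with access method id-ad-ocsp are used
        /// (the first AIA entry is often a caIssuers URL); each request goes only to its own
        /// certificate's responder rather than every request to every URL; the nonce comes from a
        /// CSPRNG instead of the clock; and a response is only believed after its signature
        /// (RFC 6960 §4.2.2.2), status, CertID, validity window and nonce echo have been checked.
        /// NOTE(review): a delegated responder certificate found in the response is checked for
        /// issuance by the CA and the OCSPSigning EKU, but not itself revocation-checked (RFC 6960
        /// §4.2.2.2.1 leaves that to id-pkix-ocsp-nocheck / local policy).
        /// </remarks>
        private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
        {
            bool bCertificateIsRevoked = false;
            try {
                List<X509Certificate> bcChain = new List<X509Certificate> ();
                foreach (System.Security.Cryptography.X509Certificates.X509ChainElement element in chain.ChainElements) {
                    bcChain.Add (Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (element.Certificate));
                }

                int responderCount = 0;
                // The root is the last element and has no parent in the chain, so it is not queried.
                for (int i = 0; i < bcChain.Count - 1 && !bCertificateIsRevoked; i++) {
                    X509Certificate subject = bcChain [i];
                    X509Certificate issuer = bcChain [i + 1];
                    Uri responder = OcspResponderUriOf (subject);
                    if (responder == null) {
                        continue;
                    }
                    responderCount++;

                    byte[] nonce = NewOcspNonce ();
                    CertificateID certId = new CertificateID (CertificateID.HashSha1, issuer, subject.SerialNumber);
                    OcspReq request = BuildNoncedOcspRequest (certId, nonce);
                    BasicOcspResp response = PostOcspRequest (responder, request);
                    bCertificateIsRevoked = IsRevokedPerTrustedResponse (response, certId, nonce, issuer);
                }

                if (responderCount == 0) { SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation."); }
            } catch (Exception e) {
                // Fail closed: any failure to complete the check is reported as revoked.
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
                bCertificateIsRevoked = true;
            }
            if(bCertificateIsRevoked)
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
            return bCertificateIsRevoked;
        }

        /// <summary>
        /// Returns the first http:// OCSP responder (AIA access method id-ad-ocsp, URI name form)
        /// advertised by <paramref name="cert"/>, or <c>null</c> when it has none.
        /// </summary>
        private static Uri OcspResponderUriOf (X509Certificate cert)
        {
            X509Extensions extensions = cert.CertificateStructure.TbsCertificate.Extensions;
            if (extensions == null) {
                return null;
            }
            X509Extension aia = extensions.GetExtension (X509Extensions.AuthorityInfoAccess);
            if (aia == null) {
                return null;
            }
            AccessDescription[] descriptions = AuthorityInformationAccess.GetInstance (aia).GetAccessDescriptions ();
            if (descriptions == null) {
                return null;
            }
            foreach (AccessDescription description in descriptions) {
                // caIssuers entries share the AIA extension; only id-ad-ocsp entries are responders.
                if (!X509ObjectIdentifiers.OcspAccessMethod.Equals (description.AccessMethod)) {
                    continue;
                }
                GeneralName location = description.AccessLocation;
                if (location.TagNo != GeneralName.UniformResourceIdentifier) {
                    continue;
                }
                string url = location.Name.ToString ();
                // OCSP is carried over plain HTTP (RFC 6960 Appendix A); an https responder would
                // need its own revocation check and is not supported here.
                if (url.StartsWith ("http://", StringComparison.OrdinalIgnoreCase)) {
                    return new Uri (url);
                }
            }
            return null;
        }

        /// <summary>16 bytes from the platform CSPRNG for the id-pkix-ocsp-nonce extension.</summary>
        private static byte[] NewOcspNonce ()
        {
            byte[] nonce = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create ()) {
                rng.GetBytes (nonce);
            }
            return nonce;
        }

        /// <summary>Builds a single-certificate request for <paramref name="certId"/> carrying <paramref name="nonce"/>.</summary>
        private static OcspReq BuildNoncedOcspRequest (CertificateID certId, byte[] nonce)
        {
            OcspReqGenerator generator = new OcspReqGenerator ();
            generator.AddRequest (certId);
            List<DerObjectIdentifier> oids = new List<DerObjectIdentifier> ();
            List<X509Extension> values = new List<X509Extension> ();
            oids.Add (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            // extnValue is the DER encoding of Nonce ::= OCTET STRING (RFC 6960 §4.4.1), so the nonce
            // is wrapped twice: once as the Nonce value, once as the extension's OCTET STRING.
            values.Add (new X509Extension (false, new DerOctetString (new DerOctetString (nonce))));
            generator.SetRequestExtensions (new X509Extensions (oids, values));
            return generator.Generate ();
        }

        /// <summary>
        /// Posts <paramref name="request"/> to <paramref name="responder"/> and returns the decoded
        /// basic response. Throws when the transport fails, the responder status is not
        /// <c>successful</c>, or no basic response is present, so the caller's fail-closed path applies.
        /// </summary>
        private static BasicOcspResp PostOcspRequest (Uri responder, OcspReq request)
        {
            HttpWebRequest httpRequest = (HttpWebRequest)WebRequest.Create (responder);
            httpRequest.Method = "POST";
            httpRequest.ContentType = "application/ocsp-request";
            httpRequest.Accept = "application/ocsp-response";
            httpRequest.Timeout = 100000;          // 100 seconds to connect and receive the response headers
            httpRequest.ReadWriteTimeout = 15000;  // 15 seconds per stream read/write

            byte[] body = request.GetEncoded ();
            using (Stream requestStream = httpRequest.GetRequestStream ()) {
                requestStream.Write (body, 0, body.Length);
                requestStream.Flush ();
            }

            OcspResp ocspResponse;
            using (HttpWebResponse httpResponse = (HttpWebResponse)httpRequest.GetResponse ())
            using (Stream responseStream = httpResponse.GetResponseStream ()) {
                ocspResponse = new OcspResp (responseStream);
            }
            if (ocspResponse.Status != OcspRespStatus.Successful) {
                throw new InvalidOperationException ("OCSP responder " + responder + " returned status " + ocspResponse.Status);
            }
            BasicOcspResp basic = ocspResponse.GetResponseObject () as BasicOcspResp;
            if (basic == null) {
                throw new InvalidOperationException ("OCSP responder " + responder + " returned no basic response");
            }
            return basic;
        }

        /// <summary>
        /// Checks that <paramref name="response"/> is trustworthy for <paramref name="certId"/> and
        /// returns whether it reports the certificate as revoked. Throws when the response is not
        /// signed by the issuer or an authorised delegate, does not cover the requested CertID, lies
        /// outside its validity window, or echoes a nonce different from <paramref name="nonce"/>.
        /// </summary>
        private static bool IsRevokedPerTrustedResponse (BasicOcspResp response, CertificateID certId, byte[] nonce, X509Certificate issuer)
        {
            if (!IsSignedByAuthorisedResponder (response, issuer)) {
                throw new InvalidOperationException ("OCSP response signature could not be verified against the issuer or an authorised responder");
            }
            CheckNonceEcho (response, nonce);

            DateTime now = DateTime.UtcNow;
            bool matched = false;
            bool revoked = false;
            foreach (SingleResp single in response.Responses) {
                if (!certId.Equals (single.GetCertID ())) {
                    continue;
                }
                matched = true;
                // RFC 6960 §4.2.2.1: thisUpdate must not be in the future and nextUpdate, if present,
                // must not be in the past; five minutes of skew is allowed for clock drift.
                if (single.ThisUpdate > now.AddMinutes (5)
                    || (single.NextUpdate != null && single.NextUpdate.Value < now.AddMinutes (-5))) {
                    throw new InvalidOperationException ("OCSP response is outside its validity window");
                }
                if (single.GetCertStatus () is RevokedStatus) {
                    revoked = true;
                }
            }
            if (!matched) {
                throw new InvalidOperationException ("OCSP response does not cover the requested certificate");
            }
            return revoked;
        }

        /// <summary>
        /// Compares the nonce echoed in <paramref name="response"/> with <paramref name="sent"/>.
        /// A missing nonce is tolerated (RFC 5019 responders serve pre-produced responses without
        /// one; freshness then rests on the validity-window check); a present but different nonce
        /// indicates a replayed or foreign response and throws.
        /// </summary>
        private static void CheckNonceEcho (BasicOcspResp response, byte[] sent)
        {
            Asn1OctetString extnValue = response.GetExtensionValue (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            if (extnValue == null) {
                return;
            }
            byte[] echoed = extnValue.GetOctets ();
            // Conforming responders wrap the nonce as Nonce ::= OCTET STRING; some return the raw bytes.
            try {
                Asn1OctetString inner = Asn1Object.FromByteArray (echoed) as Asn1OctetString;
                if (inner != null) {
                    echoed = inner.GetOctets ();
                }
            } catch (IOException) {
                // not DER: compare the raw bytes
            }
            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual (sent, echoed)) {
                throw new InvalidOperationException ("OCSP response nonce does not match the request nonce");
            }
        }

        /// <summary>
        /// RFC 6960 §4.2.2.2: the response must be signed by the certificate issuer itself, or by a
        /// certificate carried in the response that was issued by that issuer, is currently valid and
        /// carries the id-kp-OCSPSigning extended key usage. Any other signer is rejected.
        /// </summary>
        private static bool IsSignedByAuthorisedResponder (BasicOcspResp response, X509Certificate issuer)
        {
            if (response.Verify (issuer.GetPublicKey ())) {
                return true;
            }
            X509Certificate[] carried = response.GetCerts ();
            if (carried == null) {
                return false;
            }
            foreach (X509Certificate candidate in carried) {
                if (!response.Verify (candidate.GetPublicKey ())) {
                    continue;
                }
                if (!candidate.IsValid (DateTime.UtcNow) || !HasOcspSigningEku (candidate)) {
                    continue;
                }
                try {
                    candidate.Verify (issuer.GetPublicKey ());   // throws unless issued by the CA
                } catch (Org.BouncyCastle.Security.GeneralSecurityException) {
                    continue;
                }
                return true;
            }
            return false;
        }

        /// <summary>True when <paramref name="cert"/> has an extendedKeyUsage extension containing id-kp-OCSPSigning.</summary>
        private static bool HasOcspSigningEku (X509Certificate cert)
        {
            Asn1OctetString extnValue = cert.GetExtensionValue (X509Extensions.ExtendedKeyUsage);
            if (extnValue == null) {
                return false;
            }
            ExtendedKeyUsage eku = ExtendedKeyUsage.GetInstance (Asn1Object.FromByteArray (extnValue.GetOctets ()));
            return eku.HasKeyPurposeId (KeyPurposeID.IdKPOcspSigning);
        }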
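        /// <summary>
        /// Generate OCSP Request for <paramref name="id"/>, naming <paramref name="cert"/>'s subject
        /// as requestorName and attaching a random nonce.
        /// </summary>
        /// <param name="id">CertID of the certificate whose status is requested.</param>
        /// <param name="cert">Certificate whose subject DN is sent as the requestorName.</param>
        /// <returns>The DER-encoded, unsigned OCSPRequest.</returns>
        /// <remarks>
        /// The nonce now comes from the platform CSPRNG: <c>System.Random</c> is not a cryptographic
        /// generator, and a predictable nonce defeats the replay protection the nonce exists for.
        /// The nonce only helps if the caller compares the id-pkix-ocsp-nonce value echoed in the
        /// response with the one sent here.
        /// The earlier id-pkix-ocsp "extension" carrying raw OID bytes is dropped: 1.3.6.1.5.5.7.48.1
        /// is the OCSP arc, not a request extension, and its value was not a valid encoding of anything.
        /// </remarks>
        byte[] GenerateOCSPRequest(Org.BouncyCastle.Ocsp.CertificateID id,
                                   Org.BouncyCastle.X509.X509Certificate cert)
        {
            // 16 unpredictable bytes (fully qualified so no new using is required).
            byte[] nonce = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonce);
            }

            //Create OCSP Request
            var gen = new Org.BouncyCastle.Ocsp.OcspReqGenerator();

            gen.AddRequest(id);
            gen.SetRequestorName(new Org.BouncyCastle.Asn1.X509.GeneralName(
                                     Org.BouncyCastle.Asn1.X509.GeneralName.DirectoryName, cert.SubjectDN));

            IList oids   = new ArrayList();
            IList values = new ArrayList();

            // extnValue is the DER of Nonce ::= OCTET STRING (RFC 6960 §4.4.1), hence the double wrapping.
            oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            values.Add(new X509Extension(false,
                                         new Org.BouncyCastle.Asn1.DerOctetString(
                                             new Org.BouncyCastle.Asn1.DerOctetString(nonce))));

            gen.SetRequestExtensions(new X509Extensions(oids, values));

            var req = gen.Generate();

            return(req.GetEncoded());
        }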
        /// <summary>
        /// Creates the OCSP request to send to the OCSP responder for one client certificate.
        /// </summary>
        /// <param name="issuerCert">Certificate of the issuer of the client certificate; its name and public key are hashed into the CertID</param>
        /// <param name="serialNumber">Serial number of the client certificate</param>
        /// <returns>Unsigned OCSP request to be sent to the OCSP responder</returns>
        /// <remarks>
        /// NOTE(review): no nonce extension is attached, so a response cannot be tied to this
        /// particular request; callers that need freshness must check thisUpdate/nextUpdate
        /// on the response. SHA-1 is the CertID hash responders are required to support (RFC 5019).
        /// </remarks>
        private BouncyCastleOCSP.OcspReq CreateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
        {
            var certId = new BouncyCastleOCSP.CertificateID(BouncyCastleOCSP.CertificateID.HashSha1, issuerCert, serialNumber);

            var generator = new BouncyCastleOCSP.OcspReqGenerator();
            generator.AddRequest(certId);

            return generator.Generate();
        }
        /// <summary>
        /// Builds the OCSP request body for <paramref name="cert"/>: a single CertID (SHA-1 over the
        /// issuer name and key, plus the serial) with no extensions and no requestor name.
        /// </summary>
        /// <param name="cert">The certificate whose status is being requested.</param>
        /// <param name="issuer">Its issuer, converted to a BouncyCastle certificate for hashing.</param>
        /// <returns>The unsigned <see cref="BCO.OcspReq"/>.</returns>
        private static BCO.OcspReq GetOcspReqBody(this X509Certificate2 cert, X509Certificate2 issuer)
        {
            var bcIssuer = DotNetUtilities.FromX509Certificate(issuer);
            var serial = DotNetUtilities.FromX509Certificate(cert).SerialNumber;
            var certId = new BCO.CertificateID(BCO.CertificateID.HashSha1, bcIssuer, serial);

            var generator = new BCO.OcspReqGenerator();
            generator.AddRequest(certId);
            return generator.Generate();
        }
        /// <summary>
        /// Produces the DER-encoded OCSP request for the certificate with
        /// <paramref name="subjectSerialNumber"/> issued by <paramref name="issuerCert"/>.
        /// </summary>
        /// <param name="subjectSerialNumber">Serial number of the certificate being checked.</param>
        /// <param name="issuerCert">Its issuing certificate; name and key are hashed into the CertID.</param>
        /// <returns>The encoded OCSPRequest bytes, ready to POST to the responder.</returns>
        private static byte[] GenerateOcspRequest(BigInteger subjectSerialNumber, X509Certificate issuerCert)
        {
            var certId = new CertificateID(CertificateID.HashSha1, issuerCert, subjectSerialNumber);

            // No nonce or other extensions: the request is exactly one CertID.
            var generator = new OcspReqGenerator();
            generator.AddRequest(certId);

            return generator.Generate().GetEncoded();
        }
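 /// <summary>
 /// Generates an OCSP request using BouncyCastle, with a random nonce.
 /// </summary>
 /// <param name="issuerCert">certificate of the issuer</param>
 /// <param name="serialNumber">serial number of the certificate being checked</param>
 /// <returns>an unsigned OCSP request carrying an id-pkix-ocsp-nonce extension</returns>
 /// <exception cref="OcspException"></exception>
 /// <exception cref="System.IO.IOException"></exception>
 /// <remarks>
 /// The nonce is drawn from the platform CSPRNG instead of <c>PdfEncryption.CreateDocumentId()</c>,
 /// a PDF document-ID helper that is not documented as an unpredictable random source. The nonce
 /// only protects against replay if the caller compares it with the one echoed in the response.
 /// </remarks>
 private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) {
     // Generate the id for the certificate we are looking for
     CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
     
     // basic request generation with nonce
     OcspReqGenerator gen = new OcspReqGenerator();
     
     gen.AddRequest(id);
     
     // 16 unpredictable bytes for the nonce (fully qualified so no new using is required)
     byte[] nonce = new byte[16];
     using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create()) {
         rng.GetBytes(nonce);
     }
     
     // create details for nonce extension; extnValue is the DER of Nonce ::= OCTET STRING (RFC 6960 §4.4.1)
     IDictionary extensions = new Hashtable();
     
     extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(nonce).GetEncoded()));
     
     gen.SetRequestExtensions(new X509Extensions(extensions));
     
     return gen.Generate();
 }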
        /// <summary>
        /// Builds an OCSP request from pre-computed CertID components and returns it together with
        /// that CertID, so the caller can match it against the SingleResp entries of the response.
        /// </summary>
        /// <param name="issuerNameHash">Hash of the issuer name for the CertID; the CertID declares SHA-1, so this is expected to be a SHA-1 digest.</param>
        /// <param name="issuerKeyHash">Hash of the issuer public key for the CertID; likewise expected to be SHA-1.</param>
        /// <param name="serialNumber">Certificate serial number as a decimal string (BouncyCastle's <see cref="BigInteger"/> string constructor parses base 10).</param>
        /// <returns>The generated request together with its CertID.</returns>
        static OcspReqAndId CreateOcspRequest(Asn1OctetString issuerNameHash,
            Asn1OctetString issuerKeyHash, string serialNumber)
        {
            var certId = new CertID(
                new AlgorithmIdentifier(X509ObjectIdentifiers.IdSha1, DerNull.Instance),
                issuerNameHash,
                issuerKeyHash,
                new DerInteger(new BigInteger(serialNumber)));

            var generator = new OcspReqGenerator();
            generator.AddRequest(new CertificateID(certId));

            return new OcspReqAndId(generator.Generate(), certId);
        }