private void ValidateResponse(BasicOcspResp or, X509Certificate issuerCert) { X509Certificate OCSPRespondercert = or.GetCerts()[0]; ValidateSignerAuthorization(issuerCert, OCSPRespondercert); ValidateResponseSignature(or, OCSPRespondercert.GetPublicKey()); }
//2. The signature on the response is valid; private void ValidateResponseSignature(BasicOcspResp or, Org.BouncyCastle.Crypto.AsymmetricKeyParameter asymmetricKeyParameter) { if (!or.Verify(asymmetricKeyParameter)) { throw new OCSPExpection("Invalid OCSP signature"); } }
private void ValidarResponseSignature(BasicOcspResp in_OcspResp, Org.BouncyCastle.Crypto.AsymmetricKeyParameter in_PublicKey) { if (!in_OcspResp.Verify(in_PublicKey)) { throw new Exception("Firma OCSP Invalida"); } }
/// <param name="ocspResp"></param> /// <returns></returns> public virtual bool Match(BasicOcspResp ocspResp) { try { IDigest digest = DigestUtilities.GetDigest(algorithm); byte[] oscpBytes; if (matchOnlyBasicOCSPResponse) { oscpBytes = ocspResp.GetEncoded(); } else { oscpBytes = OCSPUtils.FromBasicToResp(ocspResp).GetEncoded(); } digest.BlockUpdate(oscpBytes, 0, oscpBytes.Length); byte[] computedValue = DigestUtilities.DoFinal(digest); LOG.Info("Compare " + Hex.ToHexString(digestValue) + " to computed value " + Hex.ToHexString(computedValue) + " of BasicOcspResp produced at " + ocspResp .ProducedAt); return(Arrays.Equals(digestValue, computedValue)); } catch (NoSuchAlgorithmException ex) { throw new RuntimeException("Maybe BouncyCastle provider is not installed ?", ex); } catch (IOException ex) { throw new RuntimeException(ex); } }
private List <RevocationInfo> GetRevocationInfos(BasicOcspResp basicOcspResp) { List <RevocationInfo> responses = new List <RevocationInfo>(); foreach (var response in basicOcspResp.Responses) { object status = response.GetCertStatus(); switch (status) { case null: case UnknownStatus unknownStatus: responses.Add(RevocationInfo.UnknownRevocationInfo); break; case RevokedStatus revokedStatus: var item2 = revokedStatus.HasRevocationReason ? new CrlReason(revokedStatus.RevocationReason).ToString() : "Unknown"; responses.Add(new RevocationInfo(revokedStatus.RevocationTime, item2)); break; default: responses.Add(RevocationInfo.UnknownRevocationInfo); break; } } return(responses); }
/// <summary>Gets OCSP response.</summary> /// <remarks> /// Gets OCSP response. If /// <see cref="OCSPVerifier"/> /// was set, the response will be checked. /// </remarks> /// <param name="checkCert">to certificate to check</param> /// <param name="rootCert">the parent certificate</param> /// <param name="url">to get the verification</param> public virtual BasicOcspResp GetBasicOCSPResp(X509Certificate checkCert, X509Certificate rootCert, String url) { try { OcspResp ocspResponse = GetOcspResponse(checkCert, rootCert, url); if (ocspResponse == null) { return(null); } if (ocspResponse.Status != Org.BouncyCastle.Asn1.Ocsp.OcspResponseStatus.Successful) { return(null); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (verifier != null) { verifier.IsValidResponse(basicResponse, rootCert); } return(basicResponse); } catch (Exception ex) { LOGGER.Error(ex.Message); } return(null); }
private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext cert) { CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert); if (issuerCertificate == null) { return(false); } else { //try //{ CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate .Certificate, cert.Certificate.SerialNumber); foreach (SingleResp resp in basicOcspResp.Responses) { if (resp.GetCertID().Equals(matchingCertID)) { return(true); } } return(false); //} //catch (OcspException ex) //{ // throw new RuntimeException(ex); //} } }
/** * Gets an encoded byte array with OCSP validation. The method should not throw an exception. * @param checkCert to certificate to check * @param rootCert the parent certificate * @param the url to get the verification. It it's null it will be taken * from the check cert or from other implementation specific source * @return a byte array with the validation or null if the validation could not be obtained */ public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } } catch (Exception ex) { if (LOGGER.IsLogging(Level.ERROR)) { LOGGER.Error(ex.Message); } } return(null); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Org.BouncyCastle.Operator.OperatorCreationException"/> /// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/> public virtual bool VerifyAuthorizedOCSPResponderTest(DateTime ocspResponderCertStartDate, DateTime ocspResponderCertEndDate , DateTime checkDate) { X509Certificate caCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(certsSrc + "intermediateRsa.p12" , password)[0]; ICipherParameters caPrivateKey = Pkcs12FileHelper.ReadFirstKey(certsSrc + "intermediateRsa.p12", password, password); String checkCertFileName = certsSrc + "signCertRsaWithChain.p12"; X509Certificate checkCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(checkCertFileName, password)[ 0]; RsaKeyPairGenerator keyGen = SignTestPortUtil.BuildRSA2048KeyPairGenerator(); AsymmetricCipherKeyPair key = keyGen.GenerateKeyPair(); ICipherParameters ocspRespPrivateKey = key.Private; AsymmetricKeyParameter ocspRespPublicKey = key.Public; TestCertificateBuilder certBuilder = new TestCertificateBuilder(ocspRespPublicKey, caCert, caPrivateKey, "CN=iTextTestOCSPResponder, OU=test, O=iText" ); certBuilder.SetStartDate(ocspResponderCertStartDate); certBuilder.SetEndDate(ocspResponderCertEndDate); X509Certificate ocspResponderCert = certBuilder.BuildAuthorizedOCSPResponderCert(); TestOcspResponseBuilder builder = new TestOcspResponseBuilder(ocspResponderCert, ocspRespPrivateKey); TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder); byte[] basicOcspRespBytes = ocspClient.GetEncoded(checkCert, caCert, null); Asn1Object var2 = Asn1Object.FromByteArray(basicOcspRespBytes); BasicOcspResp basicOCSPResp = new BasicOcspResp(BasicOcspResponse.GetInstance(var2)); OCSPVerifier ocspVerifier = new OCSPVerifier(null, null); return(ocspVerifier.Verify(basicOCSPResp, checkCert, caCert, checkDate)); }
public virtual byte[] MakeOcspResponse(byte[] requestBytes) { OcspReq ocspRequest = new OcspReq(requestBytes); Req[] requestList = ocspRequest.GetRequestList(); X509Extension extNonce = ocspRequest.RequestExtensions.GetExtension(OcspObjectIdentifiers.PkixOcspNonce); if (extNonce != null) { // TODO ensure X509Extensions responseExtensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>() { { OcspObjectIdentifiers.PkixOcspNonce, extNonce } }); responseBuilder.SetResponseExtensions(responseExtensions); } foreach (Req req in requestList) { responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null); } DateTime time = DateTimeUtil.GetCurrentUtcTime(); BasicOcspResp ocspResponse = responseBuilder.Generate(new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey), new X509Certificate[] { issuerCert }, time); // return new OCSPRespBuilder().build(ocspResult, ocspResponse).getEncoded(); return(ocspResponse.GetEncoded()); }
/** * Verifies if the signature of the response is valid. * If it doesn't verify against the responder certificate, it may verify * using a trusted anchor. * @param ocspResp the response object * @param responderCert the certificate that may be used to sign the response * @return true if the response can be trusted */ virtual public bool VerifyResponse(BasicOcspResp ocspResp, X509Certificate responderCert) { // testing using the responder certificate if (IsSignatureValid(ocspResp, responderCert)) { return(true); } // testing using trusted anchors if (certificates == null) { return(false); } try { // loop over the certificates in the root store foreach (X509Certificate anchor in certificates) { try { if (IsSignatureValid(ocspResp, anchor)) { return(true); } } catch (GeneralSecurityException) {} } } catch (GeneralSecurityException) { return(false); } return(false); }
/** * Verifies if an OCSP response is genuine * @param ocspResp the OCSP response * @param issuerCert the issuer certificate * @throws GeneralSecurityException * @throws IOException */ virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) { // by default the OCSP responder certificate is the issuer certificate X509Certificate responderCert = issuerCert; // check if there's a responder certificate X509Certificate[] certs = ocspResp.GetCerts(); if (certs.Length > 0) { responderCert = certs[0]; try { responderCert.Verify(issuerCert.GetPublicKey()); } catch (GeneralSecurityException) { if (base.Verify(responderCert, issuerCert, DateTime.MaxValue).Count == 0) { throw new VerificationException(responderCert, String.Format("{0} Responder certificate couldn't be verified", responderCert)); } } } // verify if the signature of the response is valid if (!VerifyResponse(ocspResp, responderCert)) { throw new VerificationException(responderCert, String.Format("{0} OCSP response could not be verified", responderCert)); } }
/** * Verifies a certificate against a single OCSP response * @param ocspResp the OCSP response * @param signCert the certificate that needs to be checked * @param issuerCert the certificate of CA * @param signDate sign date * @return {@code true}, in case successful check, otherwise false. * @throws GeneralSecurityException * @throws IOException */ virtual public bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, DateTime signDate) { if (ocspResp == null) { return(false); } // Getting the responses SingleResp[] resp = ocspResp.Responses; for (int i = 0; i < resp.Length; ++i) { // check if the serial number corresponds if (!signCert.SerialNumber.Equals(resp[i].GetCertID().SerialNumber)) { continue; } // check if the issuer matches try { if (issuerCert == null) { issuerCert = signCert; } if (!resp[i].GetCertID().MatchesIssuer(issuerCert)) { LOGGER.Info("OCSP: Issuers doesn't match."); continue; } } catch (OcspException) { continue; } // check if the OCSP response was valid at the time of signing DateTimeObject nextUpdate = resp[i].NextUpdate; DateTime nextUpdateDate; if (nextUpdate == null) { nextUpdateDate = resp[i].ThisUpdate.AddSeconds(180); LOGGER.Info("No 'next update' for OCSP Response; assuming " + nextUpdateDate); } else { nextUpdateDate = nextUpdate.Value; } if (signDate > nextUpdateDate) { if (LOGGER.IsLogging(Level.INFO)) { LOGGER.Info(String.Format("OCSP no longer valid: {0} after {1}", signDate, nextUpdateDate)); } continue; } // check the status of the certificate Object status = resp[i].GetCertStatus(); if (status == CertificateStatus.Good) { // check if the OCSP response was genuine IsValidResponse(ocspResp, issuerCert); return(true); } } return(false); }
public FirmaXades.Clients.CertificateStatus ProcessOcspResponse(byte[] binaryResp) { if (binaryResp.Length != 0) { OcspResp ocspResp = new OcspResp(binaryResp); FirmaXades.Clients.CertificateStatus result = FirmaXades.Clients.CertificateStatus.Unknown; if (ocspResp.Status != 0) { throw new Exception("Unknow status '" + ocspResp.Status + "'."); } BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); if (basicOcspResp.Responses.Length == 1) { SingleResp singleResp = basicOcspResp.Responses[0]; object certStatus = singleResp.GetCertStatus(); if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { result = FirmaXades.Clients.CertificateStatus.Good; } else if (certStatus is RevokedStatus) { result = FirmaXades.Clients.CertificateStatus.Revoked; } else if (certStatus is UnknownStatus) { result = FirmaXades.Clients.CertificateStatus.Unknown; } } return(result); } return(FirmaXades.Clients.CertificateStatus.Unknown); }
static void CheckValidityOfResponse(CertID id, BasicOcspResp responseObject, Ca ca) { var inputStream = new MemoryStream(responseObject.GetEncoded()); var asn1Sequence = (Asn1Sequence) new Asn1InputStream(inputStream).ReadObject(); var response = BasicOcspResponse.GetInstance(asn1Sequence); var ocspChain = CreateOcspCertificateChain(ca); if (ocspChain.Length == 0) { throw new OcspException("OCSP certificate chain is invalid"); } var ocesOcspCertificate = OcesCertificateFactory.Instance.Generate(CompleteOcspChain(response, ocspChain)); CheckBasicOcspResp(id, responseObject, ocesOcspCertificate, ca); var signingCertificate = new X509CertificateParser().ReadCertificate(response.Certs[0].GetEncoded()); var issuingCertificate = new X509CertificateParser().ReadCertificate(ocspChain[0].GetRawCertData()); signingCertificate.Verify(issuingCertificate.GetPublicKey()); if (!responseObject.Verify(signingCertificate.GetPublicKey())) { throw new OcspException("Signature is invalid"); } }
/// <summary>Gets an encoded byte array with OCSP validation.</summary> /// <remarks>Gets an encoded byte array with OCSP validation. The method should not throw an exception.</remarks> /// <param name="checkCert">to certificate to check</param> /// <param name="rootCert">the parent certificate</param> /// <param name="url"> /// to get the verification. It it's null it will be taken /// from the check cert or from other implementation specific source /// </param> /// <returns>a byte array with the validation or null if the validation could not be obtained</returns> public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else { if (status is RevokedStatus) { throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_REVOKED); } else { throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_UNKNOWN); } } } } } catch (Exception ex) { LOGGER.Error(ex.Message); } return(null); }
public OcspResponse ParseOcspResponse(BasicOcspResp brep) { SingleResp singleResp = brep.Responses.Single(); var itstatus = singleResp.GetCertStatus(); var status = new OcspResponse() { ProducedAt = brep.ProducedAt, ThisUpdate = singleResp.ThisUpdate, NextUpdate = singleResp.NextUpdate.Value }; if (itstatus == CertificateStatus.Good) { status.Status = OcspRevocationStatus.Good; } else if (itstatus is RevokedStatus revokedStatus) { status.Status = OcspRevocationStatus.Revoked; status.RevocationTime = revokedStatus.RevocationTime; try { status.RevocationReason = revokedStatus.RevocationReason; } catch (InvalidOperationException) { status.RevocationReason = -1; } } else { status.Status = OcspRevocationStatus.Unknown; } return(status); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod) { bool byKey = false; List <string> list = new List <string>(); Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate(); OcspClient ocspClient = new OcspClient(); string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate); if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl)) { list.Add(authorityInformationAccessOcspUrl); } foreach (string ocspServer in ocspServers) { list.Add(ocspServer); } foreach (string item in list) { byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item); switch (ocspClient.ProcessOcspResponse(array)) { case FirmaXades.Clients.CertificateStatus.Revoked: throw new Exception("Certificado revocado"); case FirmaXades.Clients.CertificateStatus.Good: { OcspResp ocspResp = new OcspResp(array); byte[] encoded = ocspResp.GetEncoded(); BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); string str = Guid.NewGuid().ToString(); OCSPRef oCSPRef = new OCSPRef(); oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str; DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest); ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object(); string responderName = GetResponderName(responderId, ref byKey); if (!byKey) { oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName); } else { oCSPRef.OCSPIdentifier.ResponderID = responderName; oCSPRef.OCSPIdentifier.ByKey = true; } oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef); OCSPValue oCSPValue = new OCSPValue(); oCSPValue.PkiData = encoded; oCSPValue.Id = "OcspValue" + str; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue); return((from cert in basicOcspResp.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } } throw new Exception("El certificado no ha podido ser validado"); }
static bool SerialNumberInResponseIsNotRevoked(BasicOcspResp response, string serialNumber) { var responseElements = new List <SingleResp>(response.Responses); return(responseElements .Exists(r => r.GetCertStatus() == null && r.GetCertID().SerialNumber.ToString() == serialNumber)); }
/** * Checks if an OCSP response is genuine * @param ocspResp the OCSP response * @param responderCert the responder certificate * @return true if the OCSP response verifies against the responder certificate */ virtual public bool IsSignatureValid(BasicOcspResp ocspResp, X509Certificate responderCert) { try { return(ocspResp.Verify(responderCert.GetPublicKey())); } catch (OcspException) { return(false); } }
static bool CertificateIsValid(CertID id, OcspResp ocspResp, string serialNumber, Ca ca) { CheckOcspResp(ocspResp); BasicOcspResp response = GetResponseObject(ocspResp); CheckValidityOfResponse(id, response, ca); return(SerialNumberInResponseIsNotRevoked(response, serialNumber)); }
/// <summary>Checks if an OCSP response is genuine</summary> /// <param name="ocspResp">the OCSP response</param> /// <param name="responderCert">the responder certificate</param> /// <returns>true if the OCSP response verifies against the responder certificate</returns> public virtual bool IsSignatureValid(BasicOcspResp ocspResp, X509Certificate responderCert) { try { return(SignUtils.IsSignatureValid(ocspResp, responderCert)); } catch (Exception) { return(false); } }
virtual public bool VerifyResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) { try { IsValidResponse(ocspResp, issuerCert); return(true); } catch (Exception e) { return(false); } }
/** * @return a byte array * @see com.lowagie.text.pdf.OcspClient#getEncoded() */ public byte[] GetEncoded() { OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } return(null); }
/// <summary> /// @see com.lowagie.text.pdf.OcspClient#getEncoded() /// </summary> /// <returns> a byte array</returns> public byte[] GetEncoded() { OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url); con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStreamAsync().Result; outp.Write(array, 0, array.Length); outp.Dispose(); HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result; if (response.StatusCode != HttpStatusCode.OK) { throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}"); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Dispose(); response.Dispose(); if (ocspResponse.Status != 0) { throw new IOException("Invalid status: " + ocspResponse.Status); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is RevokedStatus) { throw new IOException("OCSP Status is revoked!"); } else { throw new IOException("OCSP Status is unknown!"); } } } return(null); }
/// <summary>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL). /// </summary> /// <remarks>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL). /// </remarks> /// <param name="basicOCSPResp"></param> /// <returns></returns> public static OcspResp FromBasicToResp(BasicOcspResp basicOCSPResp) { try { return(FromBasicToResp(basicOCSPResp.GetEncoded())); } catch (IOException e) { throw new RuntimeException(e); } }
/// <summary> /// Create a reference on a OcspResp /// </summary> private static OcspResponsesID MakeOcspResponsesID(BasicOcspResp ocspResp) { byte[] digestValue = DigestUtilities.CalculateDigest (X509ObjectIdentifiers.IdSha1, ocspResp.GetEncoded()); OtherHash hash = new OtherHash(digestValue); OcspResponsesID ocsprespid = new OcspResponsesID(new OcspIdentifier(ocspResp.ResponderId .ToAsn1Object(), ocspResp.ProducedAt), hash); logger.Info("Incorporate OcspResponseId[hash=" + Hex.ToHexString(digestValue) + ",producedAt=" + ocspResp.ProducedAt); return(ocsprespid); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(byte[] binaryResp, bool checkNonce) { if (binaryResp.Length == 0) { return(CertificateStatus.Unknown); } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (checkNonce) { if (or.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).ToString() != _nonceAsn1OctetString.ToString()) { throw new Exception("Bad nonce value"); } } if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return(cStatus); }
public override bool Equals(object obj) { if (obj == this) { return(true); } BasicOcspResp basicOcspResp = obj as BasicOcspResp; if (basicOcspResp == null) { return(false); } return(resp.Equals(basicOcspResp.resp)); }
private CertificateStatus processOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp, out string respMsg) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); validateResponse(or, issuerCert); respMsg = string.Empty; if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; validateCertificateId(issuerCert, clientCert, resp.GetCertID()); validateThisUpdate(resp); validateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.good; respMsg = "Certificado Válido"; } else if (certificateStatus is RevokedStatus) { cStatus = CertificateStatus.revoked; respMsg = "Certificado Revocado"; } else if (certificateStatus is UnknownStatus) { cStatus = CertificateStatus.unknown; respMsg = "Certificado Desconocido"; } } break; default: respMsg = "No se ha podido procesar la respuesta OCSP"; //throw new Exception("Status Desconocido '" + r.Status + "'."); return(cStatus); } return(cStatus); }