private void ValidateResponse(BasicOcspResp or, X509Certificate issuerCert)
{
X509Certificate OCSPRespondercert = or.GetCerts()[0];
ValidateSignerAuthorization(issuerCert, OCSPRespondercert);
ValidateResponseSignature(or, OCSPRespondercert.GetPublicKey());
}
//2. The signature on the response is valid;
private void ValidateResponseSignature(BasicOcspResp or, Org.BouncyCastle.Crypto.AsymmetricKeyParameter asymmetricKeyParameter)
{
if (!or.Verify(asymmetricKeyParameter))
{
throw new OCSPExpection("Invalid OCSP signature");
}
}
private void ValidarResponseSignature(BasicOcspResp in_OcspResp, Org.BouncyCastle.Crypto.AsymmetricKeyParameter in_PublicKey)
{
if (!in_OcspResp.Verify(in_PublicKey))
{
throw new Exception("Firma OCSP Invalida");
}
}
/// <param name="ocspResp"></param>
/// <returns></returns>
public virtual bool Match(BasicOcspResp ocspResp)
{
try
{
IDigest digest = DigestUtilities.GetDigest(algorithm);
byte[] oscpBytes;
if (matchOnlyBasicOCSPResponse)
{
oscpBytes = ocspResp.GetEncoded();
}
else
{
oscpBytes = OCSPUtils.FromBasicToResp(ocspResp).GetEncoded();
}
digest.BlockUpdate(oscpBytes, 0, oscpBytes.Length);
byte[] computedValue = DigestUtilities.DoFinal(digest);
LOG.Info("Compare " + Hex.ToHexString(digestValue) + " to computed value " +
Hex.ToHexString(computedValue) + " of BasicOcspResp produced at " + ocspResp
.ProducedAt);
return(Arrays.Equals(digestValue, computedValue));
}
catch (NoSuchAlgorithmException ex)
{
throw new RuntimeException("Maybe BouncyCastle provider is not installed ?", ex);
}
catch (IOException ex)
{
throw new RuntimeException(ex);
}
}
private List <RevocationInfo> GetRevocationInfos(BasicOcspResp basicOcspResp)
{
List <RevocationInfo> responses = new List <RevocationInfo>();
foreach (var response in basicOcspResp.Responses)
{
object status = response.GetCertStatus();
switch (status)
{
case null:
case UnknownStatus unknownStatus:
responses.Add(RevocationInfo.UnknownRevocationInfo);
break;
case RevokedStatus revokedStatus:
var item2 = revokedStatus.HasRevocationReason ? new CrlReason(revokedStatus.RevocationReason).ToString() : "Unknown";
responses.Add(new RevocationInfo(revokedStatus.RevocationTime, item2));
break;
default:
responses.Add(RevocationInfo.UnknownRevocationInfo);
break;
}
}
return(responses);
}
/// <summary>Gets OCSP response.</summary>
/// <remarks>
/// Gets OCSP response. If
/// <see cref="OCSPVerifier"/>
/// was set, the response will be checked.
/// </remarks>
/// <param name="checkCert">to certificate to check</param>
/// <param name="rootCert">the parent certificate</param>
/// <param name="url">to get the verification</param>
public virtual BasicOcspResp GetBasicOCSPResp(X509Certificate checkCert, X509Certificate rootCert, String
url)
{
try {
OcspResp ocspResponse = GetOcspResponse(checkCert, rootCert, url);
if (ocspResponse == null)
{
return(null);
}
if (ocspResponse.Status != Org.BouncyCastle.Asn1.Ocsp.OcspResponseStatus.Successful)
{
return(null);
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (verifier != null)
{
verifier.IsValidResponse(basicResponse, rootCert);
}
return(basicResponse);
}
catch (Exception ex) {
LOGGER.Error(ex.Message);
}
return(null);
}
private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext
cert)
{
CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert);
if (issuerCertificate == null)
{
return(false);
}
else
{
//try
//{
CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate
.Certificate, cert.Certificate.SerialNumber);
foreach (SingleResp resp in basicOcspResp.Responses)
{
if (resp.GetCertID().Equals(matchingCertID))
{
return(true);
}
}
return(false);
//}
//catch (OcspException ex)
//{
// throw new RuntimeException(ex);
//}
}
}
/**
* Gets an encoded byte array with OCSP validation. The method should not throw an exception.
* @param checkCert to certificate to check
* @param rootCert the parent certificate
* @param the url to get the verification. It it's null it will be taken
* from the check cert or from other implementation specific source
* @return a byte array with the validation or null if the validation could not be obtained
*/
public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try {
BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url);
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
}
catch (Exception ex) {
if (LOGGER.IsLogging(Level.ERROR))
{
LOGGER.Error(ex.Message);
}
}
return(null);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.BouncyCastle.Operator.OperatorCreationException"/>
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
public virtual bool VerifyAuthorizedOCSPResponderTest(DateTime ocspResponderCertStartDate, DateTime ocspResponderCertEndDate
, DateTime checkDate)
{
X509Certificate caCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(certsSrc + "intermediateRsa.p12"
, password)[0];
ICipherParameters caPrivateKey = Pkcs12FileHelper.ReadFirstKey(certsSrc + "intermediateRsa.p12", password,
password);
String checkCertFileName = certsSrc + "signCertRsaWithChain.p12";
X509Certificate checkCert = (X509Certificate)Pkcs12FileHelper.ReadFirstChain(checkCertFileName, password)[
0];
RsaKeyPairGenerator keyGen = SignTestPortUtil.BuildRSA2048KeyPairGenerator();
AsymmetricCipherKeyPair key = keyGen.GenerateKeyPair();
ICipherParameters ocspRespPrivateKey = key.Private;
AsymmetricKeyParameter ocspRespPublicKey = key.Public;
TestCertificateBuilder certBuilder = new TestCertificateBuilder(ocspRespPublicKey, caCert, caPrivateKey, "CN=iTextTestOCSPResponder, OU=test, O=iText"
);
certBuilder.SetStartDate(ocspResponderCertStartDate);
certBuilder.SetEndDate(ocspResponderCertEndDate);
X509Certificate ocspResponderCert = certBuilder.BuildAuthorizedOCSPResponderCert();
TestOcspResponseBuilder builder = new TestOcspResponseBuilder(ocspResponderCert, ocspRespPrivateKey);
TestOcspClient ocspClient = new TestOcspClient().AddBuilderForCertIssuer(caCert, builder);
byte[] basicOcspRespBytes = ocspClient.GetEncoded(checkCert, caCert, null);
Asn1Object var2 = Asn1Object.FromByteArray(basicOcspRespBytes);
BasicOcspResp basicOCSPResp = new BasicOcspResp(BasicOcspResponse.GetInstance(var2));
OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
return(ocspVerifier.Verify(basicOCSPResp, checkCert, caCert, checkDate));
}
public virtual byte[] MakeOcspResponse(byte[] requestBytes)
{
OcspReq ocspRequest = new OcspReq(requestBytes);
Req[] requestList = ocspRequest.GetRequestList();
X509Extension extNonce = ocspRequest.RequestExtensions.GetExtension(OcspObjectIdentifiers.PkixOcspNonce);
if (extNonce != null)
{
// TODO ensure
X509Extensions responseExtensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
{
{ OcspObjectIdentifiers.PkixOcspNonce, extNonce }
});
responseBuilder.SetResponseExtensions(responseExtensions);
}
foreach (Req req in requestList)
{
responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null);
}
DateTime time = DateTimeUtil.GetCurrentUtcTime();
BasicOcspResp ocspResponse = responseBuilder.Generate(new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey), new X509Certificate[] { issuerCert }, time);
// return new OCSPRespBuilder().build(ocspResult, ocspResponse).getEncoded();
return(ocspResponse.GetEncoded());
}
/**
* Verifies if the signature of the response is valid.
* If it doesn't verify against the responder certificate, it may verify
* using a trusted anchor.
* @param ocspResp the response object
* @param responderCert the certificate that may be used to sign the response
* @return true if the response can be trusted
*/
virtual public bool VerifyResponse(BasicOcspResp ocspResp, X509Certificate responderCert)
{
// testing using the responder certificate
if (IsSignatureValid(ocspResp, responderCert))
{
return(true);
}
// testing using trusted anchors
if (certificates == null)
{
return(false);
}
try {
// loop over the certificates in the root store
foreach (X509Certificate anchor in certificates)
{
try {
if (IsSignatureValid(ocspResp, anchor))
{
return(true);
}
} catch (GeneralSecurityException) {}
}
}
catch (GeneralSecurityException) {
return(false);
}
return(false);
}
/**
* Verifies if an OCSP response is genuine
* @param ocspResp the OCSP response
* @param issuerCert the issuer certificate
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert)
{
// by default the OCSP responder certificate is the issuer certificate
X509Certificate responderCert = issuerCert;
// check if there's a responder certificate
X509Certificate[] certs = ocspResp.GetCerts();
if (certs.Length > 0)
{
responderCert = certs[0];
try {
responderCert.Verify(issuerCert.GetPublicKey());
}
catch (GeneralSecurityException) {
if (base.Verify(responderCert, issuerCert, DateTime.MaxValue).Count == 0)
{
throw new VerificationException(responderCert, String.Format("{0} Responder certificate couldn't be verified", responderCert));
}
}
}
// verify if the signature of the response is valid
if (!VerifyResponse(ocspResp, responderCert))
{
throw new VerificationException(responderCert, String.Format("{0} OCSP response could not be verified", responderCert));
}
}
/**
* Verifies a certificate against a single OCSP response
* @param ocspResp the OCSP response
* @param signCert the certificate that needs to be checked
* @param issuerCert the certificate of CA
* @param signDate sign date
* @return {@code true}, in case successful check, otherwise false.
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, DateTime signDate)
{
if (ocspResp == null)
{
return(false);
}
// Getting the responses
SingleResp[] resp = ocspResp.Responses;
for (int i = 0; i < resp.Length; ++i)
{
// check if the serial number corresponds
if (!signCert.SerialNumber.Equals(resp[i].GetCertID().SerialNumber))
{
continue;
}
// check if the issuer matches
try {
if (issuerCert == null)
{
issuerCert = signCert;
}
if (!resp[i].GetCertID().MatchesIssuer(issuerCert))
{
LOGGER.Info("OCSP: Issuers doesn't match.");
continue;
}
} catch (OcspException) {
continue;
}
// check if the OCSP response was valid at the time of signing
DateTimeObject nextUpdate = resp[i].NextUpdate;
DateTime nextUpdateDate;
if (nextUpdate == null)
{
nextUpdateDate = resp[i].ThisUpdate.AddSeconds(180);
LOGGER.Info("No 'next update' for OCSP Response; assuming " + nextUpdateDate);
}
else
{
nextUpdateDate = nextUpdate.Value;
}
if (signDate > nextUpdateDate)
{
if (LOGGER.IsLogging(Level.INFO))
{
LOGGER.Info(String.Format("OCSP no longer valid: {0} after {1}", signDate, nextUpdateDate));
}
continue;
}
// check the status of the certificate
Object status = resp[i].GetCertStatus();
if (status == CertificateStatus.Good)
{
// check if the OCSP response was genuine
IsValidResponse(ocspResp, issuerCert);
return(true);
}
}
return(false);
}
public FirmaXades.Clients.CertificateStatus ProcessOcspResponse(byte[] binaryResp)
{
if (binaryResp.Length != 0)
{
OcspResp ocspResp = new OcspResp(binaryResp);
FirmaXades.Clients.CertificateStatus result = FirmaXades.Clients.CertificateStatus.Unknown;
if (ocspResp.Status != 0)
{
throw new Exception("Unknow status '" + ocspResp.Status + "'.");
}
BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();
if (basicOcspResp.Responses.Length == 1)
{
SingleResp singleResp = basicOcspResp.Responses[0];
object certStatus = singleResp.GetCertStatus();
if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
result = FirmaXades.Clients.CertificateStatus.Good;
}
else if (certStatus is RevokedStatus)
{
result = FirmaXades.Clients.CertificateStatus.Revoked;
}
else if (certStatus is UnknownStatus)
{
result = FirmaXades.Clients.CertificateStatus.Unknown;
}
}
return(result);
}
return(FirmaXades.Clients.CertificateStatus.Unknown);
}
static void CheckValidityOfResponse(CertID id, BasicOcspResp responseObject, Ca ca)
{
var inputStream = new MemoryStream(responseObject.GetEncoded());
var asn1Sequence = (Asn1Sequence) new Asn1InputStream(inputStream).ReadObject();
var response = BasicOcspResponse.GetInstance(asn1Sequence);
var ocspChain = CreateOcspCertificateChain(ca);
if (ocspChain.Length == 0)
{
throw new OcspException("OCSP certificate chain is invalid");
}
var ocesOcspCertificate = OcesCertificateFactory.Instance.Generate(CompleteOcspChain(response, ocspChain));
CheckBasicOcspResp(id, responseObject, ocesOcspCertificate, ca);
var signingCertificate = new X509CertificateParser().ReadCertificate(response.Certs[0].GetEncoded());
var issuingCertificate = new X509CertificateParser().ReadCertificate(ocspChain[0].GetRawCertData());
signingCertificate.Verify(issuingCertificate.GetPublicKey());
if (!responseObject.Verify(signingCertificate.GetPublicKey()))
{
throw new OcspException("Signature is invalid");
}
}
/// <summary>Gets an encoded byte array with OCSP validation.</summary>
/// <remarks>Gets an encoded byte array with OCSP validation. The method should not throw an exception.</remarks>
/// <param name="checkCert">to certificate to check</param>
/// <param name="rootCert">the parent certificate</param>
/// <param name="url">
/// to get the verification. It it's null it will be taken
/// from the check cert or from other implementation specific source
/// </param>
/// <returns>a byte array with the validation or null if the validation could not be obtained</returns>
public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try {
BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url);
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else
{
if (status is RevokedStatus)
{
throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_REVOKED);
}
else
{
throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_UNKNOWN);
}
}
}
}
}
catch (Exception ex) {
LOGGER.Error(ex.Message);
}
return(null);
}
public OcspResponse ParseOcspResponse(BasicOcspResp brep)
{
SingleResp singleResp = brep.Responses.Single();
var itstatus = singleResp.GetCertStatus();
var status = new OcspResponse()
{
ProducedAt = brep.ProducedAt,
ThisUpdate = singleResp.ThisUpdate,
NextUpdate = singleResp.NextUpdate.Value
};
if (itstatus == CertificateStatus.Good)
{
status.Status = OcspRevocationStatus.Good;
}
else if (itstatus is RevokedStatus revokedStatus)
{
status.Status = OcspRevocationStatus.Revoked;
status.RevocationTime = revokedStatus.RevocationTime;
try
{
status.RevocationReason = revokedStatus.RevocationReason;
}
catch (InvalidOperationException)
{
status.RevocationReason = -1;
}
}
else
{
status.Status = OcspRevocationStatus.Unknown;
}
return(status);
}
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod)
{
bool byKey = false;
List <string> list = new List <string>();
Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate();
OcspClient ocspClient = new OcspClient();
string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate);
if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl))
{
list.Add(authorityInformationAccessOcspUrl);
}
foreach (string ocspServer in ocspServers)
{
list.Add(ocspServer);
}
foreach (string item in list)
{
byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item);
switch (ocspClient.ProcessOcspResponse(array))
{
case FirmaXades.Clients.CertificateStatus.Revoked:
throw new Exception("Certificado revocado");
case FirmaXades.Clients.CertificateStatus.Good:
{
OcspResp ocspResp = new OcspResp(array);
byte[] encoded = ocspResp.GetEncoded();
BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();
string str = Guid.NewGuid().ToString();
OCSPRef oCSPRef = new OCSPRef();
oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str;
DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest);
ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object();
string responderName = GetResponderName(responderId, ref byKey);
if (!byKey)
{
oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName);
}
else
{
oCSPRef.OCSPIdentifier.ResponderID = responderName;
oCSPRef.OCSPIdentifier.ByKey = true;
}
oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef);
OCSPValue oCSPValue = new OCSPValue();
oCSPValue.PkiData = encoded;
oCSPValue.Id = "OcspValue" + str;
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue);
return((from cert in basicOcspResp.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
}
throw new Exception("El certificado no ha podido ser validado");
}
static bool SerialNumberInResponseIsNotRevoked(BasicOcspResp response, string serialNumber)
{
var responseElements = new List <SingleResp>(response.Responses);
return(responseElements
.Exists(r => r.GetCertStatus() == null &&
r.GetCertID().SerialNumber.ToString() == serialNumber));
}
/**
* Checks if an OCSP response is genuine
* @param ocspResp the OCSP response
* @param responderCert the responder certificate
* @return true if the OCSP response verifies against the responder certificate
*/
virtual public bool IsSignatureValid(BasicOcspResp ocspResp, X509Certificate responderCert)
{
try {
return(ocspResp.Verify(responderCert.GetPublicKey()));
} catch (OcspException) {
return(false);
}
}
static bool CertificateIsValid(CertID id, OcspResp ocspResp, string serialNumber, Ca ca)
{
CheckOcspResp(ocspResp);
BasicOcspResp response = GetResponseObject(ocspResp);
CheckValidityOfResponse(id, response, ca);
return(SerialNumberInResponseIsNotRevoked(response, serialNumber));
}
/// <summary>Checks if an OCSP response is genuine</summary>
/// <param name="ocspResp">the OCSP response</param>
/// <param name="responderCert">the responder certificate</param>
/// <returns>true if the OCSP response verifies against the responder certificate</returns>
public virtual bool IsSignatureValid(BasicOcspResp ocspResp, X509Certificate responderCert)
{
try {
return(SignUtils.IsSignatureValid(ocspResp, responderCert));
}
catch (Exception) {
return(false);
}
}
virtual public bool VerifyResponse(BasicOcspResp ocspResp, X509Certificate issuerCert)
{
try {
IsValidResponse(ocspResp, issuerCert);
return(true);
} catch (Exception e) {
return(false);
}
}
/**
* @return a byte array
* @see com.lowagie.text.pdf.OcspClient#getEncoded()
*/
public byte[] GetEncoded()
{
OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
con.ContentLength = array.Length;
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStream();
outp.Write(array, 0, array.Length);
outp.Close();
HttpWebResponse response = (HttpWebResponse)con.GetResponse();
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Close();
response.Close();
if (ocspResponse.Status != 0)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status));
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
return(null);
}
/// <summary>
/// @see com.lowagie.text.pdf.OcspClient#getEncoded()
/// </summary>
/// <returns> a byte array</returns>
public byte[] GetEncoded()
{
OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url);
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStreamAsync().Result;
outp.Write(array, 0, array.Length);
outp.Dispose();
HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result;
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}");
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Dispose();
response.Dispose();
if (ocspResponse.Status != 0)
{
throw new IOException("Invalid status: " + ocspResponse.Status);
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is RevokedStatus)
{
throw new IOException("OCSP Status is revoked!");
}
else
{
throw new IOException("OCSP Status is unknown!");
}
}
}
return(null);
}
/// <summary>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL).
/// </summary>
/// <remarks>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL).
/// </remarks>
/// <param name="basicOCSPResp"></param>
/// <returns></returns>
public static OcspResp FromBasicToResp(BasicOcspResp basicOCSPResp)
{
try
{
return(FromBasicToResp(basicOCSPResp.GetEncoded()));
}
catch (IOException e)
{
throw new RuntimeException(e);
}
}
/// <summary>
/// Create a reference on a OcspResp
/// </summary>
private static OcspResponsesID MakeOcspResponsesID(BasicOcspResp ocspResp)
{
byte[] digestValue = DigestUtilities.CalculateDigest
(X509ObjectIdentifiers.IdSha1, ocspResp.GetEncoded());
OtherHash hash = new OtherHash(digestValue);
OcspResponsesID ocsprespid = new OcspResponsesID(new OcspIdentifier(ocspResp.ResponderId
.ToAsn1Object(), ocspResp.ProducedAt), hash);
logger.Info("Incorporate OcspResponseId[hash=" + Hex.ToHexString(digestValue) +
",producedAt=" + ocspResp.ProducedAt);
return(ocsprespid);
}
/// <summary>
/// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado
/// </summary>
/// <param name="binaryResp"></param>
/// <returns></returns>
public CertificateStatus ProcessOcspResponse(byte[] binaryResp, bool checkNonce)
{
if (binaryResp.Length == 0)
{
return(CertificateStatus.Unknown);
}
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.Unknown;
if (r.Status == OcspRespStatus.Successful)
{
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
if (checkNonce)
{
if (or.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).ToString() !=
_nonceAsn1OctetString.ToString())
{
throw new Exception("Bad nonce value");
}
}
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.Good;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
cStatus = CertificateStatus.Revoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
cStatus = CertificateStatus.Unknown;
}
}
}
else
{
throw new Exception("Unknow status '" + r.Status + "'.");
}
return(cStatus);
}
public override bool Equals(object obj)
{
if (obj == this)
{
return(true);
}
BasicOcspResp basicOcspResp = obj as BasicOcspResp;
if (basicOcspResp == null)
{
return(false);
}
return(resp.Equals(basicOcspResp.resp));
}
private CertificateStatus processOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp, out string respMsg)
{
OcspResp r = new OcspResp(binaryResp);
CertificateStatus cStatus = CertificateStatus.unknown;
switch (r.Status)
{
case OcspRespStatus.Successful:
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
validateResponse(or, issuerCert);
respMsg = string.Empty;
if (or.Responses.Length == 1)
{
SingleResp resp = or.Responses[0];
validateCertificateId(issuerCert, clientCert, resp.GetCertID());
validateThisUpdate(resp);
validateNextUpdate(resp);
Object certificateStatus = resp.GetCertStatus();
if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
cStatus = CertificateStatus.good;
respMsg = "Certificado Válido";
}
else if (certificateStatus is RevokedStatus)
{
cStatus = CertificateStatus.revoked;
respMsg = "Certificado Revocado";
}
else if (certificateStatus is UnknownStatus)
{
cStatus = CertificateStatus.unknown;
respMsg = "Certificado Desconocido";
}
}
break;
default:
respMsg = "No se ha podido procesar la respuesta OCSP";
//throw new Exception("Status Desconocido '" + r.Status + "'.");
return(cStatus);
}
return(cStatus);
}
