Ejemplo n.º 1
0
        /// <param name="cert"></param>
        /// <returns></returns>
        public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext
                                                                         cert)
        {
            if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
            {
                CertificateStatus status = new CertificateStatus();
                status.Validity         = CertificateValidity.VALID;
                status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST;
                status.Certificate      = cert.GetCertificate();
                return(status);
            }
            CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);

            if (issuer == null)
            {
                return(null);
            }
            IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp);
            ICrlSource  crlSource  = new ListCRLSource(neededCRL);
            OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();

            verifier.SetCrlSource(crlSource);
            verifier.SetOcspSource(ocspSource);
            return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate
                                      ()));
        }
Ejemplo n.º 2
0
 /// <summary>The default constructor for CertificateVerification.</summary>
 /// <remarks>The default constructor for CertificateVerification.</remarks>
 /// <param name="cert"></param>
 /// <param name="ctx"></param>
 public CertificateVerification(CertificateAndContext cert, ValidationContext ctx)
 {
     certificate = cert;
     if (cert != null)
     {
         try
         {
             cert.GetCertificate().CheckValidity(ctx.GetValidationDate());
             validityPeriodVerification = new Result(Result.ResultStatus.VALID, null);
         }
         catch (CertificateExpiredException)
         {
             validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.expired"
                                                     );
         }
         catch (CertificateNotYetValidException)
         {
             validityPeriodVerification = new Result(Result.ResultStatus.INVALID, "certificate.not.yet.valid"
                                                     );
         }
         CertificateStatus status = ctx.GetCertificateStatusFromContext(cert);
         if (status != null)
         {
             certificateStatus = new RevocationVerificationResult(status);
         }
     }
 }
Ejemplo n.º 3
0
        private bool ConcernsCertificate(BasicOcspResp basicOcspResp, CertificateAndContext
                                         cert)
        {
            CertificateAndContext issuerCertificate = GetIssuerCertificateFromThisContext(cert
                                                                                          );

            if (issuerCertificate == null)
            {
                return(false);
            }
            else
            {
                try
                {
                    CertificateID matchingCertID = new CertificateID(CertificateID.HashSha1, issuerCertificate
                                                                     .GetCertificate(), cert.GetCertificate().SerialNumber);
                    foreach (SingleResp resp in basicOcspResp.Responses)
                    {
                        if (resp.GetCertID().Equals(matchingCertID))
                        {
                            return(true);
                        }
                    }
                    return(false);
                }
                catch (OcspException ex)
                {
                    throw new RuntimeException(ex);
                }
            }
        }
Ejemplo n.º 4
0
        private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext
                                                         potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource
                                                         optionalOCSPSource)
        {
            if (optionalCRLSource != null || optionalOCSPSource != null)
            {
                LOG.Info("Verify with offline services");
                OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
                verifier.SetCrlSource(optionalCRLSource);
                verifier.SetOcspSource(optionalOCSPSource);
                CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer.
                                                          GetCertificate(), validationDate);
                if (status != null)
                {
                    return(status);
                }
            }
            LOG.Info("Verify with online services");
            OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier(
                );

            onlineVerifier.SetCrlSource(crlSource);
            onlineVerifier.SetOcspSource(ocspSource);
            return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate
                                            (), validationDate));
        }
Ejemplo n.º 5
0
        public virtual bool Check(CertificateAndContext cert)
        {
            //TODO jbonilla - validar.
            //byte[] certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies);
            Asn1OctetString certificatePolicies = cert.GetCertificate().GetExtensionValue(X509Extensions.CertificatePolicies);

            if (certificatePolicies != null)
            {
                try
                {
                    //Asn1InputStream input = new Asn1InputStream(certificatePolicies);
                    //DerOctetString s = (DerOctetString)input.ReadObject();
                    DerOctetString  s       = (DerOctetString)certificatePolicies;
                    byte[]          content = s.GetOctets();
                    Asn1InputStream input   = new Asn1InputStream(content);
                    DerSequence     seq     = (DerSequence)input.ReadObject();
                    for (int i = 0; i < seq.Count; i++)
                    {
                        PolicyInformation policyInfo = PolicyInformation.GetInstance(seq[i]);
                        if (policyInfo.PolicyIdentifier.Id.Equals(policyOid))
                        {
                            return(true);
                        }
                    }
                }
                catch (IOException e)
                {
                    throw new RuntimeException(e);
                }
            }
            return(false);
        }
Ejemplo n.º 6
0
        public virtual bool Check(CertificateAndContext cert)
        {
            //TODO jbonilla - Validar
            //byte[] qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements);
            Asn1OctetString qcStatement = cert.GetCertificate().GetExtensionValue(X509Extensions.QCStatements);

            if (qcStatement != null)
            {
                try
                {
                    //Asn1InputStream input = new Asn1InputStream(qcStatement);
                    //DerOctetString s = (DerOctetString)input.ReadObject();
                    DerOctetString  s       = (DerOctetString)qcStatement;
                    byte[]          content = s.GetOctets();
                    Asn1InputStream input   = new Asn1InputStream(content);
                    DerSequence     seq     = (DerSequence)input.ReadObject();
                    for (int i = 0; i < seq.Count; i++)
                    {
                        QCStatement statement = QCStatement.GetInstance(seq[i]);
                        if (statement.StatementId.Id.Equals(qcStatementId))
                        {
                            return(true);
                        }
                    }
                    return(false);
                }
                catch (IOException e)
                {
                    throw new RuntimeException(e);
                }
            }
            return(false);
        }
Ejemplo n.º 7
0
        /// <summary>Returns the CRLs in the context which concern the provided certificate.</summary>
        /// <remarks>
        /// Returns the CRLs in the context which concern the provided certificate. It can happen there are more than one,
        /// even though this is unlikely.
        /// </remarks>
        /// <param name="cert">the X509 certificate</param>
        /// <returns>the list of CRLs related to the certificate</returns>
        public virtual IList <X509Crl> GetRelatedCRLs(CertificateAndContext cert)
        {
            IList <X509Crl> crls = new AList <X509Crl>();

            foreach (X509Crl crl in this.neededCRL)
            {
                if (ConcernsCertificate(crl, cert))
                {
                    crls.AddItem(crl);
                }
            }
            return(crls);
        }
Ejemplo n.º 8
0
        /// <summary>Retrieve all the qualifiers for which the corresponding condition evaluate to true.
        ///     </summary>
        /// <remarks>Retrieve all the qualifiers for which the corresponding condition evaluate to true.
        ///     </remarks>
        /// <param name="cert"></param>
        /// <returns></returns>
        public virtual IList <string> GetQualifiers(CertificateAndContext cert)
        {
            IList <string> list = new List <string>();

            foreach (KeyValuePair <string, Condition> e in qualifiersAndConditions)
            {
                if (e.Value.Check(cert))
                {
                    list.Add(e.Key);
                }
            }
            return(list);
        }
Ejemplo n.º 9
0
        /// <summary>Returns the OCSP responses in the context which concern the provided certificate.
        ///     </summary>
        /// <remarks>
        /// Returns the OCSP responses in the context which concern the provided certificate. It can happen there are more
        /// than one, even though this is unlikely.
        /// </remarks>
        /// <param name="cert">the X509 certificate</param>
        /// <returns>the list of OCSP responses related to the certificate</returns>
        /// <exception cref="Org.Bouncycastle.Ocsp.OcspException">Org.Bouncycastle.Ocsp.OcspException
        ///     </exception>
        public virtual IList <BasicOcspResp> GetRelatedOCSPResp(CertificateAndContext cert
                                                                )
        {
            IList <BasicOcspResp> ocspresps = new AList <BasicOcspResp>();

            foreach (BasicOcspResp ocspresp in this.neededOCSPResp)
            {
                if (this.ConcernsCertificate(ocspresp, cert))
                {
                    ocspresps.AddItem(ocspresp);
                }
            }
            return(ocspresps);
        }
Ejemplo n.º 10
0
        /// <summary>Return the ServiceInfo of the parent (in the Trusted List) of the certificate
        ///     </summary>
        /// <returns></returns>
        public virtual ServiceInfo GetRelevantServiceInfo()
        {
            CertificateAndContext cert   = new CertificateAndContext(GetCertificate());
            CertificateAndContext parent = GetParentFromTrustedList(cert);

            if (parent == null)
            {
                return(null);
            }
            else
            {
                ServiceInfo info = (ServiceInfo)parent.GetContext();
                return(info);
            }
        }
Ejemplo n.º 11
0
 /// <summary>Finds the provided certificate's issuer in the context</summary>
 /// <param name="cert">The certificate whose issuer to find</param>
 /// <returns>the issuer's X509Certificate</returns>
 public virtual CertificateAndContext GetIssuerCertificateFromThisContext(CertificateAndContext
                                                                          cert)
 {
     if (cert.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN))
     {
         return(null);
     }
     foreach (CertificateAndContext c in neededCertificates)
     {
         if (c.GetCertificate().SubjectDN.Equals(cert.GetCertificate().IssuerDN))
         {
             return(c);
         }
     }
     return(null);
 }
Ejemplo n.º 12
0
 internal virtual void AddNotYetVerifiedToken(SignedToken signedToken)
 {
     if (!revocationInfo.ContainsKey(signedToken))
     {
         LOG.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode
                      ());
         revocationInfo.Put(signedToken, null);
         if (signedToken is CRLToken)
         {
             neededCRL.AddItem(((CRLToken)signedToken).GetX509crl());
         }
         else
         {
             if (signedToken is OCSPRespToken)
             {
                 neededOCSPResp.AddItem(((OCSPRespToken)signedToken).GetOcspResp());
             }
             else
             {
                 if (signedToken is CertificateToken)
                 {
                     bool found = false;
                     CertificateAndContext newCert = ((CertificateToken)signedToken).GetCertificateAndContext
                                                         ();
                     foreach (CertificateAndContext c in neededCertificates)
                     {
                         if (c.GetCertificate().Equals(newCert.GetCertificate()))
                         {
                             found = true;
                             break;
                         }
                     }
                     if (!found)
                     {
                         neededCertificates.AddItem(newCert);
                     }
                 }
             }
         }
     }
     else
     {
         LOG.Info("Token was already in list " + signedToken);
     }
 }
Ejemplo n.º 13
0
        /// <summary>Retrieve the parent from the trusted list</summary>
        /// <param name="ctx"></param>
        /// <returns></returns>
        public virtual CertificateAndContext GetParentFromTrustedList(CertificateAndContext
                                                                      ctx)
        {
            CertificateAndContext parent = ctx;

            while (GetIssuerCertificateFromThisContext(parent) != null)
            {
                parent = GetIssuerCertificateFromThisContext(parent);
                if (parent.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
                {
                    LOG.Info("Parent from TrustedList found " + parent);
                    return(parent);
                }
            }
            LOG.Warn("No issuer in the TrustedList for this certificate. The parent found is "
                     + parent);
            return(null);
        }
Ejemplo n.º 14
0
        public virtual bool Check(CertificateAndContext cert)
        {
            switch (composition)
            {
            case CompositeCriteriaList.Composition.all:
            {
                foreach (Condition c in conditions)
                {
                    if (!c.Check(cert))
                    {
                        return(false);
                    }
                }
                return(true);
            }

            case CompositeCriteriaList.Composition.atLeastOne:
            {
                foreach (Condition c_1 in conditions)
                {
                    if (c_1.Check(cert))
                    {
                        return(true);
                    }
                }
                return(false);
            }

            case CompositeCriteriaList.Composition.none:
            {
                foreach (Condition c_2 in conditions)
                {
                    if (c_2.Check(cert))
                    {
                        return(false);
                    }
                }
                return(true);
            }
            }
            throw new InvalidOperationException("Unsupported Composition " + composition);
        }
Ejemplo n.º 15
0
 public virtual bool Check(CertificateAndContext cert)
 {
     return(cert.GetCertificate().GetKeyUsage()[(int)bit]);
 }
Ejemplo n.º 16
0
        /// <summary>Build the validation context for the specific date</summary>
        /// <param name="validationDate"></param>
        /// <param name="optionalSource"></param>
        /// <exception cref="System.IO.IOException"></exception>
        public virtual void Validate(DateTime validationDate, CertificateSource optionalSource
                                     , ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
        {
            int         previousSize     = revocationInfo.Count;
            int         previousVerified = VerifiedTokenCount();
            SignedToken signedToken      = GetOneNotYetVerifiedToken();

            if (signedToken != null)
            {
                CertificateSource otherSource = optionalSource;
                if (signedToken != null)
                {
                    otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource
                                                                     (), optionalSource);
                }
                CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate
                                                                    );
                RevocationData data = null;
                if (issuer == null)
                {
                    LOG.Warn("Don't found any issuer for token " + signedToken);
                    data = new RevocationData(signedToken);
                }
                else
                {
                    AddNotYetVerifiedToken(new CertificateToken(issuer));
                    if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate
                                                                     ().IssuerDN))
                    {
                        SignedToken    trustedToken     = new CertificateToken(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        // noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST);
                        Validate(trustedToken, noNeedToValidate);
                    }
                    if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
                    {
                        SignedToken    trustedToken     = new CertificateToken(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                        Validate(trustedToken, noNeedToValidate);
                    }
                    if (signedToken is CertificateToken)
                    {
                        CertificateToken  ct     = (CertificateToken)signedToken;
                        CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(),
                                                                          issuer, validationDate, optionalCRLSource, optionalOCPSSource);
                        data = new RevocationData(signedToken);
                        if (status != null)
                        {
                            data.SetRevocationData(status.StatusSource);
                            if (status.StatusSource is X509Crl)
                            {
                                AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
                            }
                            else
                            {
                                if (status.StatusSource is BasicOcspResp)
                                {
                                    AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
                                }
                            }
                        }
                        else
                        {
                            LOG.Warn("No status for " + signedToken);
                        }
                    }
                    else
                    {
                        if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
                        {
                            data = new RevocationData(signedToken);
                            data.SetRevocationData(issuer);
                        }
                        else
                        {
                            throw new RuntimeException("Not supported token type " + signedToken.GetType().Name
                                                       );
                        }
                    }
                }
                Validate(signedToken, data);
                LOG.Info(this.ToString());
                int newSize     = revocationInfo.Count;
                int newVerified = VerifiedTokenCount();
                if (newSize != previousSize || newVerified != previousVerified)
                {
                    Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource);
                }
            }
        }
Ejemplo n.º 17
0
 /// <summary>Create a CertificateToken</summary>
 /// <param name="cert"></param>
 /// <param name="sourceFactory"></param>
 public CertificateToken(CertificateAndContext cert, CertificateSourceFactory sourceFactory
                         )
 {
     this.cert          = cert;
     this.sourceFactory = sourceFactory;
 }
Ejemplo n.º 18
0
 /// <summary>Create a CertificateToken</summary>
 /// <param name="cert"></param>
 public CertificateToken(CertificateAndContext cert) : this(cert, null)
 {
 }
Ejemplo n.º 19
0
 private bool ConcernsCertificate(X509Crl x509crl, CertificateAndContext cert)
 {
     return(x509crl.IssuerDN.Equals(cert.GetCertificate().IssuerDN));
 }
Ejemplo n.º 20
0
 /// <param name="certificate">the certificate to set</param>
 public virtual void SetCertificate(CertificateAndContext certificate)
 {
     this.certificate = certificate;
 }