Ejemplo n.º 1
1
        private OcspReq GenerateOcspRequest(CertificateID id)
        {
            OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();

            ocspRequestGenerator.AddRequest(id);

            BigInteger nonce = BigInteger.ValueOf(new DateTime().Ticks);

            ArrayList oids = new ArrayList();
            Hashtable values = new Hashtable();

            oids.Add(OcspObjectIdentifiers.PkixOcsp);

            Asn1OctetString asn1 = new DerOctetString(new DerOctetString(new byte[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1 }));

            values.Add(OcspObjectIdentifiers.PkixOcsp, new X509Extension(false, asn1));
            ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));

            return ocspRequestGenerator.Generate();
        }
Ejemplo n.º 2
1
		/// <exception cref="System.IO.IOException"></exception>
		public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)		
		{
			try
			{
				this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod);
                LOG.Info("OCSP URI: " + this.OcspUri);
                if (this.OcspUri == null)
				{
					return null;
				}
				OcspReqGenerator ocspReqGenerator = new OcspReqGenerator();
				CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate
					, certificate.SerialNumber);
				ocspReqGenerator.AddRequest(certId);
				OcspReq ocspReq = ocspReqGenerator.Generate();
				byte[] ocspReqData = ocspReq.GetEncoded();
                OcspResp ocspResp = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream
					(ocspReqData)));
				try
				{
					return (BasicOcspResp)ocspResp.GetResponseObject();
				}
				catch (ArgumentNullException)
				{
					// Encountered a case when the OCSPResp is initialized with a null OCSP response...
					// (and there are no nullity checks in the OCSPResp implementation)
					return null;
				}
			}
			catch (CannotFetchDataException)
			{
				return null;
			}
			catch (OcspException e)
			{
				LOG.Error("OCSP error: " + e.Message);
				return null;
			}
		}
Ejemplo n.º 3
1
        /// <summary>
        /// Verifies the certificate chain via OCSP
        /// </summary>
        /// <returns>
        /// <c>true</c>, if certificate is revoked, <c>false</c> otherwise.
        /// </returns>
        /// <param name='chain'>
        /// The certificate chain.
        /// </param>
        private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
        {
            List<X509Certificate> certsList = new List<X509Certificate> ();
            List<Uri> certsUrls = new List<Uri> ();
            bool bCertificateIsRevoked = false;
            try {
                //Get the OCSP URLS to be validated for each certificate.
                foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) {
                    X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (cert.Certificate);
                    if (BCCert.CertificateStructure.TbsCertificate.Extensions != null) {
                        X509Extension ext = BCCert.CertificateStructure.TbsCertificate.Extensions.GetExtension (X509Extensions.AuthorityInfoAccess);
                        if (ext != null) {
                            AccessDescription[] certUrls = AuthorityInformationAccess.GetInstance (ext).GetAccessDescriptions ();
                            Uri url = (certUrls != null && certUrls.Length > 0 && certUrls [0].AccessLocation.Name.ToString ().StartsWith("http://")) ? new Uri (certUrls [0].AccessLocation.Name.ToString ()) : null;
                            certsList.Add (BCCert);
                            if (!certsUrls.Contains (url))
                                certsUrls.Add (url);
                        }
                    }
                }
                if(certsUrls.Count>0){
                    //create requests for each cert
                    List<OcspReq> RequestList = new List<OcspReq>();
                    OcspReqGenerator OCSPRequestGenerator;
                    for (int i =0; i< (certsList.Count -1); i++) {
                        OCSPRequestGenerator = new OcspReqGenerator ();
                        BigInteger nonce = BigInteger.ValueOf (DateTime.Now.Ticks);
                        List<DerObjectIdentifier> oids = new List<DerObjectIdentifier> ();
                        oids.Add (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
                        List<X509Extension> values = new List<X509Extension> ();
                        values.Add (new X509Extension (false, new DerOctetString (nonce.ToByteArray ())));
                        OCSPRequestGenerator.SetRequestExtensions (new X509Extensions (oids, values));
                        CertificateID ID = new CertificateID (CertificateID.HashSha1, certsList [i + 1], certsList [i].SerialNumber);
                        OCSPRequestGenerator.AddRequest (ID);
                        RequestList.Add(OCSPRequestGenerator.Generate());
                    }

                    //send requests to the OCSP server and read the response
                    for (int i =0; i< certsUrls.Count && !bCertificateIsRevoked; i++) {
                        for(int j = 0; j<  RequestList.Count && !bCertificateIsRevoked ; j++){
                            HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create (certsUrls [i]);
                            requestToOCSPServer.Method = "POST";
                            requestToOCSPServer.ContentType = "application/ocsp-request";
                            requestToOCSPServer.Accept = "application/ocsp-response";
                            requestToOCSPServer.ReadWriteTimeout = 15000; // 15 seconds waiting to stablish connection
                            requestToOCSPServer.Timeout = 100000; // 100 seconds timeout reading response

                            byte[] bRequestBytes = RequestList[j].GetEncoded();
                            using (Stream requestStream = requestToOCSPServer.GetRequestStream()) {
                                requestStream.Write (bRequestBytes, 0, bRequestBytes.Length);
                                requestStream.Flush ();
                            }
                            HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse ();
                            OcspResp OCSPResponse = new OcspResp (serverResponse.GetResponseStream ());
                            BasicOcspResp basicOCSPResponse = (BasicOcspResp)OCSPResponse.GetResponseObject ();
                            //get the status from the response
                            if (basicOCSPResponse != null) {
                                foreach (SingleResp singleResponse in basicOCSPResponse.Responses) {
                                    object certStatus = singleResponse.GetCertStatus ();
                                    if (certStatus is RevokedStatus)
                                        bCertificateIsRevoked = true;
                                }
                            }
                        }
                    }
                }else { SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");}
            } catch (Exception e) {
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
                bCertificateIsRevoked = true;
            }
            if(bCertificateIsRevoked)
                SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
            return bCertificateIsRevoked;
        }
Ejemplo n.º 4
0
        /// <summary>
        /// Generate OCSP Request
        /// </summary>
        /// <param name="id"></param>
        /// <param name="cert"></param>
        /// <returns></returns>
        byte[] GenerateOCSPRequest(Org.BouncyCastle.Ocsp.CertificateID id,
                                   Org.BouncyCastle.X509.X509Certificate cert)
        {
            byte[] nonce = new byte[16];
            Random rand  = new Random();

            rand.NextBytes(nonce);

            //OCSP OID
            var asn1 = new DerOctetString(new DerOctetString(new byte[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1 }));

            //Create OCSP Request
            var gen = new Org.BouncyCastle.Ocsp.OcspReqGenerator();

            gen.AddRequest(id);
            gen.SetRequestorName(new Org.BouncyCastle.Asn1.X509.GeneralName(
                                     Org.BouncyCastle.Asn1.X509.GeneralName.DirectoryName, cert.SubjectDN));

            IList oids   = new ArrayList();
            IList values = new ArrayList();

            oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            values.Add(new X509Extension(false,
                                         new Org.BouncyCastle.Asn1.DerOctetString(
                                             new Org.BouncyCastle.Asn1.DerOctetString(nonce))));

            oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcsp);
            values.Add(new X509Extension(false, asn1));
            gen.SetRequestExtensions(new X509Extensions(oids, values));

            var req = gen.Generate();

            return(req.GetEncoded());
        }
Ejemplo n.º 5
0
        /// <summary>
        /// Creates the ocsprequest to send to the ocsp responder.
        /// </summary>
        /// <param name="issuerCert">Certificate of the issuer of the client certificate</param>
        /// <param name="serialNumber">Serial number of the client certificate</param>
        /// <returns>Ocsp Request to be sent to OCSP responder</returns>
        private BouncyCastleOCSP.OcspReq CreateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
        {
            BouncyCastleOCSP.CertificateID certID = new BouncyCastleOCSP.CertificateID(BouncyCastleOCSP.CertificateID.HashSha1, issuerCert, serialNumber);

            BouncyCastleOCSP.OcspReqGenerator ocspRequestGenerator = new BouncyCastleOCSP.OcspReqGenerator();

            ocspRequestGenerator.AddRequest(certID);

            return(ocspRequestGenerator.Generate());
        }
Ejemplo n.º 6
0
        private static BCO.OcspReq GetOcspReqBody(this X509Certificate2 cert, X509Certificate2 issuer)
        {
            var ocspReqGen = new BCO.OcspReqGenerator();

            ocspReqGen.AddRequest(
                new BCO.CertificateID(BCO.CertificateID.HashSha1,
                                      DotNetUtilities.FromX509Certificate(issuer),
                                      DotNetUtilities.FromX509Certificate(cert).SerialNumber));
            return(ocspReqGen.Generate());
        }
        private static byte[] GenerateOcspRequest(BigInteger subjectSerialNumber, X509Certificate issuerCert)
        {
            // We need a request generator.
            var generator = new OcspReqGenerator();

            // Then we add the certificate we're asking about to it.
            generator.AddRequest(new CertificateID(CertificateID.HashSha1, issuerCert, subjectSerialNumber));

            // Then we generate the DER-encoded request.
            var req = generator.Generate();
            return req.GetEncoded();
        }
Ejemplo n.º 8
0
 /**
 * Generates an OCSP request using BouncyCastle.
 * @param issuerCert	certificate of the issues
 * @param serialNumber	serial number
 * @return	an OCSP request
 * @throws OCSPException
 * @throws IOException
 */
 private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) {
     // Generate the id for the certificate we are looking for
     CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
     
     // basic request generation with nonce
     OcspReqGenerator gen = new OcspReqGenerator();
     
     gen.AddRequest(id);
     
     // create details for nonce extension
     IDictionary extensions = new Hashtable();
     
     extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(PdfEncryption.CreateDocumentId()).GetEncoded()));
     
     gen.SetRequestExtensions(new X509Extensions(extensions));
     
     return gen.Generate();
 }
        static OcspReqAndId CreateOcspRequest(Asn1OctetString issuerNameHash,
            Asn1OctetString issuerKeyHash, string serialNumber)
        {
            var hashAlgorithm = new AlgorithmIdentifier(X509ObjectIdentifiers.IdSha1, DerNull.Instance);
            var derSerialNumber = new DerInteger(new BigInteger(serialNumber));
            var id = new CertID(hashAlgorithm, issuerNameHash, issuerKeyHash, derSerialNumber);

            var generator = new OcspReqGenerator();
            generator.AddRequest(new CertificateID(id));
            return new OcspReqAndId(generator.Generate(), id);
        }