public virtual byte[] MakeOcspResponse(byte[] requestBytes)
{
OcspReq ocspRequest = new OcspReq(requestBytes);
Req[] requestList = ocspRequest.GetRequestList();
X509Extension extNonce = ocspRequest.RequestExtensions.GetExtension(OcspObjectIdentifiers.PkixOcspNonce);
if (extNonce != null)
{
// TODO ensure
X509Extensions responseExtensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
{
{ OcspObjectIdentifiers.PkixOcspNonce, extNonce }
});
responseBuilder.SetResponseExtensions(responseExtensions);
}
foreach (Req req in requestList)
{
responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null);
}
DateTime time = DateTimeUtil.GetCurrentUtcTime();
BasicOcspResp ocspResponse = responseBuilder.Generate(new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey), new X509Certificate[] { issuerCert }, time);
// return new OCSPRespBuilder().build(ocspResult, ocspResponse).getEncoded();
return(ocspResponse.GetEncoded());
}
/// <summary>
/// Gets the <see cref="OcspResp"/> for the <see cref="OcspReq"/>
/// </summary>
/// <param name="ocspRequest"></param>
/// <param name="issuerCertificate"></param>
/// <returns></returns>
private async Task <OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
{
var basicResponseGenerator = new BasicOcspRespGenerator(
new RespID(
await OcspResponderRepository.GetResponderPublicKey(issuerCertificate)));
var extensionsGenerator = new X509ExtensionsGenerator();
var nextUpdate = await OcspResponderRepository.GetNextUpdate();
foreach (var request in ocspRequest.GetRequestList())
{
var certificateId = request.GetCertID();
var serialNumber = certificateId.SerialNumber;
CertificateStatus certificateStatus;
CaCompromisedStatus caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);
if (caCompromisedStatus.IsCompromised)
{
// See section 2.7 of RFC 6960
certificateStatus = new RevokedStatus(caCompromisedStatus.CompromisedDate.Value.UtcDateTime, (int)RevocationReason.CACompromise);
}
else
{
// Se section 2.2 of RFC 6960
if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
{
var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);
certificateStatus = status.IsRevoked
? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
: CertificateStatus.Good;
}
else
{
certificateStatus = new RevokedStatus(new DateTime(1970, 1, 1), CrlReason.CertificateHold);
extensionsGenerator.AddExtension(OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
}
}
basicResponseGenerator.AddResponse(certificateId, certificateStatus, DateTimeOffset.UtcNow.DateTime, nextUpdate.UtcDateTime, null);
}
SetNonceExtension(ocspRequest, extensionsGenerator);
basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());
// Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
const string signatureAlgorithm = "sha256WithRSAEncryption";
var basicOcspResponse = basicResponseGenerator.Generate(
signatureAlgorithm,
await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
await OcspResponderRepository.GetChain(issuerCertificate),
nextUpdate.UtcDateTime);
var ocspResponse = OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);
return(ocspResponse);
}
public override void Respond(HttpListenerContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var bytes = GetOcspRequest(context);
if (bytes == null)
{
context.Response.StatusCode = 400;
return;
}
var ocspReq = new OcspReq(bytes);
var respId = new RespID(CertificateAuthority.Certificate.SubjectDN);
var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
var requests = ocspReq.GetRequestList();
var nonce = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
if (nonce != null)
{
var extensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
{
{ OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
});
basicOcspRespGenerator.SetResponseExtensions(extensions);
}
var now = DateTime.UtcNow;
foreach (var request in requests)
{
var certificateId = request.GetCertID();
var certificateStatus = CertificateAuthority.GetStatus(certificateId);
var thisUpdate = _options.ThisUpdate?.UtcDateTime ?? now;
var nextUpdate = _options.NextUpdate?.UtcDateTime ?? now.AddSeconds(1);
basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate, singleExtensions: null);
}
var certificateChain = GetCertificateChain();
var basicOcspResp = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now);
var ocspRespGenerator = new OCSPRespGenerator();
var ocspResp = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);
bytes = ocspResp.GetEncoded();
context.Response.ContentType = ResponseContentType;
WriteResponseBody(context.Response, bytes);
}
public BasicOcspResp Generate()
{
//append nonce if we have it
if (_nonce != null)
{
_extensions_generator.AddExtension(new DerObjectIdentifier("1.3.6.1.5.5.7.48.1.2"), false, _nonce);
}
//set responseExtensions
_builder.SetResponseExtensions(_extensions_generator.Generate());
var ocsp_resp = _builder.Generate(_algorithm, _token.GetPrivateKey(), new[] { _token.GetOcspSigningCert() }, DateTime.UtcNow.AddMinutes(5));
return(ocsp_resp);
}
public override void Respond(HttpListenerContext context)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var bytes = GetOcspRequest(context);
if (bytes == null)
{
context.Response.StatusCode = 400;
return;
}
var ocspReq = new OcspReq(bytes);
var respId = new RespID(CertificateAuthority.Certificate.SubjectDN);
var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
var requests = ocspReq.GetRequestList();
var nonce = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
if (nonce != null)
{
var extensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
{
{ OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
});
basicOcspRespGenerator.SetResponseExtensions(extensions);
}
var now = DateTimeOffset.UtcNow;
foreach (var request in requests)
{
var certificateId = request.GetCertID();
var certificateStatus = CertificateAuthority.GetStatus(certificateId);
var thisUpdate = _options.ThisUpdate ?? now;
//On Windows, if the current time is equal (to the second) to a notAfter time (or nextUpdate time), it's considered valid.
//But OpenSSL considers it already expired (that the expiry happened when the clock changed to this second)
var nextUpdate = _options.NextUpdate ?? now.AddSeconds(2);
_responses.AddOrUpdate(certificateId.SerialNumber.ToString(), nextUpdate, (key, currentNextUpdate) =>
{
if (nextUpdate > currentNextUpdate)
{
return(nextUpdate);
}
return(currentNextUpdate);
});
basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate.UtcDateTime, nextUpdate.UtcDateTime, singleExtensions: null);
}
var certificateChain = GetCertificateChain();
var basicOcspResp = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now.UtcDateTime);
var ocspRespGenerator = new OCSPRespGenerator();
var ocspResp = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);
bytes = ocspResp.GetEncoded();
context.Response.ContentType = ResponseContentType;
WriteResponseBody(context.Response, bytes);
}
