/// <summary>Validate the timestamp</summary> /// <param name="timestamp"></param> /// <param name="optionalSource"></param> /// <param name="optionalCRLSource"></param> /// <param name="optionalOCPSSource"></param> /// <exception cref="System.IO.IOException"></exception> public virtual void ValidateTimestamp(TimestampToken timestamp, CertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource) { AddNotYetVerifiedToken(timestamp); Validate(timestamp.GetTimeStamp().TimeStampInfo.GenTime, new CompositeCertificateSource (timestamp.GetWrappedCertificateSource(), optionalSource), optionalCRLSource, optionalOCPSSource ); }
/// <summary> /// The default constructor for ValidationContextV2. /// </summary> /// <param> /// The certificate that will be validated. /// </param> public ValidationContext(X509Certificate certificate, DateTime validationDate, ICAdESLogger cadesLogger, IOcspSource ocspSource, ICrlSource crlSource, ICertificateSource certificateSource, Func <IOcspSource, ICrlSource, ICertificateStatusVerifier> certificateVerifierFactory, Func <CertificateAndContext, CertificateToken> certificateTokenFactory) { this.certificateTokenFactory = certificateTokenFactory; OcspSource = ocspSource; CrlSource = crlSource; TrustedListCertificatesSource = certificateSource; logger = cadesLogger; if (certificate != null) { logger?.Info("New context for " + certificate.SubjectDN); var trustedCert = TrustedListCertificatesSource?.GetCertificateBySubjectName(certificate.SubjectDN)?.FirstOrDefault(); Certificate = certificate; AddNotYetVerifiedToken(certificateTokenFactory(trustedCert ?? new CertificateAndContext(certificate))); } ValidationDate = validationDate; this.certificateVerifierFactory = certificateVerifierFactory; }
/// <summary>Main constructor.</summary> /// <remarks>Main constructor.</remarks> /// <param name="crlSource">the CRL repository used by this CRL trust linker.</param> public CRLCertificateVerifier(ICrlSource crlSource) { this.crlSource = crlSource; }
/// <summary>Set the CRL source for this verifier</summary> /// <param name="crlSource"></param> public virtual void SetCrlSource(ICrlSource crlSource) { this.crlSource = crlSource; }
/// <summary>Build a OCSPAndCRLCertificateVerifier that will use the provided CRLSource and OCSPSource /// </summary> public OCSPAndCRLCertificateVerifier(ICrlSource crlSource, IOcspSource ocspSource) { this.crlSource = crlSource; this.ocspSource = ocspSource; }
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource) { if (optionalCRLSource != null || optionalOCSPSource != null) { logger?.Info(VerifyWithOfflineServiceMessage); var verifier = certificateVerifierFactory(optionalOCSPSource, optionalCRLSource); var status = verifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate); if (status != null) { return(status); } } logger?.Info(VerifyWithOnlineServiceMessage); var onlineVerifier = certificateVerifierFactory(OcspSource, CrlSource); return(onlineVerifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate)); }
/// <summary> /// Build the validation context for the specific date /// </summary> public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { int previousSize = RevocationInfo.Count; int previousVerified = VerifiedTokenCount(); ISignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource); CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate); RevocationData data = null; if (issuer == null) { logger?.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { usedCerts?.Add(issuer); AddNotYetVerifiedToken(certificateTokenFactory(issuer)); if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN)) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); } Validate(trustedToken, noNeedToValidate); } else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { logger?.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new Exception("Not supported token type " + signedToken.GetType().Name); } } } Validate(signedToken, data); logger?.Info(ToString()); int newSize = RevocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts); } } }
/// <summary> /// Validate the timestamp /// </summary> public virtual void ValidateTimestamp(TimestampToken timestamp, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { if (timestamp is null) { throw new ArgumentNullException(nameof(timestamp)); } AddNotYetVerifiedToken(timestamp); Validate( timestamp.GetTimeStamp().TimeStampInfo.GenTime, new CompositeCertificateSource(timestamp.GetWrappedCertificateSource(), optionalSource), optionalCRLSource, optionalOCPSSource, usedCerts); }
public virtual IValidationContext ValidateCertificate( X509Certificate cert, DateTime validationDate, ICertificateSource optionalCertificateSource, IList <CertificateAndContext> usedCerts, ICrlSource optionalCRLSource = null, IOcspSource optionalOCSPSource = null, ICAdESLogger CadesLogger = null) { if (cert == null || validationDate == null) { throw new ArgumentNullException("A validation context must contains a cert and a validation date"); } var alreadyUsed = cache.FirstOrDefault(x => x.Certificate == cert && x.ValidationDate == validationDate); if (alreadyUsed != null) { return(alreadyUsed); } var context = validationContextFactory(cert, validationDate, CadesLogger); context.Validate(validationDate, optionalCertificateSource, optionalCRLSource, optionalOCSPSource, usedCerts); cache.Add(context); return(context); }
/// <exception cref="System.IO.IOException"></exception> public virtual ValidationContext ValidateCertificate(X509Certificate cert, DateTime validationDate, CertificateSource optionalCertificateSource, ICrlSource optionalCRLSource , IOcspSource optionalOCSPSource) { if (cert == null || validationDate == null) { throw new ArgumentNullException("A validation context must contains a cert and a validation date" ); } ValidationContext previous = validationContextThreadLocal.Value; if (previous != null && previous.GetCertificate().Equals(cert) && previous.GetValidationDate ().Equals(validationDate)) { //LOG.Info("We don't need to check twice for the same"); return(previous); } ValidationContext context = new ValidationContext(cert, validationDate); context.SetCrlSource(CrlSource); context.SetOcspSource(OcspSource); context.SetTrustedListCertificatesSource(TrustedListCertificatesSource); context.Validate(validationDate, optionalCertificateSource, optionalCRLSource, optionalOCSPSource ); validationContextThreadLocal.Value = context; return(context); }
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource) { if (optionalCRLSource != null || optionalOCSPSource != null) { LOG.Info("Verify with offline services"); OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier(); verifier.SetCrlSource(optionalCRLSource); verifier.SetOcspSource(optionalOCSPSource); CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer. GetCertificate(), validationDate); if (status != null) { return(status); } } LOG.Info("Verify with online services"); OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier( ); onlineVerifier.SetCrlSource(crlSource); onlineVerifier.SetOcspSource(ocspSource); return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate (), validationDate)); }