/// <summary>
/// Gets the <see cref="OcspResp"/> for the <see cref="OcspReq"/>
/// </summary>
/// <param name="ocspRequest"></param>
/// <param name="issuerCertificate"></param>
/// <returns></returns>
private async Task <OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
{
var basicResponseGenerator = new BasicOcspRespGenerator(
new RespID(
await OcspResponderRepository.GetResponderPublicKey(issuerCertificate)));
var extensionsGenerator = new X509ExtensionsGenerator();
var nextUpdate = await OcspResponderRepository.GetNextUpdate();
foreach (var request in ocspRequest.GetRequestList())
{
var certificateId = request.GetCertID();
var serialNumber = certificateId.SerialNumber;
CertificateStatus certificateStatus;
CaCompromisedStatus caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);
if (caCompromisedStatus.IsCompromised)
{
// See section 2.7 of RFC 6960
certificateStatus = new RevokedStatus(caCompromisedStatus.CompromisedDate.Value.UtcDateTime, (int)RevocationReason.CACompromise);
}
else
{
// Se section 2.2 of RFC 6960
if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
{
var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);
certificateStatus = status.IsRevoked
? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
: CertificateStatus.Good;
}
else
{
certificateStatus = new RevokedStatus(new DateTime(1970, 1, 1), CrlReason.CertificateHold);
extensionsGenerator.AddExtension(OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
}
}
basicResponseGenerator.AddResponse(certificateId, certificateStatus, DateTimeOffset.UtcNow.DateTime, nextUpdate.UtcDateTime, null);
}
SetNonceExtension(ocspRequest, extensionsGenerator);
basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());
// Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
const string signatureAlgorithm = "sha256WithRSAEncryption";
var basicOcspResponse = basicResponseGenerator.Generate(
signatureAlgorithm,
await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
await OcspResponderRepository.GetChain(issuerCertificate),
nextUpdate.UtcDateTime);
var ocspResponse = OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);
return(ocspResponse);
}
/// <inheritdoc />
public async Task <DateTimeOffset> GetNextUpdate()
{
return(await OcspResponderRepository.GetNextUpdate());
}
