Example #1
0
        /// <summary>
        /// Validates the certificate using OCSP server
        /// </summary>
        /// <param name="eecert">End entity certificate to be validated</param>
        /// <param name="issuerCert">Issuer of the end entity certificate to be used in validating</param>
        /// <param name="proxy">Optional if a web proxy is required</param>
        /// <returns>Validation status of the end entity certificate</returns>
        /// <exception cref="OCSPExpection">Thrown when there is no OCSP URL in certificate or the OCSP URL in unreachable<exception>
        public static bool ValidateCertificateWithOCSP(X509Certificate2 eecert, X509Certificate2 issuerCert, WebProxy proxy = null)
        {
            Org.BouncyCastle.X509.X509Certificate bouncyeecert     = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(eecert);
            Org.BouncyCastle.X509.X509Certificate bouncyissuercert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuerCert);

            if (!bouncyeecert.IssuerDN.Equivalent(bouncyissuercert.SubjectDN))
            {
                return(false); //Not the same issuer.
            }
            try
            {
                bouncyeecert.CheckValidity();
                bouncyeecert.Verify(bouncyissuercert.GetPublicKey());
                OCSPVerifier crypto = new OCSPVerifier();

                return(crypto.Query(bouncyeecert, bouncyissuercert, proxy) == OCSPVerifier.CertificateStatus.Good);
            }
            catch (OCSPExpection ocspe)
            {
                throw ocspe;//send to API user.
            }
            catch (WebException webx)
            {
                throw new OCSPExpection("Exception in accessing OCSP web server. Error: " + webx.Message);
            }
            catch (Exception)
            {
                //If any general exception is raised then there is a problem in validation, so return false.
                return(false);
            }
        }
Example #2
0
        /// <summary>
        /// Validates the certificate using CRL
        /// </summary>
        /// <param name="eeCert">End entity certificate to be validated</param>
        /// <param name="issuerCert">Issuer of the end entity certificate to be used in validating</param>
        /// <param name="online">CRL validation should be on-line or by using a file</param>
        /// <param name="CRLfilepath">Optional CRL file path required if the on-line parameters is false</param>
        /// <param name="proxy">Optional if a web proxy is required</param>
        /// <returns>Validation status of the end entity certificate</returns>
        /// <exception cref="CRLExpection">Thrown when there problem with the CRL</exception>
        public static bool ValidateCertificateWithCRL(X509Certificate2 eeCert, X509Certificate2 issuerCert, bool online, string CRLfilepath = null, WebProxy proxy = null)
        {
            Org.BouncyCastle.X509.X509Certificate bouncyeecert     = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(eeCert);
            Org.BouncyCastle.X509.X509Certificate bouncyissuercert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuerCert);

            if (!bouncyeecert.IssuerDN.Equivalent(bouncyissuercert.SubjectDN))
            {
                return(false); //Not the same issuer.
            }
            try
            {
                bouncyeecert.CheckValidity();
                bouncyeecert.Verify(bouncyissuercert.GetPublicKey());
            }
            catch (Exception)
            {
                return(false); /*The issuer public key does not match the signature in the certificate.*/
            }

            try
            {
                CRLVerifier crl = null;
                crlDictionary.TryGetValue(issuerCert.GetCertHashString(), out crl);
                if (crl == null)
                {
                    crl = new CRLVerifier(issuerCert);
                    crlDictionary.Add(issuerCert.GetCertHashString(), crl);
                }

                bool IsInCRL = false;
                if (online)
                {
                    IsInCRL = crl.IsCertificateInOnlineCRL(eeCert, crl.GetBaseCrlUrl(eeCert), proxy);
                }
                else
                {
                    IsInCRL = crl.IsCertificateInCrlFile(eeCert, CRLfilepath);
                }
                return(!IsInCRL);
            }
            catch (CRLExpection crle)
            {
                throw crle;//send to API user.
            }
            catch (WebException webx)
            {
                throw new CRLExpection("Exception in accessing CRL web server. Error: " + webx.Message);
            }
            catch (IOException iox)
            {
                throw new CRLExpection("Exception in accessing CRL file. Error: " + iox.Message);
            }
            catch (Exception)
            {
                return(false);
            }
        }
Example #3
0
        } // End Function GenerateCertificate

        static bool ValidateSelfSignedCert(
            Org.BouncyCastle.X509.X509Certificate cert,
            Org.BouncyCastle.Crypto.ICipherParameters pubKey
            )
        {
            cert.CheckValidity(System.DateTime.UtcNow);
            byte[] tbsCert = cert.GetTbsCertificate(); // (TBS is short for To Be Signed), see RFC5280 for all the gory details.
            byte[] sig     = cert.GetSignature();

            Org.BouncyCastle.Crypto.ISigner signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner(
                cert.SigAlgName
                );

            signer.Init(false, pubKey);
            signer.BlockUpdate(tbsCert, 0, tbsCert.Length);
            return(signer.VerifySignature(sig));
        } // End Function ValidateSelfSignedCert