/// <summary> /// Validates the certificate using OCSP server /// </summary> /// <param name="eecert">End entity certificate to be validated</param> /// <param name="issuerCert">Issuer of the end entity certificate to be used in validating</param> /// <param name="proxy">Optional if a web proxy is required</param> /// <returns>Validation status of the end entity certificate</returns> /// <exception cref="OCSPExpection">Thrown when there is no OCSP URL in certificate or the OCSP URL in unreachable<exception> public static bool ValidateCertificateWithOCSP(X509Certificate2 eecert, X509Certificate2 issuerCert, WebProxy proxy = null) { Org.BouncyCastle.X509.X509Certificate bouncyeecert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(eecert); Org.BouncyCastle.X509.X509Certificate bouncyissuercert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuerCert); if (!bouncyeecert.IssuerDN.Equivalent(bouncyissuercert.SubjectDN)) { return(false); //Not the same issuer. } try { bouncyeecert.CheckValidity(); bouncyeecert.Verify(bouncyissuercert.GetPublicKey()); OCSPVerifier crypto = new OCSPVerifier(); return(crypto.Query(bouncyeecert, bouncyissuercert, proxy) == OCSPVerifier.CertificateStatus.Good); } catch (OCSPExpection ocspe) { throw ocspe;//send to API user. } catch (WebException webx) { throw new OCSPExpection("Exception in accessing OCSP web server. Error: " + webx.Message); } catch (Exception) { //If any general exception is raised then there is a problem in validation, so return false. return(false); } }
/// <summary> /// Validates the certificate using CRL /// </summary> /// <param name="eeCert">End entity certificate to be validated</param> /// <param name="issuerCert">Issuer of the end entity certificate to be used in validating</param> /// <param name="online">CRL validation should be on-line or by using a file</param> /// <param name="CRLfilepath">Optional CRL file path required if the on-line parameters is false</param> /// <param name="proxy">Optional if a web proxy is required</param> /// <returns>Validation status of the end entity certificate</returns> /// <exception cref="CRLExpection">Thrown when there problem with the CRL</exception> public static bool ValidateCertificateWithCRL(X509Certificate2 eeCert, X509Certificate2 issuerCert, bool online, string CRLfilepath = null, WebProxy proxy = null) { Org.BouncyCastle.X509.X509Certificate bouncyeecert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(eeCert); Org.BouncyCastle.X509.X509Certificate bouncyissuercert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuerCert); if (!bouncyeecert.IssuerDN.Equivalent(bouncyissuercert.SubjectDN)) { return(false); //Not the same issuer. } try { bouncyeecert.CheckValidity(); bouncyeecert.Verify(bouncyissuercert.GetPublicKey()); } catch (Exception) { return(false); /*The issuer public key does not match the signature in the certificate.*/ } try { CRLVerifier crl = null; crlDictionary.TryGetValue(issuerCert.GetCertHashString(), out crl); if (crl == null) { crl = new CRLVerifier(issuerCert); crlDictionary.Add(issuerCert.GetCertHashString(), crl); } bool IsInCRL = false; if (online) { IsInCRL = crl.IsCertificateInOnlineCRL(eeCert, crl.GetBaseCrlUrl(eeCert), proxy); } else { IsInCRL = crl.IsCertificateInCrlFile(eeCert, CRLfilepath); } return(!IsInCRL); } catch (CRLExpection crle) { throw crle;//send to API user. } catch (WebException webx) { throw new CRLExpection("Exception in accessing CRL web server. Error: " + webx.Message); } catch (IOException iox) { throw new CRLExpection("Exception in accessing CRL file. Error: " + iox.Message); } catch (Exception) { return(false); } }
} // End Function GenerateCertificate static bool ValidateSelfSignedCert( Org.BouncyCastle.X509.X509Certificate cert, Org.BouncyCastle.Crypto.ICipherParameters pubKey ) { cert.CheckValidity(System.DateTime.UtcNow); byte[] tbsCert = cert.GetTbsCertificate(); // (TBS is short for To Be Signed), see RFC5280 for all the gory details. byte[] sig = cert.GetSignature(); Org.BouncyCastle.Crypto.ISigner signer = Org.BouncyCastle.Security.SignerUtilities.GetSigner( cert.SigAlgName ); signer.Init(false, pubKey); signer.BlockUpdate(tbsCert, 0, tbsCert.Length); return(signer.VerifySignature(sig)); } // End Function ValidateSelfSignedCert