private static OcesEnvironment GetEnvironmentForRoot(Ca ca)
{
if (!ca.IsRoot)
{
return(GetEnvironmentForRoot(ca.IssuingCa));
}
return(RootCertificates.GetEnvironment(ca));
}
public bool IsRevoked(Ca ca)
{
if (ca.IsRoot)
{
return(false);
}
OcesEnvironment environment = RootCertificates.GetEnvironment(ca.IssuingCa);
return(DownloadCrl(ca, environment).IsRevoked(ca) || IsRevoked(ca.IssuingCa));
}
static bool CheckCertificate(IOcesCertificate certificate)
{
var environment = RootCertificates.GetEnvironment(certificate.IssuingCa);
string serverUrl = certificate.OcspUrl;
var reqAndId = RequestGenerator.CreateOcspRequest(certificate);
OcspResp resp = Requester.Send(reqAndId.Request, serverUrl);
return(ResponseParser.CertificateIsValid(reqAndId.Id, resp, certificate));
}
static void AppendRootIfMissing(IList <X509Certificate2> certificates)
{
if (certificates.Count == 0)
{
return;
}
var last = certificates[certificates.Count - 1];
if (!IsSelfSigned(last))
{
certificates.Add(RootCertificates.LookupCertificateBySubjectDn(last.IssuerName));
}
}
/// <summary>
/// The partitioned CRL to check for revocation is retrieved using LDAP.
/// </summary>
public bool IsRevoked(IOcesCertificate certificate)
{
string ldapPath = certificate.PartitionedCrlDistributionPoint;
OcesEnvironment environment = RootCertificates.GetEnvironment(certificate.IssuingCa);
Crl crl = _crlDownloader.Download(environment, ldapPath);
if (!crl.IsPartial())
{
throw new InvalidCrlException("Crl was downloaded successfully, but is not a partial CRL:" + ldapPath);
}
if (!crl.IsCorrectPartialCrl(ldapPath))
{
throw new InvalidCrlException("Crl was downloaded successfully, but is not the correct partitioned crl:" + ldapPath);
}
return(crl.IsRevoked(certificate) || IsRevoked(certificate.IssuingCa));
}
/// <summary>
/// This method is used verify that a connection can be made to the LDAP directory holding
/// the root certificate for all environments begin set using the {@link Environments} class.
/// </summary>
public static void VerifyRootCertificateFromLdap()
{
foreach (var environment in Environments.TrustedEnvironments)
{
using (var connection = LdapFactory.CreateLdapConnection(environment))
{
var ldapRootProp = Properties.Get("ldap.ca.dn.danid." + environment);
var request = new SearchRequest(ldapRootProp, (string)null, SearchScope.Base, LdapFactory.RootCertificateBinary);
var response = (SearchResponse)connection.SendRequest(request);
var bytes = (byte[])response.Entries[0].Attributes[LdapFactory.RootCertificateBinary][0];
var rootCertificateFromLdap = new X509Certificate2(bytes);
var rootCertificate = RootCertificates.LookupCertificate(environment);
if (rootCertificateFromLdap.Equals(rootCertificate))
{
Logger.Info("Root certificate retrieved from LDAP with DN: " + rootCertificateFromLdap.SubjectName);
}
else
{
Logger.Error("ERROR: Could not retrieve root certificate from LDAP for environment " + environment);
}
}
}
}
static bool IsAlive(string ocspUrl)
{
if (Environments.TrustedEnvironments.Contains(OcesEnvironment.OcesIDanidEnvDevelopment))
{
Logger.Info("OCSP checking is not supported in this environment. Assuming certificate is not revoked");
return(false);
}
try
{
var environments = Environments.TrustedEnvironments;
if (environments == null || environments.Count() == 0)
{
throw new InvalidOperationException("No trusted enviroment has been set");
}
Logger.Debug("validate certificate serial number 1 for url: " + ocspUrl);
var rootCertificate = RootCertificates.LookupCertificate(environments.First());
// validate certificate serial number 1
var ocspRequest = RequestGenerator.CreateOcspRequest(rootCertificate, "1");
PostOcspRequest(ocspRequest.Request, rootCertificate, ocspUrl, "1");
return(true);
}
catch (WebException e)
{
throw new ArgumentException("Unknown ocsp url", e);
}
catch (OcspException e)
{
throw new InternalException("Could not ping OCSP responder", e);
}
}
