Example #1
0
 private static OcesEnvironment GetEnvironmentForRoot(Ca ca)
 {
     if (!ca.IsRoot)
     {
         return(GetEnvironmentForRoot(ca.IssuingCa));
     }
     return(RootCertificates.GetEnvironment(ca));
 }
        public bool IsRevoked(Ca ca)
        {
            if (ca.IsRoot)
            {
                return(false);
            }
            OcesEnvironment environment = RootCertificates.GetEnvironment(ca.IssuingCa);

            return(DownloadCrl(ca, environment).IsRevoked(ca) || IsRevoked(ca.IssuingCa));
        }
Example #3
0
        static bool CheckCertificate(IOcesCertificate certificate)
        {
            var    environment = RootCertificates.GetEnvironment(certificate.IssuingCa);
            string serverUrl   = certificate.OcspUrl;

            var      reqAndId = RequestGenerator.CreateOcspRequest(certificate);
            OcspResp resp     = Requester.Send(reqAndId.Request, serverUrl);

            return(ResponseParser.CertificateIsValid(reqAndId.Id, resp, certificate));
        }
Example #4
0
        static void AppendRootIfMissing(IList <X509Certificate2> certificates)
        {
            if (certificates.Count == 0)
            {
                return;
            }
            var last = certificates[certificates.Count - 1];

            if (!IsSelfSigned(last))
            {
                certificates.Add(RootCertificates.LookupCertificateBySubjectDn(last.IssuerName));
            }
        }
        /// <summary>
        /// The partitioned CRL to check for revocation is retrieved using LDAP.
        /// </summary>
        public bool IsRevoked(IOcesCertificate certificate)
        {
            string          ldapPath    = certificate.PartitionedCrlDistributionPoint;
            OcesEnvironment environment = RootCertificates.GetEnvironment(certificate.IssuingCa);

            Crl crl = _crlDownloader.Download(environment, ldapPath);

            if (!crl.IsPartial())
            {
                throw new InvalidCrlException("Crl was downloaded successfully, but is not a partial CRL:" + ldapPath);
            }
            if (!crl.IsCorrectPartialCrl(ldapPath))
            {
                throw new InvalidCrlException("Crl was downloaded successfully, but is not the correct partitioned crl:" + ldapPath);
            }


            return(crl.IsRevoked(certificate) || IsRevoked(certificate.IssuingCa));
        }
Example #6
0
 /// <summary>
 /// This method is used verify that a connection can be made to the LDAP directory holding
 /// the root certificate for all environments begin set using the {@link Environments} class.
 /// </summary>
 public static void VerifyRootCertificateFromLdap()
 {
     foreach (var environment in Environments.TrustedEnvironments)
     {
         using (var connection = LdapFactory.CreateLdapConnection(environment))
         {
             var ldapRootProp            = Properties.Get("ldap.ca.dn.danid." + environment);
             var request                 = new SearchRequest(ldapRootProp, (string)null, SearchScope.Base, LdapFactory.RootCertificateBinary);
             var response                = (SearchResponse)connection.SendRequest(request);
             var bytes                   = (byte[])response.Entries[0].Attributes[LdapFactory.RootCertificateBinary][0];
             var rootCertificateFromLdap = new X509Certificate2(bytes);
             var rootCertificate         = RootCertificates.LookupCertificate(environment);
             if (rootCertificateFromLdap.Equals(rootCertificate))
             {
                 Logger.Info("Root certificate retrieved from LDAP with DN: " + rootCertificateFromLdap.SubjectName);
             }
             else
             {
                 Logger.Error("ERROR: Could not retrieve root certificate from LDAP for environment " + environment);
             }
         }
     }
 }
Example #7
0
        static bool IsAlive(string ocspUrl)
        {
            if (Environments.TrustedEnvironments.Contains(OcesEnvironment.OcesIDanidEnvDevelopment))
            {
                Logger.Info("OCSP checking is not supported in this environment. Assuming certificate is not revoked");
                return(false);
            }

            try
            {
                var environments = Environments.TrustedEnvironments;

                if (environments == null || environments.Count() == 0)
                {
                    throw new InvalidOperationException("No trusted enviroment has been set");
                }

                Logger.Debug("validate certificate serial number 1 for url: " + ocspUrl);


                var rootCertificate = RootCertificates.LookupCertificate(environments.First());

                // validate certificate serial number 1
                var ocspRequest = RequestGenerator.CreateOcspRequest(rootCertificate, "1");
                PostOcspRequest(ocspRequest.Request, rootCertificate, ocspUrl, "1");
                return(true);
            }
            catch (WebException e)
            {
                throw new ArgumentException("Unknown ocsp url", e);
            }
            catch (OcspException e)
            {
                throw new InternalException("Could not ping OCSP responder", e);
            }
        }