/// <param name="cert"></param>
/// <returns></returns>
public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext
cert)
{
if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
{
CertificateStatus status = new CertificateStatus();
status.Validity = CertificateValidity.VALID;
status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST;
status.Certificate = cert.GetCertificate();
return(status);
}
CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);
if (issuer == null)
{
return(null);
}
IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp);
ICrlSource crlSource = new ListCRLSource(neededCRL);
OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
verifier.SetCrlSource(crlSource);
verifier.SetOcspSource(ocspSource);
return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate
()));
}
public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer
, DateTime validationDate)
{
CertificateStatusVerifier ocspVerifier = new OCSPCertificateVerifier(GetOcspSource
());
//LOG.Info("OCSP request for " + cert.SubjectDN);
CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate
);
if (result != null && result.Validity != CertificateValidity.UNKNOWN)
{
//LOG.Info("OCSP validation done, don't need for CRL");
return(result);
}
else
{
//LOG.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN);
CRLCertificateVerifier crlVerifier = new CRLCertificateVerifier(GetCrlSource());
result = crlVerifier.Check(cert, potentialIssuer, validationDate);
if (result != null && result.Validity != CertificateValidity.UNKNOWN)
{
//LOG.Info("CRL check has been performed. Valid or not, the verification is done");
return(result);
}
else
{
//LOG.Info("We had no response from OCSP nor CRL");
return(null);
}
}
}
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext
potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource
optionalOCSPSource)
{
if (optionalCRLSource != null || optionalOCSPSource != null)
{
LOG.Info("Verify with offline services");
OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
verifier.SetCrlSource(optionalCRLSource);
verifier.SetOcspSource(optionalOCSPSource);
CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer.
GetCertificate(), validationDate);
if (status != null)
{
return(status);
}
}
LOG.Info("Verify with online services");
OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier(
);
onlineVerifier.SetCrlSource(crlSource);
onlineVerifier.SetOcspSource(ocspSource);
return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate
(), validationDate));
}
/// <summary>The default constructor for RevocationVerificationResult.</summary>
/// <remarks>The default constructor for RevocationVerificationResult.</remarks>
public RevocationVerificationResult(CertificateStatus certificateStatus)
{
if (certificateStatus != null)
{
this.certificateStatus = certificateStatus;
}
else
{
this.certificateStatus = new CertificateStatus();
this.certificateStatus.Validity = CertificateValidity.UNKNOWN;
}
}
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate
certificate, DateTime validationDate)
{
try
{
CertificateStatus report = new CertificateStatus();
report.Certificate = childCertificate;
report.ValidationDate = validationDate;
report.IssuerCertificate = certificate;
if (crlSource == null)
{
LOG.Warn("CRLSource null");
return null;
}
X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate);
if (x509crl == null)
{
LOG.Info("No CRL found for certificate " + childCertificate.SubjectDN);
return null;
}
if (!IsCRLValid(x509crl, certificate, validationDate))
{
LOG.Warn("The CRL is not valid !");
return null;
}
report.StatusSource = x509crl;
report.Validity = CertificateValidity.UNKNOWN;
report.Certificate = childCertificate;
report.StatusSourceType = ValidatorSourceType.CRL;
report.ValidationDate = validationDate;
X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber);
if (null == crlEntry)
{
LOG.Info("CRL OK for: " + childCertificate.SubjectDN);
report.Validity = CertificateValidity.VALID;
}
else
{
if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After
{
LOG.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate
);
report.Validity = CertificateValidity.VALID;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
}
else
{
LOG.Info("CRL reports certificate: " + childCertificate.SubjectDN
+ " as revoked since " + crlEntry.RevocationDate);
report.Validity = CertificateValidity.REVOKED;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
report.RevocationDate = crlEntry.RevocationDate;
}
}
return report;
}
catch (IOException e)
{
LOG.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message);
return null;
}
}
/// <param name="status">the status to set</param>
public virtual void SetStatus(CertificateStatus status)
{
this.status = status;
}
/// <summary>Build the validation context for the specific date</summary>
/// <param name="validationDate"></param>
/// <param name="optionalSource"></param>
/// <exception cref="System.IO.IOException"></exception>
public virtual void Validate(DateTime validationDate, CertificateSource optionalSource
, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
{
int previousSize = revocationInfo.Count;
int previousVerified = VerifiedTokenCount();
SignedToken signedToken = GetOneNotYetVerifiedToken();
if (signedToken != null)
{
CertificateSource otherSource = optionalSource;
if (signedToken != null)
{
otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource
(), optionalSource);
}
CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate
);
RevocationData data = null;
if (issuer == null)
{
LOG.Warn("Don't found any issuer for token " + signedToken);
data = new RevocationData(signedToken);
}
else
{
AddNotYetVerifiedToken(new CertificateToken(issuer));
if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate
().IssuerDN))
{
SignedToken trustedToken = new CertificateToken(issuer);
RevocationData noNeedToValidate = new RevocationData();
// noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
{
SignedToken trustedToken = new CertificateToken(issuer);
RevocationData noNeedToValidate = new RevocationData();
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (signedToken is CertificateToken)
{
CertificateToken ct = (CertificateToken)signedToken;
CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(),
issuer, validationDate, optionalCRLSource, optionalOCPSSource);
data = new RevocationData(signedToken);
if (status != null)
{
data.SetRevocationData(status.StatusSource);
if (status.StatusSource is X509Crl)
{
AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
}
else
{
if (status.StatusSource is BasicOcspResp)
{
AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
}
}
}
else
{
LOG.Warn("No status for " + signedToken);
}
}
else
{
if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
{
data = new RevocationData(signedToken);
data.SetRevocationData(issuer);
}
else
{
throw new RuntimeException("Not supported token type " + signedToken.GetType().Name
);
}
}
}
Validate(signedToken, data);
LOG.Info(this.ToString());
int newSize = revocationInfo.Count;
int newVerified = VerifiedTokenCount();
if (newSize != previousSize || newVerified != previousVerified)
{
Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource);
}
}
}
