/// <summary> /// An X509Certificate may contain information about his issuer in the AIA attribute. /// </summary> public virtual ICertificateSource GetWrappedCertificateSource() { if (sourceFactory != null) { ICertificateSource source = sourceFactory.CreateAIACertificateSource(GetCertificate()); return(source); } else { return(null); } }
/// <summary> /// Validate the timestamp /// </summary> public virtual void ValidateTimestamp(TimestampToken timestamp, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { if (timestamp is null) { throw new ArgumentNullException(nameof(timestamp)); } AddNotYetVerifiedToken(timestamp); Validate( timestamp.GetTimeStamp().TimeStampInfo.GenTime, new CompositeCertificateSource(timestamp.GetWrappedCertificateSource(), optionalSource), optionalCRLSource, optionalOCPSSource, usedCerts); }
/// <summary> /// The default constructor for ValidationContextV2. /// </summary> /// <param> /// The certificate that will be validated. /// </param> public ValidationContext(X509Certificate certificate, DateTime validationDate, ICAdESLogger cadesLogger, IOcspSource ocspSource, ICrlSource crlSource, ICertificateSource certificateSource, Func <IOcspSource, ICrlSource, ICertificateStatusVerifier> certificateVerifierFactory, Func <CertificateAndContext, CertificateToken> certificateTokenFactory) { this.certificateTokenFactory = certificateTokenFactory; OcspSource = ocspSource; CrlSource = crlSource; TrustedListCertificatesSource = certificateSource; logger = cadesLogger; if (certificate != null) { logger?.Info("New context for " + certificate.SubjectDN); var trustedCert = TrustedListCertificatesSource?.GetCertificateBySubjectName(certificate.SubjectDN)?.FirstOrDefault(); Certificate = certificate; AddNotYetVerifiedToken(certificateTokenFactory(trustedCert ?? new CertificateAndContext(certificate))); } ValidationDate = validationDate; this.certificateVerifierFactory = certificateVerifierFactory; }
public virtual IValidationContext ValidateCertificate( X509Certificate cert, DateTime validationDate, ICertificateSource optionalCertificateSource, IList <CertificateAndContext> usedCerts, ICrlSource optionalCRLSource = null, IOcspSource optionalOCSPSource = null, ICAdESLogger CadesLogger = null) { if (cert == null || validationDate == null) { throw new ArgumentNullException("A validation context must contains a cert and a validation date"); } var alreadyUsed = cache.FirstOrDefault(x => x.Certificate == cert && x.ValidationDate == validationDate); if (alreadyUsed != null) { return(alreadyUsed); } var context = validationContextFactory(cert, validationDate, CadesLogger); context.Validate(validationDate, optionalCertificateSource, optionalCRLSource, optionalOCSPSource, usedCerts); cache.Add(context); return(context); }
private void CreateCertificate(CertificateTask task, ICertificateSource source, IEnumerable <CertificateFile> files) { var savedFiles = new List <CertificateFile>(); using (var transaction = new TransactionScope(OnDispose.Rollback)) { var certificate = Certificate.Queryable.FirstOrDefault( c => c.CatalogProduct.Id == task.CatalogProduct.Id && c.SerialNumber == task.SerialNumber); if (certificate == null) { certificate = new Certificate { CatalogProduct = task.CatalogProduct, SerialNumber = task.SerialNumber }; _logger.DebugFormat("При обработке задачи {0} будет создан сертификат", task); } else { _logger.DebugFormat("При обработке задачи {0} будет использоваться сертификат c Id:{1}", task, certificate.Id); } foreach (var file in files) { file.CertificateSource = task.CertificateSource; var exist = Find(file) ?? file; certificate.NewFile(exist); if (exist != file) { exist.LocalFile = file.LocalFile; _logger.DebugFormat("При обработке задачи {0} будет использоваться файл сертификата {1}", task, exist); } else { _logger.DebugFormat("При обработке задачи {0} будет создан файл сертификата {1}", task, exist); } savedFiles.Add(exist); } certificate.Save(); task.Delete(); var session = ActiveRecordMediator.GetSessionFactoryHolder().CreateSession(typeof(ActiveRecordBase)); try { session.CreateSQLQuery(@" update documents.Certificates c, catalogs.Products p, documents.DocumentBodies db set db.CertificateId = c.Id where c.Id = :certificateId and p.CatalogId = c.catalogId and db.ProductId is not null and db.SerialNumber is not null and db.ProductId = p.Id and db.SerialNumber = :serialNumber and db.CertificateId is null; " ) .SetParameter("certificateId", certificate.Id) .SetParameter("serialNumber", task.DocumentLine.SerialNumber) .ExecuteUpdate(); } finally { ActiveRecordMediator.GetSessionFactoryHolder().ReleaseSession(session); } transaction.VoteCommit(); } foreach (var file in savedFiles) { var fileName = file.RemoteFile; var fullFileName = Path.Combine(Settings.Default.CertificatePath, fileName); try { if (File.Exists(fullFileName)) { File.Delete(fullFileName); _logger.InfoFormat( "Будет произведено обновление файла сертификата {0} с Id {1} для сертификата {2}", file.LocalFile, file.Id, task); } File.Copy(file.LocalFile, fullFileName); } catch (Exception exception) { _logger.WarnFormat( "При копировании файла {0} для сертификата {1} возникла ошибка: {2}", file.LocalFile, task, exception); } } }
/// <summary> /// Build the validation context for the specific date /// </summary> public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { int previousSize = RevocationInfo.Count; int previousVerified = VerifiedTokenCount(); ISignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource); CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate); RevocationData data = null; if (issuer == null) { logger?.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { usedCerts?.Add(issuer); AddNotYetVerifiedToken(certificateTokenFactory(issuer)); if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN)) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); } Validate(trustedToken, noNeedToValidate); } else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { logger?.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new Exception("Not supported token type " + signedToken.GetType().Name); } } } Validate(signedToken, data); logger?.Info(ToString()); int newSize = RevocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts); } } }
internal virtual CertificateAndContext GetIssuerCertificate(ISignedToken signedToken, ICertificateSource optionalSource, DateTime validationDate) { if (signedToken.GetSignerSubjectName() == null) { return(null); } IList <CertificateAndContext> list = new CompositeCertificateSource(TrustedListCertificatesSource, optionalSource).GetCertificateBySubjectName(signedToken.GetSignerSubjectName()); if (list != null) { foreach (CertificateAndContext cert in list) { logger?.Info(cert.ToString()); if (validationDate != null) { try { cert.Certificate.CheckValidity(validationDate); } catch (CertificateExpiredException) { logger?.Info(WasExpiredMessage); continue; } catch (CertificateNotYetValidException) { logger?.Info(WasNotYetValidMessage); continue; } if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST && cert.Context != null) { ServiceInfo info = (ServiceInfo)cert.Context; if (info.StatusStartingDateAtReferenceTime != null && validationDate.CompareTo( //jbonilla Before info.StatusStartingDateAtReferenceTime) < 0) { logger?.Info(WasNotValidTSLMessage); continue; } else { if (info.StatusEndingDateAtReferenceTime != null && validationDate.CompareTo(info //jbonilla After .StatusEndingDateAtReferenceTime) > 0) { logger?.Info(WasNotValidTSLMessage); continue; } } } } if (signedToken.IsSignedBy(cert.Certificate)) { return(cert); } } } return(null); }
private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs, X509Certificate signingCertificate, SignatureParameters parameters, DateTime signingTime, ICertificateSource optionalCertificateSource) { var usedCerts = new List <CertificateAndContext>(); var validationContext = CertificateVerifier.ValidateCertificate( signingCertificate, signingTime, new CompositeCertificateSource(new ListCertificateSource(parameters.CertificateChain), optionalCertificateSource), usedCerts); var completeCertificateRefs = new List <OtherCertID>(); var completeRevocationRefs = new List <CrlOcspRef>(); foreach (CertificateAndContext c in validationContext.NeededCertificates) { if (!c.Equals(signingCertificate)) { completeCertificateRefs.Add(MakeOtherCertID(c.Certificate)); } List <CrlValidatedID> crlListIdValues = new List <CrlValidatedID>(); List <OcspResponsesID> ocspListIDValues = new List <OcspResponsesID>(); foreach (X509Crl relatedcrl in validationContext.GetRelatedCRLs(c)) { crlListIdValues.Add(MakeCrlValidatedID(relatedcrl)); } foreach (BasicOcspResp relatedocspresp in validationContext.GetRelatedOCSPResp(c)) { ocspListIDValues.Add(MakeOcspResponsesID(relatedocspresp)); } completeRevocationRefs.Add(new CrlOcspRef(new CrlListID(crlListIdValues.ToArray()), new OcspListID(ocspListIDValues.ToArray()), null)); } unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertificateRefs, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertificateRefs, new DerSet(new DerSequence(completeCertificateRefs.ToArray())))); unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationRefs, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationRefs, new DerSet(new DerSequence(completeRevocationRefs.ToArray())))); return(unsignedAttrs); }
private IDictionary ExtendUnsignedAttributes(IDictionary unsignedAttrs, X509Certificate signingCertificate, DateTime signingDate, ICertificateSource optionalCertificateSource) { var validationContext = CertificateVerifier.ValidateCertificate(signingCertificate, signingDate, optionalCertificateSource, null, null); List <X509CertificateStructure> certificateValues = new List <X509CertificateStructure>(); List <CertificateList> crlValues = new List <CertificateList>(); List <BasicOcspResponse> ocspValues = new List <BasicOcspResponse>(); foreach (CertificateAndContext c in validationContext.NeededCertificates) { if (!c.Equals(signingCertificate)) { certificateValues.Add(X509CertificateStructure.GetInstance(((Asn1Sequence)Asn1Object.FromByteArray(c.Certificate.GetEncoded())))); } } foreach (X509Crl relatedcrl in validationContext.NeededCRL) { crlValues.Add(CertificateList.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedcrl.GetEncoded()))); } foreach (BasicOcspResp relatedocspresp in validationContext.NeededOCSPResp) { ocspValues.Add((BasicOcspResponse.GetInstance((Asn1Sequence)Asn1Object.FromByteArray(relatedocspresp.GetEncoded())))); } RevocationValues revocationValues = new RevocationValues(crlValues.ToArray(), ocspValues.ToArray(), null); unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsRevocationValues, new DerSet(revocationValues))); unsignedAttrs.Add(PkcsObjectIdentifiers.IdAAEtsCertValues, new BcCms.Attribute(PkcsObjectIdentifiers.IdAAEtsCertValues, new DerSet(new DerSequence(certificateValues.ToArray())))); return(unsignedAttrs); }