/// <exception cref="System.IO.IOException"></exception>
public virtual ValidationContext ValidateCertificate(X509Certificate cert, DateTime
validationDate, CertificateSource optionalCertificateSource, ICrlSource optionalCRLSource
, IOcspSource optionalOCSPSource)
{
if (cert == null || validationDate == null)
{
throw new ArgumentNullException("A validation context must contains a cert and a validation date"
);
}
ValidationContext previous = validationContextThreadLocal.Value;
if (previous != null && previous.GetCertificate().Equals(cert) && previous.GetValidationDate
().Equals(validationDate))
{
//LOG.Info("We don't need to check twice for the same");
return(previous);
}
ValidationContext context = new ValidationContext(cert, validationDate);
context.SetCrlSource(CrlSource);
context.SetOcspSource(OcspSource);
context.SetTrustedListCertificatesSource(TrustedListCertificatesSource);
context.Validate(validationDate, optionalCertificateSource, optionalCRLSource, optionalOCSPSource
);
validationContextThreadLocal.Value = context;
return(context);
}
/// <summary>
/// The default constructor for ValidationContextV2.
/// </summary>
/// <param>
/// The certificate that will be validated.
/// </param>
public ValidationContext(X509Certificate certificate, DateTime validationDate, ICAdESLogger cadesLogger, IOcspSource ocspSource, ICrlSource crlSource, ICertificateSource certificateSource, Func <IOcspSource, ICrlSource, ICertificateStatusVerifier> certificateVerifierFactory, Func <CertificateAndContext, CertificateToken> certificateTokenFactory)
{
this.certificateTokenFactory = certificateTokenFactory;
OcspSource = ocspSource;
CrlSource = crlSource;
TrustedListCertificatesSource = certificateSource;
logger = cadesLogger;
if (certificate != null)
{
logger?.Info("New context for " + certificate.SubjectDN);
var trustedCert = TrustedListCertificatesSource?.GetCertificateBySubjectName(certificate.SubjectDN)?.FirstOrDefault();
Certificate = certificate;
AddNotYetVerifiedToken(certificateTokenFactory(trustedCert ?? new CertificateAndContext(certificate)));
}
ValidationDate = validationDate;
this.certificateVerifierFactory = certificateVerifierFactory;
}
/// <summary>
/// Create a CertificateVerifier that will use the OCSP Source for checking revocation data.
/// </summary>
/// <remarks>
/// Create a CertificateVerifier that will use the OCSP Source for checking revocation data. The default constructor
/// for OCSPCertificateVerifier.
/// </remarks>
public OCSPCertificateVerifier(IOcspSource ocspSource)
{
this.ocspSource = ocspSource;
}
/// <summary>Set the OCSP source for this verifier</summary>
/// <param name="ocspSource"></param>
public virtual void SetOcspSource(IOcspSource ocspSource)
{
this.ocspSource = ocspSource;
}
/// <summary>Build a OCSPAndCRLCertificateVerifier that will use the provided CRLSource and OCSPSource
/// </summary>
public OCSPAndCRLCertificateVerifier(ICrlSource crlSource, IOcspSource ocspSource)
{
this.crlSource = crlSource;
this.ocspSource = ocspSource;
}
/// <summary>Set the OCSP source for this verifier</summary>
/// <param name="ocspSource"></param>
public virtual void SetOcspSource(IOcspSource ocspSource)
{
this.ocspSource = ocspSource;
}
/// <summary>Build a OCSPAndCRLCertificateVerifier that will use the provided CRLSource and OCSPSource
/// </summary>
public OCSPAndCRLCertificateVerifier(ICrlSource crlSource, IOcspSource ocspSource)
{
this.crlSource = crlSource;
this.ocspSource = ocspSource;
}
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource)
{
if (optionalCRLSource != null || optionalOCSPSource != null)
{
logger?.Info(VerifyWithOfflineServiceMessage);
var verifier = certificateVerifierFactory(optionalOCSPSource, optionalCRLSource);
var status = verifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate);
if (status != null)
{
return(status);
}
}
logger?.Info(VerifyWithOnlineServiceMessage);
var onlineVerifier = certificateVerifierFactory(OcspSource, CrlSource);
return(onlineVerifier.Check(cert.Certificate, potentialIssuer.Certificate, validationDate));
}
/// <summary>
/// Build the validation context for the specific date
/// </summary>
public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
{
int previousSize = RevocationInfo.Count;
int previousVerified = VerifiedTokenCount();
ISignedToken signedToken = GetOneNotYetVerifiedToken();
if (signedToken != null)
{
ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate);
RevocationData data = null;
if (issuer == null)
{
logger?.Warn("Don't found any issuer for token " + signedToken);
data = new RevocationData(signedToken);
}
else
{
usedCerts?.Add(issuer);
AddNotYetVerifiedToken(certificateTokenFactory(issuer));
if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN))
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
}
Validate(trustedToken, noNeedToValidate);
}
else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (signedToken is CertificateToken)
{
CertificateToken ct = (CertificateToken)signedToken;
CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
data = new RevocationData(signedToken);
if (status != null)
{
data.SetRevocationData(status.StatusSource);
if (status.StatusSource is X509Crl)
{
AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
}
else
{
if (status.StatusSource is BasicOcspResp)
{
AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
}
}
}
else
{
logger?.Warn("No status for " + signedToken);
}
}
else
{
if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
{
data = new RevocationData(signedToken);
data.SetRevocationData(issuer);
}
else
{
throw new Exception("Not supported token type " + signedToken.GetType().Name);
}
}
}
Validate(signedToken, data);
logger?.Info(ToString());
int newSize = RevocationInfo.Count;
int newVerified = VerifiedTokenCount();
if (newSize != previousSize || newVerified != previousVerified)
{
Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
}
}
}
/// <summary>
/// Validate the timestamp
/// </summary>
public virtual void ValidateTimestamp(TimestampToken timestamp, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
{
if (timestamp is null)
{
throw new ArgumentNullException(nameof(timestamp));
}
AddNotYetVerifiedToken(timestamp);
Validate(
timestamp.GetTimeStamp().TimeStampInfo.GenTime,
new CompositeCertificateSource(timestamp.GetWrappedCertificateSource(), optionalSource),
optionalCRLSource,
optionalOCPSSource,
usedCerts);
}
/// <summary>Create a CertificateVerifier that will use the OCSP Source for checking revocation data.
/// </summary>
/// <remarks>
/// Create a CertificateVerifier that will use the OCSP Source for checking revocation data. The default constructor
/// for OCSPCertificateVerifier.
/// </remarks>
/// <param name="ocspSource"></param>
public OCSPCertificateVerifier(IOcspSource ocspSource)
{
//jbonilla
//Security.AddProvider(new BouncyCastleProvider());
this.ocspSource = ocspSource;
}
/// <summary>Create a CertificateVerifier that will use the OCSP Source for checking revocation data.
/// </summary>
/// <remarks>
/// Create a CertificateVerifier that will use the OCSP Source for checking revocation data. The default constructor
/// for OCSPCertificateVerifier.
/// </remarks>
/// <param name="ocspSource"></param>
public OCSPCertificateVerifier(IOcspSource ocspSource)
{
//jbonilla
//Security.AddProvider(new BouncyCastleProvider());
this.ocspSource = ocspSource;
}
public virtual IValidationContext ValidateCertificate(
X509Certificate cert, DateTime validationDate, ICertificateSource optionalCertificateSource, IList <CertificateAndContext> usedCerts, ICrlSource optionalCRLSource = null, IOcspSource optionalOCSPSource = null, ICAdESLogger CadesLogger = null)
{
if (cert == null || validationDate == null)
{
throw new ArgumentNullException("A validation context must contains a cert and a validation date");
}
var alreadyUsed = cache.FirstOrDefault(x => x.Certificate == cert && x.ValidationDate == validationDate);
if (alreadyUsed != null)
{
return(alreadyUsed);
}
var context = validationContextFactory(cert, validationDate, CadesLogger);
context.Validate(validationDate, optionalCertificateSource, optionalCRLSource, optionalOCSPSource, usedCerts);
cache.Add(context);
return(context);
}
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext
potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource
optionalOCSPSource)
{
if (optionalCRLSource != null || optionalOCSPSource != null)
{
LOG.Info("Verify with offline services");
OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
verifier.SetCrlSource(optionalCRLSource);
verifier.SetOcspSource(optionalOCSPSource);
CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer.
GetCertificate(), validationDate);
if (status != null)
{
return(status);
}
}
LOG.Info("Verify with online services");
OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier(
);
onlineVerifier.SetCrlSource(crlSource);
onlineVerifier.SetOcspSource(ocspSource);
return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate
(), validationDate));
}
/// <summary>Validate the timestamp</summary>
/// <param name="timestamp"></param>
/// <param name="optionalSource"></param>
/// <param name="optionalCRLSource"></param>
/// <param name="optionalOCPSSource"></param>
/// <exception cref="System.IO.IOException"></exception>
public virtual void ValidateTimestamp(TimestampToken timestamp, CertificateSource
optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
{
AddNotYetVerifiedToken(timestamp);
Validate(timestamp.GetTimeStamp().TimeStampInfo.GenTime, new CompositeCertificateSource
(timestamp.GetWrappedCertificateSource(), optionalSource), optionalCRLSource, optionalOCPSSource
);
}
