 /// <summary>
 /// Records the identity attributes of an authenticated OCES certificate in the session.
 /// A <see cref="PocesCertificate"/> contributes its PID; any other certificate is treated
 /// as a <see cref="MocesCertificate"/> and contributes RID and CVR.
 /// </summary>
 /// <param name="certificate">the certificate whose attributes are stored</param>
 private void SetAttributesForMocesOrPoces(OcesCertificate certificate)
 {
     var poces = certificate as PocesCertificate;
     if (poces != null)
     {
         Session.Add(KeyType, "POCES");
         Session.Add(KeyPid, poces.Pid);
         return;
     }

     // NOTE(review): there is no type test on this path; a certificate that is neither
     // POCES nor MOCES fails the cast below with an InvalidCastException after KeyType
     // has already been written. Callers are presumably expected to filter beforehand.
     Session.Add(KeyType, "MOCES");
     var moces = (MocesCertificate)certificate;
     Session.Add(KeyRid, moces.Rid);
     Session.Add(KeyCvr, moces.Cvr);
 }
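 /// <summary>
 /// Raised when revocation checking reports the given certificate as revoked.
 /// </summary>
 /// <param name="certificate">the revoked certificate; its subject DN is embedded in the message</param>
 public CertificateIsRevokedException(OcesCertificate certificate)
     // Space before "is" restored: the original produced "Certificate CN=...is revoked".
     : base("Certificate " + certificate.SubjectDistinguishedName + " is revoked")
 {
 }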
        /// <summary>
        /// Checks that a full CRL can be retrieved and is valid. Expects that an environment has been set up.
        /// </summary>
        /// <returns><code>true</code> if the CRL is retrieved or else false</returns>
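        /// <summary>
        /// Checks that a full CRL can be retrieved for the certificate's issuer and that the
        /// retrieved CRL is valid. Expects that an environment has been set up.
        /// </summary>
        /// <param name="ocesCertificate">certificate whose issuer CRL is fetched</param>
        /// <returns><code>true</code> only if a CRL was retrieved <b>and</b> <c>Crl.IsValid</c>
        /// reports it valid; <code>false</code> if retrieval returned <c>null</c> or the CRL is invalid</returns>
        public static bool VerifyFullCrl(OcesCertificate ocesCertificate)
        {
            // Retrieval may yield null; guard before touching IsValid.
            var crl = CertificateRevocationHandler.RetrieveFullCrl(ocesCertificate);
            if (crl == null)
            {
                return false;
            }

            return crl.IsValid;
        }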
 /// <summary>
 /// Pairs a certificate with the status determined for it.
 /// </summary>
 /// <param name="certificate">the certificate that was examined</param>
 /// <param name="certificateStatus">the status assigned to <paramref name="certificate"/></param>
 public CertificateAndStatus(OcesCertificate certificate,
                             CertificateStatus certificateStatus)
 {
     // Plain value holder: both properties are set once here.
     CertificateStatus = certificateStatus;
     Certificate       = certificate;
 }
        /// <summary>
        /// Asks the OCSP responder of the current Environment whether the certificate is revoked.
        /// </summary>
        /// <param name="certificate">certificate to verify</param>
        /// <returns><c>true</c> if the certificate is <b>revoked</b>, <c>false</c> otherwise.
        /// Note the inverted sense relative to the method name: a "verified" (good) certificate
        /// yields <c>false</c>.</returns>
        public static bool VerifyCertificateWithOcsp(OcesCertificate certificate)
        {
            // A fresh checker per call; the instance holds no state worth sharing here.
            return new OcspCertificateRevocationChecker().IsRevoked(certificate);
        }
 /// <summary>
 /// Downloads the full CRL that covers the given certificate via the shared
 /// <c>FullCrlRevocationChecker</c> instance.
 /// </summary>
 /// <param name="certificate">to retrieve full CRL for</param>
 /// <returns>the full CRL for the given certificate (may be <c>null</c> if the download yields none — see callers that test for it)</returns>
 public static Crl RetrieveFullCrl(OcesCertificate certificate)
 {
     var checker = FullCrlRevocationChecker.Instance;
     Crl crl = checker.DownloadCrl(certificate);
     return crl;
 }
 /// <summary>
 /// Raised when a certificate could not be chained to any of the trusted environments.
 /// </summary>
 /// <param name="ocesCertificate">the certificate whose trust could not be established</param>
 /// <param name="environments">the environments that were consulted</param>
 public TrustCouldNotBeVerifiedException(OcesCertificate ocesCertificate,
                                         IEnumerable <OcesEnvironment> environments) : base("Could not verify trust")
 {
     // Kept on the exception so callers can report which environments were tried.
     TrustedEnvironments = environments;
     OcesCertificate     = ocesCertificate;
 }
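        /// <summary>
        /// Applies the acceptance checks of RFC 6960 section 3.2 to a basic OCSP response:
        /// exactly one SingleResponse whose CertID matches the request, a signer that chains to
        /// <paramref name="ca"/>, a response signature that verifies under the signer's key,
        /// a signer authorised for OCSP signing and currently valid, and thisUpdate/nextUpdate
        /// bounds that make the reported status current.
        /// </summary>
        /// <param name="id">CertID that was sent in the OCSP request</param>
        /// <param name="basicResp">the basic response received from the responder</param>
        /// <param name="ocspCertificate">certificate whose key is expected to have signed the response</param>
        /// <param name="ca">CA that <paramref name="ocspCertificate"/> must chain to</param>
        /// <exception cref="OcspException">if any check fails. The certificate status carried by the
        /// response (good/revoked/unknown) is not examined here; the caller must do that.</exception>
        private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca)
        {
            // Taken once so every time comparison below refers to the same instant.
            DateTime nowInGmt = DateTime.UtcNow;

            /* check condition:
             *   The certificate identified in a received response corresponds to
             *   that which was identified in the corresponding request;
             */
            SingleResp[] responses = basicResp.Responses;
            if (responses.Length != 1)
            {
                throw new OcspException("unexpected number of responses received");
            }

            SingleResp response = responses[0];

            // Compare the whole CertID (hash algorithm, issuer name hash, issuer key hash and
            // serial number), not only the serial: serial numbers are unique per issuer, so a
            // serial-only match would accept a response issued for another CA's certificate.
            if (!new CertificateID(id).Equals(response.GetCertID()))
            {
                throw new OcspException("CertID mismatch between OCSP request and response");
            }

            /* check condition
             * The signature on the response is valid;
             */
            // NOTE(review): ChainVerifier.VerifyTrust is assumed to require that the signer is
            // either the CA itself or directly issued by it (RFC 6960 section 4.2.2.2) — confirm
            // that ChainVerifier does not accept arbitrary depth under the CA.
            var exportedSigner = ocspCertificate.ExportCertificate();
            try
            {
                ChainVerifier.VerifyTrust(exportedSigner, ca);
            }
            catch (ChainVerificationException e)
            {
                throw new OcspException("OCSP response certificate chain is invalid", e);
            }

            /* check the signature on the ocsp response */
            var ocspBcCertificate = new X509CertificateParser().ReadCertificate(exportedSigner.RawData);

            if (!basicResp.Verify(ocspBcCertificate.GetPublicKey()))
            {
                throw new OcspException("signature validation failed for ocsp response");
            }

            // Signer must be explicitly cleared for OCSP signing (id-kp-OCSPSigning or the CA itself).
            if (!CanSignOcspResponses(ocspBcCertificate))
            {
                throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing");
            }

            /* check expiry of the signing certificate */
            if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid)
            {
                throw new OcspException("OCSP certificate expired or not yet valid");
            }

            /* check condition
             * The time at which the status being indicated is known to be
             * correct (thisUpdate) is sufficiently recent.
             */
            // One minute of clock skew is tolerated for thisUpdate lying in the future.
            var diff = response.ThisUpdate - nowInGmt;

            if (diff > new TimeSpan(0, 1, 0))
            {
                throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: "
                                        + response.ThisUpdate);
            }

            // NOTE(review): when nextUpdate is absent no upper bound on the age of thisUpdate is
            // enforced, so an arbitrarily old (replayed) response passes this check. Whether a
            // maximum age should be imposed is a policy decision for the caller. The request nonce
            // is likewise not compared here because the request is not available to this method.
            if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt)
            {
                throw new OcspException("OCSP response is no longer valid");
            }
        }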