protected void ValidateEndpointCertificate(OcesX509Certificate endpointOcesCertificate)
{
RevocationLookupFactory ocspLookupFactory = new RevocationLookupFactory();
IRevocationLookup ocspClient = ocspLookupFactory.CreateRevocationLookupClient();
RevocationResponse ocspStatus = endpointOcesCertificate.CheckRevocationStatus(ocspClient);
switch (ocspStatus.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all okay
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
throw new Exception("Certificate validation error - CertificateRevoked");
//break;
}
case RevocationCheckStatus.NotChecked:
{
throw new Exception("Certificate validation error - NotChecked");
//break;
}
case RevocationCheckStatus.UnknownIssue:
{
throw new Exception("Certificate validation error - UnknownIssue");
// break;
}
default:
{
throw new Exception("Certificate validation error");
// break;
}
}
}
/* /// <summary>
* /// Overrides the method to validate the binding element order.
* /// </summary>
* /// <typeparam name="TChannel"></typeparam>
* /// <param name="context"></param>
* /// <returns></returns>
* public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
* {
* BindingElementCollection bindingElements = context.Binding.Elements;
* this.stackCheck.Check(bindingElements);
* return base.BuildChannelListener<TChannel>(context);
* }*/
/// <summary>
/// Intercept requests and creates the proof of validation interception before
/// attaching it to the message.
/// </summary>
/// <param name="interceptorMessage"></param>
public override void InterceptRequest(InterceptorMessage interceptorMessage)
{
this.logger.Trace("Security validate the foces certificate.");
try
{
Headers headers = new Headers(interceptorMessage);
if (interceptorMessage.IsFault)
{
// do nothing
}
else if (headers.IsCreateSequence)
{
// do nothing
}
else if (headers.SequenceHeader == null)
{
// do nothing
}
else if (headers.SequenceHeader.IsLastMessage)
{
// do nothing
}
else
{
// Get the certificate from the message
X509Certificate2 certificate;
try
{
certificate = interceptorMessage.Certificate;
}
catch
{
throw new FailedToGetCertificateSubjectException(interceptorMessage);
}
// now we must revocate check the certificate
OcesX509Certificate ocesCertificate = new OcesX509Certificate(certificate);
RevocationResponse response = ocesCertificate.CheckRevocationStatus(revocationLookup);
if (response.Exception != null)
{
string msg;
try
{
msg = response.Exception.Message;
}
catch (Exception ex)
{
this.logger.Debug("Error finding the correct error message.", ex);
msg = "unknown";
}
this.logger.Warn(string.Format("The certificate '{0}' revocation check failed. Reason is: ", ocesCertificate.Certificate.SubjectName.Name, msg));
// some error checking the certificate
// make sure the error is of the correct type, and throw it
// note - if the original exception was not a communikation exception, it is wraped in a communikation exception
if (response.Exception is CertificateRevokedTimeoutException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CertificateRevokedException)
{
throw response.Exception;
}
else if (response.Exception is CertificateRevokedValidationFailedException)
{
throw response.Exception;
}
else if (response.Exception is CheckCertificateOcspUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else if (response.Exception is CheckCertificateRevokedUnexpectedException)
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
else
{
throw new CertificateRevokedValidationFailedException(response.Exception);
}
}
else
{
// no exception - all good so far
switch (response.RevocationCheckStatus)
{
case RevocationCheckStatus.AllChecksPassed:
{
// all good
this.logger.Debug(string.Format("Certificate '{0}' has parsed the revocation validate.", certificate.SubjectName.Name));
SignatureValidationProof signatureValidationProof = new SignatureValidationProof(certificate.Subject);
interceptorMessage.AddProperty(ServerSignatureValidationProofBindingExtensionElement.SignatureValidationProofKey, signatureValidationProof);
break;
}
case RevocationCheckStatus.CertificateRevoked:
{
this.logger.Warn(string.Format("The certificate '{0}' is revoked.", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedException();
//break;
}
default:
{
this.logger.Warn(string.Format("The certificate '{0}' failed in revocation check - reason unknown", ocesCertificate.Certificate.SubjectName.Name));
throw new CertificateRevokedValidationFailedException("The certificate failed in revocation check - reason unknown.");
//break;
}
}
}
}
}
catch (FailedToGetCertificateSubjectException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CertificateRevokedTimeoutException e)
* {
* // exception is of the correct type - rethrowing it
* throw new CertificateRevokedValidationFailedException(e);
* }*/
catch (CertificateRevokedException)
{
// exception is of the correct type - rethrowing it
throw;
}
catch (CertificateRevokedValidationFailedException)
{
// exception is of the correct type - rethrowing it
throw;
}
/* catch (CheckCertificateOcspUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
/* catch (CheckCertificateRevokedUnexpectedException)
* {
* // exception is of the correct type - rethrowing it
* throw;
* }*/
catch (Exception ex)
{
this.logger.Debug("Security validate the foces certificate", ex);
throw new CertificateRevokedValidationFailedException(ex);
}
this.logger.Trace("Security validate the foces certificate - Finish.");
}
