        /// <summary>
        /// Answers one OCSP request that arrived over HTTP and returns the DER-encoded response.
        /// </summary>
        /// <param name="http_request">Incoming listener request carrying the OCSP request (GET or POST).</param>
        /// <returns>The DER encoding of the generated <see cref="OcspResp"/>.</returns>
        public static byte[] SendOcspResponse(HttpListenerRequest http_request)
        {
            // Parsing and response building are delegated; this method only chains them.
            // GetRequestFromHttp may hand back null for an unparsable or unsupported request —
            // CreateResponseForRequest is presumably expected to cope with that; verify against its implementation.
            OcspReq  parsedRequest = RequestUtilities.GetRequestFromHttp(http_request);
            OcspResp response      = CreateResponseForRequest(parsedRequest);

            return response.GetEncoded();
        }
        /// <summary>
        /// Posts <paramref name="ocspRequest"/> to the responder at <paramref name="url"/> and parses the reply.
        /// </summary>
        /// <param name="ocspRequest">Request to send.</param>
        /// <param name="url">Responder endpoint.</param>
        /// <returns>The responder's reply, parsed by <c>ExtractOcspResponseFromWebResponse</c> (unverified here).</returns>
        public static OcspResp Send(OcspReq ocspRequest, string url)
        {
            var webRequest = CreateWebRequest(url, ocspRequest);

            return ExtractOcspResponseFromWebResponse(GetWebResponse(webRequest));
        }
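        /// <summary>
        /// Builds a signed, successful <see cref="OcspResp"/> answering every single request in
        /// <paramref name="ocspRequest"/> from the data held by <c>OcspResponderRepository</c>.
        /// </summary>
        /// <param name="ocspRequest">Parsed OCSP request; each of its single requests gets one single response.</param>
        /// <param name="issuerCertificate">Issuer whose responder key, chain and revocation data are consulted.</param>
        /// <returns>A response with status <see cref="OcspRespStatus.Successful"/>.</returns>
        private async Task <OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
        {
            var basicResponseGenerator = new BasicOcspRespGenerator(
                new RespID(
                    await OcspResponderRepository.GetResponderPublicKey(issuerCertificate)));

            var extensionsGenerator = new X509ExtensionsGenerator();

            var nextUpdate = await OcspResponderRepository.GetNextUpdate();

            // The extended-revoke extension is a response-level flag. It must be added at most once: the
            // extensions generator rejects a duplicate OID, which previously made a request naming two or
            // more unknown serials fail instead of being answered.
            var extendedRevokeAdded = false;

            foreach (var request in ocspRequest.GetRequestList())
            {
                var certificateId = request.GetCertID();
                var serialNumber  = certificateId.SerialNumber;

                CertificateStatus   certificateStatus;
                CaCompromisedStatus caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);

                if (caCompromisedStatus.IsCompromised)
                {
                    // See section 2.7 of RFC 6960: every certificate of a compromised CA is reported revoked.
                    certificateStatus = new RevokedStatus(caCompromisedStatus.CompromisedDate.Value.UtcDateTime, (int)RevocationReason.CACompromise);
                }
                else
                {
                    // See section 2.2 of RFC 6960
                    if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
                    {
                        var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);

                        certificateStatus = status.IsRevoked
                            ? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
                            :  CertificateStatus.Good;
                    }
                    else
                    {
                        // Section 4.4.8 of RFC 6960: a serial the CA never issued is answered "revoked" with
                        // revocationTime 1970-01-01T00:00:00Z and reason certificateHold, plus the
                        // extended-revoke extension so clients can tell this apart from a real revocation.
                        // The DateTime is explicitly UTC so the encoder cannot treat it as local time.
                        certificateStatus = new RevokedStatus(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc), CrlReason.CertificateHold);

                        if (!extendedRevokeAdded)
                        {
                            extensionsGenerator.AddExtension(OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
                            extendedRevokeAdded = true;
                        }
                    }
                }

                basicResponseGenerator.AddResponse(certificateId, certificateStatus, DateTimeOffset.UtcNow.DateTime, nextUpdate.UtcDateTime, null);
            }

            SetNonceExtension(ocspRequest, extensionsGenerator);

            basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());

            // Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
            const string signatureAlgorithm = "sha256WithRSAEncryption";
            // NOTE(review): the last argument of Generate is used as the response's producedAt; passing
            // nextUpdate (a future time) rather than the current time looks unintended — confirm against
            // the Bouncy Castle signature in use.
            var          basicOcspResponse  = basicResponseGenerator.Generate(
                signatureAlgorithm,
                await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
                await OcspResponderRepository.GetChain(issuerCertificate),
                nextUpdate.UtcDateTime);

            var ocspResponse = OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);

            return(ocspResponse);
        }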
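        /// <summary>
        /// Posts <paramref name="ocspRequest"/> to the first responder URI and returns the parsed basic response.
        /// </summary>
        /// <param name="ocspRequest">Request to send; it is DER-encoded for the wire.</param>
        /// <returns>
        /// The <see cref="BasicOcspResp"/> carried by the reply, or <c>null</c> when no responder URI is
        /// available, the transport fails, or the reply cannot be parsed or has no basic response.
        /// The returned object is not verified here.
        /// </returns>
        public BasicOcspResp GetOcspStatus(OcspReq ocspRequest)
        {
            byte[] reqArray = ocspRequest.GetEncoded();
            var    uris     = GetOcspUris();

            try
            {
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uris[0]);

                // Headers must be set before the request stream is opened: HttpWebRequest rejects
                // ContentLength changes once writing has started, which previously made this method
                // fall into the catch below and return null.
                request.Method        = "POST";
                request.ContentLength = reqArray.Length;
                request.ContentType   = "application/ocsp-request";
                request.Accept        = "application/ocsp-response";

                // The request stream was never closed before; disposing it flushes the body and
                // releases the connection even when GetResponse throws.
                using (var requestStream = request.GetRequestStream())
                {
                    requestStream.Write(reqArray, 0, reqArray.Length);
                }

                OcspResp resp;
                using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
                using (Stream stream = response.GetResponseStream())
                {
                    resp = new OcspResp(stream);
                }

                return (BasicOcspResp)resp.GetResponseObject();
            }
            catch
            {
                // Best-effort lookup: every failure is reported as "no status available".
                // NOTE(review): nothing is logged, so an outage is indistinguishable from a parse error.
                return null;
            }
        }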
        /// <summary>
        /// Builds a DER-encoded OCSP request for <paramref name="cert"/>, identified through its issuer <paramref name="cacert"/>.
        /// </summary>
        /// <param name="cert">Certificate whose serial number is queried.</param>
        /// <param name="cacert">Issuer used to compute the CertID hashes (SHA-1).</param>
        /// <returns>The encoded request, or <c>null</c> when building it failed; the failure is traced via <see cref="Debug"/>.</returns>
        private static byte[] CreateOcspPackage(X509Certificate cert, X509Certificate cacert)
        {
            try
            {
                var generator = new OcspReqGenerator();
                generator.AddRequest(new CertificateID(CertificateID.HashSha1, cacert, cert.SerialNumber));
                generator.SetRequestExtensions(CreateExtension());

                OcspReq request = generator.Generate();
                return request.GetEncoded();
            }
            catch (OcspException e)
            {
                Debug.WriteLine(e.StackTrace);
                return null;
            }
            catch (IOException e)
            {
                Debug.WriteLine(e.StackTrace);
                return null;
            }
        }
        /// <summary>
        /// Resolves the CA token that every single request in <paramref name="ocsp_req"/> refers to.
        /// </summary>
        /// <param name="ocsp_req">Parsed OCSP request.</param>
        /// <returns>The token shared by all single requests.</returns>
        /// <exception cref="OcspMalformedRequestException">
        /// The request list cannot be read, is empty, or its single requests resolve to different tokens.
        /// </exception>
        public static IToken GetTokenForRequest(OcspReq ocsp_req)
        {
            //TODO: Leverage RequestUtilities.RespondersMatch method to perform the token comparison
            Req[] singleRequests;
            try
            {
                singleRequests = ocsp_req.GetRequestList();
            }
            catch (System.NullReferenceException)
            {
                throw new OcspMalformedRequestException("Unknown error parsing the request :(");
            }

            if (singleRequests.Length <= 0)
            {
                throw new OcspMalformedRequestException("Empty request list.");
            }

            // The first single request decides the responder; a one-element list needs no further check.
            IToken expectedToken = GetIssuerForSingleRequest(singleRequests[0]).caToken;
            if (singleRequests.Length == 1)
            {
                return expectedToken;
            }

            // Every single request (the first one included) must resolve to the same token.
            // This is a reference comparison on the interface; see the TODO above.
            for (int i = 0; i < singleRequests.Length; i++)
            {
                IToken candidate = GetIssuerForSingleRequest(singleRequests[i]).caToken;
                if (expectedToken != candidate)
                {
                    throw new OcspMalformedRequestException("Multiple responderIDs in request!");
                }
            }

            return expectedToken;
        }
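        /// <summary>
        /// Parses a DER-encoded OCSP request and produces the DER-encoded signed basic response for it.
        /// Every single request receives the same <c>certificateStatus</c>, <c>thisUpdate</c> and
        /// <c>nextUpdate</c> held by this instance; a request nonce, when present, is echoed back.
        /// </summary>
        /// <param name="requestBytes">Raw OCSP request as received from the client.</param>
        /// <returns>
        /// The DER encoding of the <see cref="BasicOcspResp"/> — not wrapped in an OCSPResponse envelope
        /// (see the commented-out line at the end).
        /// </returns>
        public virtual byte[] MakeOcspResponse(byte[] requestBytes)
        {
            OcspReq ocspRequest = new OcspReq(requestBytes);

            Req[] requestList = ocspRequest.GetRequestList();

            // A request carrying no extensions has no RequestExtensions object at all; previously the
            // unconditional GetExtension call threw a NullReferenceException for such requests.
            X509Extensions requestExtensions = ocspRequest.RequestExtensions;
            X509Extension  extNonce          = requestExtensions?.GetExtension(OcspObjectIdentifiers.PkixOcspNonce);

            if (extNonce != null)
            {
                // Echo the nonce so the client can bind this response to its request (RFC 6960 section 4.4.1).
                X509Extensions responseExtensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
                {
                    { OcspObjectIdentifiers.PkixOcspNonce, extNonce }
                });
                responseBuilder.SetResponseExtensions(responseExtensions);
            }
            else
            {
                // responseBuilder is instance state: clear any extensions a previous call installed so a
                // nonce from an earlier request is never echoed to a client that sent none.
                responseBuilder.SetResponseExtensions(null);
            }

            // NOTE(review): if responseBuilder is reused across calls, AddResponse also accumulates single
            // responses from earlier requests — confirm the builder is fresh per request.
            foreach (Req req in requestList)
            {
                responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null);
            }
            DateTime      time         = DateTimeUtil.GetCurrentUtcTime();
            BasicOcspResp ocspResponse = responseBuilder.Generate(new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey), new X509Certificate[] { issuerCert }, time);

            // return new OCSPRespBuilder().build(ocspResult, ocspResponse).getEncoded();
            return(ocspResponse.GetEncoded());
        }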
 /// <summary>
 /// Writes the DER encoding of <paramref name="ocspRequest"/> as the body of <paramref name="request"/>
 /// and closes the request stream.
 /// </summary>
 /// <param name="request">Web request whose body is written.</param>
 /// <param name="ocspRequest">Request to encode.</param>
 static void WriteOcspRequest(WebRequest request, OcspReq ocspRequest)
 {
     byte[] body = ocspRequest.GetEncoded();

     using (var bodyStream = request.GetRequestStream())
     {
         bodyStream.Write(body, 0, body.Length);
     }
 }
        /// <summary>
        /// Checks the status of <paramref name="eeCert"/> at the responder <paramref name="url"/> and returns the raw reply.
        /// </summary>
        /// <param name="eeCert">End-entity certificate whose serial number is queried.</param>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, used to build the request.</param>
        /// <param name="url">OCSP responder endpoint.</param>
        /// <param name="addNonce">Passed through to <c>GenerateOcspRequest</c>; controls the nonce extension.</param>
        /// <param name="requestorName">Optional requestor name, passed through to <c>GenerateOcspRequest</c>.</param>
        /// <param name="signCertificate">Optional signing certificate, passed through to <c>GenerateOcspRequest</c>.</param>
        /// <returns>The response bytes exactly as returned by the responder; nothing is decoded or verified here.</returns>
        public byte[] QueryBinary(Org.BouncyCastle.X509.X509Certificate eeCert, Org.BouncyCastle.X509.X509Certificate issuerCert, string url, bool addNonce, GeneralName requestorName = null, System.Security.Cryptography.X509Certificates.X509Certificate2 signCertificate = null)
        {
            OcspReq request        = GenerateOcspRequest(issuerCert, eeCert.SerialNumber, requestorName, signCertificate, addNonce);
            byte[]  encodedRequest = request.GetEncoded();

            return PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");
        }
        /// <summary>
        /// Checks <paramref name="eeCert"/> against the SAT OCSP responder at a fixed HTTPS endpoint.
        /// </summary>
        /// <param name="eeCert">End-entity certificate whose serial number is queried.</param>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>.</param>
        /// <returns>The status produced by <c>ProcessOcspResponse</c>.</returns>
        public CertificateStatus ValidaOscp(X509Certificate eeCert, X509Certificate issuerCert)
        {
            // The responder endpoint is fixed rather than read from the certificate.
            const string url = "https://cfdi.sat.gob.mx/edofiel";

            OcspReq request        = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();
            byte[]  binaryResp     = PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");

            return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
        }
        /// <summary>
        /// Checks the status of <paramref name="eeCert"/> at the responder <paramref name="url"/> and returns the raw reply.
        /// </summary>
        /// <param name="eeCert">End-entity certificate whose serial number is queried.</param>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, used to build the request.</param>
        /// <param name="url">OCSP responder endpoint.</param>
        /// <returns>The response bytes exactly as returned by the responder; nothing is decoded or verified here.</returns>
        public byte[] QueryBinary(X509Certificate eeCert, X509Certificate issuerCert, string url)
        {
            OcspReq request        = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();

            return PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");
        }
        /// <summary>
        /// Copies the request's nonce extension, when one is present, into the response extensions so the
        /// client can match the response to its request.
        /// </summary>
        /// <param name="ocspRequest">Request that may carry a nonce.</param>
        /// <param name="extensionsGenerator">Generator collecting the response extensions.</param>
        private void SetNonceExtension(OcspReq ocspRequest, X509ExtensionsGenerator extensionsGenerator)
        {
            var requestNonce = ocspRequest.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
            if (requestNonce == null)
            {
                return;
            }

            // Echoed non-critical, with the same octets the client sent.
            extensionsGenerator.AddExtension(OcspObjectIdentifiers.PkixOcspNonce, false, requestNonce.GetOctets());
        }
		/// <summary>
		/// Regression check: a request with an irregular version encoding (<c>irregReq</c>) must still parse,
		/// and its signature must verify with the public key of the first certificate it carries.
		/// </summary>
		private void doTestIrregularVersionReq()
		{
			var  request   = new OcspReq(irregReq);
			var  signerKey = request.GetCerts()[0].GetPublicKey();
			bool verified  = request.Verify(signerKey);

			if (!verified)
			{
				Fail("extra version encoding test failed");
			}
		}
        /// <summary>
        /// Checks <paramref name="clientCert"/> against the SAT OCSP responder at a fixed endpoint.
        /// </summary>
        /// <param name="clientCert">Certificate whose serial number is queried.</param>
        /// <param name="issuerCert">Issuer of <paramref name="clientCert"/>.</param>
        /// <param name="respMsg">Outcome message filled in by <c>processOcspResponse</c>.</param>
        /// <returns>The status produced by <c>processOcspResponse</c>.</returns>
        public CertificateStatus validateOcsp(X509Certificate clientCert, X509Certificate issuerCert, out string respMsg)
        {
            // The responder endpoint is fixed rather than read from the certificate.
            const string url = "http://www.sat.gob.mx/OCSP";

            OcspReq request        = generateOcspRequest(issuerCert, clientCert.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();
            byte[]  binaryResp     = IoUtils.PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");

            return processOcspResponse(clientCert, issuerCert, binaryResp, out respMsg);
        }
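        /**
         * Sends an OCSP request for checkCert to url and returns the DER encoding of the basic response
         * when the responder reports the certificate as good.
         *
         * @return  a byte array holding the encoded BasicOcspResp, or null when the reply carries no
         *          basic response or not exactly one single response
         * @throws IOException on a non-200 HTTP reply, a non-successful OCSP status, or a revoked/unknown status
         * @see com.lowagie.text.pdf.OcspClient#getEncoded()
         */
        public byte[] GetEncoded()
        {
            OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);

            byte[]         array = request.GetEncoded();
            HttpWebRequest con   = (HttpWebRequest)WebRequest.Create(url);

            con.ContentLength = array.Length;
            con.ContentType   = "application/ocsp-request";
            con.Accept        = "application/ocsp-response";
            con.Method        = "POST";

            // Streams and the response are now disposed on every path; previously they were only closed
            // on the success path, so each throw below leaked the connection.
            using (Stream outp = con.GetRequestStream())
            {
                outp.Write(array, 0, array.Length);
            }

            OcspResp ocspResponse;
            using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
            {
                if (response.StatusCode != HttpStatusCode.OK)
                {
                    throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
                }
                using (Stream inp = response.GetResponseStream())
                {
                    ocspResponse = new OcspResp(inp);
                }
            }

            if (ocspResponse.Status != 0)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status));
            }
            BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();

            if (basicResponse == null)
            {
                return null;
            }

            // Only a single-certificate answer is accepted; anything else is reported as "no result".
            SingleResp[] responses = basicResponse.Responses;
            if (responses.Length != 1)
            {
                return null;
            }

            // NOTE(review): neither the responder signature nor a nonce is checked here; the returned bytes
            // are only meaningful if the caller verifies the basic response before relying on them.
            Object status = responses[0].GetCertStatus();
            if (status == CertificateStatus.Good)
            {
                // Bouncy Castle represents the "good" status by a null status object.
                return basicResponse.GetEncoded();
            }
            if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
            }
            throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
        }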
        /// <summary>
        /// Sends <paramref name="request"/> to <paramref name="responderUrl"/> and fails unless the responder
        /// answered with <see cref="OcspRespStatus.Successful"/>.
        /// <paramref name="rootCertificate"/> and <paramref name="serialNumber"/> are not used by this method.
        /// </summary>
        /// <exception cref="OcspException">The responder returned a non-successful status.</exception>
        static void PostOcspRequest(OcspReq request,
                                    X509Certificate2 rootCertificate, string responderUrl, string serialNumber)
        {
            bool succeeded = Requester.Send(request, responderUrl).Status == OcspRespStatus.Successful;
            if (succeeded)
            {
                return;
            }

            throw new OcspException("OCSP response is not successful");
        }
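        /// <summary>
        /// Serves one OCSP request over <see cref="HttpListenerContext"/>: parses the request body, answers
        /// every single request from <c>CertificateAuthority</c>, echoes the nonce if present, signs with the
        /// CA key and writes the DER-encoded <see cref="OcspResp"/>. A missing or unparsable request body
        /// is answered with HTTP 400.
        /// </summary>
        /// <param name="context">Listener context carrying the request and the response to fill.</param>
        /// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
        public override void Respond(HttpListenerContext context)
        {
            if (context == null)
            {
                throw new ArgumentNullException(nameof(context));
            }

            var bytes = GetOcspRequest(context);

            if (bytes == null)
            {
                context.Response.StatusCode = 400;

                return;
            }

            // The body is untrusted input. Bouncy Castle reports a malformed request by throwing (an
            // IOException from the OcspReq constructor, an ArgumentException from lower-level decoding);
            // previously that propagated out of this method, so map it to a client error here.
            OcspReq ocspReq;
            try
            {
                ocspReq = new OcspReq(bytes);
            }
            catch (System.IO.IOException)
            {
                context.Response.StatusCode = 400;

                return;
            }
            catch (ArgumentException)
            {
                context.Response.StatusCode = 400;

                return;
            }

            var respId  = new RespID(CertificateAuthority.Certificate.SubjectDN);
            var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
            var requests = ocspReq.GetRequestList();
            var nonce    = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);

            if (nonce != null)
            {
                // Echo the request nonce (non-critical) so the client can bind the response to its request.
                var extensions = new X509Extensions(new Dictionary <DerObjectIdentifier, X509Extension>()
                {
                    { OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
                });

                basicOcspRespGenerator.SetResponseExtensions(extensions);
            }

            var now = DateTime.UtcNow;

            foreach (var request in requests)
            {
                var certificateId     = request.GetCertID();
                var certificateStatus = CertificateAuthority.GetStatus(certificateId);
                // Options override the validity window; by default it is "now" to one second later.
                var thisUpdate        = _options.ThisUpdate?.UtcDateTime ?? now;
                var nextUpdate        = _options.NextUpdate?.UtcDateTime ?? now.AddSeconds(1);

                basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate, singleExtensions: null);
            }

            var certificateChain  = GetCertificateChain();
            var basicOcspResp     = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now);
            var ocspRespGenerator = new OCSPRespGenerator();
            var ocspResp          = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);

            bytes = ocspResp.GetEncoded();

            context.Response.ContentType = ResponseContentType;

            WriteResponseBody(context.Response, bytes);
        }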
        /// <summary>
        /// Extracts the <see cref="OcspReq"/> from an HTTP GET (base64 payload in the URL path) or
        /// POST (DER body) request.
        /// </summary>
        /// <param name="http_request">Incoming listener request; its payload is untrusted.</param>
        /// <returns>
        /// The parsed request, or <c>null</c> when the HTTP method is neither GET nor POST or the payload
        /// could not be decoded/parsed. Both cases are logged as warnings; this method does not throw.
        /// </returns>
        public static OcspReq GetRequestFromHttp(HttpListenerRequest http_request)
        {
            OcspReq ocsp_req;

            try{
                //check if mime-type is application/ocsp-request
                // Only warned about, not enforced: the payload is parsed regardless of the declared type.
                if (http_request.Headers["Content-Type"] != "application/ocsp-request")
                {
                    SharpOCSP.log.Warn("MIME type of request not application/ocsp-request.");
                }
                switch (http_request.HttpMethod)
                {
                case "GET":
                    try{
                        // Drop the leading '/' so only the base64 payload remains.
                        var           get_request = http_request.Url.PathAndQuery.Remove(0, 1);
                        byte[]        decoded_ocsp_request;
                        StringBuilder request_sb;
                        //Tolerate ocsp requestors that don't URL Encode the base64 string and/or don't pad the base64 representation
                        try{
                            // First attempt: URL-decode, then pad to a multiple of four characters.
                            var urld_get_request = WebUtility.UrlDecode(get_request);
                            request_sb = new StringBuilder(urld_get_request);
                            //append ='s until string is multiple of 4
                            request_sb.Append('=', (4 - (urld_get_request.Length % 4)) % 4);
                            decoded_ocsp_request = System.Convert.FromBase64String(request_sb.ToString());
                        }catch (System.FormatException) {
                            // Second attempt: the raw path, in case URL-decoding broke an already-valid base64 string.
                            request_sb = new StringBuilder(get_request);
                            //append ='s until string is multiple of 4
                            request_sb.Append('=', (4 - (get_request.Length % 4)) % 4);
                            decoded_ocsp_request = System.Convert.FromBase64String(request_sb.ToString());
                        }
                        ocsp_req = new OcspReq(decoded_ocsp_request);
                    }catch {
                        // Any decoding or parsing failure of the client-supplied payload is reported as malformed.
                        throw new OcspMalformedRequestException();
                    }
                    break;

                case "POST":
                    try{
                        // The body stream is handed straight to the DER parser.
                        ocsp_req = new OcspReq(http_request.InputStream);
                    }catch {
                        throw new OcspMalformedRequestException();
                    }
                    break;

                default:
                    ocsp_req = null;
                    SharpOCSP.log.Warn("Unsupported Request method: " + http_request.HttpMethod);
                    break;
                }
            }catch (OcspMalformedRequestException) {
                // Malformed requests are logged and turned into a null result rather than propagated.
                ocsp_req = null;
                SharpOCSP.log.Warn("Could not parse " + http_request.HttpMethod + " request.");
            }
            return(ocsp_req);
        }
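        /// <summary>
        /// Sends an OCSP request for <c>_checkCert</c> to <c>_url</c> and returns the DER-encoded basic response
        /// when the responder reports the certificate as good.
        /// @see com.lowagie.text.pdf.OcspClient#getEncoded()
        /// </summary>
        /// <returns>
        /// The encoded <see cref="BasicOcspResp"/>, or <c>null</c> when the reply carries no basic response
        /// or not exactly one single response.
        /// </returns>
        /// <exception cref="IOException">Non-200 HTTP reply, non-successful OCSP status, or a revoked/unknown certificate.</exception>
        public byte[] GetEncoded()
        {
            OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber);

            byte[]         array = request.GetEncoded();
            HttpWebRequest con   = (HttpWebRequest)WebRequest.Create(_url);

            con.ContentType = "application/ocsp-request";
            con.Accept      = "application/ocsp-response";
            con.Method      = "POST";

            // Blocking on the async calls is kept because the signature is synchronous; failures therefore
            // still surface wrapped in an AggregateException, as before. Streams and the response are now
            // disposed on every path — previously each throw below leaked them.
            using (Stream outp = con.GetRequestStreamAsync().Result)
            {
                outp.Write(array, 0, array.Length);
            }

            OcspResp ocspResponse;
            using (HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result)
            {
                if (response.StatusCode != HttpStatusCode.OK)
                {
                    throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}");
                }
                using (Stream inp = response.GetResponseStream())
                {
                    ocspResponse = new OcspResp(inp);
                }
            }

            if (ocspResponse.Status != 0)
            {
                throw new IOException("Invalid status: " + ocspResponse.Status);
            }
            BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();

            if (basicResponse == null)
            {
                return null;
            }

            // Only a single-certificate answer is accepted; anything else is reported as "no result".
            SingleResp[] responses = basicResponse.Responses;
            if (responses.Length != 1)
            {
                return null;
            }

            // NOTE(review): neither the responder signature nor a nonce is checked here; the returned bytes
            // are only meaningful if the caller verifies the basic response before relying on them.
            object status = responses[0].GetCertStatus();
            if (status == CertificateStatus.Good)
            {
                // Bouncy Castle represents the "good" status by a null status object.
                return basicResponse.GetEncoded();
            }
            if (status is RevokedStatus)
            {
                throw new IOException("OCSP Status is revoked!");
            }
            throw new IOException("OCSP Status is unknown!");
        }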
        /// <summary>
        /// Prepares a POST to the responder at <paramref name="url"/> with <paramref name="ocspRequest"/>
        /// already written as the body.
        /// </summary>
        /// <param name="url">Responder endpoint.</param>
        /// <param name="ocspRequest">Request to send.</param>
        /// <returns>The configured request, body written, ready for <c>GetResponse</c>.</returns>
        static HttpWebRequest CreateWebRequest(string url, OcspReq ocspRequest)
        {
            var webRequest = (HttpWebRequest)WebRequest.Create(url);

            // Encoded here only to size the Content-Length header; the body writer encodes again.
            int bodyLength = ocspRequest.GetEncoded().Length;

            webRequest.KeepAlive     = false;
            webRequest.Method        = "POST";
            webRequest.ContentType   = "application/ocsp-request";
            webRequest.ContentLength = bodyLength;

            WriteOcspRequest(webRequest, ocspRequest);

            return webRequest;
        }
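        /// <summary>
        /// Asks the OCSP responder at <paramref name="urlOCSP"/> whether the certificate with serial
        /// <paramref name="serialNumber"/> issued by <paramref name="issuer"/> is valid.
        /// </summary>
        /// <param name="serialNumber">Certificate serial number as a hexadecimal string.</param>
        /// <param name="issuer">Issuer certificate; its subject is also sent as the requestor name.</param>
        /// <param name="urlOCSP">Responder endpoint.</param>
        /// <returns>
        /// VALID or REVOKED from the responder's first single response; UNKNOWN for an unknown status,
        /// a non-successful OCSP status, a nonce mismatch, an empty response, or any transport/parse failure.
        /// </returns>
        public ValidationResponse ValidateCertificate(string serialNumber, X509Certificate2 issuer, String urlOCSP)
        {
            try
            {
                OcspReqGenerator ocspReqGenerator = new OcspReqGenerator();
                ocspReqGenerator.AddRequest(new CertificateID(CertificateID.HashSha1,
                                                              Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuer),
                                                              new BigInteger(serialNumber, 16)));

                // Extensions
                IList oidList   = new ArrayList();
                IList valueList = new ArrayList();

                // nonce: it binds the response to this request (replay protection), so it must be
                // unpredictable. System.Random is not suitable for that; use the OS CSPRNG.
                byte[] nonce = new byte[16];
                using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                {
                    rng.GetBytes(nonce);
                }
                oidList.Add(OcspObjectIdentifiers.PkixOcspNonce);
                valueList.Add(new Org.BouncyCastle.Asn1.X509.X509Extension(false, new DerOctetString(nonce)));
                ocspReqGenerator.SetRequestExtensions(new X509Extensions(oidList, valueList));

                // requestor name
                ocspReqGenerator.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name(issuer.Subject)));

                OcspReq ocspReq = ocspReqGenerator.Generate();

                OcspResp ocspResponse = new OcspResp(transferHttpDataService.SendOcspRequest(urlOCSP, ocspReq.GetEncoded()));
                if (ocspResponse.Status == OcspResponseStatus.Successful)
                {
                    BasicOcspResp ocspBasicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();

                    // A responder may omit the nonce, but one that echoes a different value is answering
                    // some other request (or is being replayed): treat that as no usable answer.
                    var responseNonce = ocspBasicResponse.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
                    if (responseNonce != null && !Org.BouncyCastle.Utilities.Arrays.AreEqual(nonce, responseNonce.GetOctets()))
                    {
                        return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN));
                    }

                    // NOTE(review): the responder signature is not verified here; a network attacker could
                    // substitute a "good" answer. Verify ocspBasicResponse against the expected responder key.
                    if (ocspBasicResponse.Responses.Length > 0)
                    {
                        object certStatus = ocspBasicResponse.Responses[0].GetCertStatus();

                        // Bouncy Castle represents the "good" status by a null status object.
                        if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
                        {
                            return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.VALID));
                        }
                        if (certStatus is RevokedStatus)
                        {
                            return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.REVOKED));
                        }
                        // Any other status (e.g. UnknownStatus) falls through to the default below.
                    }
                }
            }
            catch (System.Exception)
            {
                // Best-effort: transport, parsing and cast failures are all reported as UNKNOWN.
                // NOTE(review): nothing is logged, so an outage is indistinguishable from an "unknown" answer.
            }

            return(new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN));
        }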
        /// <summary>
        /// Queries the first OCSP responder listed in <paramref name="eeCert"/> and returns the certificate's
        /// status. A proxy can be optionally used.
        /// </summary>
        /// <param name="eeCert">End-entity certificate to check; its OCSP URLs are read from it.</param>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>.</param>
        /// <param name="proxy">Optional proxy passed to <c>PostData</c>.</param>
        /// <returns>The status produced by <c>ProcessOcspResponse</c>.</returns>
        /// <exception cref="OCSPExpection">The certificate lists no OCSP URL.</exception>
        public CertificateStatus Query(X509Certificate eeCert, X509Certificate issuerCert, WebProxy proxy = null)
        {
            List <string> urls = GetAuthorityInformationAccessOcspUrl(eeCert);
            if (urls.Count == 0)
            {
                throw new OCSPExpection("No OCSP URL found in EE certificate.");
            }

            // Only the first responder is consulted; any further URLs are ignored.
            string responderUrl = urls[0];

            OcspReq request        = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();
            byte[]  binaryResp     = PostData(responderUrl, encodedRequest, "application/ocsp-request", "application/ocsp-response", proxy);

            return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
        }
        /// <summary>
        /// Checks the status of <paramref name="in_Certificado"/> against the first OCSP responder listed in it.
        /// </summary>
        /// <param name="in_Certificado">Certificate to check.</param>
        /// <param name="in_CertificadoEmisor">Its issuer.</param>
        /// <returns>The status produced by <c>ProcesarRespuestaOcsp</c>.</returns>
        /// <exception cref="Exception">The certificate lists no OCSP URL.</exception>
        public CertificateStatus ConsultarEstadoDeCertificado(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor)
        {
            List <string> urls = GetAuthorityInformationAccessOcspUrl(in_Certificado);
            if (urls.Count == 0)
            {
                throw new Exception("No se encontro ningun OCSP url en el certificado.");
            }

            // Only the first responder is consulted.
            string responderUrl = urls[0];
            Console.WriteLine("Consultando '" + responderUrl + "'...");

            OcspReq request        = GenerarRequestOCSP(in_CertificadoEmisor, in_Certificado.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();
            byte[]  binaryResp     = PostData(responderUrl, encodedRequest, "application/ocsp-request", "application/ocsp-response");

            return ProcesarRespuestaOcsp(in_Certificado, in_CertificadoEmisor, binaryResp);
        }
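        /// <summary>
        /// Posts an OCSP request for <paramref name="checkCert"/> and returns the raw, unverified <see cref="OcspResp"/>.
        /// </summary>
        /// <param name="checkCert">Certificate whose status is requested.</param>
        /// <param name="rootCert">Its issuer, needed to build the CertID.</param>
        /// <param name="url">Responder URL; when null it is looked up via <c>CertificateUtil.GetOCSPURL</c>.</param>
        /// <returns>The parsed response, or <c>null</c> when a certificate is missing or no responder URL can be determined.</returns>
        /// <exception cref="IOException">The responder answered with a non-200 HTTP status.</exception>
        private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
        {
            if (checkCert == null || rootCert == null)
            {
                return(null);
            }
            if (url == null)
            {
                url = CertificateUtil.GetOCSPURL(checkCert);
            }
            if (url == null)
            {
                return(null);
            }
            LOGGER.Info("Getting OCSP from " + url);
            OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);

            byte[] array = request.GetEncoded();

            HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);

            con.ContentLength = array.Length;
            con.ContentType   = "application/ocsp-request";
            con.Accept        = "application/ocsp-response";
            con.Method        = "POST";

            // Request stream, response and response stream are disposed on every path; previously the
            // response leaked when the status check threw.
            using (Stream outp = con.GetRequestStream())
            {
                outp.Write(array, 0, array.Length);
            }

            using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
            {
                if (response.StatusCode != HttpStatusCode.OK)
                {
                    throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
                }
                using (Stream inp = response.GetResponseStream())
                {
                    return new OcspResp(inp);
                }
            }
        }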
        /// <summary>
        /// Checks <paramref name="eeCert"/> against the first OCSP responder listed in it.
        /// </summary>
        /// <param name="eeCert">End-entity certificate to check.</param>
        /// <param name="issuerCert">Its issuer.</param>
        /// <returns>The status produced by <c>ProcessOcspResponse</c>.</returns>
        /// <exception cref="Exception">The certificate lists no OCSP URL.</exception>
        internal static OCSPStatus CheckOCSP(X509Certificate eeCert, X509Certificate issuerCert)
        {
            List <string> urls = GetAuthorityInformationAccessOcspUrl(eeCert);
            if (urls.Count == 0)
            {
                throw new Exception("No OCSP url found in ee certificate.");
            }

            // Only the first responder is consulted.
            string responderUrl = urls[0];
            Console.WriteLine("Querying '" + responderUrl + "'...");

            OcspReq request        = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
            byte[]  encodedRequest = request.GetEncoded();
            byte[]  binaryResp     = PostData(responderUrl, encodedRequest, "application/ocsp-request", "application/ocsp-response");

            return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
        }
 /// <summary>
 /// Fetches the OCSP response for <paramref name="certificate"/> from the responder found through
 /// <c>GetAccessLocation</c>. Any failure (no URI, fetch error, OCSP error, empty response) yields <c>null</c>.
 /// </summary>
 /// <param name="certificate">Certificate whose status is requested.</param>
 /// <param name="issuerCertificate">Its issuer, used to build the CertID.</param>
 /// <returns>The unverified basic response, or <c>null</c>.</returns>
 /// <exception cref="System.IO.IOException"></exception>
 public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)
 {
     try
     {
         this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod);
         LOG.Info("OCSP URI: " + this.OcspUri);
         if (this.OcspUri == null)
         {
             return null;
         }

         var requestGenerator = new OcspReqGenerator();
         requestGenerator.AddRequest(new CertificateID(CertificateID.HashSha1, issuerCertificate, certificate.SerialNumber));
         byte[] encodedRequest = requestGenerator.Generate().GetEncoded();

         var rawResponse = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream(encodedRequest)));
         try
         {
             return (BasicOcspResp)rawResponse.GetResponseObject();
         }
         catch (ArgumentNullException)
         {
             // Encountered a case when the OCSPResp is initialized with a null OCSP response...
             // (and there are no nullity checks in the OCSPResp implementation)
             return null;
         }
     }
     catch (CannotFetchDataException)
     {
         return null;
     }
     catch (OcspException e)
     {
         LOG.Error("OCSP error: " + e.Message);
         return null;
     }
 }
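        /// <summary>
        /// Posts an OCSP request for <paramref name="checkCert"/> and returns the raw, unverified <see cref="OcspResp"/>.
        /// </summary>
        /// <param name="checkCert">Certificate whose status is requested.</param>
        /// <param name="rootCert">Its issuer, needed to build the CertID.</param>
        /// <param name="url">Responder URL; when null it is looked up via <c>CertificateUtil.GetOCSPURL</c>.</param>
        /// <returns>The parsed response, or <c>null</c> when a certificate is missing or no responder URL can be determined.</returns>
        private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
        {
            if (checkCert == null || rootCert == null)
            {
                return(null);
            }
            if (url == null)
            {
                url = CertificateUtil.GetOCSPURL(checkCert);
            }
            if (url == null)
            {
                return(null);
            }
            LOGGER.Info("Getting OCSP from " + url);
            OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);

            byte[] array = request.GetEncoded();
            Uri    urlt  = new Uri(url);

            // The response stream was never closed before; dispose it once its bytes have been copied out.
            using (Stream @in = SignUtils.GetHttpResponseForOcspRequest(array, urlt))
            {
                return new OcspResp(StreamUtil.InputStreamToArray(@in));
            }
        }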
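        /// <summary>
        /// Builds, sends and checks an OCSP request for the configured certificates and returns the
        /// DER-encoded <see cref="BasicOcspResp"/> when <c>VerifyOCSPResponse</c> reports GOOD.
        /// Side effects: <c>ocspRequest</c> and <c>ocspResponse</c> are updated; <c>lastError</c> is set on an HTTP failure.
        /// </summary>
        /// <returns>
        /// The encoded basic response, or <c>null</c> on a non-200 reply or when the verification result is not GOOD.
        /// </returns>
        public byte[] GetEncoded()
        {
            ocspRequest = GenerateOCSPRequest(signerCert, checkerCert, issuerCert, checkerKey);
            byte[]         array = ocspRequest.GetEncoded();
            HttpWebRequest con   = (HttpWebRequest)WebRequest.Create(url);

            con.ContentLength = array.Length;
            con.ContentType   = "application/ocsp-request";
            con.Accept        = "application/ocsp-response";
            con.Method        = "POST";

            // Streams and the response are disposed on every path, including the early return below;
            // previously the response leaked on a non-200 reply.
            using (Stream outp = con.GetRequestStream())
            {
                outp.Write(array, 0, array.Length);
            }

            using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
            {
                if (response.StatusCode != HttpStatusCode.OK)
                {
                    this.lastError = "Invalid HTTP response: " + (int)response.StatusCode;
                    return(null);
                }

                using (Stream inp = response.GetResponseStream())
                {
                    ocspResponse = new OcspResp(inp);
                }
            }

            // Whatever checks VerifyOCSPResponse performs run over the stored ocspResponse.
            int verify = VerifyOCSPResponse();

            if (verify != (int)CertStatus.GOOD)
            {
                return(null);
            }

            return(((BasicOcspResp)ocspResponse.GetResponseObject()).GetEncoded());
        }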
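        /// <summary>
        /// Builds an unsigned OCSP request for a single <see cref="CertificateID"/> carrying one
        /// non-critical request extension.
        /// </summary>
        /// <param name="id">Issuer/serial identification of the certificate to query.</param>
        /// <returns>The generated <see cref="OcspReq"/>.</returns>
        private OcspReq GenerateOcspRequest(CertificateID id)
        {
            OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();

            ocspRequestGenerator.AddRequest(id);

            // The original computed `BigInteger.ValueOf(new DateTime().Ticks)` here (always 0, since
            // `new DateTime()` is DateTime.MinValue) and never used it; dropped as dead code.

            ArrayList oids   = new ArrayList();
            Hashtable values = new Hashtable();

            oids.Add(OcspObjectIdentifiers.PkixOcsp);

            // NOTE(review): this extension is keyed by id-pkix-ocsp and its value is the fixed byte run
            // 1,3,6,1,5,5,7,48,1,1 (the arcs of id-pkix-ocsp-basic written as bytes, not a DER encoding).
            // It is not an OCSP nonce: replay protection would use OcspObjectIdentifiers.PkixOcspNonce with
            // fresh random bytes that the caller compares against the response. Kept as-is so the bytes on
            // the wire do not change.
            Asn1OctetString asn1 = new DerOctetString(new DerOctetString(new byte[] { 1, 3, 6, 1, 5, 5, 7, 48, 1, 1 }));

            values.Add(OcspObjectIdentifiers.PkixOcsp, new Org.BouncyCastle.Asn1.X509.X509Extension(false, asn1));
            X509Extensions x509Extensions = new X509Extensions(oids, values);

            ocspRequestGenerator.SetRequestExtensions(x509Extensions);

            // Generate exactly once; the original built the request twice and discarded the first.
            return(ocspRequestGenerator.Generate());
        }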
        /// <summary>
        /// End-to-end exercise of OCSP request handling: unsigned request generation, signed request
        /// generation (with and without a nonce extension), DER round-trip of a signed request, parsing and
        /// signature verification of two canned responses (<c>testResp1</c>, <c>testResp2</c>), wrapping a
        /// basic response with <see cref="OCSPRespGenerator"/>, and finally the ECDSA, RSA and
        /// irregular-version sub-tests. Each check reports through <c>Fail(...)</c>.
        /// </summary>
        public override void PerformTest()
        {
            // Self-signed test certificate: the same key pair acts as issuer and subject.
            string signDN = "O=Bouncy Castle, C=AU";
            AsymmetricCipherKeyPair signKP   = OcspTestUtil.MakeKeyPair();
            X509Certificate         testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);

            // origName is built but not used by any check below.
            string      origDN   = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
            GeneralName origName = new GeneralName(new X509Name(origDN));

            //
            // general id value for our test issuer cert and a serial number.
            //
            CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

            //
            // basic request generation
            //
            OcspReqGenerator gen = new OcspReqGenerator();

            gen.AddRequest(
                new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

            OcspReq req = gen.Generate();

            // An unsigned request must report IsSigned == false and carry no certificates.
            if (req.IsSigned)
            {
                Fail("signed but shouldn't be");
            }

            X509Certificate[] certs = req.GetCerts();

            if (certs != null)
            {
                Fail("null certs expected, but not found");
            }

            Req[] requests = req.GetRequestList();

            // CertificateID equality covers hash algorithm, issuer name/key hashes and serial.
            if (!requests[0].GetCertID().Equals(id))
            {
                Fail("Failed isFor test");
            }

            //
            // request generation with signing
            //
            X509Certificate[] chain = new X509Certificate[1];

            gen = new OcspReqGenerator();

            gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

            gen.AddRequest(
                new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

            chain[0] = testCert;

            // Signed with the test key; the one-element chain is embedded in the request.
            req = gen.Generate("SHA1withRSA", signKP.Private, chain);

            if (!req.IsSigned)
            {
                Fail("not signed but should be");
            }

            if (!req.Verify(signKP.Public))
            {
                Fail("signature failed to Verify");
            }

            requests = req.GetRequestList();

            if (!requests[0].GetCertID().Equals(id))
            {
                Fail("Failed isFor test");
            }

            certs = req.GetCerts();

            if (certs == null)
            {
                Fail("null certs found");
            }

            if (certs.Length != 1 || !testCert.Equals(certs[0]))
            {
                Fail("incorrect certs found in request");
            }

            //
            // encoding test
            //
            // DER round-trip: the re-parsed request must still verify under the same public key.
            byte[] reqEnc = req.GetEncoded();

            OcspReq newReq = new OcspReq(reqEnc);

            if (!newReq.Verify(signKP.Public))
            {
                Fail("newReq signature failed to Verify");
            }

            //
            // request generation with signing and nonce
            //
            chain = new X509Certificate[1];

            gen = new OcspReqGenerator();

            IList oids   = new ArrayList();
            IList values = new ArrayList();

            // Test-only nonce source; a production requester would draw the nonce from a CSPRNG and
            // check that the responder echoes it back.
            byte[] sampleNonce = new byte[16];
            Random rand        = new Random();

            rand.NextBytes(sampleNonce);

            gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

            // Nonce extension value is the DER OCTET STRING of the raw nonce, wrapped once more as the
            // extension's octet string (hence the doubled DerOctetString).
            oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
            values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

            gen.SetRequestExtensions(new X509Extensions(oids, values));

            gen.AddRequest(
                new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

            chain[0] = testCert;

            req = gen.Generate("SHA1withRSA", signKP.Private, chain);

            if (!req.IsSigned)
            {
                Fail("not signed but should be");
            }

            if (!req.Verify(signKP.Public))
            {
                Fail("signature failed to Verify");
            }

            //
            // extension check.
            //
            // The nonce was added as non-critical, so exactly one non-critical and zero critical OIDs are expected.
            ISet extOids = req.GetCriticalExtensionOids();

            if (extOids.Count != 0)
            {
                Fail("wrong number of critical extensions in OCSP request.");
            }

            extOids = req.GetNonCriticalExtensionOids();

            if (extOids.Count != 1)
            {
                Fail("wrong number of non-critical extensions in OCSP request.");
            }

            Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
            Asn1Object      extObj   = X509ExtensionUtilities.FromExtensionValue(extValue);

            if (!(extObj is Asn1OctetString))
            {
                Fail("wrong extension type found.");
            }

            byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets();

            if (!AreEqual(compareNonce, sampleNonce))
            {
                Fail("wrong extension value found.");
            }

            //
            // request list check
            //
            requests = req.GetRequestList();

            if (!requests[0].GetCertID().Equals(id))
            {
                Fail("Failed isFor test");
            }

            //
            // response parsing - test 1
            //
            // Status 0 is OCSPResponseStatus "successful".
            OcspResp response = new OcspResp(testResp1);

            if (response.Status != 0)
            {
                Fail("response status not zero.");
            }

            BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject();

            chain = brep.GetCerts();

            // Verifies the signature with the first certificate carried inside the response itself.
            // That proves internal consistency of the fixture; on its own it does not establish that the
            // signer is a trusted responder.
            if (!brep.Verify(chain[0].GetPublicKey()))
            {
                Fail("response 1 failed to Verify.");
            }

            //
            // test 2
            //
            // singleResp is read for exercise only; nothing below inspects it.
            SingleResp[] singleResp = brep.Responses;

            response = new OcspResp(testResp2);

            if (response.Status != 0)
            {
                Fail("response status not zero.");
            }

            brep  = (BasicOcspResp)response.GetResponseObject();
            chain = brep.GetCerts();

            if (!brep.Verify(chain[0].GetPublicKey()))
            {
                Fail("response 2 failed to Verify.");
            }

            singleResp = brep.Responses;

            //
            // simple response generation
            //
            // Re-wrap the parsed basic response as a successful OcspResp and check it decodes to an
            // equal response object.
            OCSPRespGenerator respGen = new OCSPRespGenerator();
            OcspResp          resp    = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());

            if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
            {
                Fail("response fails to match");
            }

            doTestECDsa();
            doTestRsa();
            doTestIrregularVersionReq();
        }
		/// <summary>
		/// End-to-end exercise of OCSP request handling: unsigned request generation, signed request
		/// generation (with and without a nonce extension), DER round-trip of a signed request, parsing and
		/// signature verification of two canned responses (<c>testResp1</c>, <c>testResp2</c>), wrapping a
		/// basic response with <see cref="OCSPRespGenerator"/>, and finally the ECDSA, RSA and
		/// irregular-version sub-tests. Each check reports through <c>Fail(...)</c>.
		/// </summary>
		public override void PerformTest()
		{
			// Self-signed test certificate: the same key pair acts as issuer and subject.
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
			X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);

			// origName is built but not used by any check below.
			string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
			GeneralName origName = new GeneralName(new X509Name(origDN));

			//
			// general id value for our test issuer cert and a serial number.
			//
			CertificateID   id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			OcspReq req = gen.Generate();

			// An unsigned request must report IsSigned == false and carry no certificates.
			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			// CertificateID equality covers hash algorithm, issuer name/key hashes and serial.
			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			// Signed with the test key; the one-element chain is embedded in the request.
			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !testCert.Equals(certs[0]))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test
			//
			// DER round-trip: the re-parsed request must still verify under the same public key.
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			// Test-only nonce source; a production requester would draw the nonce from a CSPRNG and
			// check that the responder echoes it back.
			byte[] sampleNonce = new byte[16];
			Random rand = new Random();

			rand.NextBytes(sampleNonce);

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Nonce extension value is the DER OCTET STRING of the raw nonce, wrapped once more as the
			// extension's octet string (hence the doubled DerOctetString).
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			// The nonce was added as non-critical, so exactly one non-critical and zero critical OIDs are expected.
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
			Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets();

			if (!AreEqual(compareNonce, sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response parsing - test 1
			//
			// Status 0 is OCSPResponseStatus "successful".
			OcspResp response = new OcspResp(testResp1);

			if (response.Status != 0)
			{
				Fail("response status not zero.");
			}

			BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject();
			chain = brep.GetCerts();

			// Verifies the signature with the first certificate carried inside the response itself.
			// That proves internal consistency of the fixture; on its own it does not establish that the
			// signer is a trusted responder.
			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 1 failed to Verify.");
			}

			//
			// test 2
			//
			// singleResp is read for exercise only; nothing below inspects it.
			SingleResp[] singleResp = brep.Responses;

			response = new OcspResp(testResp2);

			if (response.Status != 0)
			{
				Fail("response status not zero.");
			}

			brep = (BasicOcspResp)response.GetResponseObject();
			chain = brep.GetCerts();

			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 2 failed to Verify.");
			}

			singleResp = brep.Responses;

			//
			// simple response generation
			//
			// Re-wrap the parsed basic response as a successful OcspResp and check it decodes to an
			// equal response object.
			OCSPRespGenerator respGen = new OCSPRespGenerator();
			OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());

			if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
			{
				Fail("response fails to match");
			}

			doTestECDsa();
			doTestRsa();
			doTestIrregularVersionReq();
		}
		/// <summary>
		/// Parses the canned request <c>irregReq</c> (a request whose version field is encoded irregularly,
		/// per the failure message) and checks that its signature still verifies with the public key of the
		/// first certificate embedded in the request.
		/// </summary>
		private void doTestIrregularVersionReq()
		{
			OcspReq parsed = new OcspReq(irregReq);
			X509Certificate[] embeddedCerts = parsed.GetCerts();
			var signerKey = embeddedCerts[0].GetPublicKey();

			bool signatureOk = parsed.Verify(signerKey);
			if (signatureOk)
			{
				return;
			}

			Fail("extra version encoding test failed");
		}
		/// <summary>
		/// ECDSA variant of the request tests: unsigned request generation, SHA1withECDSA-signed request
		/// generation (with and without a nonce extension), DER round-trip of a signed request, and finally
		/// generation of a basic response for the same <see cref="CertificateID"/>. Each check reports through
		/// <c>Fail(...)</c>.
		/// </summary>
		private void doTestECDsa()
		{
			// Self-signed EC test certificate: the same key pair acts as issuer and subject.
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeECKeyPair();
			X509Certificate testCert = OcspTestUtil.MakeECDsaCertificate(signKP, signDN, signKP, signDN);

			// origName is built but not used by any check below.
			string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
			GeneralName origName = new GeneralName(new X509Name(origDN));

			//
			// general id value for our test issuer cert and a serial number.
			//
			CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			gen.AddRequest(id);

			OcspReq req = gen.Generate();

			// An unsigned request must report IsSigned == false and carry no certificates.
			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			// Signed with the EC test key; the one-element chain is embedded in the request.
			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !certs[0].Equals(testCert))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test
			//
			// DER round-trip: the re-parsed request must still verify under the same public key.
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			// Test-only nonce source; a production requester would draw the nonce from a CSPRNG and
			// check that the responder echoes it back.
			byte[] sampleNonce = new byte[16];
			Random rand = new Random();

			rand.NextBytes(sampleNonce);

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Nonce extension value is the DER OCTET STRING of the raw nonce, wrapped once more as the
			// extension's octet string (hence the doubled DerOctetString).
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			// The nonce was added as non-critical, so exactly one non-critical and zero critical OIDs are expected.
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);

			Asn1Encodable extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			if (!AreEqual(((Asn1OctetString)extObj).GetOctets(), sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response generation
			//
			// Responder identified by its public key; one "good" single response for id. The generated
			// response is discarded: this only checks that generation with an EC key does not throw.
			BasicOcspRespGenerator respGen = new BasicOcspRespGenerator(signKP.Public);

			respGen.AddResponse(id, CertificateStatus.Good);

			respGen.Generate("SHA1withECDSA", signKP.Private, chain, DateTime.UtcNow);
		}