/// <summary>
/// Answers one HTTP-delivered OCSP request with the DER encoding of the generated response.
/// </summary>
/// <param name="http_request">Incoming listener request carrying the OCSP request (GET or POST).</param>
/// <returns>The encoded <c>OcspResp</c> produced by <c>CreateResponseForRequest</c>.</returns>
public static byte[] SendOcspResponse(HttpListenerRequest http_request)
{
    var parsedRequest = RequestUtilities.GetRequestFromHttp(http_request);
    var generatedResponse = CreateResponseForRequest(parsedRequest);
    return generatedResponse.GetEncoded();
}
/// <summary>
/// Posts <paramref name="ocspRequest"/> to <paramref name="url"/> and parses the responder's answer.
/// </summary>
/// <param name="ocspRequest">Request to transmit.</param>
/// <param name="url">Responder endpoint.</param>
/// <returns>The parsed <c>OcspResp</c> extracted from the HTTP response.</returns>
public static OcspResp Send(OcspReq ocspRequest, string url)
{
    var webRequest = CreateWebRequest(url, ocspRequest);
    var webResponse = GetWebResponse(webRequest);
    return ExtractOcspResponseFromWebResponse(webResponse);
}
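/// <summary>
/// Builds the signed <see cref="OcspResp"/> answering every single request carried by
/// <paramref name="ocspRequest"/> on behalf of <paramref name="issuerCertificate"/>.
/// </summary>
/// <param name="ocspRequest">Parsed OCSP request; each entry of its request list gets one SingleResponse.</param>
/// <param name="issuerCertificate">Issuer whose responder key pair, chain and revocation data are read from <c>OcspResponderRepository</c>.</param>
/// <returns>A response with status <see cref="OcspRespStatus.Successful"/> wrapping the signed basic response.</returns>
private async Task<OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
{
    var responderId = new RespID(await OcspResponderRepository.GetResponderPublicKey(issuerCertificate));
    var basicResponseGenerator = new BasicOcspRespGenerator(responderId);
    var extensionsGenerator = new X509ExtensionsGenerator();
    var nextUpdate = await OcspResponderRepository.GetNextUpdate();

    // Compromise is a property of the issuer, not of a single request, so it is looked up once
    // rather than once per entry of the request list.
    var caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);
    // One thisUpdate shared by every SingleResponse of this answer.
    var thisUpdate = DateTime.UtcNow;
    // X509ExtensionsGenerator rejects a second extension with the same OID, so the
    // extended-revoke marker is added at most once even when several serials are unknown.
    var extendedRevokeAdded = false;

    foreach (var request in ocspRequest.GetRequestList())
    {
        var certificateId = request.GetCertID();
        var serialNumber = certificateId.SerialNumber;
        CertificateStatus certificateStatus;

        if (caCompromisedStatus.IsCompromised)
        {
            // See section 2.7 of RFC 6960: every certificate of a compromised CA is reported revoked.
            certificateStatus = new RevokedStatus(caCompromisedStatus.CompromisedDate.Value.UtcDateTime, (int)RevocationReason.CACompromise);
        }
        else if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
        {
            // See section 2.2 of RFC 6960
            var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);
            certificateStatus = status.IsRevoked
                ? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
                : CertificateStatus.Good;
        }
        else
        {
            // Extended revoke (RFC 6960 section 4.4.8): a serial this CA never issued is answered
            // "revoked" with revocationTime 1970-01-01 00:00:00 UTC and reason certificateHold.
            // The epoch is pinned to DateTimeKind.Utc so the encoder cannot interpret it as local time.
            certificateStatus = new RevokedStatus(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc), CrlReason.CertificateHold);
            if (!extendedRevokeAdded)
            {
                extensionsGenerator.AddExtension(OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
                extendedRevokeAdded = true;
            }
        }

        basicResponseGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate.UtcDateTime, null);
    }

    SetNonceExtension(ocspRequest, extensionsGenerator);
    basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());

    // Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
    const string signatureAlgorithm = "sha256WithRSAEncryption";
    // NOTE(review): the last argument is producedAt; passing nextUpdate here was inherited from the
    // previous version and looks like it should be the generation time — confirm with the callers.
    var basicOcspResponse = basicResponseGenerator.Generate(
        signatureAlgorithm,
        await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
        await OcspResponderRepository.GetChain(issuerCertificate),
        nextUpdate.UtcDateTime);

    return OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);
}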
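/// <summary>
/// Posts <paramref name="ocspRequest"/> to the first configured responder URI and returns the parsed basic response.
/// </summary>
/// <param name="ocspRequest">Request to send.</param>
/// <returns>
/// The <see cref="BasicOcspResp"/> carried by the responder's answer, or <c>null</c> when the exchange fails
/// for any reason (the best-effort contract of the original is kept).
/// </returns>
public BasicOcspResp GetOcspStatus(OcspReq ocspRequest)
{
    byte[] reqArray = ocspRequest.GetEncoded();
    var uris = GetOcspUris();
    try
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uris[0]);
        request.Method = "POST";
        // Headers must be set before the request stream is opened: HttpWebRequest throws
        // InvalidOperationException when ContentLength is assigned after GetRequestStream(),
        // which previously sent every call into the catch below.
        request.ContentLength = reqArray.Length;
        request.ContentType = "application/ocsp-request";
        request.Accept = "application/ocsp-response";
        using (Stream requestStream = request.GetRequestStream())
        {
            requestStream.Write(reqArray, 0, reqArray.Length);
        }
        OcspResp resp;
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (Stream stream = response.GetResponseStream())
        {
            resp = new OcspResp(stream);
        }
        return (BasicOcspResp)resp.GetResponseObject();
    }
    catch (Exception)
    {
        // Best-effort lookup: network errors, malformed answers and unsuccessful
        // response statuses are all reported as "no status available".
        return null;
    }
}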
/// <summary>
/// Encodes an OCSP request asking about <paramref name="cert"/>, identified through its issuer <paramref name="cacert"/>.
/// </summary>
/// <param name="cert">End-entity certificate whose serial goes into the CertID.</param>
/// <param name="cacert">Issuer certificate hashed into the CertID.</param>
/// <returns>The DER-encoded request, or <c>null</c> when building it fails (the failure is traced, not rethrown).</returns>
private static byte[] CreateOcspPackage(X509Certificate cert, X509Certificate cacert)
{
    var generator = new OcspReqGenerator();
    try
    {
        // SHA-1 issuer hash is the baseline CertID hash of RFC 6960.
        var certificateId = new CertificateID(CertificateID.HashSha1, cacert, cert.SerialNumber);
        generator.AddRequest(certificateId);
        generator.SetRequestExtensions(CreateExtension());
        return generator.Generate().GetEncoded();
    }
    catch (OcspException e)
    {
        Debug.WriteLine(e.StackTrace);
    }
    catch (IOException e)
    {
        Debug.WriteLine(e.StackTrace);
    }
    return null;
}
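/// <summary>
/// Resolves the single CA token every entry of <paramref name="ocsp_req"/> belongs to.
/// </summary>
/// <param name="ocsp_req">Parsed request; may be <c>null</c> when parsing failed upstream.</param>
/// <returns>The token of the issuer shared by all single requests.</returns>
/// <exception cref="OcspMalformedRequestException">
/// The request is missing, has an empty request list, or mixes certificates of different issuers.
/// </exception>
public static IToken GetTokenForRequest(OcspReq ocsp_req)
{
    //TODO: Leverage RequestUtilities.RespondersMatch method to perform the token comparison
    // Explicit null check instead of catching NullReferenceException, which also hid
    // genuine bugs inside GetRequestList().
    if (ocsp_req == null)
    {
        throw new OcspMalformedRequestException("Unknown error parsing the request :(");
    }
    Req[] request_list = ocsp_req.GetRequestList();
    if (request_list == null || request_list.Length == 0)
    {
        throw new OcspMalformedRequestException("Empty request list.");
    }
    //get first singleRequest
    IToken _token_a = GetIssuerForSingleRequest(request_list[0]).caToken;
    //if we got only one single_req just return this issuer
    if (request_list.Length == 1)
    {
        return _token_a;
    }
    //check if request contains requests for different responders
    // (reference comparison, as before: tokens are expected to be shared instances)
    foreach (Req single_req in request_list)
    {
        IToken _token_b = GetIssuerForSingleRequest(single_req).caToken;
        if (_token_a != _token_b)
        {
            throw new OcspMalformedRequestException("Multiple responderIDs in request!");
        }
    }
    return _token_a;
}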
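/// <summary>
/// Builds a signed basic OCSP response for every CertID in <paramref name="requestBytes"/>, using the
/// status and validity window held by this instance, and echoes the request nonce when present.
/// </summary>
/// <param name="requestBytes">DER-encoded OCSPRequest.</param>
/// <returns>The DER encoding of the signed <c>BasicOcspResp</c>.</returns>
public virtual byte[] MakeOcspResponse(byte[] requestBytes)
{
    OcspReq ocspRequest = new OcspReq(requestBytes);
    Req[] requestList = ocspRequest.GetRequestList();
    // A request without an extension block yields a null RequestExtensions (expected from the
    // BouncyCastle accessor — confirm against the version in use); guarding it lets such requests
    // be answered without a nonce instead of failing.
    X509Extensions requestExtensions = ocspRequest.RequestExtensions;
    X509Extension extNonce = requestExtensions == null
        ? null
        : requestExtensions.GetExtension(OcspObjectIdentifiers.PkixOcspNonce);
    if (extNonce != null)
    {
        // RFC 6960 section 4.4.1: the nonce is returned unchanged so the client can bind this response to its request.
        X509Extensions responseExtensions = new X509Extensions(new Dictionary<DerObjectIdentifier, X509Extension>()
        {
            { OcspObjectIdentifiers.PkixOcspNonce, extNonce }
        });
        responseBuilder.SetResponseExtensions(responseExtensions);
    }
    foreach (Req req in requestList)
    {
        responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null);
    }
    DateTime time = DateTimeUtil.GetCurrentUtcTime();
    BasicOcspResp ocspResponse = responseBuilder.Generate(
        new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey),
        new X509Certificate[] { issuerCert },
        time);
    return ocspResponse.GetEncoded();
}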
/// <summary>
/// Writes the DER encoding of <paramref name="ocspRequest"/> as the body of <paramref name="request"/>.
/// </summary>
/// <param name="request">Outgoing web request whose request stream receives the body.</param>
/// <param name="ocspRequest">Request to encode.</param>
static void WriteOcspRequest(WebRequest request, OcspReq ocspRequest)
{
    byte[] body = ocspRequest.GetEncoded();
    using (var bodyStream = request.GetRequestStream())
    {
        bodyStream.Write(body, 0, body.Length);
    }
}
/// <summary>
/// Queries an OCSP responder about <paramref name="eeCert"/> and returns the raw response bytes.
/// </summary>
/// <param name="eeCert">End-entity certificate to check.</param>
/// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, hashed into the CertID.</param>
/// <param name="url">Responder endpoint.</param>
/// <param name="addNonce">Whether a nonce extension is added to the request.</param>
/// <param name="requestorName">Optional requestorName field of the request.</param>
/// <param name="signCertificate">Optional certificate used to sign the request.</param>
/// <returns>The undecoded OCSP response as returned by <c>PostData</c>.</returns>
public byte[] QueryBinary(Org.BouncyCastle.X509.X509Certificate eeCert, Org.BouncyCastle.X509.X509Certificate issuerCert, string url, bool addNonce, GeneralName requestorName = null, System.Security.Cryptography.X509Certificates.X509Certificate2 signCertificate = null)
{
    OcspReq request = GenerateOcspRequest(issuerCert, eeCert.SerialNumber, requestorName, signCertificate, addNonce);
    byte[] encodedRequest = request.GetEncoded();
    return PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");
}
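/// <summary>
/// Queries an OCSP responder for the status of <paramref name="eeCert"/>.
/// </summary>
/// <param name="eeCert">End-entity certificate being checked.</param>
/// <param name="issuerCert">Issuer of <paramref name="eeCert"/>; used to build the CertID.</param>
/// <param name="url">Responder endpoint; defaults to the URL that was previously hard-coded so existing callers are unaffected.</param>
/// <returns>The status computed by <c>ProcessOcspResponse</c>.</returns>
public CertificateStatus ValidaOscp(X509Certificate eeCert, X509Certificate issuerCert, string url = "https://cfdi.sat.gob.mx/edofiel")
{
    OcspReq req = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
    byte[] binaryResp = PostData(url, req.GetEncoded(), "application/ocsp-request", "application/ocsp-response");
    return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
}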
/// <summary>
/// Queries an OCSP responder about <paramref name="eeCert"/> and returns the raw response bytes.
/// </summary>
/// <param name="eeCert">End-entity certificate to check.</param>
/// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, hashed into the CertID.</param>
/// <param name="url">Responder endpoint.</param>
/// <returns>The undecoded OCSP response as returned by <c>PostData</c>.</returns>
public byte[] QueryBinary(X509Certificate eeCert, X509Certificate issuerCert, string url)
{
    OcspReq request = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
    byte[] encodedRequest = request.GetEncoded();
    return PostData(url, encodedRequest, "application/ocsp-request", "application/ocsp-response");
}
/// <summary>
/// Copies the request's nonce extension, when present, into the response extensions.
/// </summary>
/// <param name="ocspRequest">Request to read the nonce from.</param>
/// <param name="extensionsGenerator">Generator collecting the response extensions.</param>
private void SetNonceExtension(OcspReq ocspRequest, X509ExtensionsGenerator extensionsGenerator)
{
    var requestNonce = ocspRequest.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    if (requestNonce == null)
    {
        return;
    }
    // Non-critical, same octets as the request so the client can match the pair.
    extensionsGenerator.AddExtension(OcspObjectIdentifiers.PkixOcspNonce, false, requestNonce.GetOctets());
}
/// <summary>
/// Checks that a request with an irregularly encoded version field still parses and verifies
/// against the public key of the first embedded certificate.
/// </summary>
private void doTestIrregularVersionReq()
{
    OcspReq ocspRequest = new OcspReq(irregReq);
    var embeddedCert = ocspRequest.GetCerts()[0];
    bool signatureOk = ocspRequest.Verify(embeddedCert.GetPublicKey());
    if (!signatureOk)
    {
        Fail("extra version encoding test failed");
    }
}
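/// <summary>
/// Queries an OCSP responder for the status of <paramref name="clientCert"/>.
/// </summary>
/// <param name="clientCert">End-entity certificate being checked.</param>
/// <param name="issuerCert">Issuer of <paramref name="clientCert"/>; used to build the CertID.</param>
/// <param name="respMsg">Human-readable outcome filled in by <c>processOcspResponse</c>.</param>
/// <param name="url">Responder endpoint; defaults to the URL that was previously hard-coded so existing callers are unaffected.</param>
/// <returns>The status computed by <c>processOcspResponse</c>.</returns>
public CertificateStatus validateOcsp(X509Certificate clientCert, X509Certificate issuerCert, out string respMsg, string url = "http://www.sat.gob.mx/OCSP")
{
    OcspReq req = generateOcspRequest(issuerCert, clientCert.SerialNumber);
    byte[] binaryResp = IoUtils.PostData(url, req.GetEncoded(), "application/ocsp-request", "application/ocsp-response");
    return processOcspResponse(clientCert, issuerCert, binaryResp, out respMsg);
}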
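/**
 * Fetches the OCSP response for checkCert from url and returns the encoded BasicOcspResp
 * when the single response it carries says "good".
 *
 * @return the DER-encoded BasicOcspResp, or null when the responder returned no basic
 *         response or more than one SingleResponse
 * @throws IOException on a non-200 HTTP status, an unsuccessful OCSP status, or a
 *         revoked/unknown certificate status
 * @see com.lowagie.text.pdf.OcspClient#getEncoded()
 */
public byte[] GetEncoded()
{
    OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
    byte[] array = request.GetEncoded();
    HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
    con.ContentLength = array.Length;
    con.ContentType = "application/ocsp-request";
    con.Accept = "application/ocsp-response";
    con.Method = "POST";
    // using blocks replace the manual Close() calls so the streams and the response are
    // released on the exception paths too.
    using (Stream outp = con.GetRequestStream())
    {
        outp.Write(array, 0, array.Length);
    }
    OcspResp ocspResponse;
    using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
    {
        if (response.StatusCode != HttpStatusCode.OK)
        {
            throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
        }
        using (Stream inp = response.GetResponseStream())
        {
            ocspResponse = new OcspResp(inp);
        }
    }
    if (ocspResponse.Status != 0)
    {
        throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status));
    }
    BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
    if (basicResponse != null)
    {
        SingleResp[] responses = basicResponse.Responses;
        if (responses.Length == 1)
        {
            SingleResp resp = responses[0];
            // BouncyCastle represents "good" as CertificateStatus.Good, so the reference
            // comparison below is the intended check.
            object status = resp.GetCertStatus();
            if (status == CertificateStatus.Good)
            {
                return basicResponse.GetEncoded();
            }
            else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
            }
            else
            {
                throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
            }
        }
    }
    return null;
}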
/// <summary>
/// Sends <paramref name="request"/> to <paramref name="responderUrl"/> and fails unless the responder answered successfully.
/// </summary>
/// <param name="request">Request to send.</param>
/// <param name="rootCertificate">Unused by this method; kept for the existing callers.</param>
/// <param name="responderUrl">Responder endpoint.</param>
/// <param name="serialNumber">Unused by this method; kept for the existing callers.</param>
/// <exception cref="OcspException">The response status is anything other than <c>Successful</c>.</exception>
static void PostOcspRequest(OcspReq request, X509Certificate2 rootCertificate, string responderUrl, string serialNumber)
{
    var response = Requester.Send(request, responderUrl);
    bool successful = response.Status == OcspRespStatus.Successful;
    if (successful)
    {
        return;
    }
    throw new OcspException("OCSP response is not successful");
}
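/// <summary>
/// Handles one OCSP HTTP exchange: parses the request, answers each CertID with the CA's status,
/// echoes the nonce, signs with the CA key and writes the encoded response.
/// </summary>
/// <param name="context">Listener context carrying the request and the response to write.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is <c>null</c>.</exception>
public override void Respond(HttpListenerContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }
    var bytes = GetOcspRequest(context);
    if (bytes == null)
    {
        // Nothing parseable was delivered; answer Bad Request without a body.
        context.Response.StatusCode = 400;
        return;
    }
    var ocspReq = new OcspReq(bytes);
    var respId = new RespID(CertificateAuthority.Certificate.SubjectDN);
    var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
    // RFC 6960 section 4.4.1: a request nonce is returned unchanged so the client can match the pair.
    var nonce = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    if (nonce != null)
    {
        var extensions = new X509Extensions(new Dictionary<DerObjectIdentifier, X509Extension>()
        {
            { OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
        });
        basicOcspRespGenerator.SetResponseExtensions(extensions);
    }
    var now = DateTime.UtcNow;
    // The validity window is the same for every SingleResponse, so it is resolved once
    // instead of being re-read from the options on each loop iteration.
    var thisUpdate = _options.ThisUpdate?.UtcDateTime ?? now;
    var nextUpdate = _options.NextUpdate?.UtcDateTime ?? now.AddSeconds(1);
    foreach (var request in ocspReq.GetRequestList())
    {
        var certificateId = request.GetCertID();
        var certificateStatus = CertificateAuthority.GetStatus(certificateId);
        basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate, singleExtensions: null);
    }
    var certificateChain = GetCertificateChain();
    var basicOcspResp = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now);
    var ocspRespGenerator = new OCSPRespGenerator();
    var ocspResp = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);
    bytes = ocspResp.GetEncoded();
    context.Response.ContentType = ResponseContentType;
    WriteResponseBody(context.Response, bytes);
}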
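/// <summary>
/// Extracts the OCSP request from an HTTP GET (base64 in the URL path, RFC 6960 appendix A.1)
/// or POST (DER body) request.
/// </summary>
/// <param name="http_request">Incoming listener request.</param>
/// <returns>The parsed request, or <c>null</c> when the method is unsupported or the payload is malformed (both are logged as warnings).</returns>
public static OcspReq GetRequestFromHttp(HttpListenerRequest http_request)
{
    OcspReq ocsp_req;
    try
    {
        //check if mime-type is application/ocsp-request
        if (http_request.Headers["Content-Type"] != "application/ocsp-request")
        {
            SharpOCSP.log.Warn("MIME type of request not application/ocsp-request.");
        }
        switch (http_request.HttpMethod)
        {
            case "GET":
                try
                {
                    // Drop the leading '/'; the remainder is the (URL-encoded) base64 request.
                    var get_request = http_request.Url.PathAndQuery.Remove(0, 1);
                    ocsp_req = new OcspReq(DecodeGetRequestPayload(get_request));
                }
                catch
                {
                    throw new OcspMalformedRequestException();
                }
                break;
            case "POST":
                try
                {
                    ocsp_req = new OcspReq(http_request.InputStream);
                }
                catch
                {
                    throw new OcspMalformedRequestException();
                }
                break;
            default:
                ocsp_req = null;
                SharpOCSP.log.Warn("Unsupported Request method: " + http_request.HttpMethod);
                break;
        }
    }
    catch (OcspMalformedRequestException)
    {
        ocsp_req = null;
        SharpOCSP.log.Warn("Could not parse " + http_request.HttpMethod + " request.");
    }
    return ocsp_req;
}

/// <summary>
/// Decodes the base64 payload of a GET request, tolerating requestors that don't URL-encode
/// the base64 string and/or don't pad it: the URL-decoded form is tried first and the raw
/// path is used as a fallback when that does not decode.
/// </summary>
/// <param name="get_request">Path without the leading '/'.</param>
/// <returns>The DER bytes of the request.</returns>
/// <exception cref="System.FormatException">Neither form is valid base64.</exception>
private static byte[] DecodeGetRequestPayload(string get_request)
{
    try
    {
        var urld_get_request = WebUtility.UrlDecode(get_request);
        return System.Convert.FromBase64String(PadBase64(urld_get_request));
    }
    catch (System.FormatException)
    {
        // e.g. an un-encoded '+' was turned into a space by UrlDecode above.
        return System.Convert.FromBase64String(PadBase64(get_request));
    }
}

/// <summary>Appends '=' until the length of <paramref name="base64"/> is a multiple of 4.</summary>
private static string PadBase64(string base64)
{
    var request_sb = new StringBuilder(base64);
    request_sb.Append('=', (4 - (base64.Length % 4)) % 4);
    return request_sb.ToString();
}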
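/// <summary>
/// Fetches the OCSP response for <c>_checkCert</c> from <c>_url</c> and returns the encoded
/// BasicOcspResp when the single response it carries says "good".
/// </summary>
/// <returns>The DER-encoded BasicOcspResp, or <c>null</c> when no basic response or more than one SingleResponse was returned.</returns>
/// <exception cref="IOException">Non-200 HTTP status, unsuccessful OCSP status, or a revoked/unknown certificate status.</exception>
/// <seealso>com.lowagie.text.pdf.OcspClient#getEncoded()</seealso>
public byte[] GetEncoded()
{
    OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber);
    byte[] array = request.GetEncoded();
    HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url);
    con.ContentType = "application/ocsp-request";
    con.Accept = "application/ocsp-response";
    con.Method = "POST";
    // NOTE(review): .Result blocks on the async calls; kept because callers expect a
    // synchronous GetEncoded(). using blocks replace the manual Dispose() calls so the
    // streams and the response are released on the exception paths too.
    using (Stream outp = con.GetRequestStreamAsync().Result)
    {
        outp.Write(array, 0, array.Length);
    }
    OcspResp ocspResponse;
    using (HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result)
    {
        if (response.StatusCode != HttpStatusCode.OK)
        {
            throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}");
        }
        using (Stream inp = response.GetResponseStream())
        {
            ocspResponse = new OcspResp(inp);
        }
    }
    if (ocspResponse.Status != 0)
    {
        throw new IOException("Invalid status: " + ocspResponse.Status);
    }
    BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
    if (basicResponse != null)
    {
        SingleResp[] responses = basicResponse.Responses;
        if (responses.Length == 1)
        {
            SingleResp resp = responses[0];
            // BouncyCastle represents "good" as CertificateStatus.Good, hence the reference comparison.
            object status = resp.GetCertStatus();
            if (status == CertificateStatus.Good)
            {
                return basicResponse.GetEncoded();
            }
            else if (status is RevokedStatus)
            {
                throw new IOException("OCSP Status is revoked!");
            }
            else
            {
                throw new IOException("OCSP Status is unknown!");
            }
        }
    }
    return null;
}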
/// <summary>
/// Prepares a POST carrying <paramref name="ocspRequest"/> to <paramref name="url"/>; the body is written before returning.
/// </summary>
/// <param name="url">Responder endpoint.</param>
/// <param name="ocspRequest">Request to encode into the body.</param>
/// <returns>The configured request, ready for <c>GetResponse</c>.</returns>
static HttpWebRequest CreateWebRequest(string url, OcspReq ocspRequest)
{
    var webRequest = (HttpWebRequest)WebRequest.Create(url);
    webRequest.KeepAlive = false;
    webRequest.Method = "POST";
    webRequest.ContentType = "application/ocsp-request";
    int bodyLength = ocspRequest.GetEncoded().Length;
    webRequest.ContentLength = bodyLength;
    WriteOcspRequest(webRequest, ocspRequest);
    return webRequest;
}
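/// <summary>
/// Asks the responder at <paramref name="urlOCSP"/> for the status of the certificate with
/// <paramref name="serialNumber"/> issued by <paramref name="issuer"/>.
/// </summary>
/// <param name="serialNumber">Hexadecimal serial number of the certificate to check.</param>
/// <param name="issuer">Issuer certificate; hashed into the CertID and used as requestorName.</param>
/// <param name="urlOCSP">Responder endpoint.</param>
/// <returns>VALID, REVOKED, or UNKNOWN when the status is neither or anything in the exchange fails (best-effort contract kept).</returns>
public ValidationResponse ValidateCertificate(string serialNumber, X509Certificate2 issuer, String urlOCSP)
{
    try
    {
        OcspReqGenerator ocspReqGenerator = new OcspReqGenerator();
        ocspReqGenerator.AddRequest(new CertificateID(CertificateID.HashSha1, Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(issuer), new BigInteger(serialNumber, 16)));
        // Extensions
        IList oidList = new ArrayList();
        IList valueList = new ArrayList();
        // nonce (RFC 6960 section 4.4.1): binds the response to this request, so it has to be
        // unpredictable; System.Random is seeded from the clock and is not suitable for that.
        byte[] nonce = new byte[16];
        using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
        {
            rng.GetBytes(nonce);
        }
        oidList.Add(OcspObjectIdentifiers.PkixOcspNonce);
        valueList.Add(new Org.BouncyCastle.Asn1.X509.X509Extension(false, new DerOctetString(nonce)));
        ocspReqGenerator.SetRequestExtensions(new X509Extensions(oidList, valueList));
        // requestor name
        ocspReqGenerator.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name(issuer.Subject)));
        OcspReq ocspReq = ocspReqGenerator.Generate();
        OcspResp ocspResponse = new OcspResp(transferHttpDataService.SendOcspRequest(urlOCSP, ocspReq.GetEncoded()));
        // NOTE(review): the response signature and the echoed nonce are not checked here;
        // whether a later stage does so should be confirmed before relying on this result.
        if (ocspResponse.Status == OcspResponseStatus.Successful)
        {
            BasicOcspResp ocspBasicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
            // BouncyCastle represents "good" as CertificateStatus.Good, hence the reference comparison.
            object certStatus = ocspBasicResponse.Responses[0].GetCertStatus();
            if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
            {
                return new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.VALID);
            }
            else if (certStatus is RevokedStatus)
            {
                return new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.REVOKED);
            }
            // Any other status (e.g. UnknownStatus) falls through to UNKNOWN.
        }
    }
    catch (System.Exception)
    {
        // Best-effort: transport, parsing and responder failures are all reported as UNKNOWN.
    }
    return new ValidationResponse(ValidationExtensions.Enums.CertificateStatus.UNKNOWN);
}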
/// <summary>
/// Queries the first OCSP responder advertised in <paramref name="eeCert"/> and returns the certificate status.
/// </summary>
/// <param name="eeCert">End-entity certificate whose AIA extension supplies the responder URL.</param>
/// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, hashed into the CertID.</param>
/// <param name="proxy">Optional proxy for the HTTP exchange.</param>
/// <returns>The status computed by <c>ProcessOcspResponse</c>.</returns>
/// <exception cref="OCSPExpection">The certificate advertises no OCSP URL.</exception>
public CertificateStatus Query(X509Certificate eeCert, X509Certificate issuerCert, WebProxy proxy = null)
{
    List<string> urls = GetAuthorityInformationAccessOcspUrl(eeCert);
    if (urls.Count > 0)
    {
        // Only the first advertised responder is consulted.
        string responderUrl = urls[0];
        OcspReq request = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
        byte[] binaryResp = PostData(responderUrl, request.GetEncoded(), "application/ocsp-request", "application/ocsp-response", proxy);
        return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
    }
    throw new OCSPExpection("No OCSP URL found in EE certificate.");
}
/// <summary>
/// Queries the first OCSP responder advertised in <paramref name="in_Certificado"/> and returns the certificate status.
/// </summary>
/// <param name="in_Certificado">Certificate whose AIA extension supplies the responder URL.</param>
/// <param name="in_CertificadoEmisor">Issuer of <paramref name="in_Certificado"/>, hashed into the CertID.</param>
/// <returns>The status computed by <c>ProcesarRespuestaOcsp</c>.</returns>
/// <exception cref="Exception">The certificate advertises no OCSP URL.</exception>
public CertificateStatus ConsultarEstadoDeCertificado(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor)
{
    List<string> urls = GetAuthorityInformationAccessOcspUrl(in_Certificado);
    if (urls.Count > 0)
    {
        string responderUrl = urls[0];
        Console.WriteLine("Consultando '" + responderUrl + "'...");
        OcspReq request = GenerarRequestOCSP(in_CertificadoEmisor, in_Certificado.SerialNumber);
        byte[] binaryResp = PostData(responderUrl, request.GetEncoded(), "application/ocsp-request", "application/ocsp-response");
        return ProcesarRespuestaOcsp(in_Certificado, in_CertificadoEmisor, binaryResp);
    }
    throw new Exception("No se encontro ningun OCSP url en el certificado.");
}
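/// <summary>
/// Posts an OCSP request for <paramref name="checkCert"/> to <paramref name="url"/> (or to the URL found in the certificate) and parses the answer.
/// </summary>
/// <param name="checkCert">Certificate to check; <c>null</c> yields <c>null</c>.</param>
/// <param name="rootCert">Issuer hashed into the CertID; <c>null</c> yields <c>null</c>.</param>
/// <param name="url">Responder endpoint, or <c>null</c> to read it from the certificate's AIA extension.</param>
/// <returns>The parsed response, or <c>null</c> when a certificate or the URL is missing.</returns>
/// <exception cref="IOException">The responder answered with a non-200 HTTP status.</exception>
private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
{
    if (checkCert == null || rootCert == null)
    {
        return null;
    }
    if (url == null)
    {
        url = CertificateUtil.GetOCSPURL(checkCert);
    }
    if (url == null)
    {
        return null;
    }
    LOGGER.Info("Getting OCSP from " + url);
    OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
    byte[] array = request.GetEncoded();
    HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
    con.ContentLength = array.Length;
    con.ContentType = "application/ocsp-request";
    con.Accept = "application/ocsp-response";
    con.Method = "POST";
    // using blocks replace the manual Close() calls so the streams and the response are
    // released on the exception paths too.
    using (Stream outp = con.GetRequestStream())
    {
        outp.Write(array, 0, array.Length);
    }
    using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
    {
        if (response.StatusCode != HttpStatusCode.OK)
        {
            throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
        }
        using (Stream inp = response.GetResponseStream())
        {
            return new OcspResp(inp);
        }
    }
}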
/// <summary>
/// Queries the first OCSP responder advertised in <paramref name="eeCert"/> and returns the certificate status.
/// </summary>
/// <param name="eeCert">End-entity certificate whose AIA extension supplies the responder URL.</param>
/// <param name="issuerCert">Issuer of <paramref name="eeCert"/>, hashed into the CertID.</param>
/// <returns>The status computed by <c>ProcessOcspResponse</c>.</returns>
/// <exception cref="Exception">The certificate advertises no OCSP URL.</exception>
internal static OCSPStatus CheckOCSP(X509Certificate eeCert, X509Certificate issuerCert)
{
    List<string> urls = GetAuthorityInformationAccessOcspUrl(eeCert);
    if (urls.Count > 0)
    {
        // Only the first advertised responder is consulted.
        string responderUrl = urls[0];
        Console.WriteLine("Querying '" + responderUrl + "'...");
        OcspReq request = GenerateOcspRequest(issuerCert, eeCert.SerialNumber);
        byte[] binaryResp = PostData(responderUrl, request.GetEncoded(), "application/ocsp-request", "application/ocsp-response");
        return ProcessOcspResponse(eeCert, issuerCert, binaryResp);
    }
    throw new Exception("No OCSP url found in ee certificate.");
}
/// <summary>
/// Looks up the responder advertised in <paramref name="certificate"/>, posts a request for it and returns the basic response.
/// </summary>
/// <param name="certificate">Certificate to check; its AIA extension supplies <c>OcspUri</c>.</param>
/// <param name="issuerCertificate">Issuer hashed into the CertID.</param>
/// <returns>The basic response, or <c>null</c> when there is no responder URI, the data cannot be fetched, the response is empty, or an OCSP error occurs.</returns>
/// <exception cref="System.IO.IOException"></exception>
public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)
{
    try
    {
        this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod);
        LOG.Info("OCSP URI: " + this.OcspUri);
        if (this.OcspUri == null)
        {
            return null;
        }
        CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate, certificate.SerialNumber);
        OcspReqGenerator generator = new OcspReqGenerator();
        generator.AddRequest(certId);
        byte[] ocspReqData = generator.Generate().GetEncoded();
        Stream responseStream = HttpDataLoader.Post(this.OcspUri, new MemoryStream(ocspReqData));
        OcspResp ocspResp = new OcspResp(responseStream);
        try
        {
            return (BasicOcspResp)ocspResp.GetResponseObject();
        }
        catch (ArgumentNullException)
        {
            // Encountered a case when the OCSPResp is initialized with a null OCSP response...
            // (and there are no nullity checks in the OCSPResp implementation)
            return null;
        }
    }
    catch (CannotFetchDataException)
    {
        return null;
    }
    catch (OcspException e)
    {
        LOG.Error("OCSP error: " + e.Message);
        return null;
    }
}
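/// <summary>
/// Posts an OCSP request for <paramref name="checkCert"/> to <paramref name="url"/> (or to the URL found in the certificate) and parses the answer.
/// </summary>
/// <param name="checkCert">Certificate to check; <c>null</c> yields <c>null</c>.</param>
/// <param name="rootCert">Issuer hashed into the CertID; <c>null</c> yields <c>null</c>.</param>
/// <param name="url">Responder endpoint, or <c>null</c> to read it from the certificate's AIA extension.</param>
/// <returns>The parsed response, or <c>null</c> when a certificate or the URL is missing.</returns>
private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url)
{
    if (checkCert == null || rootCert == null)
    {
        return null;
    }
    if (url == null)
    {
        url = CertificateUtil.GetOCSPURL(checkCert);
    }
    if (url == null)
    {
        return null;
    }
    LOGGER.Info("Getting OCSP from " + url);
    OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
    byte[] array = request.GetEncoded();
    Uri urlt = new Uri(url);
    // The response stream was never closed; dispose it once it has been read into memory.
    using (Stream @in = SignUtils.GetHttpResponseForOcspRequest(array, urlt))
    {
        return new OcspResp(StreamUtil.InputStreamToArray(@in));
    }
}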
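/// <summary>
/// Sends the OCSP request built from the instance's certificates to <c>url</c>, stores the
/// request and response in the instance, and returns the encoded basic response once
/// <c>VerifyOCSPResponse</c> reports GOOD.
/// </summary>
/// <returns>
/// The DER-encoded BasicOcspResp, or <c>null</c> when the HTTP status is not 200 (with <c>lastError</c> set)
/// or the verification result is not GOOD.
/// </returns>
public byte[] GetEncoded()
{
    ocspRequest = GenerateOCSPRequest(signerCert, checkerCert, issuerCert, checkerKey);
    byte[] array = ocspRequest.GetEncoded();
    HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
    con.ContentLength = array.Length;
    con.ContentType = "application/ocsp-request";
    con.Accept = "application/ocsp-response";
    con.Method = "POST";
    // using blocks replace the manual Close() calls so the streams and the response are
    // released on the early-return and exception paths too.
    using (Stream outp = con.GetRequestStream())
    {
        outp.Write(array, 0, array.Length);
    }
    using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
    {
        if (response.StatusCode != HttpStatusCode.OK)
        {
            this.lastError = "Invalid HTTP response: " + (int)response.StatusCode;
            return null;
        }
        using (Stream inp = response.GetResponseStream())
        {
            ocspResponse = new OcspResp(inp);
        }
    }
    int verify = VerifyOCSPResponse();
    if (verify != (int)CertStatus.GOOD)
    {
        return null;
    }
    return ((BasicOcspResp)ocspResponse.GetResponseObject()).GetEncoded();
}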
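/// <summary>
/// Builds an unsigned OCSP request for <paramref name="id"/> carrying a fresh random nonce (RFC 6960 section 4.4.1).
/// </summary>
/// <param name="id">Certificate to ask about.</param>
/// <returns>The generated request.</returns>
private OcspReq GenerateOcspRequest(CertificateID id)
{
    OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();
    ocspRequestGenerator.AddRequest(id);

    // The nonce binds the response to this request so that an earlier response cannot be
    // replayed; it therefore has to be unpredictable and different on every call. The previous
    // value came from new DateTime().Ticks (always 0) and was never used — a constant byte
    // pattern was sent instead.
    byte[] nonce = new byte[16];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(nonce);
    }
    ArrayList oids = new ArrayList();
    Hashtable values = new Hashtable();
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // extnValue is itself an OCTET STRING holding the nonce, hence the double wrap.
    Asn1OctetString nonceValue = new DerOctetString(new DerOctetString(nonce));
    values.Add(OcspObjectIdentifiers.PkixOcspNonce, new Org.BouncyCastle.Asn1.X509.X509Extension(false, nonceValue));
    ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));
    // NOTE(review): nothing here retains the nonce; the caller must keep it to compare against
    // the responder's echoed value, otherwise the extension offers no replay protection.
    return ocspRequestGenerator.Generate();
}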
/// <summary>
/// Exercises OCSP request generation (unsigned, signed, signed with a nonce), re-parsing of the
/// encoded request, extension lookup, parsing of two canned responses and a simple response
/// re-wrap, then runs the ECDSA, RSA and irregular-version sub-tests.
/// </summary>
public override void PerformTest()
{
    string signDN = "O=Bouncy Castle, C=AU";
    AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
    // Same key pair and DN are passed for both roles, i.e. a self-issued test certificate.
    X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);
    string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
    GeneralName origName = new GeneralName(new X509Name(origDN));
    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);
    //
    // basic request generation
    //
    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    OcspReq req = gen.Generate();
    if (req.IsSigned) { Fail("signed but shouldn't be"); }
    // An unsigned request carries no certificates.
    X509Certificate[] certs = req.GetCerts();
    if (certs != null) { Fail("null certs expected, but not found"); }
    Req[] requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    //
    // request generation with signing
    //
    X509Certificate[] chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);
    if (!req.IsSigned) { Fail("not signed but should be"); }
    if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); }
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    // The signed request must embed exactly the one certificate of the chain.
    certs = req.GetCerts();
    if (certs == null) { Fail("null certs found"); }
    if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); }
    //
    // encoding test
    //
    byte[] reqEnc = req.GetEncoded();
    OcspReq newReq = new OcspReq(reqEnc);
    if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); }
    //
    // request generation with signing and nonce
    //
    chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    IList oids = new ArrayList();
    IList values = new ArrayList();
    // Test-only nonce; System.Random is fine here because nothing is protected by it.
    byte[] sampleNonce = new byte[16];
    Random rand = new Random();
    rand.NextBytes(sampleNonce);
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // Double wrap: extnValue is an OCTET STRING whose content is the DER OCTET STRING of the nonce.
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
    gen.SetRequestExtensions(new X509Extensions(oids, values));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);
    if (!req.IsSigned) { Fail("not signed but should be"); }
    if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); }
    //
    // extension check.
    //
    ISet extOids = req.GetCriticalExtensionOids();
    if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); }
    extOids = req.GetNonCriticalExtensionOids();
    if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); }
    // Unwrapping the extension value must give back the original nonce octets.
    Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
    if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); }
    byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets();
    if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); }
    //
    // request list check
    //
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    //
    // response parsing - test 1
    //
    OcspResp response = new OcspResp(testResp1);
    if (response.Status != 0) { Fail("response status not zero."); }
    BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject();
    // The canned response is verified with the first certificate it carries.
    chain = brep.GetCerts();
    if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); }
    //
    // test 2
    //
    SingleResp[] singleResp = brep.Responses;
    response = new OcspResp(testResp2);
    if (response.Status != 0) { Fail("response status not zero."); }
    brep = (BasicOcspResp)response.GetResponseObject();
    chain = brep.GetCerts();
    if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); }
    singleResp = brep.Responses;
    //
    // simple response generation
    //
    // Re-wrapping the parsed basic response must yield an equal response object.
    OCSPRespGenerator respGen = new OCSPRespGenerator();
    OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());
    if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); }
    doTestECDsa();
    doTestRsa();
    doTestIrregularVersionReq();
}
/// <summary>
/// Exercises OCSP request generation (unsigned, signed, signed with a nonce), re-parsing of the
/// encoded request, extension lookup, parsing of two canned responses and a simple response
/// re-wrap, then runs the ECDSA, RSA and irregular-version sub-tests.
/// </summary>
public override void PerformTest()
{
    string signDN = "O=Bouncy Castle, C=AU";
    AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
    // Same key pair and DN are passed for both roles, i.e. a self-issued test certificate.
    X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);
    string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
    GeneralName origName = new GeneralName(new X509Name(origDN));
    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);
    //
    // basic request generation
    //
    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    OcspReq req = gen.Generate();
    if (req.IsSigned) { Fail("signed but shouldn't be"); }
    // An unsigned request carries no certificates.
    X509Certificate[] certs = req.GetCerts();
    if (certs != null) { Fail("null certs expected, but not found"); }
    Req[] requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    //
    // request generation with signing
    //
    X509Certificate[] chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);
    if (!req.IsSigned) { Fail("not signed but should be"); }
    if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); }
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    // The signed request must embed exactly the one certificate of the chain.
    certs = req.GetCerts();
    if (certs == null) { Fail("null certs found"); }
    if (certs.Length != 1 || !testCert.Equals(certs[0])) { Fail("incorrect certs found in request"); }
    //
    // encoding test
    //
    byte[] reqEnc = req.GetEncoded();
    OcspReq newReq = new OcspReq(reqEnc);
    if (!newReq.Verify(signKP.Public)) { Fail("newReq signature failed to Verify"); }
    //
    // request generation with signing and nonce
    //
    chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    IList oids = new ArrayList();
    IList values = new ArrayList();
    // Test-only nonce; System.Random is fine here because nothing is protected by it.
    byte[] sampleNonce = new byte[16];
    Random rand = new Random();
    rand.NextBytes(sampleNonce);
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // Double wrap: extnValue is an OCTET STRING whose content is the DER OCTET STRING of the nonce.
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
    gen.SetRequestExtensions(new X509Extensions(oids, values));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);
    if (!req.IsSigned) { Fail("not signed but should be"); }
    if (!req.Verify(signKP.Public)) { Fail("signature failed to Verify"); }
    //
    // extension check.
    //
    ISet extOids = req.GetCriticalExtensionOids();
    if (extOids.Count != 0) { Fail("wrong number of critical extensions in OCSP request."); }
    extOids = req.GetNonCriticalExtensionOids();
    if (extOids.Count != 1) { Fail("wrong number of non-critical extensions in OCSP request."); }
    // Unwrapping the extension value must give back the original nonce octets.
    Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
    if (!(extObj is Asn1OctetString)) { Fail("wrong extension type found."); }
    byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets();
    if (!AreEqual(compareNonce, sampleNonce)) { Fail("wrong extension value found."); }
    //
    // request list check
    //
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id)) { Fail("Failed isFor test"); }
    //
    // response parsing - test 1
    //
    OcspResp response = new OcspResp(testResp1);
    if (response.Status != 0) { Fail("response status not zero."); }
    BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject();
    // The canned response is verified with the first certificate it carries.
    chain = brep.GetCerts();
    if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 1 failed to Verify."); }
    //
    // test 2
    //
    SingleResp[] singleResp = brep.Responses;
    response = new OcspResp(testResp2);
    if (response.Status != 0) { Fail("response status not zero."); }
    brep = (BasicOcspResp)response.GetResponseObject();
    chain = brep.GetCerts();
    if (!brep.Verify(chain[0].GetPublicKey())) { Fail("response 2 failed to Verify."); }
    singleResp = brep.Responses;
    //
    // simple response generation
    //
    // Re-wrapping the parsed basic response must yield an equal response object.
    OCSPRespGenerator respGen = new OCSPRespGenerator();
    OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());
    if (!resp.GetResponseObject().Equals(response.GetResponseObject())) { Fail("response fails to match"); }
    doTestECDsa();
    doTestRsa();
    doTestIrregularVersionReq();
}
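/// <summary>
/// Exercises OCSP request and response handling with an ECDSA key pair: an unsigned
/// request, a signed request, a signed request carrying a nonce extension (including a
/// DER round trip), and finally a basic response signed with the same key.
/// </summary>
/// <remarks>
/// The key, certificate and nonce are throw-away test fixtures. "SHA1withECDSA" and
/// <see cref="Random"/> are used only to drive the encoding/signing paths; production
/// code should sign with a SHA-2 algorithm and draw OCSP nonces from a CSPRNG, since the
/// nonce is the only thing that binds a response to the request that asked for it.
/// Unlike the original version of this test, the generated response is now verified
/// rather than discarded, so a broken ECDSA response signature is actually detected.
/// </remarks>
private void doTestECDsa()
{
    string signDN = "O=Bouncy Castle, C=AU";
    AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeECKeyPair();
    // Self-issued: subject and issuer share the same DN and key pair.
    X509Certificate testCert = OcspTestUtil.MakeECDsaCertificate(signKP, signDN, signKP, signDN);

    //
    // CertificateID for our test issuer cert and serial number 1.
    //
    CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

    //
    // basic request generation (unsigned)
    //
    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(id);

    OcspReq req = gen.Generate();

    if (req.IsSigned)
    {
        Fail("signed but shouldn't be");
    }

    X509Certificate[] certs = req.GetCerts();

    // An unsigned request carries no certificate chain.
    if (certs != null)
    {
        Fail("null certs expected, but not found");
    }

    Req[] requests = req.GetRequestList();

    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // request generation with signing
    //
    X509Certificate[] chain = new X509Certificate[1];

    gen = new OcspReqGenerator();
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

    chain[0] = testCert;

    req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }

    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    requests = req.GetRequestList();

    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    certs = req.GetCerts();

    if (certs == null)
    {
        Fail("null certs found");
    }

    if (certs.Length != 1 || !certs[0].Equals(testCert))
    {
        Fail("incorrect certs found in request");
    }

    //
    // encoding test: the signature must survive a DER round trip
    //
    byte[] reqEnc = req.GetEncoded();
    OcspReq newReq = new OcspReq(reqEnc);

    if (!newReq.Verify(signKP.Public))
    {
        Fail("newReq signature failed to Verify");
    }

    //
    // request generation with signing and nonce
    //
    chain = new X509Certificate[1];
    gen = new OcspReqGenerator();

    IList oids = new ArrayList();
    IList values = new ArrayList();
    byte[] sampleNonce = new byte[16];
    // Test fixture only: a real OCSP client must take its nonce from a CSPRNG.
    Random rand = new Random();
    rand.NextBytes(sampleNonce);

    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // The extension value is an OCTET STRING wrapping the nonce OCTET STRING, and the
    // extension is non-critical (false).
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

    gen.SetRequestExtensions(new X509Extensions(oids, values));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

    chain[0] = testCert;

    req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }

    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    //
    // extension check: exactly one non-critical extension, the nonce, round-tripped intact
    //
    ISet extOids = req.GetCriticalExtensionOids();

    if (extOids.Count != 0)
    {
        Fail("wrong number of critical extensions in OCSP request.");
    }

    extOids = req.GetNonCriticalExtensionOids();

    if (extOids.Count != 1)
    {
        Fail("wrong number of non-critical extensions in OCSP request.");
    }

    Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    Asn1Encodable extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

    if (!(extObj is Asn1OctetString))
    {
        Fail("wrong extension type found.");
    }

    if (!AreEqual(((Asn1OctetString)extObj).GetOctets(), sampleNonce))
    {
        Fail("wrong extension value found.");
    }

    //
    // request list check
    //
    requests = req.GetRequestList();

    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // response generation
    //
    BasicOcspRespGenerator respGen = new BasicOcspRespGenerator(signKP.Public);

    respGen.AddResponse(id, CertificateStatus.Good);

    var basicResp = respGen.Generate("SHA1withECDSA", signKP.Private, chain, DateTime.UtcNow);

    // Previously the generated response was discarded; verify its signature and
    // contents so a broken ECDSA response path cannot pass silently.
    if (!basicResp.Verify(signKP.Public))
    {
        Fail("ECDSA response signature failed to Verify");
    }

    var singleResps = basicResp.Responses;

    if (singleResps.Length != 1 || !singleResps[0].GetCertID().Equals(id))
    {
        Fail("wrong single response in ECDSA response");
    }

    // CertificateStatus.Good is represented by a null status in this API.
    if (singleResps[0].GetCertStatus() != CertificateStatus.Good)
    {
        Fail("ECDSA response status not good");
    }
}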
