private X509Crl GetCertificateCRL(X509Certificate2 cert, String crlsPath)
{
DirectoryInfo di = new DirectoryInfo(crlsPath);
FileInfo[] files = di.GetFiles();
for (int i = 0; i < files.Length; i++)
{
try
{
FileStream fs = new FileStream(files[i].FullName, FileMode.Open, FileAccess.Read);
X509Crl crl = new Org.BouncyCastle.X509.X509CrlParser().ReadCrl(fs);
fs.Close();
X500DistinguishedName crlIssuer = new X500DistinguishedName(crl.IssuerDN.GetEncoded());
if (crlIssuer.Name.Equals(cert.Issuer))
{
return(crl);
}
}
catch (Exception ex)
{
continue;
}
}
return(null);
}
private void baseTest()
{
// CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.getInstance("Collection", ccsp, "BC");
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime();
//Searching for rootCert by subjectDN without CRL
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC");
PkixCertPathBuilder cpb = new PkixCertPathBuilder();
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = finalCert.SubjectDN;
PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints);
// parameters.addCertStore(store);
parameters.AddStore(x509CertStore);
parameters.AddStore(x509CrlStore);
parameters.Date = new DateTimeObject(validDate);
PkixCertPathBuilderResult result = cpb.Build(parameters);
PkixCertPath path = result.CertPath;
if (path.Certificates.Count != 2)
{
Fail("wrong number of certs in baseTest path");
}
}
/// <summary>
/// Finds the specified certificate revocation list.
/// </summary>
/// <remarks>
/// Searches the database for the specified CRL, returning the matching record with
/// the desired fields populated.
/// </remarks>
/// <returns>The matching record if found; otherwise <c>null</c>.</returns>
/// <param name="crl">The certificate revocation list.</param>
/// <param name="fields">The desired fields.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="crl"/> is <c>null</c>.
/// </exception>
public X509CrlRecord Find (X509Crl crl, X509CrlRecordFields fields)
{
if (crl == null)
throw new ArgumentNullException ("crl");
using (var command = GetSelectCommand (crl, fields)) {
var reader = command.ExecuteReader ();
try {
if (reader.Read ()) {
var parser = new X509CrlParser ();
var buffer = new byte[4096];
return LoadCrlRecord (reader, parser, ref buffer);
}
} finally {
reader.Close ();
}
}
return null;
}
/// <summary>
/// Finds the CRL records for the specified issuer.
/// </summary>
/// <remarks>
/// Searches the database for CRL records matching the specified issuer, returning
/// all matching records populated with the desired fields.
/// </remarks>
/// <returns>The matching CRL records populated with the desired fields.</returns>
/// <param name="issuer">The issuer.</param>
/// <param name="fields">The desired fields.</param>
/// <exception cref="System.ArgumentNullException">
/// <paramref name="issuer"/> is <c>null</c>.
/// </exception>
public IEnumerable<X509CrlRecord> Find (X509Name issuer, X509CrlRecordFields fields)
{
if (issuer == null)
throw new ArgumentNullException ("issuer");
using (var command = GetSelectCommand (issuer, fields)) {
var reader = command.ExecuteReader ();
try {
var parser = new X509CrlParser ();
var buffer = new byte[4096];
while (reader.Read ()) {
yield return LoadCrlRecord (reader, parser, ref buffer);
}
} finally {
reader.Close ();
}
}
yield break;
}
private void checkCrl(
int id,
byte[] bytes)
{
string dump = "";
try
{
X509Crl cert = new X509CrlParser().ReadCrl(bytes);
// Console.WriteLine(cert);
}
catch (Exception e)
{
Fail(dump + SimpleTest.NewLine + Name + ": "+ id + " failed - exception " + e.Message, e);
}
}
private void pemTest()
{
X509Certificate cert = readPemCert(PemData.CERTIFICATE_1);
if (cert == null)
{
Fail("PEM cert not read");
}
cert = readPemCert("-----BEGIN CERTIFICATE-----" + PemData.CERTIFICATE_2);
if (cert == null)
{
Fail("PEM cert with extraneous header not read");
}
X509Crl crl = new X509CrlParser().ReadCrl(Encoding.ASCII.GetBytes(PemData.CRL_1));
if (crl == null)
{
Fail("PEM crl not read");
}
ArrayList col = new ArrayList(
new X509CertificateParser().ReadCertificates(Encoding.ASCII.GetBytes(PemData.CERTIFICATE_2)));
if (col.Count != 1 || !col.Contains(cert))
{
Fail("PEM cert collection not right");
}
col = new ArrayList(
new X509CrlParser().ReadCrls(Encoding.ASCII.GetBytes(PemData.CRL_2)));
if (col.Count != 1 || !col.Contains(crl))
{
Fail("PEM crl collection not right");
}
}
private X509Crl LoadCrl(
string crlName)
//throws Exception
{
X509Crl crl = (X509Crl)certs[crlName];
if (crl != null)
{
return crl;
}
Stream fs = null;
try
{
fs = SimpleTest.GetTestDataAsStream("PKITS.crls." + crlName + ".crl");
crl = new X509CrlParser().ReadCrl(fs);
crls[crlName] = crl;
return crl;
}
catch (Exception)
{
throw new InvalidOperationException("exception loading CRL: " + crlName);
}
finally
{
fs.Close();
}
}
/**
* Gets a list of X509CRL objects from a Document Security Store.
* @return a list of CRLs
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public List<X509Crl> GetCRLsFromDSS() {
List<X509Crl> crls = new List<X509Crl>();
if (dss == null)
return crls;
PdfArray crlarray = dss.GetAsArray(PdfName.CRLS);
if (crlarray == null)
return crls;
X509CrlParser crlParser = new X509CrlParser();
for (int i = 0; i < crlarray.Size; ++i) {
PRStream stream = (PRStream) crlarray.GetAsStream(i);
X509Crl crl = crlParser.ReadCrl(new MemoryStream(PdfReader.GetStreamBytes(stream)));
crls.Add(crl);
}
return crls;
}
/// <summary>
/// Initializes a new instance of the <see cref="MimeKit.Cryptography.DefaultSecureMimeContext"/> class.
/// </summary>
/// <param name="revokedFileName">The path to the revoked certificate lists.</param>
/// <param name="addressbookFileName">The path to the addressbook certificates.</param>
/// <param name="rootFileName">The path to the root certificates.</param>
/// <param name="userFileName">The path to the pkcs12-formatted user certificates.</param>
/// <param name="password">The password for the pkcs12 user certificates file.</param>
/// <exception cref="System.ArgumentNullException">
/// <para><paramref name="addressbookFileName"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="rootFileName"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="userFileName"/> is <c>null</c>.</para>
/// <para>-or-</para>
/// <para><paramref name="password"/> is <c>null</c>.</para>
/// </exception>
/// <exception cref="System.IO.IOException">
/// An error occurred while reading the file.
/// </exception>
protected DefaultSecureMimeContext(string revokedFileName, string addressbookFileName, string rootFileName, string userFileName, string password)
{
addressbook = new X509CertificateStore ();
store = new X509CertificateStore ();
root = new X509CertificateStore ();
crls = new HashSet<X509Crl> ();
try {
using (var file = File.OpenRead (revokedFileName)) {
var parser = new X509CrlParser ();
foreach (X509Crl crl in parser.ReadCrls (file))
crls.Add (crl);
}
} catch (FileNotFoundException) {
}
try {
addressbook.Import (addressbookFileName);
} catch (FileNotFoundException) {
}
try {
store.Import (userFileName, password);
} catch (FileNotFoundException) {
}
try {
root.Import (rootFileName);
} catch (FileNotFoundException) {
}
this.addressbookFileName = addressbookFileName;
this.revokedFileName = revokedFileName;
this.userFileName = userFileName;
this.password = password;
}
/// <exception cref="System.IO.IOException"></exception>
public virtual X509Crl FindCrl(X509Certificate certificate, X509Certificate issuerCertificate)
{
OnlineCrlSource source = this.CachedSource ?? new OnlineCrlSource();
string crlUrl = source.GetCrlUri(certificate);
if (crlUrl != null)
{
try
{
CachedCRL cachedCrl = null;
string key = Hex.ToHexString(
DigestUtilities.CalculateDigest(DigestAlgorithm.SHA1.GetOid()
, Sharpen.Runtime.GetBytesForString(crlUrl)));
string pathCrl = Path.Combine("CRL", key);
DirectoryInfo dirCrl = new DirectoryInfo("CRL");
if (dirCrl.Exists)
{
FileInfo[] archivosCrl = dirCrl.GetFiles();
foreach (FileInfo a in archivosCrl)
{
if (a.Extension.Equals(".txt"))
continue;
if (a.Name.Equals(key))
{
cachedCrl = new CachedCRL()
{
Crl = File.ReadAllBytes(a.FullName),
Key = key
};
break;
}
}
}
else
{
dirCrl.Create();
}
if (cachedCrl == null)
{
LOG.Info("CRL not in cache");
return FindAndCacheCrlOnline(certificate, issuerCertificate, pathCrl);
}
X509CrlParser parser = new X509CrlParser();
X509Crl x509crl = parser.ReadCrl(cachedCrl.Crl);
if (x509crl.NextUpdate.Value.CompareTo(DateTime.Now) > 0)
{
LOG.Info("CRL in cache");
return x509crl;
}
else
{
LOG.Info("CRL expired");
return FindAndCacheCrlOnline(certificate, issuerCertificate, pathCrl);
}
}
catch (NoSuchAlgorithmException)
{
LOG.Info("Cannot instantiate digest for algorithm SHA1 !?");
}
catch (CrlException)
{
LOG.Info("Cannot serialize CRL");
}
catch (CertificateException)
{
LOG.Info("Cannot instanciate X509 Factory");
}
catch (WebException)
{
LOG.Info("Cannot connect to CRL URL");
}
}
return null;
}
/// <exception cref="Sharpen.CertificateException"></exception>
/// <exception cref="Sharpen.CRLException"></exception>
/// <exception cref="Sharpen.NoSuchProviderException"></exception>
/// <exception cref="Org.BouncyCastle.X509.NoSuchParserException"></exception>
/// <exception cref="Org.BouncyCastle.X509.Util.StreamParsingException"></exception>
private X509Crl GetCrl(string downloadUrl)
{
if (downloadUrl != null)
{
try
{
InputStream input = UrlDataLoader.Get(downloadUrl);
X509CrlParser parser = new X509CrlParser();
X509Crl crl = parser.ReadCrl(input);
LOG.Info("CRL size: " + crl.GetEncoded().Length + " bytes");
return crl;
}
catch (CannotFetchDataException)
{
return null;
}
}
else
{
return null;
}
}
public override void PerformTest()
{
try
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
X509Certificate rootCert = certParser.ReadCertificate(rootCertBin);
X509Certificate userCert1 = certParser.ReadCertificate(userCert1Bin);
X509Certificate userCert2 = certParser.ReadCertificate(userCert2Bin);
X509Crl crl = crlParser.ReadCrl(crlBin);
rootCert.Verify(rootCert.GetPublicKey());
userCert1.Verify(rootCert.GetPublicKey());
crl.Verify(rootCert.GetPublicKey());
if (!crl.IsRevoked(userCert1))
{
Fail(this.Name + ": usercert1 not revoked.");
}
if (crl.IsRevoked(userCert2))
{
Fail(this.Name + ": usercert2 revoked.");
}
}
catch (Exception e)
{
Fail(this.Name + ": exception - " + e.ToString());
}
}
/**
* Verifies if an OCSP response is genuine
* If it doesn't verify against the issuer certificate and response's certificates, it may verify
* using a trusted anchor or cert.
* @param ocspResp the OCSP response
* @param issuerCert the issuer certificate
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) {
//OCSP response might be signed by the issuer certificate or
//the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
X509Certificate responderCert = null;
//first check if the issuer certificate signed the response
//since it is expected to be the most common case
if (IsSignatureValid(ocspResp, issuerCert)) {
responderCert = issuerCert;
}
//if the issuer certificate didn't sign the ocsp response, look for authorized ocsp responses
// from properties or from certificate chain received with response
if (responderCert == null) {
if (ocspResp.GetCerts() != null) {
//look for existence of Authorized OCSP responder inside the cert chain in ocsp response
X509Certificate[] certs = ocspResp.GetCerts();
foreach (X509Certificate cert in certs) {
X509Certificate tempCert;
try {
tempCert = cert;
} catch (Exception ex) {
continue;
}
IList keyPurposes = null;
try {
keyPurposes = tempCert.GetExtendedKeyUsage();
if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, tempCert)) {
responderCert = tempCert;
break;
}
} catch (CertificateParsingException ignored) {
}
}
// Certificate signing the ocsp response is not found in ocsp response's certificate chain received
// and is not signed by the issuer certificate.
if (responderCert == null) {
throw new VerificationException(issuerCert, "OCSP response could not be verified");
}
} else {
//certificate chain is not present in response received
//try to verify using rootStore
if (certificates != null) {
foreach (X509Certificate anchor in certificates) {
try {
if (IsSignatureValid(ocspResp, anchor)) {
responderCert = anchor;
break;
}
} catch (GeneralSecurityException ignored) {
}
}
}
// OCSP Response does not contain certificate chain, and response is not signed by any
// of the rootStore or the issuer certificate.
if (responderCert == null) {
throw new VerificationException(issuerCert, "OCSP response could not be verified");
}
}
}
//check "This certificate MUST be issued directly by the CA that issued the certificate in question".
responderCert.Verify(issuerCert.GetPublicKey());
// validating ocsp signers certificate
// Check if responders certificate has id-pkix-ocsp-nocheck extension,
// in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null) {
X509Crl crl;
try {
X509CrlParser crlParser = new X509CrlParser();
// Creates the CRL
Stream url = WebRequest.Create(CertificateUtil.GetCRLURL(responderCert)).GetResponse().GetResponseStream();
crl = crlParser.ReadCrl(url);
} catch (Exception ignored) {
crl = null;
}
if (crl != null) {
CrlVerifier crlVerifier = new CrlVerifier(null, null);
crlVerifier.Certificates = certificates;
crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed;
crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow);
return;
}
}
//check if lifetime of certificate is ok
responderCert.CheckValidity();
}
/// <summary>
/// Gets a certificate revocation list store.
/// </summary>
/// <remarks>
/// Gets a certificate revocation list store.
/// </remarks>
/// <returns>A certificate recovation list store.</returns>
public IX509Store GetCrlStore ()
{
var crls = new List<X509Crl> ();
using (var command = GetSelectAllCrlsCommand ()) {
var reader = command.ExecuteReader ();
try {
var parser = new X509CrlParser ();
var buffer = new byte[4096];
while (reader.Read ()) {
var record = LoadCrlRecord (reader, parser, ref buffer);
crls.Add (record.Crl);
}
} finally {
reader.Close ();
}
}
return X509StoreFactory.Create ("Crl/Collection", new X509CollectionStoreParameters (crls));
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
// Testing CollectionCertStore generation from List
IList certList = new ArrayList();
certList.Add(rootCert);
certList.Add(interCert);
certList.Add(finalCert);
IX509Store certStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(certList));
// set default to be the same as for SUN X500 name
X509Name.DefaultReverse = true;
// Searching for rootCert by subjectDN
X509CertStoreSelector targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert);
IList certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by subjectDN");
}
// Searching for rootCert by subjectDN encoded as byte
targetConstraints = new X509CertStoreSelector();
targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert);
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by encoded subjectDN");
}
X509Name.DefaultReverse = false;
// Searching for rootCert by public key encoded as byte
targetConstraints = new X509CertStoreSelector();
targetConstraints.SubjectPublicKey =
SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(rootCert.GetPublicKey());
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 1 || !certs.Contains(rootCert))
{
Fail("rootCert not found by encoded public key");
}
// Searching for interCert by issuerDN
targetConstraints = new X509CertStoreSelector();
targetConstraints.Issuer = PrincipalUtilities.GetSubjectX509Principal(rootCert);
certs = new ArrayList(certStore.GetMatches(targetConstraints));
if (certs.Count != 2)
{
Fail("did not found 2 certs");
}
if (!certs.Contains(rootCert))
{
Fail("rootCert not found");
}
if (!certs.Contains(interCert))
{
Fail("interCert not found");
}
// Searching for rootCrl by issuerDN
IList crlList = new ArrayList();
crlList.Add(rootCrl);
crlList.Add(interCrl);
IX509Store store = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(crlList));
X509CrlStoreSelector targetConstraintsCRL = new X509CrlStoreSelector();
ArrayList issuers = new ArrayList();
issuers.Add(rootCrl.IssuerDN);
targetConstraintsCRL.Issuers = issuers;
IList crls = new ArrayList(store.GetMatches(targetConstraintsCRL));
if (crls.Count != 1 || !crls.Contains(rootCrl))
{
Fail("rootCrl not found");
}
crls = new ArrayList(certStore.GetMatches(targetConstraintsCRL));
if (crls.Count != 0)
{
Fail("error using wrong selector (CRL)");
}
certs = new ArrayList(store.GetMatches(targetConstraints));
if (certs.Count != 0)
{
Fail("error using wrong selector (certs)");
}
// Searching for attribute certificates
X509V2AttributeCertificate attrCert = new X509V2AttributeCertificate(AttrCertTest.attrCert);
IX509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(AttrCertTest.certWithBaseCertificateID);
IList attrList = new ArrayList();
attrList.Add(attrCert);
attrList.Add(attrCert2);
store = X509StoreFactory.Create(
"AttributeCertificate/Collection",
new X509CollectionStoreParameters(attrList));
X509AttrCertStoreSelector attrSelector = new X509AttrCertStoreSelector();
attrSelector.Holder = attrCert.Holder;
if (!attrSelector.Holder.Equals(attrCert.Holder))
{
Fail("holder get not correct");
}
IList attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on holder");
}
attrSelector.Holder = attrCert2.Holder;
if (attrSelector.Holder.Equals(attrCert.Holder))
{
Fail("holder get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert2))
{
Fail("attrCert2 not found on holder");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.Issuer = attrCert.Issuer;
if (!attrSelector.Issuer.Equals(attrCert.Issuer))
{
Fail("issuer get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on issuer");
}
attrSelector.Issuer = attrCert2.Issuer;
if (attrSelector.Issuer.Equals(attrCert.Issuer))
{
Fail("issuer get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert2))
{
Fail("attrCert2 not found on issuer");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCert = attrCert;
if (!attrSelector.AttributeCert.Equals(attrCert))
{
Fail("attrCert get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on attrCert");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.SerialNumber = attrCert.SerialNumber;
if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber))
{
Fail("serial number get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on serial number");
}
attrSelector = (X509AttrCertStoreSelector)attrSelector.Clone();
if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber))
{
Fail("serial number get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on serial number");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore);
if (attrSelector.AttributeCertificateValid.Value != attrCert.NotBefore)
{
Fail("valid get not correct");
}
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 1 || !attrs.Contains(attrCert))
{
Fail("attrCert not found on valid");
}
attrSelector = new X509AttrCertStoreSelector();
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore.AddMilliseconds(-100));
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on before");
}
attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotAfter.AddMilliseconds(100));
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on after");
}
attrSelector.SerialNumber = BigInteger.ValueOf(10000);
attrs = new ArrayList(store.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("attrCert found on wrong serial number");
}
attrSelector.AttributeCert = null;
attrSelector.AttributeCertificateValid = null;
attrSelector.Holder = null;
attrSelector.Issuer = null;
attrSelector.SerialNumber = null;
if (attrSelector.AttributeCert != null)
{
Fail("null attrCert");
}
if (attrSelector.AttributeCertificateValid != null)
{
Fail("null attrCertValid");
}
if (attrSelector.Holder != null)
{
Fail("null attrCert holder");
}
if (attrSelector.Issuer != null)
{
Fail("null attrCert issuer");
}
if (attrSelector.SerialNumber != null)
{
Fail("null attrCert serial");
}
attrs = new ArrayList(certStore.GetMatches(attrSelector));
if (attrs.Count != 0)
{
Fail("error using wrong selector (attrs)");
}
certPairTest();
}
/**
* Helper method that tries to construct the CRLs.
*/
private void FindCRL(Asn1Sequence seq)
{
crls = new List<X509Crl>();
for (int k = 0; k < seq.Count; ++k) {
X509CrlParser pp = new X509CrlParser();
X509Crl crl = pp.ReadCrl(seq[k].GetDerEncoded());
crls.Add(crl);
}
}
public override void PerformTest()
{
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
// initialise CertStore
X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin);
X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin);
X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin);
X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin);
X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin);
IList x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
IList x509Crls = new ArrayList();
x509Crls.Add(rootCrl);
x509Crls.Add(interCrl);
// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
// CertStore store = CertStore.GetInstance("Collection", ccsp);
// X509CollectionStoreParameters ccsp = new X509CollectionStoreParameters(list);
IX509Store x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
IX509Store x509CrlStore = X509StoreFactory.Create(
"CRL/Collection",
new X509CollectionStoreParameters(x509Crls));
// NB: Month is 1-based in .NET
//DateTime validDate = new DateTime(2008,9,4,14,49,10).ToUniversalTime();
DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);
//validating path
IList certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// CertPath cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
PkixCertPath cp = new PkixCertPath(certchain);
ISet trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// CertPathValidator cpv = CertPathValidator.GetInstance("PKIX");
PkixCertPathValidator cpv = new PkixCertPathValidator();
PkixParameters param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.AddStore(x509CrlStore);
param.Date = new DateTimeObject(validDate);
MyChecker checker = new MyChecker();
param.AddCertPathChecker(checker);
PkixCertPathValidatorResult result = (PkixCertPathValidatorResult) cpv.Validate(cp, param);
PkixPolicyNode policyTree = result.PolicyTree;
AsymmetricKeyParameter subjectPublicKey = result.SubjectPublicKey;
if (checker.GetCount() != 2)
{
Fail("checker not evaluated for each certificate");
}
if (!subjectPublicKey.Equals(finalCert.GetPublicKey()))
{
Fail("wrong public key returned");
}
//
// invalid path containing a valid one test
//
try
{
// initialise CertStore
rootCert = certParser.ReadCertificate(AC_RAIZ_ICPBRASIL);
interCert = certParser.ReadCertificate(AC_PR);
finalCert = certParser.ReadCertificate(schefer);
x509Certs = new ArrayList();
x509Certs.Add(rootCert);
x509Certs.Add(interCert);
x509Certs.Add(finalCert);
// ccsp = new CollectionCertStoreParameters(list);
// store = CertStore.GetInstance("Collection", ccsp);
// ccsp = new X509CollectionStoreParameters(list);
x509CertStore = X509StoreFactory.Create(
"Certificate/Collection",
new X509CollectionStoreParameters(x509Certs));
// NB: Month is 1-based in .NET
validDate = new DateTime(2004,3,21,2,21,10).ToUniversalTime();
//validating path
certchain = new ArrayList();
certchain.Add(finalCert);
certchain.Add(interCert);
// cp = CertificateFactory.GetInstance("X.509").GenerateCertPath(certchain);
cp = new PkixCertPath(certchain);
trust = new HashSet();
trust.Add(new TrustAnchor(rootCert, null));
// cpv = CertPathValidator.GetInstance("PKIX");
cpv = new PkixCertPathValidator();
param = new PkixParameters(trust);
param.AddStore(x509CertStore);
param.IsRevocationEnabled = false;
param.Date = new DateTimeObject(validDate);
result =(PkixCertPathValidatorResult) cpv.Validate(cp, param);
policyTree = result.PolicyTree;
subjectPublicKey = result.SubjectPublicKey;
Fail("Invalid path validated");
}
catch (Exception e)
{
if (e is PkixCertPathValidatorException
&& e.Message.StartsWith("Could not validate certificate signature."))
{
return;
}
Fail("unexpected exception", e);
}
}
/**
* Fetches a CRL for a specific certificate online (without further checking).
* @param signCert the certificate
* @param issuerCert its issuer
* @return an X509CRL object
*/
public X509Crl GetCrl(X509Certificate signCert, X509Certificate issuerCert)
{
try {
// gets the URL from the certificate
String crlurl = CertificateUtil.GetCRLURL(signCert);
if (crlurl == null)
return null;
LOGGER.Info("Getting CRL from " + crlurl);
X509CrlParser crlParser = new X509CrlParser();
// Creates the CRL
Stream url = WebRequest.Create(crlurl).GetResponse().GetResponseStream();
return crlParser.ReadCrl(url);
}
catch (IOException) {
return null;
}
catch (GeneralSecurityException) {
return null;
}
}
private void AddCrlsFromSet(
IList crls,
Asn1Set crlSet)
{
X509CrlParser cf = new X509CrlParser();
foreach (Asn1Encodable ae in crlSet)
{
try
{
// TODO Build CRL directly from ae.ToAsn1Object()?
crls.Add(cf.ReadCrl(ae.GetEncoded()));
}
catch (Exception ex)
{
throw new CmsException("can't re-encode CRL!", ex);
}
}
}
private void checkCrlCreation3()
{
IAsymmetricCipherKeyPairGenerator kpGen = GeneratorUtilities.GetKeyPairGenerator("RSA");
kpGen.Init(
new RsaKeyGenerationParameters(
BigInteger.ValueOf(0x10001), new SecureRandom(), 768, 25));
X509V2CrlGenerator crlGen = new X509V2CrlGenerator();
DateTime now = DateTime.UtcNow;
AsymmetricCipherKeyPair pair = kpGen.GenerateKeyPair();
crlGen.SetIssuerDN(new X509Name("CN=Test CA"));
crlGen.SetThisUpdate(now);
crlGen.SetNextUpdate(now.AddSeconds(100));
crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
IList extOids = new ArrayList();
IList extValues = new ArrayList();
CrlReason crlReason = new CrlReason(CrlReason.PrivilegeWithdrawn);
try
{
extOids.Add(X509Extensions.ReasonCode);
extValues.Add(new X509Extension(false, new DerOctetString(crlReason.GetEncoded())));
}
catch (IOException e)
{
throw new ArgumentException("error encoding reason: " + e);
}
X509Extensions entryExtensions = new X509Extensions(extOids, extValues);
crlGen.AddCrlEntry(BigInteger.One, now, entryExtensions);
crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));
X509Crl crl = crlGen.Generate(pair.Private);
if (!crl.IssuerDN.Equivalent(new X509Name("CN=Test CA"), true))
{
Fail("failed CRL issuer test");
}
Asn1OctetString authExt = crl.GetExtensionValue(X509Extensions.AuthorityKeyIdentifier);
if (authExt == null)
{
Fail("failed to find CRL extension");
}
AuthorityKeyIdentifier authId = new AuthorityKeyIdentifierStructure(authExt);
X509CrlEntry entry = crl.GetRevokedCertificate(BigInteger.One);
if (entry == null)
{
Fail("failed to find CRL entry");
}
if (!entry.SerialNumber.Equals(BigInteger.One))
{
Fail("CRL cert serial number does not match");
}
if (!entry.HasExtensions)
{
Fail("CRL entry extension not found");
}
Asn1OctetString ext = entry.GetExtensionValue(X509Extensions.ReasonCode);
if (ext != null)
{
DerEnumerated reasonCode = (DerEnumerated)X509ExtensionUtilities.FromExtensionValue(ext);
if (reasonCode.Value.IntValue != CrlReason.PrivilegeWithdrawn)
{
Fail("CRL entry reasonCode wrong");
}
}
else
{
Fail("CRL entry reasonCode not found");
}
//
// check loading of existing CRL
//
crlGen = new X509V2CrlGenerator();
now = DateTime.UtcNow;
crlGen.SetIssuerDN(new X509Name("CN=Test CA"));
crlGen.SetThisUpdate(now);
crlGen.SetNextUpdate(now.AddSeconds(100));
crlGen.SetSignatureAlgorithm("SHA256WithRSAEncryption");
crlGen.AddCrl(crl);
crlGen.AddCrlEntry(BigInteger.Two, now, entryExtensions);
crlGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.Public));
X509Crl newCrl = crlGen.Generate(pair.Private);
int count = 0;
bool oneFound = false;
bool twoFound = false;
foreach (X509CrlEntry crlEnt in newCrl.GetRevokedCertificates())
{
if (crlEnt.SerialNumber.IntValue == 1)
{
oneFound = true;
}
else if (crlEnt.SerialNumber.IntValue == 2)
{
twoFound = true;
}
count++;
}
if (count != 2)
{
Fail("wrong number of CRLs found");
}
if (!oneFound || !twoFound)
{
Fail("wrong CRLs found in copied list");
}
//
// check factory read back
//
X509Crl readCrl = new X509CrlParser().ReadCrl(newCrl.GetEncoded());
if (readCrl == null)
{
Fail("crl not returned!");
}
// ICollection col = cFact.generateCRLs(new ByteArrayInputStream(newCrl.getEncoded()));
ICollection col = new X509CrlParser().ReadCrls(newCrl.GetEncoded());
if (col.Count != 1)
{
Fail("wrong number of CRLs found in collection");
}
}
static X509Crl DecodeX509Crl (IDataRecord reader, X509CrlParser parser, int column, ref byte[] buffer)
{
int nread = ReadBinaryBlob (reader, column, ref buffer);
using (var memory = new MemoryStream (buffer, 0, nread, false)) {
return parser.ReadCrl (memory);
}
}
private void pkcs7Test()
{
Asn1Encodable rootCert = Asn1Object.FromByteArray(CertPathTest.rootCertBin);
Asn1Encodable rootCrl = Asn1Object.FromByteArray(CertPathTest.rootCrlBin);
X509CertificateParser certParser = new X509CertificateParser();
X509CrlParser crlParser = new X509CrlParser();
SignedData sigData = new SignedData(
DerSet.Empty,
new ContentInfo(CmsObjectIdentifiers.Data, null),
new DerSet(
rootCert,
new DerTaggedObject(false, 2, Asn1Object.FromByteArray(AttrCertTest.attrCert))),
new DerSet(rootCrl),
DerSet.Empty);
ContentInfo info = new ContentInfo(CmsObjectIdentifiers.SignedData, sigData);
X509Certificate cert = certParser.ReadCertificate(info.GetEncoded());
if (cert == null || !AreEqual(cert.GetEncoded(), rootCert.ToAsn1Object().GetEncoded()))
{
Fail("PKCS7 cert not read");
}
X509Crl crl = crlParser.ReadCrl(info.GetEncoded());
if (crl == null || !AreEqual(crl.GetEncoded(), rootCrl.ToAsn1Object().GetEncoded()))
{
Fail("PKCS7 crl not read");
}
ArrayList col = new ArrayList(certParser.ReadCertificates(info.GetEncoded()));
if (col.Count != 1 || !col.Contains(cert))
{
Fail("PKCS7 cert collection not right");
}
col = new ArrayList(crlParser.ReadCrls(info.GetEncoded()));
if (col.Count != 1 || !col.Contains(crl))
{
Fail("PKCS7 crl collection not right");
}
// data with no certificates or CRLs
sigData = new SignedData(DerSet.Empty, new ContentInfo(CmsObjectIdentifiers.Data, null), DerSet.Empty, DerSet.Empty, DerSet.Empty);
info = new ContentInfo(CmsObjectIdentifiers.SignedData, sigData);
cert = certParser.ReadCertificate(info.GetEncoded());
if (cert != null)
{
Fail("PKCS7 cert present");
}
crl = crlParser.ReadCrl(info.GetEncoded());
if (crl != null)
{
Fail("PKCS7 crl present");
}
// data with absent certificates and CRLS
sigData = new SignedData(DerSet.Empty, new ContentInfo(CmsObjectIdentifiers.Data, null), null, null, DerSet.Empty);
info = new ContentInfo(CmsObjectIdentifiers.SignedData, sigData);
cert = certParser.ReadCertificate(info.GetEncoded());
if (cert != null)
{
Fail("PKCS7 cert present");
}
crl = crlParser.ReadCrl(info.GetEncoded());
if (crl != null)
{
Fail("PKCS7 crl present");
}
//
// sample message
//
ICollection certCol = certParser.ReadCertificates(pkcs7CrlProblem);
ICollection crlCol = crlParser.ReadCrls(pkcs7CrlProblem);
if (crlCol.Count != 0)
{
Fail("wrong number of CRLs: " + crlCol.Count);
}
if (certCol.Count != 4)
{
Fail("wrong number of Certs: " + certCol.Count);
}
}
X509CrlRecord LoadCrlRecord (IDataRecord reader, X509CrlParser parser, ref byte[] buffer)
{
var record = new X509CrlRecord ();
for (int i = 0; i < reader.FieldCount; i++) {
switch (reader.GetName (i).ToUpperInvariant ()) {
case "CRL":
record.Crl = DecodeX509Crl (reader, parser, i, ref buffer);
break;
case "THISUPDATE":
record.ThisUpdate = reader.GetDateTime (i);
break;
case "NEXTUPDATE":
record.NextUpdate = reader.GetDateTime (i);
break;
case "DELTA":
record.IsDelta = reader.GetBoolean (i);
break;
case "ID":
record.Id = reader.GetInt32 (i);
break;
}
}
return record;
}
public void TestDirectCrl()
{
X509Crl crl = new X509CrlParser().ReadCrl(directCrl);
foreach (X509CrlEntry crlEntry in crl.GetRevokedCertificates())
{
if (crlEntry.GetCertificateIssuer() != null)
{
Fail("certificate issuer CRL entry extension is not null");
}
}
}
/// <summary>
/// Zertifikatsperrliste vom OSTC-Server laden
/// </summary>
/// <param name="certType">Art des Zertifikats (SHA1 oder SHA256)</param>
/// <param name="preferFtp">FTP-Server-Download bevorzugen?</param>
/// <returns>Zertifikatsperrliste</returns>
public async Task<X509Crl> DownloadCrlAsync(OstcCertificateType certType, bool preferFtp = true)
{
Uri downloadUrl = null;
if ((certType & OstcCertificateType.Sha1) == OstcCertificateType.Sha1)
downloadUrl = new Uri("ftp://trustcenter-ftp.itsg.de/agv/sperrliste-ag.crl");
else if ((certType & OstcCertificateType.Sha256) == OstcCertificateType.Sha256)
downloadUrl = new Uri("ftp://trustcenter-ftp.itsg.de/agv/sperrliste-ag-sha256.crl");
Debug.Assert(downloadUrl != null);
var data = await DownloadAsync(downloadUrl);
var crlParser = new X509CrlParser();
var crl = crlParser.ReadCrl(data);
return crl;
}