 /**
  * Checks the revocation status of <code>signCert</code> from the material embedded in the signature:
  * the OCSP response first and, only when that yields nothing, the embedded CRLs.
  * Every successful verification step is written to the console.
  * @param pkcs7	the signature container whose embedded OCSP response / CRLs are consulted
  * @param signCert	the signing certificate to check
  * @param issuerCert	the issuer of <code>signCert</code>
  * @param date	the date handed to the OCSP and CRL verifiers
  * @return 0 when at least one verification step succeeded, <code>CER_STATUS_NOT_VERIFIED</code> otherwise
  */
 public static int CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
 {
     List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
     BasicOcspResp ocsp = pkcs7.Ocsp;
     if (ocsp != null)
     {
         embeddedOcsp.Add(ocsp);
     }
     List<VerificationOK> results = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

     // The embedded CRLs are only consulted when OCSP produced no result
     if (results.Count == 0)
     {
         List<X509Crl> embeddedCrls = new List<X509Crl>();
         if (pkcs7.CRLs != null)
         {
             foreach (X509Crl crl in pkcs7.CRLs)
             {
                 embeddedCrls.Add(crl);
             }
         }
         results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
     }

     if (results.Count == 0)
     {
         Console.WriteLine("No se pudo verificar estado de revocación del certificado por CRL ni OCSP");
         return CER_STATUS_NOT_VERIFIED;
     }

     foreach (VerificationOK ok in results)
     {
         Console.WriteLine(ok);
     }
     return 0;
 }
        /**
         * Verifies a certificate against every revocation source available to this verifier.
         * Three verifiers are stacked: the root store (if one was configured) at the bottom, the CRLs
         * taken from the DSS on top of it, and the OCSP responses taken from the DSS on top of that;
         * the OCSP verifier is the one actually invoked. Online checking is enabled on the CRL and
         * OCSP verifiers when <code>latestRevision</code> or <code>onlineCheckingAllowed</code> is set.
         * @param signCert	the certificate to verify
         * @param issuerCert	its issuer certificate
         * @param sigDate	the date passed on to the stacked verifiers
         * @return a list of <code>VerificationOK</code> objects.
         * The list will be empty if the certificate couldn't be verified.
         * @throws GeneralSecurityException
         * @throws IOException
         * @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate)
         */
        override public List <VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime sigDate)
        {
            // the root store (if present) is the bottom of the stack
            RootStoreVerifier rootVerifier = new RootStoreVerifier(verifier)
            {
                Certificates = certificates
            };
            // CRLs from the DSS, stacked on the root store
            CrlVerifier crlChain = new CrlVerifier(rootVerifier, GetCRLsFromDSS())
            {
                Certificates          = certificates,
                OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed
            };
            // OCSP responses from the DSS, stacked on the CRL verifier
            OcspVerifier ocspChain = new OcspVerifier(crlChain, GetOCSPResponsesFromDSS())
            {
                Certificates          = certificates,
                OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed
            };
            // the OCSP verifier is the entry point of the stack
            return ocspChain.Verify(signCert, issuerCert, sigDate);
        }
	    /**
	     * Prints the revocation status of <code>signCert</code> as established from the OCSP response
	     * embedded in <code>pkcs7</code> and, only when that yields nothing, from its embedded CRLs.
	     * Each successful verification step is written to the console; when there is none, a single
	     * failure message is printed instead.
	     * @param pkcs7	the signature container whose embedded OCSP response / CRLs are consulted
	     * @param signCert	the signing certificate to check
	     * @param issuerCert	the issuer of <code>signCert</code>
	     * @param date	the date handed to the OCSP and CRL verifiers
	     */
	    public static void CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date) {
		    List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
		    BasicOcspResp ocsp = pkcs7.Ocsp;
		    if (ocsp != null) {
			    embeddedOcsp.Add(ocsp);
		    }
		    List<VerificationOK> results = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

		    // The embedded CRLs are only consulted when OCSP produced no result
		    if (results.Count == 0) {
			    List<X509Crl> embeddedCrls = new List<X509Crl>();
			    if (pkcs7.CRLs != null) {
				    foreach (X509Crl crl in pkcs7.CRLs) {
					    embeddedCrls.Add(crl);
				    }
			    }
			    results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
		    }

		    if (results.Count > 0) {
			    foreach (VerificationOK ok in results) {
				    Console.WriteLine(ok);
			    }
			    return;
		    }
		    Console.WriteLine("The signing certificate couldn't be verified");
	    }
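        /**
         * Verifies if an OCSP response is genuine, i.e. signed by a certificate this verifier accepts
         * as the responder. The signer is looked up in this order: the issuer certificate itself,
         * an authorized responder (id-kp-OCSPSigning) carried in the response's own certificate chain,
         * and - only when the response carries no chain - the certificates configured on this verifier.
         * The responder certificate must then be issued directly by <code>issuerCert</code>; unless it
         * carries id-pkix-ocsp-nocheck, its own CRL is downloaded and checked on a best-effort basis,
         * falling back to a plain validity-period check when no CRL could be obtained.
         * @param ocspResp	the OCSP response
         * @param issuerCert	the issuer certificate
         * @throws VerificationException if no acceptable signer of the response is found
         * @throws GeneralSecurityException
         * @throws IOException
         */
        virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert)
        {
            //OCSP response might be signed by the issuer certificate or
            //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
            X509Certificate responderCert = null;

            //first check if the issuer certificate signed the response
            //since it is expected to be the most common case
            if (IsSignatureValid(ocspResp, issuerCert))
            {
                responderCert = issuerCert;
            }

            //if the issuer certificate didn't sign the ocsp response, look for an authorized responder
            //in the certificate chain received with the response, or else among the configured anchors
            if (responderCert == null)
            {
                // GetCerts() is read once; the original called it twice
                X509Certificate[] certs = ocspResp.GetCerts();
                if (certs != null)
                {
                    //look for an Authorized OCSP responder inside the cert chain of the ocsp response
                    foreach (X509Certificate cert in certs)
                    {
                        try {
                            IList keyPurposes = cert.GetExtendedKeyUsage();
                            if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, cert))
                            {
                                responderCert = cert;
                                break;
                            }
                        } catch (CertificateParsingException) {
                            // a certificate whose extended key usage cannot be parsed is not an authorized responder; try the next one
                        }
                    }
                }
                else if (certificates != null)
                {
                    //certificate chain is not present in the response received: try the configured anchors
                    foreach (X509Certificate anchor in certificates)
                    {
                        try {
                            if (IsSignatureValid(ocspResp, anchor))
                            {
                                responderCert = anchor;
                                break;
                            }
                        } catch (GeneralSecurityException) {
                            // this anchor did not sign the response; try the next one
                        }
                    }
                }

                // The response is signed neither by the issuer, nor by an authorized responder in its own
                // chain, nor (when it carries no chain) by any configured anchor.
                if (responderCert == null)
                {
                    throw new VerificationException(issuerCert, "OCSP response could not be verified");
                }
            }

            //check "This certificate MUST be issued directly by the CA that issued the certificate in question".
            responderCert.Verify(issuerCert.GetPublicKey());

            // validating ocsp signers certificate
            // Check if responders certificate has id-pkix-ocsp-nocheck extension,
            // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
            if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null)
            {
                X509Crl crl = null;
                try {
                    X509CrlParser crlParser = new X509CrlParser();
                    // Download the responder's CRL; the response and its stream are released once the CRL is parsed
                    // (the original left both undisposed)
                    using (WebResponse response = WebRequest.Create(CertificateUtil.GetCRLURL(responderCert)).GetResponse())
                    using (Stream crlStream = response.GetResponseStream())
                    {
                        crl = crlParser.ReadCrl(crlStream);
                    }
                } catch (Exception) {
                    // Best effort, as before: a CRL that cannot be located, downloaded or parsed is simply
                    // not checked (fail-open); only the validity-period check below still runs.
                    crl = null;
                }
                if (crl != null)
                {
                    CrlVerifier crlVerifier = new CrlVerifier(null, null);
                    crlVerifier.Certificates          = certificates;
                    crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed;
                    crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow);
                    return;
                }
            }

            //check if lifetime of certificate is ok
            responderCert.CheckValidity();
        }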
	    /**
	     * Verifies a certificate against every revocation source available to this verifier.
	     * Three verifiers are stacked: the root store (if one was configured) at the bottom, the CRLs
	     * taken from the DSS on top of it, and the OCSP responses taken from the DSS on top of that;
	     * the OCSP verifier is the one actually invoked. Online checking is enabled on the CRL and
	     * OCSP verifiers when <code>latestRevision</code> or <code>onlineCheckingAllowed</code> is set.
	     * @param signCert	the certificate to verify
	     * @param issuerCert	its issuer certificate
	     * @param sigDate	the date passed on to the stacked verifiers
	     * @return a list of <code>VerificationOK</code> objects.
	     * The list will be empty if the certificate couldn't be verified.
	     * @throws GeneralSecurityException
	     * @throws IOException
	     * @see com.itextpdf.text.pdf.security.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate)
	     */
	    override public List<VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime sigDate) {
		    // the root store (if present) is the bottom of the stack
		    RootStoreVerifier rootVerifier = new RootStoreVerifier(verifier) {
			    Certificates = certificates
		    };
		    // CRLs from the DSS, stacked on the root store
		    CrlVerifier crlChain = new CrlVerifier(rootVerifier, GetCRLsFromDSS()) {
			    Certificates = certificates,
			    OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed
		    };
		    // OCSP responses from the DSS, stacked on the CRL verifier
		    OcspVerifier ocspChain = new OcspVerifier(crlChain, GetOCSPResponsesFromDSS()) {
			    Certificates = certificates,
			    OnlineCheckingAllowed = latestRevision || onlineCheckingAllowed
		    };
		    // the OCSP verifier is the entry point of the stack
		    return ocspChain.Verify(signCert, issuerCert, sigDate);
	    }
        /**
         * Checks the revocation status of <code>signCert</code> from the material embedded in the signature:
         * the OCSP response first and, only when that yields nothing and at least one CRL is embedded, the CRLs.
         * Every successful verification step is written to the console.
         * @param pkcs7	the signature container whose embedded OCSP response / CRLs are consulted
         * @param signCert	the signing certificate to check
         * @param issuerCert	the issuer of <code>signCert</code>
         * @param date	the date handed to the OCSP and CRL verifiers
         * @return <code>true</code> when at least one verification step succeeded, <code>false</code> otherwise
         */
        private static bool CheckRevocation(PdfPKCS7 pkcs7, X509Certificate signCert, X509Certificate issuerCert, DateTime date)
        {
            List<BasicOcspResp> embeddedOcsp = new List<BasicOcspResp>();
            BasicOcspResp ocsp = pkcs7.Ocsp;
            if (ocsp != null)
            {
                embeddedOcsp.Add(ocsp);
            }
            List<VerificationOK> results = new OcspVerifier(null, embeddedOcsp).Verify(signCert, issuerCert, date);

            // The embedded CRLs are only consulted when OCSP produced no result and there is at least one CRL
            if (results.Count == 0)
            {
                List<X509Crl> embeddedCrls = new List<X509Crl>();
                if (pkcs7.CRLs != null)
                {
                    foreach (X509Crl crl in pkcs7.CRLs)
                    {
                        embeddedCrls.Add(crl);
                    }
                }
                if (embeddedCrls.Count > 0)
                {
                    results.AddRange(new CrlVerifier(null, embeddedCrls).Verify(signCert, issuerCert, date));
                }
            }

            if (results.Count == 0)
            {
                return false;
            }
            foreach (VerificationOK ok in results)
            {
                Console.WriteLine(ok);
            }
            // results is non-empty here, so this is exactly what the trailing Count > 0 test used to yield
            return true;
        }
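        /**
         * Verifies if an OCSP response is genuine, i.e. signed by a certificate this verifier accepts
         * as the responder. The signer is looked up in this order: the issuer certificate itself,
         * an authorized responder (id-kp-OCSPSigning) carried in the response's own certificate chain,
         * and - only when the response carries no chain - the certificates configured on this verifier.
         * The responder certificate must then be issued directly by <code>issuerCert</code>; unless it
         * carries id-pkix-ocsp-nocheck, its own CRL is downloaded and checked on a best-effort basis,
         * falling back to a plain validity-period check when no CRL could be obtained.
         * @param ocspResp	the OCSP response
         * @param issuerCert	the issuer certificate
         * @throws VerificationException if no acceptable signer of the response is found
         * @throws GeneralSecurityException
         * @throws IOException
         */
        virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert) {
            //OCSP response might be signed by the issuer certificate or
            //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
            X509Certificate responderCert = null;

            //first check if the issuer certificate signed the response
            //since it is expected to be the most common case
            if (IsSignatureValid(ocspResp, issuerCert)) {
                responderCert = issuerCert;
            }

            //if the issuer certificate didn't sign the ocsp response, look for an authorized responder
            //in the certificate chain received with the response, or else among the configured anchors
            if (responderCert == null) {
                // GetCerts() is read once; the original called it twice
                X509Certificate[] certs = ocspResp.GetCerts();
                if (certs != null) {
                    //look for an Authorized OCSP responder inside the cert chain of the ocsp response
                    foreach (X509Certificate cert in certs) {
                        try {
                            IList keyPurposes = cert.GetExtendedKeyUsage();
                            if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, cert)) {
                                responderCert = cert;
                                break;
                            }
                        } catch (CertificateParsingException) {
                            // a certificate whose extended key usage cannot be parsed is not an authorized responder; try the next one
                        }
                    }
                } else if (certificates != null) {
                    //certificate chain is not present in the response received: try the configured anchors
                    foreach (X509Certificate anchor in certificates) {
                        try {
                            if (IsSignatureValid(ocspResp, anchor)) {
                                responderCert = anchor;
                                break;
                            }
                        } catch (GeneralSecurityException) {
                            // this anchor did not sign the response; try the next one
                        }
                    }
                }

                // The response is signed neither by the issuer, nor by an authorized responder in its own
                // chain, nor (when it carries no chain) by any configured anchor.
                if (responderCert == null) {
                    throw new VerificationException(issuerCert, "OCSP response could not be verified");
                }
            }

            //check "This certificate MUST be issued directly by the CA that issued the certificate in question".
            responderCert.Verify(issuerCert.GetPublicKey());

            // validating ocsp signers certificate
            // Check if responders certificate has id-pkix-ocsp-nocheck extension,
            // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
            if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null) {
                X509Crl crl = null;
                try {
                    X509CrlParser crlParser = new X509CrlParser();
                    // Download the responder's CRL; the response and its stream are released once the CRL is parsed
                    // (the original left both undisposed)
                    using (WebResponse response = WebRequest.Create(CertificateUtil.GetCRLURL(responderCert)).GetResponse())
                    using (Stream crlStream = response.GetResponseStream()) {
                        crl = crlParser.ReadCrl(crlStream);
                    }
                } catch (Exception) {
                    // Best effort, as before: a CRL that cannot be located, downloaded or parsed is simply
                    // not checked (fail-open); only the validity-period check below still runs.
                    crl = null;
                }
                if (crl != null) {
                    CrlVerifier crlVerifier = new CrlVerifier(null, null);
                    crlVerifier.Certificates = certificates;
                    crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed;
                    crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow);
                    return;
                }
            }

            //check if lifetime of certificate is ok
            responderCert.CheckValidity();
        }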