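/// <summary>
/// Exercises the OCSP request/response round trip with an ECDSA key pair: an unsigned request,
/// a signed request with and without a nonce extension, re-parsing of the encoded request and
/// basic response generation. Unused locals from the RSA variant have been dropped.
/// </summary>
private void doTestECDsa()
{
    string signDN = "O=Bouncy Castle, C=AU";
    AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeECKeyPair();
    X509Certificate testCert = OcspTestUtil.MakeECDsaCertificate(signKP, signDN, signKP, signDN);

    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

    //
    // basic request generation
    //
    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(id);
    OcspReq req = gen.Generate();

    if (req.IsSigned)
    {
        Fail("signed but shouldn't be");
    }

    // An unsigned request carries no certificate chain.
    X509Certificate[] certs = req.GetCerts();
    if (certs != null)
    {
        Fail("null certs expected, but not found");
    }

    Req[] requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // request generation with signing
    //
    X509Certificate[] chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }
    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    certs = req.GetCerts();
    if (certs == null)
    {
        Fail("null certs found");
    }
    if (certs.Length != 1 || !certs[0].Equals(testCert))
    {
        Fail("incorrect certs found in request");
    }

    //
    // encoding test: the signature must survive a DER round trip
    //
    byte[] reqEnc = req.GetEncoded();
    OcspReq newReq = new OcspReq(reqEnc);
    if (!newReq.Verify(signKP.Public))
    {
        Fail("newReq signature failed to Verify");
    }

    //
    // request generation with signing and nonce
    //
    chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    IList oids = new ArrayList();
    IList values = new ArrayList();
    byte[] sampleNonce = new byte[16];
    // Test-only nonce; a real client should draw it from a CSPRNG.
    Random rand = new Random();
    rand.NextBytes(sampleNonce);
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // extnValue holds the DER encoding of an OCTET STRING wrapping the nonce, hence the double wrap.
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
    gen.SetRequestExtensions(new X509Extensions(oids, values));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }
    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    //
    // extension check.
    //
    ISet extOids = req.GetCriticalExtensionOids();
    if (extOids.Count != 0)
    {
        Fail("wrong number of critical extensions in OCSP request.");
    }
    extOids = req.GetNonCriticalExtensionOids();
    if (extOids.Count != 1)
    {
        Fail("wrong number of non-critical extensions in OCSP request.");
    }

    Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    Asn1Encodable extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
    if (!(extObj is Asn1OctetString))
    {
        Fail("wrong extension type found.");
    }
    if (!AreEqual(((Asn1OctetString)extObj).GetOctets(), sampleNonce))
    {
        Fail("wrong extension value found.");
    }

    //
    // request list check
    //
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // response generation
    //
    BasicOcspRespGenerator respGen = new BasicOcspRespGenerator(signKP.Public);
    respGen.AddResponse(id, CertificateStatus.Good);
    respGen.Generate("SHA1withECDSA", signKP.Private, chain, DateTime.UtcNow);
}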
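/// <summary>
/// Runs the RSA variant of the OCSP round-trip tests (unsigned request, signed request with and
/// without a nonce, encoding round trip, parsing of two canned responses and simple response
/// generation), then the ECDSA, RSA-specific and irregular-version sub-tests. Locals that were
/// assigned but never read have been removed.
/// </summary>
public override void PerformTest()
{
    string signDN = "O=Bouncy Castle, C=AU";
    AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
    X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);

    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

    //
    // basic request generation
    //
    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    OcspReq req = gen.Generate();

    if (req.IsSigned)
    {
        Fail("signed but shouldn't be");
    }

    // An unsigned request carries no certificate chain.
    X509Certificate[] certs = req.GetCerts();
    if (certs != null)
    {
        Fail("null certs expected, but not found");
    }

    Req[] requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // request generation with signing
    //
    X509Certificate[] chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }
    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    certs = req.GetCerts();
    if (certs == null)
    {
        Fail("null certs found");
    }
    if (certs.Length != 1 || !testCert.Equals(certs[0]))
    {
        Fail("incorrect certs found in request");
    }

    //
    // encoding test: the signature must survive a DER round trip
    //
    byte[] reqEnc = req.GetEncoded();
    OcspReq newReq = new OcspReq(reqEnc);
    if (!newReq.Verify(signKP.Public))
    {
        Fail("newReq signature failed to Verify");
    }

    //
    // request generation with signing and nonce
    //
    chain = new X509Certificate[1];
    gen = new OcspReqGenerator();
    IList oids = new ArrayList();
    IList values = new ArrayList();
    byte[] sampleNonce = new byte[16];
    // Test-only nonce; a real client should draw it from a CSPRNG.
    Random rand = new Random();
    rand.NextBytes(sampleNonce);
    gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    // extnValue holds the DER encoding of an OCTET STRING wrapping the nonce, hence the double wrap.
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
    gen.SetRequestExtensions(new X509Extensions(oids, values));
    gen.AddRequest(new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
    chain[0] = testCert;
    req = gen.Generate("SHA1withRSA", signKP.Private, chain);

    if (!req.IsSigned)
    {
        Fail("not signed but should be");
    }
    if (!req.Verify(signKP.Public))
    {
        Fail("signature failed to Verify");
    }

    //
    // extension check.
    //
    ISet extOids = req.GetCriticalExtensionOids();
    if (extOids.Count != 0)
    {
        Fail("wrong number of critical extensions in OCSP request.");
    }
    extOids = req.GetNonCriticalExtensionOids();
    if (extOids.Count != 1)
    {
        Fail("wrong number of non-critical extensions in OCSP request.");
    }

    Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
    if (!(extObj is Asn1OctetString))
    {
        Fail("wrong extension type found.");
    }
    byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets();
    if (!AreEqual(compareNonce, sampleNonce))
    {
        Fail("wrong extension value found.");
    }

    //
    // request list check
    //
    requests = req.GetRequestList();
    if (!requests[0].GetCertID().Equals(id))
    {
        Fail("Failed isFor test");
    }

    //
    // response parsing - test 1
    //
    OcspResp response = new OcspResp(testResp1);
    if (response.Status != 0)
    {
        Fail("response status not zero.");
    }

    BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject();
    chain = brep.GetCerts();
    // The canned response is verified with the key it carries itself; that only proves internal
    // consistency, which is all this parsing test needs (it is not a trust decision).
    if (!brep.Verify(chain[0].GetPublicKey()))
    {
        Fail("response 1 failed to Verify.");
    }

    //
    // test 2
    //
    response = new OcspResp(testResp2);
    if (response.Status != 0)
    {
        Fail("response status not zero.");
    }

    brep = (BasicOcspResp)response.GetResponseObject();
    chain = brep.GetCerts();
    if (!brep.Verify(chain[0].GetPublicKey()))
    {
        Fail("response 2 failed to Verify.");
    }

    //
    // simple response generation
    //
    OCSPRespGenerator respGen = new OCSPRespGenerator();
    OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());
    if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
    {
        Fail("response fails to match");
    }

    doTestECDsa();
    doTestRsa();
    doTestIrregularVersionReq();
}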
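/// <summary>
/// Determines the revocation status of <paramref name="childCertificate"/> at
/// <paramref name="validationDate"/> from the OCSP response supplied by <c>ocspSource</c>.
/// </summary>
/// <param name="childCertificate">Certificate whose status is wanted.</param>
/// <param name="certificate">Issuer of <paramref name="childCertificate"/>; used to build the CertID that is matched against the response entries.</param>
/// <param name="validationDate">Instant at which validity is assessed; a revocation dated after it leaves the certificate VALID.</param>
/// <returns>
/// A <see cref="CertificateStatus"/> describing the matching single response, or <c>null</c> when there is no
/// OCSP source, no response, no entry for this certificate, or the lookup failed with an I/O error.
/// </returns>
/// <exception cref="RuntimeException">Wraps an <see cref="OcspException"/> thrown while processing the response.</exception>
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
{
    CertificateStatus status = new CertificateStatus();
    status.Certificate = childCertificate;
    status.ValidationDate = validationDate;
    status.IssuerCertificate = certificate;

    if (ocspSource == null)
    {
        LOG.Warn("OCSPSource null");
        return null;
    }

    try
    {
        BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate);
        if (null == ocspResp)
        {
            LOG.Info("OCSP response not found");
            return null;
        }

        // NOTE(review): the response signature and the thisUpdate/nextUpdate window are not checked
        // here — confirm that ocspSource only hands back responses it has already authenticated.
        CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate, childCertificate.SerialNumber);

        foreach (SingleResp singleResp in ocspResp.Responses)
        {
            // Only the entry that identifies the certificate we asked about is relevant.
            if (!certificateId.Equals(singleResp.GetCertID()))
            {
                continue;
            }

            LOG.Info("OCSP thisUpdate: " + singleResp.ThisUpdate);
            LOG.Info("OCSP nextUpdate: " + singleResp.NextUpdate);

            status.StatusSourceType = ValidatorSourceType.OCSP;
            status.StatusSource = ocspResp;
            status.RevocationObjectIssuingTime = ocspResp.ProducedAt;

            // A null status object means "good"; read it once instead of on every branch.
            object certStatus = singleResp.GetCertStatus();
            if (null == certStatus)
            {
                LOG.Info("OCSP OK for: " + childCertificate.SubjectDN);
                status.Validity = CertificateValidity.VALID;
            }
            else
            {
                LOG.Info("OCSP certificate status: " + certStatus.GetType().FullName);
                if (certStatus is RevokedStatus)
                {
                    LOG.Info("OCSP status revoked");
                    DateTime revocationTime = ((RevokedStatus)certStatus).RevocationTime;
                    // NOTE(review): CompareTo ignores DateTime.Kind — make sure validationDate and
                    // RevocationTime are expressed in the same time base (UTC).
                    if (validationDate.CompareTo(revocationTime) < 0) //jbonilla - Before
                    {
                        // Revoked only after the instant being assessed, so it was still valid then.
                        LOG.Info("OCSP revocation time after the validation date, the certificate was valid at " + validationDate);
                        status.Validity = CertificateValidity.VALID;
                    }
                    else
                    {
                        status.RevocationDate = revocationTime;
                        status.Validity = CertificateValidity.REVOKED;
                    }
                }
                else if (certStatus is UnknownStatus)
                {
                    LOG.Info("OCSP status unknown");
                    status.Validity = CertificateValidity.UNKNOWN;
                }
            }
            return status;
        }

        LOG.Info("no matching OCSP response entry");
        return null;
    }
    catch (IOException ex)
    {
        // Log the exception object, not just Message, so type and stack trace are kept for diagnosis.
        LOG.Error("OCSP exception: " + ex);
        return null;
    }
    catch (OcspException ex)
    {
        LOG.Error("OCSP exception: " + ex);
        throw new RuntimeException(ex);
    }
}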
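// OCSPResponseStatus successful(0), RFC 6960 section 4.2.1.
private const int OcspResponseStatusSuccessful = 0;

/// <summary>
/// Checks the certificate chain for revocation via OCSP.
/// </summary>
/// <returns>
/// <c>true</c> if a certificate in the chain is reported revoked, or if its status could not be
/// established safely (transport failure, response that does not verify); <c>false</c> otherwise.
/// A responder that answers with a non-successful status (tryLater, unauthorized, ...) is logged
/// and treated as "not revoked", matching the previous behaviour.
/// </returns>
/// <param name='chain'>
/// The certificate chain. ChainElements[0] is assumed to be the end-entity certificate and each
/// element to be issued by the next one (the order .NET's X509Chain produces) — confirm for other sources.
/// </param>
private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
{
    List<X509Certificate> certsList = new List<X509Certificate>();
    // certsUrls[i] is the OCSP responder advertised by certsList[i]'s AIA extension, or null when it has none.
    List<Uri> certsUrls = new List<Uri>();
    bool bCertificateIsRevoked = false;

    try
    {
        // Keep every element (not only those carrying an AIA extension) so that
        // certsList[i + 1] really is the issuer of certsList[i].
        foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements)
        {
            X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(cert.Certificate);
            certsList.Add(BCCert);
            certsUrls.Add(GetOcspResponderUrl(BCCert));
        }

        bool bResponderFound = false;
        // The last element (trust anchor) has no issuer in the chain and cannot be queried.
        for (int i = 0; i < (certsList.Count - 1) && !bCertificateIsRevoked; i++)
        {
            Uri responderUrl = certsUrls[i];
            if (responderUrl == null)
            {
                continue;
            }
            bResponderFound = true;

            X509Certificate issuer = certsList[i + 1];
            CertificateID ID = new CertificateID(CertificateID.HashSha1, issuer, certsList[i].SerialNumber);
            byte[] nonce = NewNonce();
            OcspReq request = BuildOcspRequest(ID, nonce);

            // Each request goes only to the responder advertised by its own certificate.
            BasicOcspResp basicOCSPResponse = SendOcspRequest(responderUrl, request);
            if (basicOCSPResponse == null)
            {
                continue;
            }

            // The response comes from the network: do not read any status out of it until its
            // signature chains to the issuing CA and the nonce (if echoed) matches our request.
            if (!IsAuthorizedOcspResponse(basicOCSPResponse, issuer) || !NonceMatches(basicOCSPResponse, nonce))
            {
                SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP response from " + responderUrl + " could not be verified.");
                bCertificateIsRevoked = true;
                continue;
            }

            foreach (SingleResp singleResponse in basicOCSPResponse.Responses)
            {
                // Only the entry for the certificate we asked about counts.
                if (!ID.Equals(singleResponse.GetCertID()))
                {
                    continue;
                }
                if (singleResponse.GetCertStatus() is RevokedStatus)
                {
                    bCertificateIsRevoked = true;
                }
            }
        }

        if (!bResponderFound)
        {
            SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");
        }
    }
    catch (Exception e)
    {
        // Fail closed: any failure while checking is reported as revoked.
        SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
        bCertificateIsRevoked = true;
    }

    if (bCertificateIsRevoked)
    {
        SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
    }
    return bCertificateIsRevoked;
}

// Returns the first http(s) id-ad-ocsp location from the certificate's AIA extension, or null.
private static Uri GetOcspResponderUrl(X509Certificate certificate)
{
    X509Extensions extensions = certificate.CertificateStructure.TbsCertificate.Extensions;
    if (extensions == null)
    {
        return null;
    }
    X509Extension ext = extensions.GetExtension(X509Extensions.AuthorityInfoAccess);
    if (ext == null)
    {
        return null;
    }
    AccessDescription[] certUrls = AuthorityInformationAccess.GetInstance(ext.GetParsedValue()).GetAccessDescriptions();
    if (certUrls == null)
    {
        return null;
    }
    foreach (AccessDescription description in certUrls)
    {
        // AIA also lists caIssuers entries; only id-ad-ocsp entries name a responder.
        if (!AccessDescription.IdADOcsp.Equals(description.AccessMethod))
        {
            continue;
        }
        GeneralName location = description.AccessLocation;
        if (location.TagNo != GeneralName.UniformResourceIdentifier)
        {
            continue;
        }
        string url = location.Name.ToString();
        if (url.StartsWith("http://", StringComparison.OrdinalIgnoreCase) || url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            return new Uri(url);
        }
    }
    return null;
}

// Draws a fresh 16-byte nonce from the platform CSPRNG (the clock is predictable).
private static byte[] NewNonce()
{
    byte[] nonce = new byte[16];
    using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(nonce);
    }
    return nonce;
}

// Builds an unsigned OCSP request for one CertID carrying the nonce extension.
private static OcspReq BuildOcspRequest(CertificateID ID, byte[] nonce)
{
    OcspReqGenerator OCSPRequestGenerator = new OcspReqGenerator();
    List<DerObjectIdentifier> oids = new List<DerObjectIdentifier>();
    oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
    List<X509Extension> values = new List<X509Extension>();
    // extnValue is the DER encoding of an OCTET STRING holding the nonce (RFC 6960 section 4.4.1),
    // hence the double wrap; the raw bytes alone are not a valid extension value.
    values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(nonce))));
    OCSPRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));
    OCSPRequestGenerator.AddRequest(ID);
    return OCSPRequestGenerator.Generate();
}

// POSTs the request and returns the basic response, or null when the responder reports a non-successful status.
private static BasicOcspResp SendOcspRequest(Uri responderUrl, OcspReq request)
{
    HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create(responderUrl);
    requestToOCSPServer.Method = "POST";
    requestToOCSPServer.ContentType = "application/ocsp-request";
    requestToOCSPServer.Accept = "application/ocsp-response";
    requestToOCSPServer.ReadWriteTimeout = 15000; // 15 seconds for each stream read/write
    requestToOCSPServer.Timeout = 100000; // 100 seconds overall wait for the response headers

    byte[] bRequestBytes = request.GetEncoded();
    using (Stream requestStream = requestToOCSPServer.GetRequestStream())
    {
        requestStream.Write(bRequestBytes, 0, bRequestBytes.Length);
        requestStream.Flush();
    }

    // Dispose both the response and its stream so the connection is returned to the pool.
    using (HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse())
    using (Stream responseStream = serverResponse.GetResponseStream())
    {
        OcspResp OCSPResponse = new OcspResp(responseStream);
        if (OCSPResponse.Status != OcspResponseStatusSuccessful)
        {
            SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP responder " + responderUrl + " returned status " + OCSPResponse.Status + "; revocation not established.");
            return null;
        }
        return (BasicOcspResp)OCSPResponse.GetResponseObject();
    }
}

// True when the response is signed by the issuing CA or by an authorized responder it certified (RFC 6960 section 4.2.2.2).
private static bool IsAuthorizedOcspResponse(BasicOcspResp response, X509Certificate issuer)
{
    // Case 1: signed directly by the CA that issued the certificate in question.
    if (response.Verify(issuer.GetPublicKey()))
    {
        return true;
    }

    // Case 2: signed by a delegated responder whose certificate is issued by that CA, is currently
    // valid and carries the id-kp-OCSPSigning extended key usage. A locally configured
    // "trusted responder" key is not supported here.
    X509Certificate[] responderCerts = response.GetCerts();
    if (responderCerts == null)
    {
        return false;
    }
    foreach (X509Certificate responderCert in responderCerts)
    {
        if (!response.Verify(responderCert.GetPublicKey()))
        {
            continue;
        }
        System.Collections.IList purposes = responderCert.GetExtendedKeyUsage();
        if (purposes == null || !purposes.Contains(KeyPurposeID.IdKPOcspSigning.Id))
        {
            continue;
        }
        try
        {
            responderCert.CheckValidity();
            responderCert.Verify(issuer.GetPublicKey()); // throws unless issued by the CA
            return true;
        }
        catch (Exception)
        {
            // Not an authorized responder for this CA; try the next candidate.
        }
    }
    return false;
}

// True when the response carries no nonce, or carries one equal to the nonce we sent.
private static bool NonceMatches(BasicOcspResp response, byte[] expectedNonce)
{
    Asn1OctetString extValue = response.GetExtensionValue(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
    if (extValue == null)
    {
        // Responders are not required to echo the nonce (RFC 6960 section 4.4.1); a missing one
        // is tolerated, a present one must match to rule out replay of an older response.
        return true;
    }
    Asn1OctetString nonce = Org.BouncyCastle.X509.Extension.X509ExtensionUtilities.FromExtensionValue(extValue) as Asn1OctetString;
    return nonce != null && Org.BouncyCastle.Utilities.Arrays.AreEqual(nonce.GetOctets(), expectedNonce);
}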
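/// <summary>
/// Queues a request for the certificate identified by <paramref name="certId"/> with no
/// single-request extensions.
/// </summary>
/// <param name="certId">Identifier of the certificate whose status is requested.</param>
/// <exception cref="ArgumentNullException">When <paramref name="certId"/> is <c>null</c>; failing
/// here is clearer than a NullReferenceException later during encoding.</exception>
public void AddRequest(CertificateID certId)
{
    if (certId == null)
    {
        throw new ArgumentNullException("certId");
    }
    list.Add(new RequestObject(certId, null));
}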
/// <summary>
/// Reports whether <paramref name="certID"/> was derived from <paramref name="issuerCert"/>,
/// as judged by <see cref="CertificateID.MatchesIssuer"/>.
/// </summary>
/// <param name="certID">CertID taken from a request or response.</param>
/// <param name="issuerCert">Candidate issuer certificate.</param>
/// <returns><c>true</c> when the CertID matches the issuer.</returns>
internal static bool CheckIfIssuersMatch(CertificateID certID, X509Certificate issuerCert)
{
    bool issuerMatches = certID.MatchesIssuer(issuerCert);
    return issuerMatches;
}
/// <summary>
/// Adds a "revoked" entry for <paramref name="cert_id"/> with reason caCompromise and the
/// current time as revocation time.
/// </summary>
/// <param name="cert_id">Identifier of the certificate being reported.</param>
public void AddCaCompromisedResponse(CertificateID cert_id)
{
    int reason = (int)CrlReason.caCompromise;
    RevokedStatus revoked = new RevokedStatus(DateTime.UtcNow, reason);
    // NOTE(review): this entry is added without a nextUpdate, unlike the good/unknown entries
    // built elsewhere in this responder — confirm that is intended.
    _builder.AddResponse(cert_id, revoked);
}
/// <summary>
/// Builds an OCSP request for the certificate with serial number <paramref name="in_NumeroSerie"/>
/// issued by <paramref name="in_CertificadoEmisor"/>. SHA-1 is used only to build the CertID
/// (issuer name/key hashes), which is what responders key on; it is not a signature here.
/// </summary>
/// <param name="in_CertificadoEmisor">Issuer certificate.</param>
/// <param name="in_NumeroSerie">Serial number of the certificate to be checked.</param>
/// <returns>The generated request.</returns>
private OcspReq GenerarRequestOCSP(X509Certificate in_CertificadoEmisor, BigInteger in_NumeroSerie)
{
    CertificateID idCertificado = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_NumeroSerie);
    OcspReq request = GenerarRequestOCSP(idCertificado);
    return request;
}
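//1. The certificate identified in a received response corresponds to
//that which was identified in the corresponding request;
/// <summary>
/// Verifies that the CertID carried by a single response identifies <paramref name="eeCert"/> as
/// issued by <paramref name="issuerCert"/>: serial number, issuer name hash and issuer key hash
/// must all agree with the CertID we would have put in the request.
/// </summary>
/// <param name="issuerCert">Issuer of the end-entity certificate.</param>
/// <param name="eeCert">End-entity certificate the response should be about.</param>
/// <param name="certificateId">CertID taken from the response.</param>
/// <exception cref="OCSPExpection">When any component of the CertID differs.</exception>
private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
{
    CertificateID expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);
    if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
    {
        throw new OCSPExpection("Invalid certificate ID in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
    {
        throw new OCSPExpection("Invalid certificate Issuer in response");
    }
    // The issuer key hash tells apart CAs that share a subject name (e.g. a re-keyed CA); without it
    // a response about another such CA's certificate with the same serial would be accepted.
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
    {
        throw new OCSPExpection("Invalid certificate Issuer key in response");
    }
}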
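/// <summary>
/// Verifies that the CertID from a single response identifies <paramref name="in_Certificado"/> as
/// issued by <paramref name="in_CertificadoEmisor"/>: serial number, issuer name hash and issuer
/// key hash must all agree with the expected CertID.
/// </summary>
/// <param name="in_CertificadoEmisor">Issuer certificate.</param>
/// <param name="in_Certificado">Certificate the response should be about.</param>
/// <param name="in_IDCertificado">CertID taken from the response.</param>
/// <exception cref="Exception">When any component of the CertID differs.</exception>
private void ValidarCertificateId(X509Certificate in_CertificadoEmisor, X509Certificate in_Certificado, CertificateID in_IDCertificado)
{
    CertificateID idEsperado = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_Certificado.SerialNumber);
    if (!idEsperado.SerialNumber.Equals(in_IDCertificado.SerialNumber))
    {
        throw new Exception("ID de Certificado invalido");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerNameHash(), in_IDCertificado.GetIssuerNameHash()))
    {
        throw new Exception("Certificado Emisor invalido");
    }
    // The issuer key hash tells apart CAs that share a subject name (e.g. a re-keyed CA); without it
    // a response about another such CA's certificate with the same serial would be accepted.
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerKeyHash(), in_IDCertificado.GetIssuerKeyHash()))
    {
        throw new Exception("Clave del Certificado Emisor invalida");
    }
}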
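/// <summary>
/// Reports whether the CertID from a single response identifies <paramref name="eeCert"/> as issued by
/// <paramref name="issuerCert"/>: serial number, issuer name hash and issuer key hash must all agree.
/// </summary>
/// <param name="issuerCert">Issuer of the end-entity certificate.</param>
/// <param name="eeCert">End-entity certificate the response should be about.</param>
/// <param name="certificateId">CertID taken from the response.</param>
/// <returns><c>true</c> when every component matches, <c>false</c> otherwise.</returns>
private static bool IsValidCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
{
    var expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);
    if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
    {
        // Invalid certificate ID in response
        return false;
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
    {
        // Invalid certificate Issuer in response
        return false;
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
    {
        // Invalid certificate Issuer key in response: the key hash tells apart CAs that share a
        // subject name, so a response about a different CA's certificate is not accepted.
        return false;
    }
    return true;
}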
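/// <summary>
/// Queues a request for the certificate identified by <paramref name="certId"/>, attaching
/// <paramref name="singleRequestExtensions"/> to that single request.
/// </summary>
/// <param name="certId">Identifier of the certificate whose status is requested.</param>
/// <param name="singleRequestExtensions">Extensions for this request entry; may be <c>null</c>.</param>
/// <exception cref="ArgumentNullException">When <paramref name="certId"/> is <c>null</c>; failing
/// here is clearer than a NullReferenceException later during encoding.</exception>
public void AddRequest(CertificateID certId, X509Extensions singleRequestExtensions)
{
    if (certId == null)
    {
        throw new ArgumentNullException("certId");
    }
    list.Add(new RequestObject(certId, singleRequestExtensions));
}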
/// <summary>
/// Adds a "good" entry for <paramref name="cert_id"/> whose nextUpdate lies
/// <c>_nextupdate</c> minutes from now; no single-response extensions are attached.
/// </summary>
/// <param name="cert_id">Identifier of the certificate being reported.</param>
public void AddGoodResponse(CertificateID cert_id)
{
    DateTime nextUpdate = DateTime.UtcNow.AddMinutes(_nextupdate);
    _builder.AddResponse(cert_id, CertificateStatus.Good, nextUpdate, null);
}
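/// <summary>
/// Builds an OCSP request for the certificate with serial number <paramref name="serialNumber"/>
/// issued by <paramref name="issuerCert"/>. The bare OID "1.3.14.3.2.26" is replaced by the named
/// SHA-1 constant so the hash algorithm of the CertID is visible and consistent with the other overloads.
/// </summary>
/// <param name="issuerCert">Issuer certificate.</param>
/// <param name="serialNumber">Serial number of the certificate to be checked.</param>
/// <returns>The generated request.</returns>
private OcspReq GenerateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
    CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
    return GenerateOcspRequest(id);
}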
/// <summary>
/// Adds an "unknown" entry for <paramref name="cert_id"/> whose nextUpdate lies
/// <c>_nextupdate</c> minutes from now; no single-response extensions are attached.
/// </summary>
/// <param name="cert_id">Identifier of the certificate being reported.</param>
public void AddUnknownResponse(CertificateID cert_id)
{
    DateTime nextUpdate = DateTime.UtcNow.AddMinutes(_nextupdate);
    UnknownStatus unknown = new UnknownStatus();
    _builder.AddResponse(cert_id, unknown, nextUpdate, null);
}
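/// <summary>
/// Builds an OCSP request for the certificate with serial number <paramref name="serialNumber"/>
/// issued by <paramref name="rootX509Certificate"/>; the CertID is built with SHA-1 hashes of the
/// issuer name and key. The two commented-out overloads that used to precede this method were
/// dead code and have been removed.
/// </summary>
/// <param name="rootX509Certificate">Issuer certificate.</param>
/// <param name="serialNumber">Serial number of the certificate to be checked.</param>
/// <returns>The generated request.</returns>
private OcspReq GenerateOcspRequest(Org.BouncyCastle.X509.X509Certificate rootX509Certificate, BigInteger serialNumber)
{
    CertificateID certificateID = new CertificateID(CertificateID.HashSha1, rootX509Certificate, serialNumber);
    return this.GenerateOcspRequest(certificateID);
}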
/// <summary>
/// Builds an OCSP request for the certificate with serial number <paramref name="serialNumber"/>
/// issued by <paramref name="issuerCert"/>; the CertID is built with SHA-1 hashes of the issuer
/// name and key.
/// </summary>
/// <param name="issuerCert">Issuer certificate.</param>
/// <param name="serialNumber">Serial number of the certificate to be checked.</param>
/// <returns>The generated request.</returns>
private OcspReq GenerateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
    CertificateID certificateId = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
    OcspReq request = GenerateOcspRequest(certificateId);
    return request;
}
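//1. The certificate identified in a received response corresponds to
//that which was identified in the corresponding request;
/// <summary>
/// Verifies that the CertID carried by a single response identifies
/// <paramref name="serverX509Certificate"/> as issued by <paramref name="rootX509Certificate"/>:
/// serial number, issuer name hash and issuer key hash must all agree with the expected CertID.
/// </summary>
/// <param name="serverX509Certificate">Certificate the response should be about.</param>
/// <param name="rootX509Certificate">Its issuer.</param>
/// <param name="certificateId">CertID taken from the response.</param>
/// <exception cref="CheckCertificateOcspUnexpectedException">When any component of the CertID differs.</exception>
private void ValidateCertificateId(Org.BouncyCastle.X509.X509Certificate serverX509Certificate, Org.BouncyCastle.X509.X509Certificate rootX509Certificate, CertificateID certificateId)
{
    CertificateID expectedId = new CertificateID(CertificateID.HashSha1, rootX509Certificate, serverX509Certificate.SerialNumber);
    if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
    {
        throw new CheckCertificateOcspUnexpectedException("Invalid certificate ID in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
    {
        throw new CheckCertificateOcspUnexpectedException("Invalid certificate Issuer in response");
    }
    // The issuer key hash tells apart CAs that share a subject name (e.g. a re-keyed CA); without it
    // a response about another such CA's certificate with the same serial would be accepted.
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
    {
        throw new CheckCertificateOcspUnexpectedException("Invalid certificate Issuer key in response");
    }
}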
/// <summary>
/// Pairs a CertID with the optional single-request extensions that accompany it in the request list.
/// </summary>
/// <param name="certId">Identifier of the certificate whose status is requested.</param>
/// <param name="extensions">Extensions for this entry, or <c>null</c> when there are none.</param>
public RequestObject(CertificateID certId, X509Extensions extensions)
{
    this.extensions = extensions;
    this.certId = certId;
}