private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod) { bool byKey = false; List <string> list = new List <string>(); Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate x509Certificate = issuer.ToBouncyX509Certificate(); OcspClient ocspClient = new OcspClient(); string authorityInformationAccessOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(x509Certificate); if (!string.IsNullOrEmpty(authorityInformationAccessOcspUrl)) { list.Add(authorityInformationAccessOcspUrl); } foreach (string ocspServer in ocspServers) { list.Add(ocspServer); } foreach (string item in list) { byte[] array = ocspClient.QueryBinary(eeCert, x509Certificate, item); switch (ocspClient.ProcessOcspResponse(array)) { case FirmaXades.Clients.CertificateStatus.Revoked: throw new Exception("Certificado revocado"); case FirmaXades.Clients.CertificateStatus.Good: { OcspResp ocspResp = new OcspResp(array); byte[] encoded = ocspResp.GetEncoded(); BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); string str = Guid.NewGuid().ToString(); OCSPRef oCSPRef = new OCSPRef(); oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + str; DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest); ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object(); string responderName = GetResponderName(responderId, ref byKey); if (!byKey) { oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName); } else { oCSPRef.OCSPIdentifier.ResponderID = responderName; oCSPRef.OCSPIdentifier.ByKey = true; } oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef); OCSPValue oCSPValue = new OCSPValue(); oCSPValue.PkiData = encoded; oCSPValue.Id = "OcspValue" + str; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue); return((from cert in basicOcspResp.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } } throw new Exception("El certificado no ha podido ser validado"); }
/// <summary> /// For level -XL or C, every BasicOcspResponse values contained in the IValidationContext must be in the /// RevocationValues or the RevocationRef of the signature /// </summary> /// <param name="ctx"></param> /// <param name="refs"></param> /// <param name="signingCert"></param> /// <returns></returns> protected internal virtual bool EveryOCSPValueOrRefAreThere <_T0>(IValidationContext ctx, IList <_T0> ocspValuesOrRef, ICAdESLogger logger) { if (ctx is null) { throw new ArgumentNullException(nameof(ctx)); } if (ocspValuesOrRef is null) { throw new ArgumentNullException(nameof(ocspValuesOrRef)); } foreach (BasicOcspResp ocspResp in ctx.NeededOCSPResp) { logger.Info("Looking for the OcspResp produced at " + ocspResp.ProducedAt); bool found = false; foreach (object valueOrRef in ocspValuesOrRef) { if (valueOrRef is BasicOcspResp) { BasicOcspResp sigResp = (BasicOcspResp)valueOrRef; if (sigResp.Equals(ocspResp)) { found = true; break; } } if (valueOrRef is OCSPRef) { OCSPRef @ref = (OCSPRef)valueOrRef; if (@ref.Match(ocspResp)) { found = true; break; } } } logger.Info("Ref " + (found ? " found" : " not found")); if (!found) { return(false); } } return(true); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl) { bool byKey = false; List <OcspServer> finalOcspServers = new List <OcspServer>(); Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate(); Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate(); OcspClient ocsp = new OcspClient(); if (addCertificateOcspUrl) { string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { finalOcspServers.Add(new OcspServer(certOcspUrl)); } } foreach (var ocspServer in ocspServers) { finalOcspServers.Add(ocspServer); } foreach (var ocspServer in finalOcspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspServer.Url, ocspServer.RequestorName, ocspServer.SignCertificate); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificado revocado"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, digestMethod, ocspRef.CertDigest); ResponderID rpId = or.ResponderId.ToAsn1Object(); ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey); ocspRef.OCSPIdentifier.ByKey = byKey; ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue(); ocspValue.PkiData = rEncoded; ocspValue.Id = "OcspValue" + guidOcsp; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return((from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } throw new Exception("El certificado no ha podido ser validado"); }