Esempio n. 1
        /// <summary>
        /// Copies the timestamps and certificate status of the single entry in a basic
        /// OCSP response into the project's <c>OcspResponse</c> result object.
        /// </summary>
        /// <param name="brep">Decoded basic OCSP response; must hold exactly one entry.</param>
        /// <returns>A result whose Status is Good, Revoked or Unknown.</returns>
        /// <remarks>
        /// NOTE(review): nothing in this method verifies the responder signature, matches the
        /// certificate ID, or checks that thisUpdate/nextUpdate are current. Presumably the
        /// caller does so before trusting the returned status - confirm.
        /// </remarks>
        public OcspResponse ParseOcspResponse(BasicOcspResp brep)
        {
            // Single() throws unless the response carries exactly one entry.
            SingleResp entry      = brep.Responses.Single();
            var        certStatus = entry.GetCertStatus();

            // NOTE(review): nextUpdate is optional in OCSP (RFC 6960); ".Value" presumably
            // throws when the responder omits it - confirm how callers handle that.
            var parsed = new OcspResponse()
            {
                ProducedAt = brep.ProducedAt,
                ThisUpdate = entry.ThisUpdate,
                NextUpdate = entry.NextUpdate.Value
            };

            if (certStatus == CertificateStatus.Good)
            {
                parsed.Status = OcspRevocationStatus.Good;
                return(parsed);
            }

            if (certStatus is RevokedStatus revoked)
            {
                parsed.Status         = OcspRevocationStatus.Revoked;
                parsed.RevocationTime = revoked.RevocationTime;
                try
                {
                    parsed.RevocationReason = revoked.RevocationReason;
                }
                catch (InvalidOperationException)
                {
                    // The reason getter failed; -1 is stored as the "no reason" sentinel.
                    parsed.RevocationReason = -1;
                }

                return(parsed);
            }

            // Anything that is neither Good nor a RevokedStatus is reported as Unknown.
            parsed.Status = OcspRevocationStatus.Unknown;
            return(parsed);
        }
Esempio n. 2
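        /// <summary>
        /// Queries the OCSP responder URIs in order and returns the first non-null answer.
        /// </summary>
        /// <param name="ocsp">Helper from which each request is built.</param>
        /// <param name="uris">Responder URIs, tried in list order.</param>
        /// <param name="response">
        /// Fallback result returned when no responder produces an answer. Its Status is set
        /// to Error whenever a request throws.
        /// </param>
        /// <returns>
        /// The first non-null responder answer; otherwise the fallback (possibly marked Error).
        /// </returns>
        private async Task <OcspResponse> SendOcspRequests(Ocsp ocsp, IList <Uri> uris, OcspResponse response)
        {
            foreach (var uri in uris)
            {
                try
                {
                    HttpWebRequest request = CreateOcspRequest(ocsp, uri);

                    // Keep the answer in its own local: assigning a null answer straight to
                    // "response" would discard the fallback (and any Error recorded for an
                    // earlier responder), so the method could hand null back to the caller.
                    OcspResponse answer = await SendOcspRequest(request);

                    if (answer != null)
                    {
                        response = answer;
                        break;
                    }
                }
                catch (Exception ex)
                {
                    // Best effort: a failing responder is logged and the next URI is tried.
                    Log.Error(ex, $"Cannot connect to ocsp server for {uri}.");
                    if (response == null)
                    {
                        response = new OcspResponse();
                    }

                    // Record the failure so the result is never mistaken for a good status.
                    response.Status = OcspRevocationStatus.Error;
                }
            }

            return(response);
        }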
Esempio n. 3
        /// <summary>
        /// Round-trip check: decodes the stored OCSP response, rebuilds it from its parsed
        /// parts and verifies that the re-encoding equals the original bytes.
        /// </summary>
        /// <returns>A passing result when the encodings match, a failing one otherwise.</returns>
        private ITestResult Response()
        {
            try
            {
                // Decode the outer envelope and the response bytes it carries.
                OcspResponse  decoded = OcspResponse.GetInstance(Asn1Object.FromByteArray(_response));
                ResponseBytes payload = ResponseBytes.GetInstance(decoded.ResponseBytes);

                // Decode the embedded basic response from the octet string.
                byte[]            basicOctets = payload.Response.GetOctets();
                BasicOcspResponse basic       = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(basicOctets));

                // Rebuild the envelope from the parsed parts.
                var status    = decoded.ResponseStatus;
                var rewrapped = new ResponseBytes(payload.ResponseType, new DerOctetString(basic.GetEncoded()));
                var rebuilt   = new OcspResponse(status, rewrapped);

                bool roundTrips = Arrays.AreEqual(rebuilt.GetEncoded(), _response);
                if (roundTrips)
                {
                    return(new SimpleTestResult(true, Name + ": Okay"));
                }

                return(new SimpleTestResult(false, Name + ": Ocsp response failed to re-encode"));
            }
            catch (Exception failure)
            {
                // Any decoding or encoding error is reported as a failed result, not rethrown.
                return(new SimpleTestResult(false, Name + ": failed response exception - " + failure.ToString(), failure));
            }
        }
Esempio n. 4
        /// <summary>
        /// Requests an OCSP response with the same certificate as subject and issuer and
        /// expects no response (null) back.
        /// </summary>
        public void GetOCSPOfRootCa_NA()
        {
            var rootCa = new X509Certificate2(@"files/belgiumrca4.crt");

            // The certificate is passed as its own issuer.
            OcspResponse ocsp = rootCa.GetOcspResponse(rootCa);

            Assert.Null(ocsp);
        }
Esempio n. 5
        /// <summary>
        /// Wraps an encoded basic OCSP response in an <c>OcspResp</c> envelope whose response
        /// status is <c>Successful</c> and whose response type is <c>PkixOcspBasic</c>.
        /// </summary>
        /// <param name="basicOCSPResp">Encoded basic OCSP response bytes.</param>
        /// <returns>The envelope containing the given bytes as an octet string.</returns>
        /// <remarks>
        /// The status is set unconditionally and this method performs no explicit parsing or
        /// signature check of the bytes, so the result is only as trustworthy as its input.
        /// </remarks>
        public static OcspResp FromBasicToResp(byte[] basicOCSPResp)
        {
            var successful = new OcspResponseStatus(OcspResponseStatus.Successful);
            var payload    = new ResponseBytes(OcspObjectIdentifiers.PkixOcspBasic, new DerOctetString(basicOCSPResp));

            return(new OcspResp(new OcspResponse(successful, payload)));
        }
        /// <summary>
        /// Reads a TLS CertificateStatus message from the stream.
        /// </summary>
        /// <param name="input">Stream positioned at the status type byte.</param>
        /// <returns>The status type together with the decoded OCSP response.</returns>
        /// <remarks>
        /// Only status type 1 (ocsp, RFC 6066) is accepted; any other value raises a fatal
        /// alert 50 (decode_error). The OCSP response is only decoded here, not verified.
        /// </remarks>
        public static CertificateStatus Parse(Stream input)
        {
            byte statusType = TlsUtilities.ReadUint8(input);
            bool isOcsp     = statusType == 1;

            if (!isOcsp)
            {
                throw new TlsFatalAlert(50);
            }

            // The payload is read as an opaque block and then decoded as a DER object.
            byte[]       opaque = TlsUtilities.ReadOpaque24(input);
            OcspResponse ocsp   = OcspResponse.GetInstance(TlsUtilities.ReadDerObject(opaque));

            return(new CertificateStatus(statusType, ocsp));
        }
Esempio n. 7
        /// <summary>
        /// Wraps an encoded basic OCSP response in an OCSP response envelope with status
        /// <c>Successful</c> and returns the envelope's encoding.
        /// </summary>
        /// <param name="basicOcspResponse">Encoded basic OCSP response bytes.</param>
        /// <returns>The encoded envelope.</returns>
        /// <remarks>The input bytes are wrapped without any explicit validation in this method.</remarks>
        /// <exception cref="System.IO.IOException"/>
        private static byte[] BuildOCSPResponse(byte[] basicOcspResponse)
        {
            var octets   = new DerOctetString(basicOcspResponse);
            var envelope = new OcspResponse(
                new OcspResponseStatus(Org.BouncyCastle.Asn1.Ocsp.OcspResponseStatus.Successful),
                new ResponseBytes(OcspObjectIdentifiers.PkixOcspBasic, octets));

            return(new OcspResp(envelope).GetEncoded());
        }
Esempio n. 8
 /// <summary>
 /// Reads one ASN.1 object from the stream and interprets it as an OCSP response.
 /// </summary>
 /// <param name="aIn">ASN.1 input stream positioned at the response.</param>
 /// <exception cref="System.IO.IOException">
 /// Thrown for any failure while reading or decoding; the original exception is kept as
 /// the inner exception.
 /// </exception>
 private OcspResp(Asn1InputStream aIn)
 {
     try
     {
         var decoded = aIn.ReadObject();
         this.resp = OcspResponse.GetInstance(decoded);
     }
     catch (Exception cause)
     {
         // Every decoding failure is surfaced to callers as a single exception type.
         string message = "malformed response: " + cause.Message;
         throw new IOException(message, cause);
     }
 }
Esempio n. 9
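 /// <summary>
 /// Reads one ASN.1 object from the stream and interprets it as an OCSP response.
 /// </summary>
 /// <param name="aIn">ASN.1 input stream positioned at the response.</param>
 /// <exception cref="System.IO.IOException">
 /// Thrown for any failure while reading or decoding; the original exception is kept as
 /// the inner exception.
 /// </exception>
 private OcspResp(Asn1InputStream aIn)
 {
     try
     {
         resp = OcspResponse.GetInstance(aIn.ReadObject());
     }
     catch (global::System.Exception ex)
     {
         // "ex.get_Message()" was decompiler output and is not valid C#; a property
         // accessor cannot be called explicitly, so the Message property is read instead.
         throw new IOException("malformed response: " + ex.Message, ex);
     }
 }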
Esempio n. 10
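        /// <summary>
        /// Fetches an OCSP response for the new eID certificate and checks that it is
        /// successful and was produced at the current time.
        /// </summary>
        /// <remarks>
        /// Only the response status and ProducedAt are asserted; the responder signature is
        /// not verified by this test.
        /// </remarks>
        public void GetOCSPOfNewEid_Downloaded()
        {
            var target = newEid;
            var issuer = newEidIssuer;

            OcspResponse result = target.GetOcspResponse(issuer);

            // Assert non-null before touching the result; otherwise a missing response
            // surfaces as a NullReferenceException and the assertion never runs.
            Assert.NotNull(result);

            // 0 is the "successful" OCSP response status (RFC 6960).
            Assert.Equal(0, result.ResponseStatus.IntValueExact);

            BasicOcspResponse resultDetail = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(result.ResponseBytes.Response.GetOctets()));

            // Expected value first, actual second, so a failure message reads correctly.
            Assert.Equal(DateTime.UtcNow.Floor(), resultDetail.TbsResponseData.ProducedAt.ToDateTime().Floor());
        }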
Esempio n. 11
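        /// <summary>
        /// Fetches an OCSP response for the egelke certificate and checks that it is
        /// successful and not produced in the future.
        /// </summary>
        /// <remarks>
        /// Only the response status and ProducedAt are asserted; the responder signature is
        /// not verified by this test.
        /// </remarks>
        public void GetOCSPOfEgelke_Downloaded()
        {
            var target = new X509Certificate2(@"files/egelke.crt");
            var issuer = new X509Certificate2(@"files/sentigoCA.cer");

            OcspResponse result = target.GetOcspResponse(issuer);

            // Assert non-null before touching the result; otherwise a missing response
            // surfaces as a NullReferenceException and the assertion never runs.
            Assert.NotNull(result);

            // 0 is the "successful" OCSP response status (RFC 6960).
            Assert.Equal(0, result.ResponseStatus.IntValueExact);

            BasicOcspResponse resultDetail = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(result.ResponseBytes.Response.GetOctets()));

            Assert.True(resultDetail.TbsResponseData.ProducedAt.ToDateTime() <= DateTime.UtcNow);
        }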
Esempio n. 12
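        /// <summary>
        /// Asynchronously fetches an OCSP response for the new eID certificate and checks
        /// that it is successful and not produced in the future.
        /// </summary>
        /// <remarks>
        /// Only the response status and ProducedAt are asserted; the responder signature is
        /// not verified by this test.
        /// </remarks>
        public async Task GetOCSPOfNewEid_DownloadedAsync()
        {
            var target = newEid;
            var issuer = newEidIssuer;

            OcspResponse result = await target.GetOcspResponseAsync(issuer);

            // Assert non-null before touching the result; otherwise a missing response
            // surfaces as a NullReferenceException and the assertion never runs.
            Assert.IsNotNull(result);

            // 0 is the "successful" OCSP response status (RFC 6960).
            Assert.AreEqual(0, result.ResponseStatus.IntValueExact);

            BasicOcspResponse resultDetail = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(result.ResponseBytes.Response.GetOctets()));

            Assert.IsTrue(resultDetail.TbsResponseData.ProducedAt.ToDateTime() <= DateTime.UtcNow);
        }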
Esempio n. 13
    /// <summary>
    /// Reads a TLS CertificateStatus message from the stream.
    /// </summary>
    /// <param name="input">Stream positioned at the status type byte.</param>
    /// <returns>The status type together with the decoded OCSP response.</returns>
    /// <remarks>
    /// Only status type 1 (ocsp, RFC 6066) is accepted; any other value raises a fatal
    /// alert 50 (decode_error). The OCSP response is only decoded here, not verified.
    /// </remarks>
    public static CertificateStatus Parse(Stream input)
    {
        byte statusType = TlsUtilities.ReadUint8(input);

        // Reject unsupported status types before reading any payload bytes.
        if (statusType != 1)
        {
            throw new TlsFatalAlert(50);
        }

        byte[] der  = TlsUtilities.ReadOpaque24(input);
        object ocsp = OcspResponse.GetInstance(TlsUtilities.ReadDerObject(der));

        return(new CertificateStatus(statusType, ocsp));
    }
Esempio n. 14
        /// <summary>
        /// Loads the certificate, OCSP and CRL fixtures used by the tests from the
        /// <c>files/</c> directory.
        /// </summary>
        public X509CertificateHelperTest()
        {
            // New eID: certificate, issuer and a stored full OCSP response. The basic
            // response is extracted from the stored envelope's response bytes.
            newEid       = new X509Certificate2(@"files/eid79021802145-2027.crt");
            newEidIssuer = new X509Certificate2(@"files/Citizen201709.crt");

            byte[]       storedEnvelope = File.ReadAllBytes(@"files/eid79021802145-2027.ocsp-rsp");
            OcspResponse envelope       = OcspResponse.GetInstance(Asn1Sequence.GetInstance(storedEnvelope));
            byte[]       basicOctets    = envelope.ResponseBytes.Response.GetOctets();

            newEidOcsp = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(basicOctets));

            // Old eID: certificate, issuer, two stored basic OCSP responses and a CRL.
            oldEid       = new X509Certificate2(@"files/eid79021802145.crt");
            oldEidIssuer = new X509Certificate2(@"files/Citizen201204.crt");

            byte[] firstOcsp = File.ReadAllBytes(@"files/eid79021802145.ocsp");
            oldEidOcsp = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(firstOcsp));

            byte[] secondOcsp = File.ReadAllBytes(@"files/eid79021802145-2.ocsp");
            oldEidOcsp2 = BasicOcspResponse.GetInstance(Asn1Sequence.GetInstance(secondOcsp));

            byte[] crlBytes = File.ReadAllBytes(@"files/eid79021802145.crl");
            oldEidCrl = CertificateList.GetInstance(Asn1Sequence.GetInstance(crlBytes));
        }
Esempio n. 15
        /// <summary>
        /// Scan with two OCSP URIs: the request to the first throws and the second returns a
        /// response, so the scan result is expected to carry the second responder's status.
        /// </summary>
        public void Test_OcspWorker_Scan_OneInvalidThenValidOcspResponse()
        {
            // Arrange
            var certificate   = CreationHelpers.CreateCertificate();
            var bcCertificate = CreationHelpers.CreateBCCertificate();
            var issuer        = CreationHelpers.CreateIntermediate();
            var bcIssuer      = CreationHelpers.CreateBCIntermediate();

            var failingUri = new Uri("https://google.com");
            var workingUri = new Uri("https://bing.com");

            // Request objects are only created, and are matched by the mock setups below.
            HttpWebRequest workingRequest = (HttpWebRequest)WebRequest.Create(workingUri);
            HttpWebRequest failingRequest = (HttpWebRequest)WebRequest.Create(failingUri);

            var goodResponse = new OcspResponse()
            {
                Status = 0
            };

            var workerInformation = MockWorkerInformation(hostname: "google.com", certificate: certificate, issuer: issuer);
            var ocsp = MockOcsp(certificate: bcCertificate, issuer: bcIssuer, ocspUris: new[] { failingUri, workingUri });

            var previousWorker = new Mock <IAsyncWorker>();

            previousWorker.Setup(w => w.Scan(workerInformation)).ReturnsAsync(new List <ScanResult>());

            // CallBase keeps the real implementation for every member not set up below.
            var workerMock = new Mock <OcspWorker>(previousWorker.Object)
            {
                CallBase = true
            };

            workerMock.Setup(w => w.CreateOcsp(bcCertificate, bcIssuer)).Returns(ocsp);
            workerMock.Setup(w => w.CreateOcspRequest(ocsp, failingUri)).Returns(failingRequest);
            workerMock.Setup(w => w.CreateOcspRequest(ocsp, workingUri)).Returns(workingRequest);
            workerMock.Setup(w => w.SendOcspRequest(failingRequest)).ThrowsAsync(new Exception());
            workerMock.Setup(w => w.SendOcspRequest(workingRequest)).ReturnsAsync(goodResponse);

            // Act
            var worker   = workerMock.Object;
            var scanTask = worker.Scan(workerInformation);

            scanTask.Wait();

            // Assert
            var result = scanTask.Result.Single() as OcspResponse;

            // NOTE(review): VerifyAll is called without passing any mock; confirm that this
            // really verifies the setups on workerMock and previousWorker.
            Mock.VerifyAll();
            Assert.AreEqual(Enums.OcspRevocationStatus.Good, result.Status);
            Assert.IsNull(result.RevocationReason);
        }
Esempio n. 16
        /// <summary>
        /// Retrieves an OCSP response for the new eID certificate, offers it together with
        /// the stored response to <c>Verify</c>, and expects the returned response to have
        /// been produced at the current time.
        /// </summary>
        public void VerifyOCSPOfNewEid_LiveRetrieval()
        {
            var subject = newEid;
            var signer  = newEidIssuer;

            OcspResponse      envelope = subject.GetOcspResponse(signer);
            byte[]            octets   = envelope.ResponseBytes.Response.GetOctets();
            BasicOcspResponse liveOcsp = BasicOcspResponse.GetInstance(Asn1Object.FromByteArray(octets));

            // Retrieved response first, stored fixture second.
            var candidates = new List <BasicOcspResponse> { liveOcsp, newEidOcsp };

            BasicOcspResponse selected = subject.Verify(signer, DateTime.UtcNow, candidates);

            Assert.NotNull(selected);
            Assert.Equal(DateTime.UtcNow.Floor(), selected.TbsResponseData.ProducedAt.ToDateTime().Floor());
        }
Esempio n. 17
        /**
         * Read a {@link CertificateStatus} from a {@link Stream}.
         *
         * Only the ocsp status type is accepted; any other value raises a fatal
         * decode_error alert. The OCSP response is decoded here but not verified.
         *
         * @param input
         *            the {@link Stream} to read from.
         * @return the parsed {@link CertificateStatus}.
         * @throws IOException
         */
        public static CertificateStatus Parse(Stream input)
        {
            byte statusType = TlsUtilities.ReadUint8(input);

            // Reject unsupported status types before reading any payload bytes.
            if (statusType != CertificateStatusType.ocsp)
            {
                throw new TlsFatalAlert(AlertDescription.decode_error);
            }

            byte[] derEncoding = TlsUtilities.ReadOpaque24(input);
            object response    = OcspResponse.GetInstance(TlsUtilities.ReadDerObject(derEncoding));

            return(new CertificateStatus(statusType, response));
        }
Esempio n. 18
        /// <summary>
        /// Runs the previous worker, then appends an OCSP result for the scanned certificate.
        /// </summary>
        /// <param name="workerInformation">Scan context holding the certificate and its issuer.</param>
        /// <returns>
        /// The previous worker's results, with one OCSP result added when a certificate is present.
        /// </returns>
        /// <remarks>
        /// The OCSP result starts as Unknown and is replaced only by what the responders
        /// return. Consumers should treat Unknown and Error as "not verified", never as Good.
        /// </remarks>
        public async Task <List <ScanResult> > Scan(WorkerInformation workerInformation)
        {
            var results = await this._PreviousWorker.Scan(workerInformation);

            if (workerInformation.Certificate != null)
            {
                // NOTE(review): Issuer is converted without a null check; presumably it is
                // always set when Certificate is - confirm.
                var subject    = DotNetUtilities.FromX509Certificate(workerInformation.Certificate);
                var issuer     = DotNetUtilities.FromX509Certificate(workerInformation.Issuer);
                var ocsp       = CreateOcsp(subject, issuer);
                var responders = ocsp.GetOcspUris();

                // Fallback handed to SendOcspRequests as the starting result.
                var fallback = new OcspResponse()
                {
                    Status = OcspRevocationStatus.Unknown
                };

                OcspResponse outcome = await SendOcspRequests(ocsp, responders, fallback);

                results.Add(outcome);
            }

            return(results);
        }
Esempio n. 19
 /// <summary>
 /// Wraps an already-decoded OCSP response structure.
 /// </summary>
 /// <param name="resp">The structure to wrap; it is stored as given.</param>
 public OcspResp(OcspResponse resp)
 {
     // Stored as passed in: this constructor makes no copy and performs no checks.
     this.resp = resp;
 }