Esempio n. 1
0
        public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert)
        {
            if (cert is null)
            {
                throw new ArgumentNullException(nameof(cert));
            }

            if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST)
            {
                CertificateStatus status = new CertificateStatus
                {
                    Validity         = CertificateValidity.VALID,
                    StatusSourceType = ValidatorSourceType.TRUSTED_LIST,
                    Certificate      = cert.Certificate
                };
                return(status);
            }
            CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);

            if (issuer == null)
            {
                return(null);
            }
            IOcspSource ocspSource = new ListOCSPSource(NeededOCSPResp);
            ICrlSource  crlSource  = new ListCRLSource(NeededCRL);
            var         verifier   = certificateVerifierFactory(ocspSource, crlSource);

            return(verifier.Check(cert.Certificate, issuer.Certificate, ValidationDate));
        }
Esempio n. 2
0
        public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer, DateTime validationDate)
        {
            if (cert is null)
            {
                throw new ArgumentNullException(nameof(cert));
            }

            logger.Info("OCSP request for " + cert.SubjectDN);
            CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate);

            if (result != null && result.Validity != CertificateValidity.UNKNOWN)
            {
                logger.Info(OCSPDoneMessage);
                return(result);
            }
            else
            {
                logger.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN);
                result = crlVerifier.Check(cert, potentialIssuer, validationDate);
                if (result != null && result.Validity != CertificateValidity.UNKNOWN)
                {
                    logger.Info(CLRDoneMessage);
                    return(result);
                }
                else
                {
                    logger.Info(NoResponceMessage);
                    return(null);
                }
            }
        }
        public CertificateVerification(CertificateAndContext cert, IValidationContext ctx)
        {
            if (ctx is null)
            {
                throw new System.ArgumentNullException(nameof(ctx));
            }

            CertificateAndContext = cert;
            if (cert != null)
            {
                try
                {
                    cert.Certificate.CheckValidity(ctx.ValidationDate);
                    validityPeriodVerification = new Result(ResultStatus.VALID, null);
                }
                catch (CertificateExpiredException)
                {
                    validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateExpired");
                }
                catch (CertificateNotYetValidException)
                {
                    validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateNotYetValid");
                }
                CertificateStatus status = ctx.GetCertificateStatusFromContext(cert);
                if (status != null)
                {
                    certificateStatus = new RevocationVerificationResult(status);
                }

                Summary.SetStatus(ResultStatus.VALID, null);
                if (ValidityPeriodVerification.IsInvalid)
                {
                    Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateIsNotValid");
                }
                if (CertificateStatus != null)
                {
                    if (CertificateStatus.Status == CertificateValidity.REVOKED)
                    {
                        Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateRevoked");
                    }
                    else
                    {
                        if (CertificateStatus.Status == CertificateValidity.UNKNOWN)
                        {
                            Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_RevocationUnknown");
                        }
                    }
                }
                else if (!ValidityPeriodVerification.IsInvalid)
                {
                    Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_NoRevocationData");
                }
            }
        }
 public RevocationVerificationResult(CertificateStatus certificateStatus)
 {
     if (certificateStatus != null)
     {
         this.certificateStatus = certificateStatus;
     }
     else
     {
         this.certificateStatus = new CertificateStatus
         {
             Validity = CertificateValidity.UNKNOWN
         };
     }
 }
        public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
        {
            CertificateStatus status = new CertificateStatus
            {
                Certificate       = childCertificate,
                ValidationDate    = validationDate,
                IssuerCertificate = certificate
            };

            if (ocspSource == null)
            {
                logger.Warn("OCSPSource null");
                return(null);
            }
            try
            {
                BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate);
                if (null == ocspResp)
                {
                    logger.Info("OCSP response not found");
                    return(null);
                }
                BasicOcspResp basicOCSPResp = ocspResp;
                CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate, childCertificate.SerialNumber);
                SingleResp[]  singleResps   = basicOCSPResp.Responses;
                foreach (SingleResp singleResp in singleResps)
                {
                    CertificateID responseCertificateId = singleResp.GetCertID();
                    if (!certificateId.Equals(responseCertificateId))
                    {
                        continue;
                    }
                    DateTime thisUpdate = singleResp.ThisUpdate;
                    logger.Info("OCSP thisUpdate: " + thisUpdate);
                    logger.Info("OCSP nextUpdate: " + singleResp.NextUpdate);
                    status.StatusSourceType            = ValidatorSourceType.OCSP;
                    status.StatusSource                = ocspResp;
                    status.RevocationObjectIssuingTime = ocspResp.ProducedAt;
                    if (null == singleResp.GetCertStatus())
                    {
                        logger.Info("OCSP OK for: " + childCertificate.SubjectDN);
                        status.Validity = CertificateValidity.VALID;
                    }
                    else
                    {
                        logger.Info("OCSP certificate status: " + singleResp.GetCertStatus().GetType().FullName);
                        if (singleResp.GetCertStatus() is RevokedStatus)
                        {
                            logger.Info("OCSP status revoked");
                            if (validationDate.CompareTo(((RevokedStatus)singleResp.GetCertStatus()).RevocationTime) < 0)
                            {
                                logger.Info("OCSP revocation time after the validation date, the certificate was valid at "
                                            + validationDate);
                                status.Validity = CertificateValidity.VALID;
                            }
                            else
                            {
                                status.RevocationDate = ((RevokedStatus)singleResp.GetCertStatus()).RevocationTime;
                                status.Validity       = CertificateValidity.REVOKED;
                            }
                        }
                        else
                        {
                            if (singleResp.GetCertStatus() is UnknownStatus)
                            {
                                logger.Info("OCSP status unknown");
                                status.Validity = CertificateValidity.UNKNOWN;
                            }
                        }
                    }
                    return(status);
                }
                logger.Info("no matching OCSP response entry");
                return(null);
            }
            catch (IOException ex)
            {
                logger.Error("OCSP exception: " + ex.Message);
                return(null);
            }
            catch (OcspException ex)
            {
                logger.Error("OCSP exception: " + ex.Message);
                throw;
            }
        }
Esempio n. 6
0
 /// <param>
 /// the status to set
 /// </param>
 public virtual void SetStatus(CertificateStatus status)
 {
     this.status = status;
 }
Esempio n. 7
0
        /// <summary>
        /// Build the validation context for the specific date
        /// </summary>
        public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
        {
            int          previousSize     = RevocationInfo.Count;
            int          previousVerified = VerifiedTokenCount();
            ISignedToken signedToken      = GetOneNotYetVerifiedToken();

            if (signedToken != null)
            {
                ICertificateSource    otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
                CertificateAndContext issuer      = GetIssuerCertificate(signedToken, otherSource, validationDate);
                RevocationData        data        = null;
                if (issuer == null)
                {
                    logger?.Warn("Don't found any issuer for token " + signedToken);
                    data = new RevocationData(signedToken);
                }
                else
                {
                    usedCerts?.Add(issuer);
                    AddNotYetVerifiedToken(certificateTokenFactory(issuer));
                    if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN))
                    {
                        ISignedToken   trustedToken     = certificateTokenFactory(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
                        {
                            noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                        }
                        Validate(trustedToken, noNeedToValidate);
                    }
                    else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
                    {
                        ISignedToken   trustedToken     = certificateTokenFactory(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                        Validate(trustedToken, noNeedToValidate);
                    }
                    if (signedToken is CertificateToken)
                    {
                        CertificateToken  ct     = (CertificateToken)signedToken;
                        CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
                        data = new RevocationData(signedToken);
                        if (status != null)
                        {
                            data.SetRevocationData(status.StatusSource);
                            if (status.StatusSource is X509Crl)
                            {
                                AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
                            }
                            else
                            {
                                if (status.StatusSource is BasicOcspResp)
                                {
                                    AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
                                }
                            }
                        }
                        else
                        {
                            logger?.Warn("No status for " + signedToken);
                        }
                    }
                    else
                    {
                        if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
                        {
                            data = new RevocationData(signedToken);
                            data.SetRevocationData(issuer);
                        }
                        else
                        {
                            throw new Exception("Not supported token type " + signedToken.GetType().Name);
                        }
                    }
                }
                Validate(signedToken, data);
                logger?.Info(ToString());
                int newSize     = RevocationInfo.Count;
                int newVerified = VerifiedTokenCount();
                if (newSize != previousSize || newVerified != previousVerified)
                {
                    Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
                }
            }
        }
 public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
 {
     try
     {
         CertificateStatus report = new CertificateStatus
         {
             Certificate       = childCertificate,
             ValidationDate    = validationDate,
             IssuerCertificate = certificate
         };
         if (crlSource == null)
         {
             logger.Warn("CRLSource null");
             return(null);
         }
         X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate);
         if (x509crl == null)
         {
             logger.Info("No CRL found for certificate " + childCertificate.SubjectDN);
             return(null);
         }
         if (!IsCRLValid(x509crl, certificate, validationDate))
         {
             logger.Warn("The CRL is not valid !");
             return(null);
         }
         report.StatusSource     = x509crl;
         report.Validity         = CertificateValidity.UNKNOWN;
         report.Certificate      = childCertificate;
         report.StatusSourceType = ValidatorSourceType.CRL;
         report.ValidationDate   = validationDate;
         X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber);
         if (null == crlEntry)
         {
             logger.Info("CRL OK for: " + childCertificate.SubjectDN);
             report.Validity = CertificateValidity.VALID;
         }
         else
         {
             if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After
             {
                 logger.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate);
                 report.Validity = CertificateValidity.VALID;
                 report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
             }
             else
             {
                 logger.Info("CRL reports certificate: " + childCertificate.SubjectDN
                             + " as revoked since " + crlEntry.RevocationDate);
                 report.Validity = CertificateValidity.REVOKED;
                 report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
                 report.RevocationDate = crlEntry.RevocationDate;
             }
         }
         return(report);
     }
     catch (IOException e)
     {
         logger.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message);
         return(null);
     }
 }