/// <param name="cert"></param> /// <returns></returns> public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert) { if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST) { CertificateStatus status = new CertificateStatus(); status.Validity = CertificateValidity.VALID; status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST; status.Certificate = cert.GetCertificate(); return(status); } CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert); if (issuer == null) { return(null); } IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp); ICrlSource crlSource = new ListCRLSource(neededCRL); OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier(); verifier.SetCrlSource(crlSource); verifier.SetOcspSource(ocspSource); return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate ())); }
public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer , DateTime validationDate) { CertificateStatusVerifier ocspVerifier = new OCSPCertificateVerifier(GetOcspSource ()); //LOG.Info("OCSP request for " + cert.SubjectDN); CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate ); if (result != null && result.Validity != CertificateValidity.UNKNOWN) { //LOG.Info("OCSP validation done, don't need for CRL"); return(result); } else { //LOG.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN); CRLCertificateVerifier crlVerifier = new CRLCertificateVerifier(GetCrlSource()); result = crlVerifier.Check(cert, potentialIssuer, validationDate); if (result != null && result.Validity != CertificateValidity.UNKNOWN) { //LOG.Info("CRL check has been performed. Valid or not, the verification is done"); return(result); } else { //LOG.Info("We had no response from OCSP nor CRL"); return(null); } } }
private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCSPSource) { if (optionalCRLSource != null || optionalOCSPSource != null) { LOG.Info("Verify with offline services"); OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier(); verifier.SetCrlSource(optionalCRLSource); verifier.SetOcspSource(optionalOCSPSource); CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer. GetCertificate(), validationDate); if (status != null) { return(status); } } LOG.Info("Verify with online services"); OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier( ); onlineVerifier.SetCrlSource(crlSource); onlineVerifier.SetOcspSource(ocspSource); return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate (), validationDate)); }
/// <summary>The default constructor for RevocationVerificationResult.</summary> /// <remarks>The default constructor for RevocationVerificationResult.</remarks> public RevocationVerificationResult(CertificateStatus certificateStatus) { if (certificateStatus != null) { this.certificateStatus = certificateStatus; } else { this.certificateStatus = new CertificateStatus(); this.certificateStatus.Validity = CertificateValidity.UNKNOWN; } }
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate) { try { CertificateStatus report = new CertificateStatus(); report.Certificate = childCertificate; report.ValidationDate = validationDate; report.IssuerCertificate = certificate; if (crlSource == null) { LOG.Warn("CRLSource null"); return null; } X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate); if (x509crl == null) { LOG.Info("No CRL found for certificate " + childCertificate.SubjectDN); return null; } if (!IsCRLValid(x509crl, certificate, validationDate)) { LOG.Warn("The CRL is not valid !"); return null; } report.StatusSource = x509crl; report.Validity = CertificateValidity.UNKNOWN; report.Certificate = childCertificate; report.StatusSourceType = ValidatorSourceType.CRL; report.ValidationDate = validationDate; X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber); if (null == crlEntry) { LOG.Info("CRL OK for: " + childCertificate.SubjectDN); report.Validity = CertificateValidity.VALID; } else { if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After { LOG.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate ); report.Validity = CertificateValidity.VALID; report.RevocationObjectIssuingTime = x509crl.ThisUpdate; } else { LOG.Info("CRL reports certificate: " + childCertificate.SubjectDN + " as revoked since " + crlEntry.RevocationDate); report.Validity = CertificateValidity.REVOKED; report.RevocationObjectIssuingTime = x509crl.ThisUpdate; report.RevocationDate = crlEntry.RevocationDate; } } return report; } catch (IOException e) { LOG.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message); return null; } }
/// <param name="status">the status to set</param> public virtual void SetStatus(CertificateStatus status) { this.status = status; }
/// <summary>Build the validation context for the specific date</summary> /// <param name="validationDate"></param> /// <param name="optionalSource"></param> /// <exception cref="System.IO.IOException"></exception> public virtual void Validate(DateTime validationDate, CertificateSource optionalSource , ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource) { int previousSize = revocationInfo.Count; int previousVerified = VerifiedTokenCount(); SignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { CertificateSource otherSource = optionalSource; if (signedToken != null) { otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource (), optionalSource); } CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate ); RevocationData data = null; if (issuer == null) { LOG.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { AddNotYetVerifiedToken(new CertificateToken(issuer)); if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate ().IssuerDN)) { SignedToken trustedToken = new CertificateToken(issuer); RevocationData noNeedToValidate = new RevocationData(); // noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST) { SignedToken trustedToken = new CertificateToken(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { LOG.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new RuntimeException("Not supported token type " + signedToken.GetType().Name ); } } } Validate(signedToken, data); LOG.Info(this.ToString()); int newSize = revocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource); } } }