Esempio n. 1
0
        /// <param name="cert"></param>
        /// <returns></returns>
        public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext
                                                                         cert)
        {
            if (cert.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
            {
                CertificateStatus status = new CertificateStatus();
                status.Validity         = CertificateValidity.VALID;
                status.StatusSourceType = ValidatorSourceType.TRUSTED_LIST;
                status.Certificate      = cert.GetCertificate();
                return(status);
            }
            CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);

            if (issuer == null)
            {
                return(null);
            }
            IOcspSource ocspSource = new ListOCSPSource(neededOCSPResp);
            ICrlSource  crlSource  = new ListCRLSource(neededCRL);
            OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();

            verifier.SetCrlSource(crlSource);
            verifier.SetOcspSource(ocspSource);
            return(verifier.Check(cert.GetCertificate(), issuer.GetCertificate(), GetValidationDate
                                      ()));
        }
Esempio n. 2
0
        public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer
                                               , DateTime validationDate)
        {
            CertificateStatusVerifier ocspVerifier = new OCSPCertificateVerifier(GetOcspSource
                                                                                     ());
            //LOG.Info("OCSP request for " + cert.SubjectDN);
            CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate
                                                          );

            if (result != null && result.Validity != CertificateValidity.UNKNOWN)
            {
                //LOG.Info("OCSP validation done, don't need for CRL");
                return(result);
            }
            else
            {
                //LOG.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN);
                CRLCertificateVerifier crlVerifier = new CRLCertificateVerifier(GetCrlSource());
                result = crlVerifier.Check(cert, potentialIssuer, validationDate);
                if (result != null && result.Validity != CertificateValidity.UNKNOWN)
                {
                    //LOG.Info("CRL check has been performed. Valid or not, the verification is done");
                    return(result);
                }
                else
                {
                    //LOG.Info("We had no response from OCSP nor CRL");
                    return(null);
                }
            }
        }
Esempio n. 3
0
        private CertificateStatus GetCertificateValidity(CertificateAndContext cert, CertificateAndContext
                                                         potentialIssuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource
                                                         optionalOCSPSource)
        {
            if (optionalCRLSource != null || optionalOCSPSource != null)
            {
                LOG.Info("Verify with offline services");
                OCSPAndCRLCertificateVerifier verifier = new OCSPAndCRLCertificateVerifier();
                verifier.SetCrlSource(optionalCRLSource);
                verifier.SetOcspSource(optionalOCSPSource);
                CertificateStatus status = verifier.Check(cert.GetCertificate(), potentialIssuer.
                                                          GetCertificate(), validationDate);
                if (status != null)
                {
                    return(status);
                }
            }
            LOG.Info("Verify with online services");
            OCSPAndCRLCertificateVerifier onlineVerifier = new OCSPAndCRLCertificateVerifier(
                );

            onlineVerifier.SetCrlSource(crlSource);
            onlineVerifier.SetOcspSource(ocspSource);
            return(onlineVerifier.Check(cert.GetCertificate(), potentialIssuer.GetCertificate
                                            (), validationDate));
        }
		/// <summary>The default constructor for RevocationVerificationResult.</summary>
		/// <remarks>The default constructor for RevocationVerificationResult.</remarks>
		public RevocationVerificationResult(CertificateStatus certificateStatus)
		{
			if (certificateStatus != null)
			{
				this.certificateStatus = certificateStatus;
			}
			else
			{
				this.certificateStatus = new CertificateStatus();
				this.certificateStatus.Validity = CertificateValidity.UNKNOWN;
			}
		}
Esempio n. 5
0
		public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate
			 certificate, DateTime validationDate)
		{
			try
			{
				CertificateStatus report = new CertificateStatus();
				report.Certificate = childCertificate;
				report.ValidationDate = validationDate;
				report.IssuerCertificate = certificate;
				if (crlSource == null)
				{
					LOG.Warn("CRLSource null");
					return null;
				}
				X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate);
				if (x509crl == null)
				{
					LOG.Info("No CRL found for certificate " + childCertificate.SubjectDN);
					return null;
				}
				if (!IsCRLValid(x509crl, certificate, validationDate))
				{
					LOG.Warn("The CRL is not valid !");
					return null;
				}
				report.StatusSource = x509crl;
				report.Validity = CertificateValidity.UNKNOWN;
				report.Certificate = childCertificate;
				report.StatusSourceType = ValidatorSourceType.CRL;
				report.ValidationDate = validationDate;
				X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber);
				if (null == crlEntry)
				{
					LOG.Info("CRL OK for: " + childCertificate.SubjectDN);
					report.Validity = CertificateValidity.VALID;
				}
				else
				{
					if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After
					{
						LOG.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate
							);
						report.Validity = CertificateValidity.VALID;
						report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
					}
					else
					{
						LOG.Info("CRL reports certificate: " + childCertificate.SubjectDN
							 + " as revoked since " + crlEntry.RevocationDate);
						report.Validity = CertificateValidity.REVOKED;
						report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
						report.RevocationDate = crlEntry.RevocationDate;
					}
				}
				return report;
			}
			catch (IOException e)
			{
				LOG.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message);
				return null;
			}
		}
Esempio n. 6
0
		/// <param name="status">the status to set</param>
		public virtual void SetStatus(CertificateStatus status)
		{
			this.status = status;
		}
Esempio n. 7
0
        /// <summary>Build the validation context for the specific date</summary>
        /// <param name="validationDate"></param>
        /// <param name="optionalSource"></param>
        /// <exception cref="System.IO.IOException"></exception>
        public virtual void Validate(DateTime validationDate, CertificateSource optionalSource
                                     , ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
        {
            int         previousSize     = revocationInfo.Count;
            int         previousVerified = VerifiedTokenCount();
            SignedToken signedToken      = GetOneNotYetVerifiedToken();

            if (signedToken != null)
            {
                CertificateSource otherSource = optionalSource;
                if (signedToken != null)
                {
                    otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource
                                                                     (), optionalSource);
                }
                CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate
                                                                    );
                RevocationData data = null;
                if (issuer == null)
                {
                    LOG.Warn("Don't found any issuer for token " + signedToken);
                    data = new RevocationData(signedToken);
                }
                else
                {
                    AddNotYetVerifiedToken(new CertificateToken(issuer));
                    if (issuer.GetCertificate().SubjectDN.Equals(issuer.GetCertificate
                                                                     ().IssuerDN))
                    {
                        SignedToken    trustedToken     = new CertificateToken(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        // noNeedToValidate.setRevocationData(CertificateSourceType.TRUSTED_LIST);
                        Validate(trustedToken, noNeedToValidate);
                    }
                    if (issuer.GetCertificateSource() == CertificateSourceType.TRUSTED_LIST)
                    {
                        SignedToken    trustedToken     = new CertificateToken(issuer);
                        RevocationData noNeedToValidate = new RevocationData();
                        noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
                        Validate(trustedToken, noNeedToValidate);
                    }
                    if (signedToken is CertificateToken)
                    {
                        CertificateToken  ct     = (CertificateToken)signedToken;
                        CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(),
                                                                          issuer, validationDate, optionalCRLSource, optionalOCPSSource);
                        data = new RevocationData(signedToken);
                        if (status != null)
                        {
                            data.SetRevocationData(status.StatusSource);
                            if (status.StatusSource is X509Crl)
                            {
                                AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
                            }
                            else
                            {
                                if (status.StatusSource is BasicOcspResp)
                                {
                                    AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
                                }
                            }
                        }
                        else
                        {
                            LOG.Warn("No status for " + signedToken);
                        }
                    }
                    else
                    {
                        if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
                        {
                            data = new RevocationData(signedToken);
                            data.SetRevocationData(issuer);
                        }
                        else
                        {
                            throw new RuntimeException("Not supported token type " + signedToken.GetType().Name
                                                       );
                        }
                    }
                }
                Validate(signedToken, data);
                LOG.Info(this.ToString());
                int newSize     = revocationInfo.Count;
                int newVerified = VerifiedTokenCount();
                if (newSize != previousSize || newVerified != previousVerified)
                {
                    Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource);
                }
            }
        }