/// <summary>Verifies a certificate against a single OCSP response.</summary>
/// <remarks>
/// Every single response inside <paramref name="ocspResp"/> is examined in turn. The first one that
/// matches <paramref name="signCert"/> by serial number and issuer, is still valid at
/// <paramref name="signDate"/>, and reports the status "good" makes the method succeed. Entries that
/// fail any of those checks are skipped rather than treated as a negative answer, so a "revoked" or
/// "unknown" entry simply leads to <see langword="false"/> once all entries are exhausted.
/// The response itself is only handed to <see cref="IsValidResponse"/> for a matching "good" entry
/// and that call's outcome is not inspected here; a non-genuine response is presumably reported by an
/// exception from that call (confirm against its implementation).
/// </remarks>
/// <param name="ocspResp">the OCSP response; <see langword="null"/> yields <see langword="false"/></param>
/// <param name="signCert">the certificate that needs to be checked</param>
/// <param name="issuerCert">the certificate of CA (certificate that issued signCert). This certificate is considered trusted and valid by this method.
/// When <see langword="null"/>, signCert itself is used in its place.</param>
/// <param name="signDate">sign date</param>
/// <returns><see langword="true"/> in case of a successful check, otherwise <see langword="false"/>.</returns>
public virtual bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, DateTime signDate) {
    if (ocspResp == null) {
        return false;
    }
    foreach (SingleResp singleResp in ocspResp.Responses) {
        // Only entries about the certificate under test are of interest.
        if (!signCert.SerialNumber.Equals(singleResp.GetCertID().SerialNumber)) {
            continue;
        }
        // The issuer must match as well; with no issuer given, signCert stands in for it.
        try {
            if (issuerCert == null) {
                issuerCert = signCert;
            }
            if (!SignUtils.CheckIfIssuersMatch(singleResp.GetCertID(), issuerCert)) {
                LOGGER.Info("OCSP: Issuers doesn't match.");
                continue;
            }
        }
        catch (OcspException) {
            continue;
        }
        // The entry must still be valid at signing time. Without a "next update" a short grace
        // period after "this update" is assumed (Add180Sec; presumably 180 seconds).
        if (singleResp.NextUpdate != null) {
            if (signDate.After(singleResp.NextUpdate)) {
                LOGGER.Info(MessageFormatUtil.Format("OCSP no longer valid: {0} after {1}", signDate, singleResp.NextUpdate));
                continue;
            }
        }
        else {
            DateTime assumedNextUpdate = SignUtils.Add180Sec(singleResp.ThisUpdate);
            LOGGER.Info(MessageFormatUtil.Format("No 'next update' for OCSP Response; assuming {0}", assumedNextUpdate));
            if (signDate.After(assumedNextUpdate)) {
                LOGGER.Info(MessageFormatUtil.Format("OCSP no longer valid: {0} after {1}", signDate, assumedNextUpdate));
                continue;
            }
        }
        // Anything other than "good" is not accepted; the remaining entries are still examined.
        Object status = singleResp.GetCertStatus();
        if (status != CertificateStatus.Good) {
            continue;
        }
        // Genuineness of the response is checked last, only for an entry that would be accepted.
        IsValidResponse(ocspResp, issuerCert, signDate);
        return true;
    }
    return false;
}