/// <summary>
/// Insert the certificate in the certificate list and check the certificate validity.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCert"></param>
/// <param name="ocspServers"></param>
/// <param name="crlList"></param>
/// <param name="digestMethod"></param>
/// <param name="addCertificateOcspUrl"></param>
/// <param name="extraCerts"></param>
/// <param name="useNonce">If true then nonce will be used. The ocsp server should support this. OCSP reposnder in Microsoft Windows must be configured explicitly to support nonce.</param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <OcspServer> ocspServers,
IEnumerable <X509Crl> crlList, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, X509Certificate2[] extraCerts = null, bool useNonce = true)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate
{
Id = "Cert" + guidCert,
PkiData = cert.GetRawCertData()
};
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod, addCertificateOcspUrl, useNonce);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(ocspCerts);
if (!EquivalentDN(startOcspCert.IssuerName, enumerator.Current.Certificate.SubjectName))
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, addCertificateOcspUrl, extraCerts);
}
}
/// <summary>
/// Inserta en la lista de certificados el certificado y comprueba la valided del certificado.
/// </summary>
/// <param name="cert"></param>
/// <param name="unsignedProperties"></param>
/// <param name="addCertValue"></param>
/// <param name="extraCerts"></param>
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string guidCert = Guid.NewGuid().ToString();
Cert chainCert = new Cert();
chainCert.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
chainCert.IssuerSerial.X509SerialNumber = CertUtil.HexToDecimal(cert.SerialNumber);
DigestUtil.SetCertDigest(cert.GetRawCertData(), _firma.RefsDigestMethod, chainCert.CertDigest);
chainCert.URI = "#Cert" + guidCert;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(chainCert);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + guidCert;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
var chain = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chain.Count > 1)
{
X509ChainElementEnumerator enumerator = chain.GetEnumerator();
enumerator.MoveNext(); // el mismo certificado que el pasado por parametro
enumerator.MoveNext();
bool valid = ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate);
if (!valid)
{
var ocspCerts = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate);
if (ocspCerts != null)
{
X509Certificate2 startOcspCert = DetermineStartCert(new List <X509Certificate2>(ocspCerts));
if (startOcspCert.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
var chainOcsp = CertUtil.GetCertChain(startOcspCert, ocspCerts);
AddCertificate(chainOcsp.ChainElements[1].Certificate, unsignedProperties, true, ocspCerts);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, extraCerts);
}
}
private void AddCertificate(X509Certificate2 cert, UnsignedProperties unsignedProperties, bool addCert, IEnumerable <string> ocspServers, IEnumerable <X509Crl> crlList, FirmaXades.Crypto.DigestMethod digestMethod, X509Certificate2[] extraCerts = null)
{
if (addCert)
{
if (CertificateChecked(cert, unsignedProperties))
{
return;
}
string str = Guid.NewGuid().ToString();
Cert cert2 = new Cert();
cert2.IssuerSerial.X509IssuerName = cert.IssuerName.Name;
cert2.IssuerSerial.X509SerialNumber = cert.GetSerialNumberAsDecimalString();
DigestUtil.SetCertDigest(cert.GetRawCertData(), digestMethod, cert2.CertDigest);
cert2.URI = "#Cert" + str;
unsignedProperties.UnsignedSignatureProperties.CompleteCertificateRefs.CertRefs.CertCollection.Add(cert2);
EncapsulatedX509Certificate encapsulatedX509Certificate = new EncapsulatedX509Certificate();
encapsulatedX509Certificate.Id = "Cert" + str;
encapsulatedX509Certificate.PkiData = cert.GetRawCertData();
unsignedProperties.UnsignedSignatureProperties.CertificateValues.EncapsulatedX509CertificateCollection.Add(encapsulatedX509Certificate);
}
X509ChainElementCollection chainElements = CertUtil.GetCertChain(cert, extraCerts).ChainElements;
if (chainElements.Count > 1)
{
X509ChainElementEnumerator enumerator = chainElements.GetEnumerator();
enumerator.MoveNext();
enumerator.MoveNext();
if (!ValidateCertificateByCRL(unsignedProperties, cert, enumerator.Current.Certificate, crlList, digestMethod))
{
X509Certificate2[] array = ValidateCertificateByOCSP(unsignedProperties, cert, enumerator.Current.Certificate, ocspServers, digestMethod);
if (array != null)
{
X509Certificate2 x509Certificate = DetermineStartCert(new List <X509Certificate2>(array));
if (x509Certificate.IssuerName.Name != enumerator.Current.Certificate.SubjectName.Name)
{
X509Chain certChain = CertUtil.GetCertChain(x509Certificate, array);
AddCertificate(certChain.ChainElements[1].Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, array);
}
}
}
AddCertificate(enumerator.Current.Certificate, unsignedProperties, true, ocspServers, crlList, digestMethod, extraCerts);
}
}
private OcspReq GenerateOcspRequest(CertificateID id, GeneralName requestorName,
System.Security.Cryptography.X509Certificates.X509Certificate2 signCertificate)
{
OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();
ocspRequestGenerator.AddRequest(id);
if (requestorName != null)
{
ocspRequestGenerator.SetRequestorName(requestorName);
}
ArrayList oids = new ArrayList();
Hashtable values = new Hashtable();
oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
_nonceAsn1OctetString = new DerOctetString(new DerOctetString(BigInteger.ValueOf(DateTime.Now.Ticks).ToByteArray()));
values.Add(OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(false, _nonceAsn1OctetString));
ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));
if (signCertificate != null)
{
return(ocspRequestGenerator.Generate((RSACryptoServiceProvider)signCertificate.PrivateKey, CertUtil.GetCertChain(signCertificate)));
}
else
{
return(ocspRequestGenerator.Generate());
}
}