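        /// <summary>
        /// Checks the status of the certificate against an OCSP server and returns the outcome.
        /// </summary>
        /// <remarks>
        /// The check is fail-closed: an exception thrown by the lookup client, or a null response
        /// from it, is reported as <see cref="RevocationCheckStatus.UnknownIssue"/> rather than
        /// propagated or mistaken for a pass. Nothing on this instance is modified.
        /// </remarks>
        /// <param name="revocationLookupClient">The OCSP client to use for the request</param>
        /// <returns>Returns the check status</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="revocationLookupClient"/> is null</exception>
        public RevocationResponse CheckRevocationStatus(IRevocationLookup revocationLookupClient)
        {
            if (revocationLookupClient == null)
            {
                throw new ArgumentNullException("revocationLookupClient");
            }

            RevocationResponse response = new RevocationResponse();

            try
            {
                RevocationResponse lookupResult = revocationLookupClient.CheckCertificate(x509Certificate);

                if (lookupResult == null)
                {
                    // A client that returns nothing gives no evidence either way: treat it as a failed check,
                    // not as a pass (and never dereference it in the catch below).
                    response.RevocationCheckStatus = RevocationCheckStatus.UnknownIssue;
                }
                else
                {
                    response = lookupResult;

                    if (response.Exception != null)
                    {
                        response.RevocationCheckStatus = RevocationCheckStatus.UnknownIssue;
                    }
                    else if (response.IsValid)
                    {
                        response.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed;
                    }
                    else
                    {
                        response.RevocationCheckStatus = RevocationCheckStatus.CertificateRevoked;
                    }
                }
            }
            catch (Exception e)
            {
                // Any failure of the lookup itself is recorded on the response and reported as unknown.
                // `response` is never null here: it is only replaced by a non-null lookup result.
                response.Exception             = e;
                response.RevocationCheckStatus = RevocationCheckStatus.UnknownIssue;
            }

            return(response);
        }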
        // Why use SignatureValidationStackCheck ... ?
        // If used as designed, it makes the endpoint stop if the interceptor throws an error.
        // private SignatureValidationStackCheck stackCheck;

        /// <summary>
        /// Constructor that takes the binding element extension for configuration reasons.
        /// </summary>
        /// <param name="configuration">Server-side validation configuration, handed on unchanged to the base binding element.</param>
        public ServerSignatureValidationProofBindingElement(dk.gov.oiosi.extension.wcf.Interceptor.Validation.ValidationServerConfiguration configuration) // (ServerSignatureValidationProofBindingExtensionElement configuration)
            : base(configuration)
        {
            this.logger = LoggerFactory.Create(this);

            // The revocation client is obtained from the factory rather than constructed here,
            // so the implementation stays configuration-driven.
            RevocationLookupFactory lookupFactory = new RevocationLookupFactory();
            this.revocationLookup = lookupFactory.CreateRevocationLookupClient();
            //this.stackCheck = new SignatureValidationStackCheck(GetType());
        }
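        /// <summary>
        /// Get the instance of an IRevocationLookup client based on configuration.
        /// </summary>
        /// <remarks>
        /// The client is created lazily on the first successful call, under <c>objectLock</c>, and
        /// the same instance is returned afterwards. If creation throws, the next call retries.
        /// </remarks>
        /// <returns>The shared revocation lookup client.</returns>
        public IRevocationLookup CreateRevocationLookupClient()
        {
            IRevocationLookup client;

            lock (objectLock)
            {
                if (this.revocationLookup == null)
                {
                    this.revocationLookup = this.CreateInstance();
                }

                // Return the reference read under the lock instead of re-reading the field
                // after the lock has been released.
                client = this.revocationLookup;
            }

            return(client);
        }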
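        /// <summary>
        /// Asks the configured revocation lookup (OCSP) about <paramref name="certificate"/>,
        /// prints the answer to the console and stops the run if the certificate is not valid.
        /// </summary>
        /// <param name="certificate">The certificate to check.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="certificate"/> is null.</exception>
        /// <exception cref="InvalidOperationException">Thrown when the lookup does not report the certificate as valid.</exception>
        private void Revocation(X509Certificate2 certificate)
        {
            if (certificate == null)
            {
                throw new ArgumentNullException("certificate");
            }

            // Create the OCSP client
            RevocationLookupFactory revocationLookupFactory = new RevocationLookupFactory();
            IRevocationLookup       revocationClient        = revocationLookupFactory.CreateRevocationLookupClient();

            // Check the validity status of the certificate using OCSP.
            // A missing response counts as "not valid" so the check fails closed.
            RevocationResponse revocationResponse = revocationClient.CheckCertificate(certificate);
            bool               isValid            = revocationResponse != null && revocationResponse.IsValid;

            // Print out info; the colour is reset before any throw so the console is left in a known state.
            Console.Write("  3. Certificate status returned by RevocationLookup.\n       Is valid: ");
            Console.ForegroundColor = ConsoleColor.Yellow;
            Console.WriteLine(isValid.ToString());
            Console.ForegroundColor = ConsoleColor.White;

            // Make sure the cert was valid
            if (!isValid)
            {
                throw new InvalidOperationException("The certificate returned by RevocationLookup was not valid");
            }
        }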
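        /// <summary>
        /// Validates the endpoint certificate against the configured revocation lookup (OCSP).
        /// </summary>
        /// <remarks>
        /// Fail-closed: only <see cref="RevocationCheckStatus.AllChecksPassed"/> is accepted. Every
        /// other status - including values this method does not know about, and a missing
        /// response - is turned into an exception.
        /// </remarks>
        /// <param name="endpointOcesCertificate">The endpoint certificate to check.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="endpointOcesCertificate"/> is null.</exception>
        /// <exception cref="InvalidOperationException">Thrown for any outcome other than a passed check.</exception>
        protected void ValidateEndpointCertificate(OcesX509Certificate endpointOcesCertificate)
        {
            if (endpointOcesCertificate == null)
            {
                throw new ArgumentNullException("endpointOcesCertificate");
            }

            RevocationLookupFactory ocspLookupFactory = new RevocationLookupFactory();
            IRevocationLookup       ocspClient        = ocspLookupFactory.CreateRevocationLookupClient();

            RevocationResponse ocspStatus = endpointOcesCertificate.CheckRevocationStatus(ocspClient);

            if (ocspStatus == null)
            {
                throw new InvalidOperationException("Certificate validation error");
            }

            switch (ocspStatus.RevocationCheckStatus)
            {
            case RevocationCheckStatus.AllChecksPassed:
                // all okay
                break;

            case RevocationCheckStatus.CertificateRevoked:
                throw new InvalidOperationException("Certificate validation error - CertificateRevoked");

            case RevocationCheckStatus.NotChecked:
                throw new InvalidOperationException("Certificate validation error - NotChecked");

            case RevocationCheckStatus.UnknownIssue:
                throw new InvalidOperationException("Certificate validation error - UnknownIssue");

            default:
                // An unrecognised status is an error, never a pass.
                throw new InvalidOperationException("Certificate validation error");
            }
        }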
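        /// <summary>
        /// Instantiates CertificateChecker
        /// </summary>
        /// <remarks>
        /// Any exception raised while the revocation lookup client is created propagates unchanged
        /// to the caller; nothing is caught or wrapped here.
        /// NOTE(review): a null <paramref name="defaultRootCertificate"/> is stored as-is; confirm whether
        /// the checker can work without a trust anchor before deciding to reject it here.
        /// </remarks>
        /// <param name="defaultRootCertificate">default OCES root certificate</param>
        public CertificateChecker(X509Certificate2 defaultRootCertificate)
        {
            _defaultOCESrootCertificate = defaultRootCertificate;

            //Initializes the component, that will do the actual ocsp lookup
            RevocationLookupFactory lookupFactory = new RevocationLookupFactory();
            _lookup = lookupFactory.CreateRevocationLookupClient();
        }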
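        /// <summary>
        /// Builds an instance of an IRevocationLookup client based on configuration.
        /// </summary>
        /// <remarks>
        /// The implementing type is loaded by the assembly-qualified name taken from
        /// <paramref name="config"/>, so whoever can write that configuration decides which code
        /// performs revocation checks; protect the configuration source like the binaries themselves.
        /// </remarks>
        /// <param name="config">Names the class and assembly that implement the lookup.</param>
        /// <returns>ocsp lookup</returns>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="config"/> is null.</exception>
        /// <exception cref="RevocationNoImplementingClassException">Thrown when no class name is configured.</exception>
        /// <exception cref="RevocationNoImplementingAssemblyException">Thrown when no assembly name is configured.</exception>
        /// <exception cref="FailedToLoadLookupTypeException">Thrown when the named type cannot be loaded.</exception>
        /// <exception cref="InvalidCastException">Thrown when the loaded type does not implement <see cref="IRevocationLookup"/>.</exception>
        private IRevocationLookup CreateInstance(RevocationLookupFactoryConfig config)
        {
            if (config == null)
            {
                throw new ArgumentNullException("config");
            }

            // 1. Get the type to load:
            if (string.IsNullOrEmpty(config.ImplementationNamespaceClass))
            {
                throw new RevocationNoImplementingClassException();
            }
            if (string.IsNullOrEmpty(config.ImplementationAssembly))
            {
                throw new RevocationNoImplementingAssemblyException();
            }
            string qualifiedTypename = config.ImplementationNamespaceClass + ", " + config.ImplementationAssembly;
            Type   lookupClientType  = Type.GetType(qualifiedTypename);

            if (lookupClientType == null)
            {
                throw new FailedToLoadLookupTypeException(qualifiedTypename);
            }

            // 2. Verify the contract before instantiating anything, so a misconfigured type is
            //    rejected with a clear message instead of a bare cast failure after construction.
            if (!typeof(IRevocationLookup).IsAssignableFrom(lookupClientType))
            {
                throw new InvalidCastException("Configured revocation lookup type '" + qualifiedTypename + "' does not implement IRevocationLookup");
            }

            // 3. Instantiate the type through its parameterless constructor. Activator reports a
            //    missing constructor as MissingMethodException rather than a null dereference.
            IRevocationLookup lookupClient = (IRevocationLookup)Activator.CreateInstance(lookupClientType);

            return(lookupClient);
        }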
        /// <summary>
        /// Manual check: looks a certificate up in LDAP by subject and, when it is found, asks the
        /// configured revocation lookup (OCSP/CRL) whether it is still valid. All output goes to the console.
        /// </summary>
        private void TextCertificate()
        {
            string subject = string.Empty;

            /* Production configuration */
            // specify the subject to test
            // Production certificates valid
            // subject = "CN = NemHandel test service (funktionscertifikat) + SERIALNUMBER = CVR:26769388-FID:1200406941690, O = IT- og Telestyrelsen // CVR:26769388, C = DK";
            //subject = "SERIALNUMBER=CVR:30808460-FID:1320135775022 + CN=TEST FOCES1 (funktionscertifikat), O=DANID A/S // CVR:30808460, C=DK";

            // Production certificates not valid


            /* Test configuration */
            //
            // Test certificates valid
            // subject = "CN = Testendpoint (funktionscertifikat) + SERIALNUMBER = CVR:26769388-FID:1208430425605, O = IT- og Telestyrelsen // CVR:26769388, C = DK";
            //subject = "CN = Testendpoint (funktionscertifikat) + SERIALNUMBER = CVR:26769388-FID:1208430425605, O = IT- og Telestyrelsen // CVR:26769388, C = DK";
            // Test certificates not valid
            //subject = "CN = TU GENEREL FOCES gyldig (funktionscertifikat) + SERIALNUMBER = CVR:30808460-FID:94731315, O = Danid A/S // CVR:30808460, C = DK";
            // subject = "CN=Navision (funktionscertifikat) + OID.2.5.4.5=CVR:23267519-FID:1257424251148, O=TIETGENSKOLEN // CVR:23267519, C=DK";
            //subject = "CN = TEST FOCES1 (funktionscertifikat) + SERIALNUMBER = CVR:30808460-FID:1320135775022, O = DANID A/S // CVR:30808460, C = DK";
            // not valid any more
            //subject = "CN=TU GENEREL FOCES gyldig (funktionscertifikat) + SERIALNUMBER = CVR:30808460-FID:94731315, O = Danid A/S // CVR:30808460, C = DK";
            // subject = "CN=TU GENEREL FOCES gyldig (funktionscertifikat) + SERIALNUMBER=CVR:30808460-FID:94731315, O=Danid A/S // CVR:30808460, C=DK";
            // subject = "CN=FOCES1 (funktionscertifikat) + SERIALNUMBER=CVR:30808460-FID:1255692730737, O=DANID A/S // CVR:30808460, C=DK";
            // subject = "CN=TU GENEREL MOCES gyldig + SERIALNUMBER=CVR:30808460-RID:45490598, O=Danid A/S // CVR:30808460, C=DK";

            subject = "CN = mySupply NemHandel - Foces2 (funktionscertifikat) + SERIALNUMBER = CVR:32433030-FID:27705483, O = mySupply NemHandel // CVR:32433030, C = DK";

            //subject = "SERIALNUMBER=CVR:34051178-FID:56940413 + CN=NemLog-in ADFS Test (funktionscertifikat), O=Digitaliseringsstyrelsen // CVR:34051178, C=DK";

            // Retrieve the certificate from LDAP, if it is present.
            CertificateSubject certificateSubject = new CertificateSubject(subject);
            LdapLookupFactory  ldapClientFactory  = new LdapLookupFactory();
            ICertificateLookup ldapClient         = ldapClientFactory.CreateLdapLookupClient();
            X509Certificate2   certificate        = ldapClient.GetCertificate(certificateSubject);

            if (certificate == null)
            {
                WriteSubjectLine(subject, ConsoleColor.Red, " NOT found in LDAP.");
            }
            else
            {
                WriteSubjectLine(subject, ConsoleColor.Yellow, " found in LDAP.");

                // Only a certificate that exists can be checked for revocation.
                ReportRevocationStatus(certificate);
            }

            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine();
            Console.WriteLine("Press any key to exit.");
            Console.ReadLine();
        }

        /// <summary>
        /// Writes "Certificate whith subject &lt;subject&gt;&lt;suffix&gt;" with the subject in
        /// <paramref name="subjectColor"/> and the rest in white.
        /// </summary>
        private static void WriteSubjectLine(string subject, ConsoleColor subjectColor, string suffix)
        {
            Console.Write("Certificate whith subject ");
            Console.ForegroundColor = subjectColor;
            Console.Write(subject);
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine(suffix);
        }

        /// <summary>
        /// Asks the configured revocation lookup about <paramref name="certificate"/> and prints the
        /// verdict in green (valid) or red (not valid). The colour is left as set; the caller resets it.
        /// </summary>
        private static void ReportRevocationStatus(X509Certificate2 certificate)
        {
            RevocationLookupFactory revocationLookupFactory = new RevocationLookupFactory();
            IRevocationLookup       revocationClient        = revocationLookupFactory.CreateRevocationLookupClient();

            // Check the validity status of the certificate using OCSP
            RevocationResponse revocationResponse = revocationClient.CheckCertificate(certificate);

            bool valid = revocationResponse.IsValid;
            Console.ForegroundColor = valid ? ConsoleColor.Green : ConsoleColor.Red;
            Console.Write(valid ? "Certificate valid in OCSP/CRL" : "Certificate not valid in OCSP/CRL");
        }