コード例 #1
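        /// <summary>
        /// Finds the certificate that issued <paramref name="signedToken"/> among the trusted-list certificates
        /// and <paramref name="optionalSource"/>. A candidate is accepted only if it is within its validity
        /// period at <paramref name="validationDate"/>, its trusted-list service status (when it comes from the
        /// trusted list) covers that date, and the token's signature verifies against it.
        /// </summary>
        /// <param name="signedToken">Token whose issuer is wanted; its signer subject name drives the lookup.</param>
        /// <param name="optionalSource">Additional certificate source combined with the trusted-list source.</param>
        /// <param name="validationDate">Reference time for certificate validity and trusted-list status checks.</param>
        /// <returns>The first candidate that passes every check, or null when the token has no signer subject
        /// name, no candidate was found, or none passed.</returns>
        internal virtual CertificateAndContext GetIssuerCertificate(ISignedToken signedToken, ICertificateSource optionalSource, DateTime validationDate)
        {
            string signerSubjectName = signedToken.GetSignerSubjectName();
            if (signerSubjectName == null)
            {
                return null;
            }

            IList<CertificateAndContext> candidates = new CompositeCertificateSource(TrustedListCertificatesSource, optionalSource)
                .GetCertificateBySubjectName(signerSubjectName);
            if (candidates == null)
            {
                return null;
            }

            foreach (CertificateAndContext cert in candidates)
            {
                logger?.Info(cert.ToString());

                // DateTime is a value type and can never be null, so the validity window is always checked;
                // an expired or not-yet-valid candidate is skipped, never returned.
                try
                {
                    cert.Certificate.CheckValidity(validationDate);
                }
                catch (CertificateExpiredException)
                {
                    logger?.Info(WasExpiredMessage);
                    continue;
                }
                catch (CertificateNotYetValidException)
                {
                    logger?.Info(WasNotYetValidMessage);
                    continue;
                }

                // A trusted-list certificate is only usable while the service it belongs to had its status
                // at validationDate: before the status start or after the status end it is rejected.
                if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST && cert.Context != null)
                {
                    ServiceInfo info = (ServiceInfo)cert.Context;
                    if ((info.StatusStartingDateAtReferenceTime != null && validationDate.CompareTo(info.StatusStartingDateAtReferenceTime) < 0)
                        || (info.StatusEndingDateAtReferenceTime != null && validationDate.CompareTo(info.StatusEndingDateAtReferenceTime) > 0))
                    {
                        logger?.Info(WasNotValidTSLMessage);
                        continue;
                    }
                }

                // A matching subject name is not proof of issuance; the signature must actually verify.
                if (signedToken.IsSignedBy(cert.Certificate))
                {
                    return cert;
                }
            }

            return null;
        }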
コード例 #2
        /// <summary>
        /// Stores the revocation data obtained for a token that was previously queued in RevocationInfo,
        /// which is what marks the token as verified.
        /// </summary>
        /// <param name="signedToken">Token to mark; must already be a key of RevocationInfo.</param>
        /// <param name="data">Revocation data to record for the token.</param>
        /// <exception cref="ArgumentException">The token is not a key of RevocationInfo.</exception>
        /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
        internal virtual void Validate(ISignedToken signedToken, RevocationData data)
        {
            bool isQueued = RevocationInfo.ContainsKey(signedToken);
            if (isQueued == false)
            {
                throw new ArgumentException(signedToken + " must be a key of revocationInfo");
            }

            if (data is null)
            {
                throw new ArgumentNullException(nameof(data));
            }

            // A non-null entry is what distinguishes a verified token from a pending one.
            RevocationInfo[signedToken] = data;
        }
コード例 #3
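 /// <summary>
 /// Queues <paramref name="signedToken"/> as not yet verified and records the CRL, OCSP response or
 /// certificate behind it so it can be looked up later. A token already present in RevocationInfo is left
 /// as it is.
 /// </summary>
 /// <param name="signedToken">Token to queue; any other token type is registered but nothing extra is recorded.</param>
 internal void AddNotYetVerifiedToken(ISignedToken signedToken)
 {
     if (RevocationInfo.ContainsKey(signedToken))
     {
         logger?.Info("Token was already in list " + signedToken);
         return;
     }

     logger?.Info("New token to validate " + signedToken + " hashCode " + signedToken.GetHashCode());
     // A null entry means "pending"; Validate(ISignedToken, RevocationData) replaces it once verified.
     RevocationInfo[signedToken] = null;

     switch (signedToken)
     {
         case CRLToken crlToken:
         {
             NeededCRL.Add(crlToken.GetX509crl());
             break;
         }
         case OCSPRespToken ocspToken:
         {
             NeededOCSPResp.Add(ocspToken.GetOcspResp());
             break;
         }
         case CertificateToken certToken:
         {
             CertificateAndContext newCert = certToken.GetCertificateAndContext();
             // Deduplicate on the certificate itself rather than on the wrapper, so the same certificate
             // reached through different sources is only recorded once.
             if (!IsAlreadyNeeded(newCert))
             {
                 NeededCertificates.Add(newCert);
             }
             break;
         }
     }

     bool IsAlreadyNeeded(CertificateAndContext candidate)
     {
         foreach (CertificateAndContext known in NeededCertificates)
         {
             if (known.Certificate.Equals(candidate.Certificate))
             {
                 return true;
             }
         }
         return false;
     }
 }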
コード例 #4
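        /// <summary>
        /// Build the validation context for the specific date
        /// </summary>
        /// <remarks>
        /// Takes one not-yet-verified token from RevocationInfo, resolves its issuer, records revocation data for
        /// it and queues every new token met on the way (issuer certificate, answering CRL or OCSP response).
        /// The method then calls itself again until a pass neither adds nor verifies a token.
        /// </remarks>
        /// <param name="validationDate">Reference time for certificate validity and trusted-list status.</param>
        /// <param name="optionalSource">Extra certificate source, combined with the token's own wrapped source.</param>
        /// <param name="optionalCRLSource">Extra CRL source handed to GetCertificateValidity.</param>
        /// <param name="optionalOCPSSource">Extra OCSP source handed to GetCertificateValidity.</param>
        /// <param name="usedCerts">Receives every issuer certificate that was used; may be null.</param>
        /// <exception cref="NotSupportedException">The pending token has a type this method cannot validate.</exception>
        public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
        {
            int previousSize = RevocationInfo.Count;
            int previousVerified = VerifiedTokenCount();
            ISignedToken signedToken = GetOneNotYetVerifiedToken();
            if (signedToken == null)
            {
                return;
            }

            ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
            CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate);
            RevocationData data;
            if (issuer == null)
            {
                logger?.Warn("Don't found any issuer for token " + signedToken);
                // No issuer found: the token is recorded with no revocation data attached.
                data = new RevocationData(signedToken);
            }
            else
            {
                usedCerts?.Add(issuer);
                AddNotYetVerifiedToken(certificateTokenFactory(issuer));
                MarkTrustAnchorIfApplicable(issuer);
                data = CollectRevocationData(signedToken, issuer, validationDate, optionalCRLSource, optionalOCPSSource);
            }

            Validate(signedToken, data);
            logger?.Info(ToString());

            // Keep going while the last pass changed the context; the recursion ends once a pass adds and
            // verifies nothing. Later passes use otherSource so the token's own wrapped source stays available.
            bool contextChanged = RevocationInfo.Count != previousSize || VerifiedTokenCount() != previousVerified;
            if (contextChanged)
            {
                Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
            }
        }

        /// <summary>
        /// Marks <paramref name="issuer"/> as needing no further validation when it is self-signed or comes
        /// from the trusted list; any other issuer stays queued for normal validation.
        /// </summary>
        /// <param name="issuer">Issuer certificate just resolved for the pending token.</param>
        private void MarkTrustAnchorIfApplicable(CertificateAndContext issuer)
        {
            bool selfSigned = issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN);
            bool fromTrustedList = issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST;
            if (!selfSigned && !fromTrustedList)
            {
                return;
            }

            ISignedToken trustedToken = certificateTokenFactory(issuer);
            RevocationData noNeedToValidate = new RevocationData();
            if (fromTrustedList)
            {
                noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
            }
            // NOTE(review): a self-signed issuer that is NOT on the trusted list is also marked as verified here,
            // with no revocation data attached; confirm that whatever consumes RevocationInfo distinguishes this
            // entry from a TRUSTED_LIST one before treating the chain as anchored.
            Validate(trustedToken, noNeedToValidate);
        }

        /// <summary>
        /// Builds the revocation data for <paramref name="signedToken"/> given its <paramref name="issuer"/>.
        /// For a certificate token the revocation status is looked up and the CRL or OCSP response that
        /// answered is queued for validation; CRL, OCSP and timestamp tokens only record their issuer.
        /// </summary>
        /// <param name="signedToken">Pending token.</param>
        /// <param name="issuer">Resolved issuer certificate of the token; never null here.</param>
        /// <param name="validationDate">Reference time handed to GetCertificateValidity.</param>
        /// <param name="optionalCRLSource">Extra CRL source handed to GetCertificateValidity.</param>
        /// <param name="optionalOCPSSource">Extra OCSP source handed to GetCertificateValidity.</param>
        /// <returns>The revocation data to store for the token; never null.</returns>
        /// <exception cref="NotSupportedException">The token type is not handled.</exception>
        private RevocationData CollectRevocationData(ISignedToken signedToken, CertificateAndContext issuer, DateTime validationDate, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource)
        {
            if (signedToken is CertificateToken ct)
            {
                CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
                RevocationData certData = new RevocationData(signedToken);
                if (status == null)
                {
                    logger?.Warn("No status for " + signedToken);
                    return certData;
                }

                certData.SetRevocationData(status.StatusSource);
                // The CRL or OCSP response that answered is itself a signed token and must be validated too.
                if (status.StatusSource is X509Crl crl)
                {
                    AddNotYetVerifiedToken(new CRLToken(crl));
                }
                else if (status.StatusSource is BasicOcspResp ocspResp)
                {
                    AddNotYetVerifiedToken(new OCSPRespToken(ocspResp));
                }
                return certData;
            }

            if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
            {
                RevocationData issuerData = new RevocationData(signedToken);
                issuerData.SetRevocationData(issuer);
                return issuerData;
            }

            // NotSupportedException derives from Exception, so existing catch (Exception) handlers still apply.
            throw new NotSupportedException("Not supported token type " + signedToken.GetType().Name);
        }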
コード例 #5
ファイル: RevocationData.cs プロジェクト: 63l06ri5/CAdESLib
 /// <summary>
 /// Creates revocation data bound to <paramref name="signedToken"/>, the token the data describes.
 /// </summary>
 /// <param name="signedToken">Token this revocation data belongs to; stored as-is, no null check.</param>
 public RevocationData(ISignedToken signedToken) => targetToken = signedToken;