//5. The time at which the status being indicated is known to be //correct (thisUpdate) is sufficiently recent. private void ValidateThisUpdate(SingleResp resp) { if (Math.Abs(resp.ThisUpdate.Ticks - DateTime.Now.Ticks) > MaxClockSkew) { //NEWthrow new Exception("Max clock skew reached."); } }
public FirmaXades.Clients.CertificateStatus ProcessOcspResponse(byte[] binaryResp) { if (binaryResp.Length != 0) { OcspResp ocspResp = new OcspResp(binaryResp); FirmaXades.Clients.CertificateStatus result = FirmaXades.Clients.CertificateStatus.Unknown; if (ocspResp.Status != 0) { throw new Exception("Unknow status '" + ocspResp.Status + "'."); } BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject(); if (basicOcspResp.Responses.Length == 1) { SingleResp singleResp = basicOcspResp.Responses[0]; object certStatus = singleResp.GetCertStatus(); if (certStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { result = FirmaXades.Clients.CertificateStatus.Good; } else if (certStatus is RevokedStatus) { result = FirmaXades.Clients.CertificateStatus.Revoked; } else if (certStatus is UnknownStatus) { result = FirmaXades.Clients.CertificateStatus.Unknown; } } return(result); } return(FirmaXades.Clients.CertificateStatus.Unknown); }
//6. When available, the time at or before which newer information will //be available about the status of the certificate (nextUpdate) is //greater than the current time. private void ValidateNextUpdate(SingleResp resp) { if (resp.NextUpdate != null && resp.NextUpdate.Value != null && resp.NextUpdate.Value.Ticks <= DateTime.Now.Ticks) { //NEWthrow new Exception("Invalid next update."); } }
/// <summary>Gets an encoded byte array with OCSP validation.</summary> /// <remarks>Gets an encoded byte array with OCSP validation. The method should not throw an exception.</remarks> /// <param name="checkCert">to certificate to check</param> /// <param name="rootCert">the parent certificate</param> /// <param name="url"> /// to get the verification. It it's null it will be taken /// from the check cert or from other implementation specific source /// </param> /// <returns>a byte array with the validation or null if the validation could not be obtained</returns> public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else { if (status is RevokedStatus) { throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_REVOKED); } else { throw new System.IO.IOException(iText.IO.LogMessageConstant.OCSP_STATUS_IS_UNKNOWN); } } } } } catch (Exception ex) { LOGGER.Error(ex.Message); } return(null); }
public OcspResponse ParseOcspResponse(BasicOcspResp brep) { SingleResp singleResp = brep.Responses.Single(); var itstatus = singleResp.GetCertStatus(); var status = new OcspResponse() { ProducedAt = brep.ProducedAt, ThisUpdate = singleResp.ThisUpdate, NextUpdate = singleResp.NextUpdate.Value }; if (itstatus == CertificateStatus.Good) { status.Status = OcspRevocationStatus.Good; } else if (itstatus is RevokedStatus revokedStatus) { status.Status = OcspRevocationStatus.Revoked; status.RevocationTime = revokedStatus.RevocationTime; try { status.RevocationReason = revokedStatus.RevocationReason; } catch (InvalidOperationException) { status.RevocationReason = -1; } } else { status.Status = OcspRevocationStatus.Unknown; } return(status); }
/** * Gets an encoded byte array with OCSP validation. The method should not throw an exception. * @param checkCert to certificate to check * @param rootCert the parent certificate * @param the url to get the verification. It it's null it will be taken * from the check cert or from other implementation specific source * @return a byte array with the validation or null if the validation could not be obtained */ public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { BasicOcspResp basicResponse = GetBasicOCSPResp(checkCert, rootCert, url); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } } catch (Exception ex) { if (LOGGER.IsLogging(Level.ERROR)) { LOGGER.Error(ex.Message); } } return(null); }
/** * @return a byte array * @see com.lowagie.text.pdf.OcspClient#getEncoded() */ public byte[] GetEncoded() { OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) { throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } return(null); }
/// <summary> /// @see com.lowagie.text.pdf.OcspClient#getEncoded() /// </summary> /// <returns> a byte array</returns> public byte[] GetEncoded() { OcspReq request = generateOcspRequest(_rootCert, _checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(_url); con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStreamAsync().Result; outp.Write(array, 0, array.Length); outp.Dispose(); HttpWebResponse response = (HttpWebResponse)con.GetResponseAsync().Result; if (response.StatusCode != HttpStatusCode.OK) { throw new IOException($"Invalid HTTP response: {(int) response.StatusCode}"); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Dispose(); response.Dispose(); if (ocspResponse.Status != 0) { throw new IOException("Invalid status: " + ocspResponse.Status); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return(basicResponse.GetEncoded()); } else if (status is RevokedStatus) { throw new IOException("OCSP Status is revoked!"); } else { throw new IOException("OCSP Status is unknown!"); } } } return(null); }
private static bool IsCurrent(SingleResp resp) { if (Math.Abs(resp.ThisUpdate.Ticks - DateTime.Now.Ticks) > MaxClockSkew) { return(false); } else { return(true); } }
public SingleResp[] GetResponses() { Asn1Sequence responses = data.Responses; SingleResp[] array = new SingleResp[responses.Count]; for (int i = 0; i != array.Length; i++) { array[i] = new SingleResp(SingleResponse.GetInstance(responses[i])); } return(array); }
private OcspStatus VerifyResponse(byte[] response) { OcspResp r = new OcspResp(response); OcspStatus cStatusEnum = OcspStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: var or = (BasicOcspResp)r.GetResponseObject(); Debug.WriteLine(or.Responses.Length); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; var certificateStatus = resp.GetCertStatus(); if (certificateStatus == null || certificateStatus == CertificateStatus.Good) { cStatusEnum = OcspStatus.Good; } else if (certificateStatus is RevokedStatus) { cStatusEnum = OcspStatus.Revoked; } else if (certificateStatus is UnknownStatus) { cStatusEnum = OcspStatus.Unknown; } } break; case OcspResponseStatus.InternalError: case OcspResponseStatus.TryLater: cStatusEnum = OcspStatus.ServerError; break; case OcspResponseStatus.MalformedRequest: case OcspResponseStatus.SignatureRequired: case OcspResponseStatus.Unauthorized: cStatusEnum = OcspStatus.ClientError; break; default: Debug.WriteLine($"Unknow status '{r.Status}'."); cStatusEnum = OcspStatus.Unknown; break; } return(cStatusEnum); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(byte[] binaryResp, bool checkNonce) { if (binaryResp.Length == 0) { return(CertificateStatus.Unknown); } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (checkNonce) { if (or.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).ToString() != _nonceAsn1OctetString.ToString()) { throw new Exception("Bad nonce value"); } } if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return(cStatus); }
private CertificateStatus processOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp, out string respMsg) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); validateResponse(or, issuerCert); respMsg = string.Empty; if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; validateCertificateId(issuerCert, clientCert, resp.GetCertID()); validateThisUpdate(resp); validateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.good; respMsg = "Certificado Válido"; } else if (certificateStatus is RevokedStatus) { cStatus = CertificateStatus.revoked; respMsg = "Certificado Revocado"; } else if (certificateStatus is UnknownStatus) { cStatus = CertificateStatus.unknown; respMsg = "Certificado Desconocido"; } } break; default: respMsg = "No se ha podido procesar la respuesta OCSP"; //throw new Exception("Status Desconocido '" + r.Status + "'."); return(cStatus); } return(cStatus); }
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); ValidateResponse(or, issuerCert); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidateCertificateId(issuerCert, eeCert, resp.GetCertID()); ValidateThisUpdate(resp); ValidateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } break; default: throw new OCSPExpection("Unknown status '" + r.Status + "'."); } return(cStatus); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="eeCert"></param> /// <param name="issuerCert"></param> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { if (binaryResp.Length == 0) { return(CertificateStatus.Unknown); } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return(cStatus); }
private CertificateStatus ProcesarRespuestaOcsp(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor, byte[] in_BytesRespuesta) { OcspResp r = new OcspResp(in_BytesRespuesta); CertificateStatus estado = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidarCertificateId(in_CertificadoEmisor, in_Certificado, resp.GetCertID()); Object estadoCertificado = resp.GetCertStatus(); if (estadoCertificado == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { estado = CertificateStatus.Good; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.RevokedStatus) { estado = CertificateStatus.Revoked; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.UnknownStatus) { estado = CertificateStatus.Unknown; } } break; default: throw new Exception("Status desconocido'" + r.Status + "'."); } return(estado); }
/** * Checks if OCSP revocation refers to the document signing certificate. * @return true if it checks, false otherwise * @since 2.1.6 */ public bool IsRevocationValid() { if (basicResp == null) { return(false); } if (signCerts.Count < 2) { return(false); } try { X509Certificate[] cs = SignCertificateChain; SingleResp sr = basicResp.Responses[0]; CertificateID cid = sr.GetCertID(); X509Certificate sigcer = SigningCertificate; X509Certificate isscer = cs[1]; CertificateID tis = new CertificateID(CertificateID.HashSha1, isscer, sigcer.SerialNumber); return(tis.Equals(cid)); } catch { } return(false); }
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = null; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidateCertificateId(issuerCert, eeCert, resp.GetCertID()); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new Exception(Resource.ErrorOscpRevocado); } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { throw new Exception(Resource.ErrorOscpDesconocido); } } break; default: throw new Exception(Resource.ErrorOscpDesconocido); } return(cStatus); }
private OcspCheckStatus ParseOcspResponse(byte[] raw) { OcspResp response = new OcspResp(raw); if (response.Status == OcspRespStatus.Unauthorized) { return(OcspCheckStatus.Unauthorized); } else if (response.Status != OcspResponseStatus.Successful) { return(OcspCheckStatus.Error); } var brep = (BasicOcspResp)response.GetResponseObject(); SingleResp[] singleResps = brep.Responses; SingleResp singleResp = singleResps[0]; Object status = singleResp.GetCertStatus(); if (status == null) { return(OcspCheckStatus.Good); } if (status is RevokedStatus) { return(OcspCheckStatus.Revoked); } if (status is UnknownStatus) { return(OcspCheckStatus.Unknown); } return(OcspCheckStatus.Error); }
/// <summary> /// Validate a certificate against its AIA OCSP. /// </summary> /// <param name="cert"></param> /// <param name="aia"></param> /// <returns></returns> CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, AIA aia) { string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer)); string filePath = IssuerCachedFolder + hash; //Check if aki is cached if (!IsIssuerCached(aia.Issuer)) { Download(aia.Issuer, filePath); if (!IsIssuerCached(aia.Issuer)) { return(CertStatus.Unknown(CertStatus.BadIssuer)); } } var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath); var certParser = new Org.BouncyCastle.X509.X509CertificateParser(); var issuer = certParser.ReadCertificate(issuerTemp.RawData); var cert2Validate = certParser.ReadCertificate(cert.RawData); var id = new Org.BouncyCastle.Ocsp.CertificateID( Org.BouncyCastle.Ocsp.CertificateID.HashSha1, issuer, cert2Validate.SerialNumber); byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate); byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc); //Extract the response OcspResp ocspResponse = new OcspResp(resp); BasicOcspResp basicOCSPResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); SingleResp singResp = basicOCSPResponse.Responses[0]; //Validate ID var expectedId = singResp.GetCertID(); if (!expectedId.SerialNumber.Equals(id.SerialNumber)) { return(CertStatus.Unknown(CertStatus.BadSerial)); } if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash())) { return(CertStatus.Unknown(CertStatus.IssuerNotMatch)); } //Extract Status var certificateStatus = singResp.GetCertStatus(); if (certificateStatus == null) { return(CertStatus.Good); } if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason; var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime; return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason)); } if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { return(CertStatus.Unknown()); } return(CertStatus.Unknown()); }
private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca) { DateTime nowInGmt = DateTime.Now.ToUniversalTime(); /* check condition: * The certificate identified in a received response corresponds to * that which was identified in the corresponding request; */ SingleResp[] responses = basicResp.Responses; if (responses.Length != 1) { throw new OcspException("unexpected number of responses received"); } if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber)) { throw new OcspException("Serial number mismatch problem"); } /* check condition * The signature on the response is valid; */ try { ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca); } catch (ChainVerificationException e) { throw new OcspException("OCSP response certificate chain is invalid", e); } /* check the signature on the ocsp response */ var ocspBcCertificate = new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData); if (!basicResp.Verify(ocspBcCertificate.GetPublicKey())) { throw new OcspException("signature validation failed for ocsp response"); } if (!CanSignOcspResponses(ocspBcCertificate)) { throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing"); } /* check expiry of the signing certificate */ if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid) { throw new OcspException("OCSP certificate expired or not yet valid"); } /* check condition * The time at which the status being indicated is known to be * correct (thisUpdate) is sufficiently recent. */ SingleResp response = responses[0]; var diff = response.ThisUpdate - nowInGmt; if (diff > new TimeSpan(0, 1, 0)) { throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: " + response.ThisUpdate); } if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt) { throw new OcspException("OCSP response is no longer valid"); } }
/** * @return a byte array * @see com.lowagie.text.pdf.OcspClient#getEncoded() */ public Boolean runAuth() { OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); // Debug.WriteLine(checkCert.SerialNumber.ToString(16)); Debug.WriteLine("..running OCSP check with : " + url); byte[] array = request.GetEncoded(); // foreach (var i in array) { Debug.WriteLine(Convert.ToBase64String(i)); } HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp; try { outp = con.GetRequestStream(); } catch (Exception e) { Debug.WriteLine("Exception : " + e.Message); return(false); } outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) { throw new IOException("invalid.http.response.1" + response.StatusCode); } Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); string responseText; using (var reader = new System.IO.StreamReader(inp, ASCIIEncoding.ASCII)) { responseText = reader.ReadToEnd(); } inp.Close(); response.Close(); if (ocspResponse.Status != 0) { throw new IOException("invalid.status.1" + ocspResponse.Status); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); var resp_certs = basicResponse.GetCerts(); //basicResponse.GetCertificates("Collection"); X509Store store = new X509Store(StoreName.CertificateAuthority); store.Open(System.Security.Cryptography.X509Certificates.OpenFlags.ReadOnly); int num_matches = 0; foreach (var c in resp_certs) { // Debug.WriteLine("..."); // cehck subject or issuer to see if in store // Debug.WriteLine(c.SubjectDN); // Debug.WriteLine(c.IssuerDN); string issuer_cn = c.IssuerDN.ToString().Split(new string[] { "CN=" }, StringSplitOptions.None)[1].Split(',')[0]; var fndCA = store.Certificates.Find(X509FindType.FindBySubjectName, issuer_cn, true); if (fndCA.Count > 0) { num_matches++; } } if (num_matches != resp_certs.Length) { throw new IOException("Response certificate validation failed!"); } if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); // Debug.WriteLine(status+"=?"+CertificateStatus.Good); if (status == CertificateStatus.Good) { //Debug.WriteLine("CERT IS GOOD!! VALID!!"); //return basicResponse.GetEncoded(); return(true); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { //throw new IOException("ocsp.status.is.revoked"); Debug.WriteLine("Cert is revoked!"); return(false); } else { //Debug.WriteLine(responseText); //throw new IOException("ocsp.status.is.unknown "); Debug.WriteLine("Unknown status!"); return(false); } } else { Debug.WriteLine("DID NOT GET UNIQUE RESPONSE! (" + responses.Length + ")"); /* * foreach (SingleResp r in responses) * { * Debug.WriteLine("..." + r.GetCertID()+" :: "+r.GetCertStatus()); * }*/ } } else { Debug.WriteLine("BASIC RESPONSE WAS NULL!"); } return(false); }
private int VerifyOCSPResponse() { if (ocspResponse.Status != 0) { this.lastError = Resources.INVALID_OCSP_STATUS + ocspResponse.Status; return((int)CertStatus.ERROR); } BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject(); if (basicResponse != null) { if (responderCert != null) { bool verifyResult = basicResponse.Verify(responderCert.GetPublicKey()); if (verifyResult != true) { this.lastError = Resources.OCSP_VERIFY_FAILED; return((int)CertStatus.ERROR); } } SingleResp[] responses = basicResponse.Responses; byte[] reqNonce = ocspRequest.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).GetEncoded(); byte[] respNonce = basicResponse.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce).GetEncoded(); if (reqNonce == null || Arrays.AreEqual(reqNonce, respNonce)) { // will handle single response only if (responses.Length != 1) { this.lastError = Resources.INVALID_OCSP_RESPONSE_COUNT + responses.Length; return((int)CertStatus.ERROR); } SingleResp resp = responses[0]; // Check that response creation time is in valid time slot. DateTime thisUpdate = resp.ThisUpdate; DateTimeObject nextUpdate = resp.NextUpdate; DateTime now = DateTime.UtcNow; // Check whether response creation ramained in valid slot bool valid = CheckTimeValidity(thisUpdate, nextUpdate, 5000, 100000); if (valid == false) { this.lastError = Resources.INVALID_OCSP_TIMESLOT; return((int)CertStatus.ERROR); } Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { // Ok return((int)CertStatus.GOOD); } else if (status is RevokedStatus) { this.lastError = string.Format(Resources.OCSP_ERROR, resp.GetCertID().SerialNumber, "revoked"); return((int)CertStatus.REVOKED); } else { this.lastError = string.Format(Resources.OCSP_ERROR, resp.GetCertID().SerialNumber, "unknown"); return((int)CertStatus.UNKNOWN); } } } else { this.lastError = Resources.INVALID_OCSP_RESPONSE; } // failed return((int)CertStatus.ERROR); }