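/// <summary>
/// Add the specified list of encoded attribute certificates to the validate request
/// as an AttributeCertificateMessageExtension. The extension is appended to the
/// request's existing message extensions, so an extension attached earlier (for
/// example a TSA timestamp) is not silently dropped.
/// </summary>
/// <param name="validateRequest">the request to extend; must not be null</param>
/// <param name="attributeCertificates">encoded attribute certificates placed in CertifiedRoles</param>
/// <exception cref="ArgumentNullException">if validateRequest is null</exception>
private void addAttributeCertificates(ValidateRequestType validateRequest, EncapsulatedPKIDataType[] attributeCertificates)
{
    if (null == validateRequest)
    {
        throw new ArgumentNullException("validateRequest");
    }

    AttributeCertificateMessageExtensionType attributeCertificateMessageExtension = new AttributeCertificateMessageExtensionType();
    attributeCertificateMessageExtension.CertifiedRoles = attributeCertificates;

    // Append rather than assign: a plain assignment replaces whatever extension
    // an earlier add*() call already put on the request.
    List<MessageExtensionAbstractType> messageExtensions = new List<MessageExtensionAbstractType>();
    if (null != validateRequest.MessageExtension)
    {
        messageExtensions.AddRange(validateRequest.MessageExtension);
    }
    messageExtensions.Add(attributeCertificateMessageExtension);
    validateRequest.MessageExtension = messageExtensions.ToArray();
}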
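/// <summary>
/// Add the specified timestamp token to the validate request as a TSAMessageExtension
/// carrying the DER-encoded token. The extension is appended to the request's existing
/// message extensions, so an extension attached earlier is not silently dropped.
/// </summary>
/// <param name="validateRequest">the request to extend; must not be null</param>
/// <param name="timeStampToken">the timestamp token to encapsulate; must not be null</param>
/// <exception cref="ArgumentNullException">if validateRequest or timeStampToken is null</exception>
private void addTimeStampToken(ValidateRequestType validateRequest, TimeStampToken timeStampToken)
{
    if (null == validateRequest)
    {
        throw new ArgumentNullException("validateRequest");
    }
    if (null == timeStampToken)
    {
        throw new ArgumentNullException("timeStampToken");
    }

    EncapsulatedPKIDataType timeStampTokenValue = new EncapsulatedPKIDataType();
    timeStampTokenValue.Value = timeStampToken.GetEncoded();

    TSAMessageExtensionType tsaMessageExtension = new TSAMessageExtensionType();
    tsaMessageExtension.EncapsulatedTimeStamp = timeStampTokenValue;

    // Append rather than assign: a plain assignment replaces whatever extension
    // an earlier add*() call already put on the request.
    List<MessageExtensionAbstractType> messageExtensions = new List<MessageExtensionAbstractType>();
    if (null != validateRequest.MessageExtension)
    {
        messageExtensions.AddRange(validateRequest.MessageExtension);
    }
    messageExtensions.Add(tsaMessageExtension);
    validateRequest.MessageExtension = messageExtensions.ToArray();
}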
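/// <summary>
/// Add revocation data to the validate request as a RevocationDataMessageExtension.
/// When <paramref name="revocationData"/> is given it is used as-is; otherwise the
/// OCSP responses and CRLs are DER-encoded into a fresh RevocationValuesType.
/// The extension is appended to the request's existing message extensions, so an
/// extension attached earlier is not silently dropped.
/// </summary>
/// <param name="validateRequest">the request to extend; must not be null</param>
/// <param name="ocspResponses">OCSP responses to encode; null is treated as empty</param>
/// <param name="crls">CRLs to encode; null is treated as empty</param>
/// <param name="revocationData">pre-built revocation values; when non-null the lists are ignored</param>
/// <exception cref="ArgumentNullException">if validateRequest is null</exception>
private void addRevocationData(ValidateRequestType validateRequest, List<OcspResp> ocspResponses, List<X509Crl> crls, RevocationValuesType revocationData)
{
    if (null == validateRequest)
    {
        throw new ArgumentNullException("validateRequest");
    }

    RevocationDataMessageExtensionType revocationDataMessageExtension = new RevocationDataMessageExtensionType();
    if (null != revocationData)
    {
        revocationDataMessageExtension.RevocationValues = revocationData;
    }
    else
    {
        RevocationValuesType revocationValues = new RevocationValuesType();

        // OCSP responses, DER encoded. A null list yields an empty array instead of a NullReferenceException.
        int ocspCount = (null == ocspResponses) ? 0 : ocspResponses.Count;
        EncapsulatedPKIDataType[] ocspValues = new EncapsulatedPKIDataType[ocspCount];
        for (int i = 0; i < ocspCount; i++)
        {
            EncapsulatedPKIDataType ocspValue = new EncapsulatedPKIDataType();
            ocspValue.Value = ocspResponses[i].GetEncoded();
            ocspValues[i] = ocspValue;
        }
        revocationValues.OCSPValues = ocspValues;

        // CRLs, DER encoded. Same null handling as above.
        int crlCount = (null == crls) ? 0 : crls.Count;
        EncapsulatedPKIDataType[] crlValues = new EncapsulatedPKIDataType[crlCount];
        for (int i = 0; i < crlCount; i++)
        {
            EncapsulatedPKIDataType crlValue = new EncapsulatedPKIDataType();
            crlValue.Value = crls[i].GetEncoded();
            crlValues[i] = crlValue;
        }
        revocationValues.CRLValues = crlValues;

        revocationDataMessageExtension.RevocationValues = revocationValues;
    }

    // Append rather than assign: a plain assignment replaces whatever extension
    // an earlier add*() call already put on the request.
    List<MessageExtensionAbstractType> messageExtensions = new List<MessageExtensionAbstractType>();
    if (null != validateRequest.MessageExtension)
    {
        messageExtensions.AddRange(validateRequest.MessageExtension);
    }
    messageExtensions.Add(revocationDataMessageExtension);
    validateRequest.MessageExtension = messageExtensions.ToArray();
}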
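/// <summary>
/// Add revocation data to the validate request as a RevocationDataMessageExtension.
/// When <paramref name="revocationData"/> is given it is used as-is; otherwise the
/// OCSP responses and CRLs are DER-encoded into a fresh RevocationValuesType.
/// The extension is appended to the request's existing message extensions, so an
/// extension attached earlier is not silently dropped.
/// </summary>
/// <param name="validateRequest">the request to extend; must not be null</param>
/// <param name="ocspResponses">OCSP responses to encode; null is treated as empty</param>
/// <param name="crls">CRLs to encode; null is treated as empty</param>
/// <param name="revocationData">pre-built revocation values; when non-null the lists are ignored</param>
/// <exception cref="ArgumentNullException">if validateRequest is null</exception>
private void addRevocationData(ValidateRequestType validateRequest, List<OcspResp> ocspResponses, List<X509Crl> crls, RevocationValuesType revocationData)
{
    if (null == validateRequest)
    {
        throw new ArgumentNullException("validateRequest");
    }

    RevocationDataMessageExtensionType revocationDataMessageExtension = new RevocationDataMessageExtensionType();
    if (null != revocationData)
    {
        revocationDataMessageExtension.RevocationValues = revocationData;
    }
    else
    {
        RevocationValuesType revocationValues = new RevocationValuesType();

        // OCSP responses, DER encoded. A null list yields an empty array instead of a NullReferenceException.
        int ocspCount = (null == ocspResponses) ? 0 : ocspResponses.Count;
        EncapsulatedPKIDataType[] ocspValues = new EncapsulatedPKIDataType[ocspCount];
        for (int i = 0; i < ocspCount; i++)
        {
            EncapsulatedPKIDataType ocspValue = new EncapsulatedPKIDataType();
            ocspValue.Value = ocspResponses[i].GetEncoded();
            ocspValues[i] = ocspValue;
        }
        revocationValues.OCSPValues = ocspValues;

        // CRLs, DER encoded. Same null handling as above.
        int crlCount = (null == crls) ? 0 : crls.Count;
        EncapsulatedPKIDataType[] crlValues = new EncapsulatedPKIDataType[crlCount];
        for (int i = 0; i < crlCount; i++)
        {
            EncapsulatedPKIDataType crlValue = new EncapsulatedPKIDataType();
            crlValue.Value = crls[i].GetEncoded();
            crlValues[i] = crlValue;
        }
        revocationValues.CRLValues = crlValues;

        revocationDataMessageExtension.RevocationValues = revocationValues;
    }

    // Append rather than assign: a plain assignment replaces whatever extension
    // an earlier add*() call already put on the request.
    List<MessageExtensionAbstractType> messageExtensions = new List<MessageExtensionAbstractType>();
    if (null != validateRequest.MessageExtension)
    {
        messageExtensions.AddRange(validateRequest.MessageExtension);
    }
    messageExtensions.Add(revocationDataMessageExtension);
    validateRequest.MessageExtension = messageExtensions.ToArray();
}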
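/*
 * Validation
 */

/// <summary>
/// Build an XKMS Validate request for <paramref name="certificateChain"/>, send it
/// through the client and interpret the result. Returns normally only when the
/// response's first key binding has status Valid. Otherwise the reported invalid
/// reason URIs are appended to <c>invalidReasonURIs</c> and a
/// <see cref="ValidationFailedException"/> is thrown. A response with no key binding
/// at all is treated as a failure (fail closed), never as success.
/// </summary>
/// <param name="certificateChain">certificates sent as X509Data in the query key binding; must not be null</param>
/// <param name="trustDomain">optional trust domain, sent as a UseKeyWith identifier; null to omit</param>
/// <param name="returnRevocationData">when true, the service is asked to return the revocation data it used and it is stored in <c>this.revocationValues</c></param>
/// <param name="validationDate">validation instant for historical validation; DateTime.MinValue means "now" and sends no TimeInstant</param>
/// <param name="ocspResponses">OCSP responses supplied for historical validation</param>
/// <param name="crls">CRLs supplied for historical validation</param>
/// <param name="revocationValues">pre-built revocation values for historical validation, used instead of the lists when non-null</param>
/// <param name="timeStampToken">optional timestamp token for TSA validation; null to omit</param>
/// <param name="attributeCertificates">optional encoded attribute certificates; null to omit</param>
/// <exception cref="ArgumentNullException">if certificateChain is null</exception>
/// <exception cref="RevocationDataNotFoundException">if revocation data was requested but the response carries none</exception>
/// <exception cref="ValidationFailedException">if the key binding is not Valid, or the response holds no key binding</exception>
private void validate(List<Org.BouncyCastle.X509.X509Certificate> certificateChain, string trustDomain, bool returnRevocationData, DateTime validationDate, List<OcspResp> ocspResponses, List<X509Crl> crls, RevocationValuesType revocationValues, TimeStampToken timeStampToken, EncapsulatedPKIDataType[] attributeCertificates)
{
    if (null == certificateChain)
    {
        throw new ArgumentNullException("certificateChain");
    }

    // setup the client
    setupClient();

    /*
     * Query key binding: every certificate of the chain, DER encoded, inside one X509Data.
     */
    ValidateRequestType validateRequest = new ValidateRequestType();
    QueryKeyBindingType queryKeyBinding = new QueryKeyBindingType();
    validateRequest.QueryKeyBinding = queryKeyBinding;

    int chainLength = certificateChain.Count;
    X509DataType x509Data = new X509DataType();
    x509Data.Items = new object[chainLength];
    x509Data.ItemsElementName = new ItemsChoiceType[chainLength];
    for (int i = 0; i < chainLength; i++)
    {
        x509Data.Items[i] = certificateChain[i].GetEncoded();
        x509Data.ItemsElementName[i] = ItemsChoiceType.X509Certificate;
    }

    KeyInfoType keyInfo = new KeyInfoType();
    keyInfo.Items = new object[] { x509Data };
    keyInfo.ItemsElementName = new ItemsChoiceType2[] { ItemsChoiceType2.X509Data };
    queryKeyBinding.KeyInfo = keyInfo;

    /*
     * Optional trust domain, carried as a UseKeyWith application/identifier pair.
     */
    if (null != trustDomain)
    {
        UseKeyWithType useKeyWith = new UseKeyWithType();
        useKeyWith.Application = XkmsConstants.TRUST_DOMAIN_APPLICATION_URI;
        useKeyWith.Identifier = trustDomain;
        queryKeyBinding.UseKeyWith = new UseKeyWithType[] { useKeyWith };
    }

    /*
     * Optional message extensions. Each helper attaches its extension to
     * validateRequest.MessageExtension.
     */
    if (null != timeStampToken)
    {
        addTimeStampToken(validateRequest, timeStampToken);
    }
    if (null != attributeCertificates)
    {
        addAttributeCertificates(validateRequest, attributeCertificates);
    }

    /*
     * Ask the service to return the revocation data it used, if requested.
     */
    if (returnRevocationData)
    {
        validateRequest.RespondWith = new string[] { XkmsConstants.RETURN_REVOCATION_DATA_URI };
    }

    /*
     * Historical validation: DateTime.MinValue is the "not set" sentinel. Otherwise send
     * the instant and the revocation data the service should validate against.
     * NOTE(review): the DateTime.Kind of validationDate decides how the instant is
     * serialized (local vs UTC) — confirm callers pass the kind the service expects.
     */
    if (validationDate != DateTime.MinValue)
    {
        TimeInstantType timeInstant = new TimeInstantType();
        timeInstant.Time = validationDate;
        queryKeyBinding.TimeInstant = timeInstant;
        addRevocationData(validateRequest, ocspResponses, crls, revocationValues);
    }

    /*
     * Send the request and check the protocol-level result first.
     * checkResponse is defined elsewhere in this file; presumably it throws on a
     * non-success ResultMajor — confirm.
     */
    ValidateResultType validateResult = client.Validate(validateRequest);
    checkResponse(validateResult);

    /*
     * Extract the returned revocation data, if it was requested.
     */
    if (returnRevocationData)
    {
        // Reset first: a value left over from an earlier validate() on this instance
        // must not satisfy the null check below when this response carries none.
        this.revocationValues = null;
        if (null != validateResult.MessageExtension)
        {
            foreach (MessageExtensionAbstractType messageExtension in validateResult.MessageExtension)
            {
                RevocationDataMessageExtensionType revocationDataMessageExtension = messageExtension as RevocationDataMessageExtensionType;
                if (null != revocationDataMessageExtension)
                {
                    this.revocationValues = revocationDataMessageExtension.RevocationValues;
                }
            }
        }
        if (null == this.revocationValues)
        {
            throw new RevocationDataNotFoundException();
        }
    }

    /*
     * Interpret the key binding status. Only the first key binding is inspected: the
     * loop body always returns or throws on its first iteration.
     * NOTE(review): invalidReasonURIs is only appended to here; confirm the caller
     * resets it between validations so reasons from earlier calls do not accumulate.
     */
    if (null != validateResult.KeyBinding)
    {
        foreach (KeyBindingType keyBinding in validateResult.KeyBinding)
        {
            StatusType status = keyBinding.Status;
            if (null != status && KeyBindingEnum.httpwwww3org200203xkmsValid.Equals(status.StatusValue))
            {
                return;
            }
            // Indeterminate or invalid: InvalidReason may be absent, so guard before enumerating.
            if (null != status && null != status.InvalidReason)
            {
                foreach (string reason in status.InvalidReason)
                {
                    this.invalidReasonURIs.AddLast(reason);
                }
            }
            throw new ValidationFailedException(this.invalidReasonURIs);
        }
    }

    // Reached only when the response carried no key binding at all. Fail closed:
    // the absence of a verdict is not a Valid verdict.
    throw new ValidationFailedException(this.invalidReasonURIs);
}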
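/*
 * Validation
 */

/// <summary>
/// Build an XKMS Validate request for <paramref name="certificateChain"/>, send it
/// through the client and interpret the result. Returns normally only when the
/// response's first key binding has status Valid. Otherwise the reported invalid
/// reason URIs are appended to <c>invalidReasonURIs</c> and a
/// <see cref="ValidationFailedException"/> is thrown. A response with no key binding
/// at all is treated as a failure (fail closed), never as success.
/// </summary>
/// <param name="certificateChain">certificates sent as X509Data in the query key binding; must not be null</param>
/// <param name="trustDomain">optional trust domain, sent as a UseKeyWith identifier; null to omit</param>
/// <param name="returnRevocationData">when true, the service is asked to return the revocation data it used and it is stored in <c>this.revocationValues</c></param>
/// <param name="validationDate">validation instant for historical validation; DateTime.MinValue means "now" and sends no TimeInstant</param>
/// <param name="ocspResponses">OCSP responses supplied for historical validation</param>
/// <param name="crls">CRLs supplied for historical validation</param>
/// <param name="revocationValues">pre-built revocation values for historical validation, used instead of the lists when non-null</param>
/// <param name="timeStampToken">optional timestamp token for TSA validation; null to omit</param>
/// <param name="attributeCertificates">optional encoded attribute certificates; null to omit</param>
/// <exception cref="ArgumentNullException">if certificateChain is null</exception>
/// <exception cref="RevocationDataNotFoundException">if revocation data was requested but the response carries none</exception>
/// <exception cref="ValidationFailedException">if the key binding is not Valid, or the response holds no key binding</exception>
private void validate(List<Org.BouncyCastle.X509.X509Certificate> certificateChain, string trustDomain, bool returnRevocationData, DateTime validationDate, List<OcspResp> ocspResponses, List<X509Crl> crls, RevocationValuesType revocationValues, TimeStampToken timeStampToken, EncapsulatedPKIDataType[] attributeCertificates)
{
    if (null == certificateChain)
    {
        throw new ArgumentNullException("certificateChain");
    }

    // setup the client
    setupClient();

    /*
     * Query key binding: every certificate of the chain, DER encoded, inside one X509Data.
     */
    ValidateRequestType validateRequest = new ValidateRequestType();
    QueryKeyBindingType queryKeyBinding = new QueryKeyBindingType();
    validateRequest.QueryKeyBinding = queryKeyBinding;

    int chainLength = certificateChain.Count;
    X509DataType x509Data = new X509DataType();
    x509Data.Items = new object[chainLength];
    x509Data.ItemsElementName = new ItemsChoiceType[chainLength];
    for (int i = 0; i < chainLength; i++)
    {
        x509Data.Items[i] = certificateChain[i].GetEncoded();
        x509Data.ItemsElementName[i] = ItemsChoiceType.X509Certificate;
    }

    KeyInfoType keyInfo = new KeyInfoType();
    keyInfo.Items = new object[] { x509Data };
    keyInfo.ItemsElementName = new ItemsChoiceType2[] { ItemsChoiceType2.X509Data };
    queryKeyBinding.KeyInfo = keyInfo;

    /*
     * Optional trust domain, carried as a UseKeyWith application/identifier pair.
     */
    if (null != trustDomain)
    {
        UseKeyWithType useKeyWith = new UseKeyWithType();
        useKeyWith.Application = XkmsConstants.TRUST_DOMAIN_APPLICATION_URI;
        useKeyWith.Identifier = trustDomain;
        queryKeyBinding.UseKeyWith = new UseKeyWithType[] { useKeyWith };
    }

    /*
     * Optional message extensions. Each helper attaches its extension to
     * validateRequest.MessageExtension.
     */
    if (null != timeStampToken)
    {
        addTimeStampToken(validateRequest, timeStampToken);
    }
    if (null != attributeCertificates)
    {
        addAttributeCertificates(validateRequest, attributeCertificates);
    }

    /*
     * Ask the service to return the revocation data it used, if requested.
     */
    if (returnRevocationData)
    {
        validateRequest.RespondWith = new string[] { XkmsConstants.RETURN_REVOCATION_DATA_URI };
    }

    /*
     * Historical validation: DateTime.MinValue is the "not set" sentinel. Otherwise send
     * the instant and the revocation data the service should validate against.
     * NOTE(review): the DateTime.Kind of validationDate decides how the instant is
     * serialized (local vs UTC) — confirm callers pass the kind the service expects.
     */
    if (validationDate != DateTime.MinValue)
    {
        TimeInstantType timeInstant = new TimeInstantType();
        timeInstant.Time = validationDate;
        queryKeyBinding.TimeInstant = timeInstant;
        addRevocationData(validateRequest, ocspResponses, crls, revocationValues);
    }

    /*
     * Send the request and check the protocol-level result first.
     * checkResponse is defined elsewhere in this file; presumably it throws on a
     * non-success ResultMajor — confirm.
     */
    ValidateResultType validateResult = client.Validate(validateRequest);
    checkResponse(validateResult);

    /*
     * Extract the returned revocation data, if it was requested.
     */
    if (returnRevocationData)
    {
        // Reset first: a value left over from an earlier validate() on this instance
        // must not satisfy the null check below when this response carries none.
        this.revocationValues = null;
        if (null != validateResult.MessageExtension)
        {
            foreach (MessageExtensionAbstractType messageExtension in validateResult.MessageExtension)
            {
                RevocationDataMessageExtensionType revocationDataMessageExtension = messageExtension as RevocationDataMessageExtensionType;
                if (null != revocationDataMessageExtension)
                {
                    this.revocationValues = revocationDataMessageExtension.RevocationValues;
                }
            }
        }
        if (null == this.revocationValues)
        {
            throw new RevocationDataNotFoundException();
        }
    }

    /*
     * Interpret the key binding status. Only the first key binding is inspected: the
     * loop body always returns or throws on its first iteration.
     * NOTE(review): invalidReasonURIs is only appended to here; confirm the caller
     * resets it between validations so reasons from earlier calls do not accumulate.
     */
    if (null != validateResult.KeyBinding)
    {
        foreach (KeyBindingType keyBinding in validateResult.KeyBinding)
        {
            StatusType status = keyBinding.Status;
            if (null != status && KeyBindingEnum.httpwwww3org200203xkmsValid.Equals(status.StatusValue))
            {
                return;
            }
            // Indeterminate or invalid: InvalidReason may be absent, so guard before enumerating.
            if (null != status && null != status.InvalidReason)
            {
                foreach (string reason in status.InvalidReason)
                {
                    this.invalidReasonURIs.AddLast(reason);
                }
            }
            throw new ValidationFailedException(this.invalidReasonURIs);
        }
    }

    // Reached only when the response carried no key binding at all. Fail closed:
    // the absence of a verdict is not a Valid verdict.
    throw new ValidationFailedException(this.invalidReasonURIs);
}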