/// <summary>
/// Checks the validity of the certificate, and calls the next
/// verifier in the chain, if any.
/// </summary>
/// <param name="signCert">the certificate that needs to be checked</param>
/// <param name="issuerCert">its issuer</param>
/// <param name="signDate">the date the certificate needs to be valid</param>
/// <returns>
/// a list of <code>VerificationOK</code> objects.
/// The list will be empty if the certificate couldn't be verified.
/// </returns>
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
/// <exception cref="System.IO.IOException"/>
public virtual IList <VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime
signDate)
{
// Check if the certificate is valid on the signDate
if (signDate != null)
{
signCert.CheckValidity(signDate);
}
// Check if the signature is valid
if (issuerCert != null)
{
signCert.Verify(issuerCert.GetPublicKey());
}
else
{
// Also in case, the certificate is self-signed
signCert.Verify(signCert.GetPublicKey());
}
IList <VerificationOK> result = new List <VerificationOK>();
if (verifier != null)
{
result.AddAll(verifier.Verify(signCert, issuerCert, signDate));
}
return(result);
}
/// <summary>
///
/// </summary>
public X509Certificate RetrieveAndVerifyCertificate(string certChainUrl)
{
// making requests to externally-supplied URLs is an open invitation to DoS
// so restrict host to an Alexa controlled subdomain/path
if (!VerifyCertificateUrl(certChainUrl))
{
return(null);
}
WebClient webClient = new WebClient();
string content = webClient.DownloadString(certChainUrl);
Org.BouncyCastle.OpenSsl.PemReader pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(content));
X509Certificate cert = (X509Certificate)pemReader.ReadObject();
try
{
cert.CheckValidity();
if (!CheckCertSubjectNames(cert))
{
return(null);
}
}
catch (CertificateExpiredException)
{
return(null);
}
catch (CertificateNotYetValidException)
{
return(null);
}
return(cert);
}
public static X509Certificate MakeCertificate(IAsymmetricCipherKeyPair _subKP,
string _subDN, IAsymmetricCipherKeyPair _issKP, string _issDN, string algorithm, bool _ca)
{
IAsymmetricKeyParameter _subPub = _subKP.Public;
IAsymmetricKeyParameter _issPriv = _issKP.Private;
IAsymmetricKeyParameter _issPub = _issKP.Public;
X509V3CertificateGenerator _v3CertGen = new X509V3CertificateGenerator();
_v3CertGen.Reset();
_v3CertGen.SetSerialNumber(allocateSerialNumber());
_v3CertGen.SetIssuerDN(new X509Name(_issDN));
_v3CertGen.SetNotBefore(DateTime.UtcNow);
_v3CertGen.SetNotAfter(DateTime.UtcNow.AddDays(100));
_v3CertGen.SetSubjectDN(new X509Name(_subDN));
_v3CertGen.SetPublicKey(_subPub);
_v3CertGen.SetSignatureAlgorithm(algorithm);
_v3CertGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
createSubjectKeyId(_subPub));
_v3CertGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
createAuthorityKeyId(_issPub));
_v3CertGen.AddExtension(X509Extensions.BasicConstraints, false,
new BasicConstraints(_ca));
X509Certificate _cert = _v3CertGen.Generate(_issPriv);
_cert.CheckValidity(DateTime.UtcNow);
_cert.Verify(_issPub);
return(_cert);
}
private static bool VerifyCertificate(X509Certificate cert, X509Certificate rootCert, X509Certificate middleCert, bool ifValidateCNName)
{
var cn = GetIdentitiesFromCertficate(cert);
try
{
cert.CheckValidity(); //验证有效期
if (!VerifyCertificateChain(cert, rootCert, middleCert)) //验证书链
{
return(false);
}
}
catch
{
return(false);
}
if (ifValidateCNName)
{
// 验证公钥是否属于银联
if (UNIONPAY_CNNAME != cn)
{
return(false);
}
}
else
{
if (UNIONPAY_CNNAME != cn && "00040000:SIGN" != cn)
{
return(false);
}
}
return(true);
}
private static bool VerifyCertificate(X509Certificate x509Cert)
{
string cn = GetIdentitiesFromCertficate(x509Cert);
try
{
x509Cert.CheckValidity(); //验证有效期
if (!VerifyCertificateChain(x509Cert)) //验证书链
{
return(false);
}
}
catch
{
return(false);
}
string unionpayCnName = "中国银联股份有限公司";
if (!unionpayCnName.Equals(cn) && !"00040000:SIGN".Equals(cn))
{
return(false);
}
return(true);
}
internal static AsymmetricKeyParameter CreatePublicKeyFromCertificateBytes(byte[] certificate)
{
X509CertificateParser parser = new X509CertificateParser();
X509Certificate cert = parser.ReadCertificate(certificate);
cert.CheckValidity();
return(cert.GetPublicKey());
}
public bool Verify(X509Certificate cert)
{
Org.BouncyCastle.Asn1.Cms.Time signingTime = this.GetSigningTime();
if (signingTime != null)
{
cert.CheckValidity(signingTime.Date);
}
return(this.DoVerify(cert.GetPublicKey()));
}
/// <summary>
/// Test if the signed x509 certificate has been expired.
/// </summary>
/// <param name="certificate">x509 certificate instance to validate.</param>
/// <returns></returns>
public static bool IsExpired(X509Certificate certificate)
{
try {
certificate.CheckValidity(DateTime.Now);
return(false);
}
catch (Exception) {
return(true);
}
}
public void Validate(X509Certificate cert)
{
try
{
byte[] b = DigestUtilities.CalculateDigest(certID.GetHashAlgorithmName(), cert.GetEncoded());
if (!Arrays.ConstantTimeAreEqual(certID.GetCertHash(), b))
{
throw new TspValidationException("certificate hash does not match certID hash.");
}
if (certID.IssuerSerial != null)
{
if (!certID.IssuerSerial.Serial.Value.Equals(cert.SerialNumber))
{
throw new TspValidationException("certificate serial number does not match certID for signature.");
}
GeneralName[] names = certID.IssuerSerial.Issuer.GetNames();
X509Name issuerX509Principal = PrincipalUtilities.GetIssuerX509Principal(cert);
bool flag = false;
for (int i = 0; i != names.Length; i++)
{
if (names[i].TagNo == 4 && X509Name.GetInstance(names[i].Name).Equivalent(issuerX509Principal))
{
flag = true;
break;
}
}
if (!flag)
{
throw new TspValidationException("certificate name does not match certID for signature. ");
}
}
TspUtil.ValidateCertificate(cert);
cert.CheckValidity(tstInfo.GenTime);
if (!tsaSignerInfo.Verify(cert))
{
throw new TspValidationException("signature not created by certificate.");
}
}
catch (CmsException ex)
{
if (ex.InnerException != null)
{
throw new TspException(ex.Message, ex.InnerException);
}
throw new TspException("CMS exception: " + ex, ex);
}
catch (CertificateEncodingException ex2)
{
throw new TspException("problem processing certificate: " + ex2, ex2);
}
catch (SecurityUtilityException ex3)
{
throw new TspException("cannot find algorithm: " + ex3.Message, ex3);
}
}
public void Validate(X509Certificate certificate)
{
try
{
certificate.CheckValidity(DateTime.Now);
}
catch (Exception e) when(e is CertificateNotYetValidException || e is CertificateExpiredException)
{
throw new FailedValidationException("Certificate does not have a valid expiration date.");
}
}
/**
* verify that the given certificate successfully handles and confirms
* the signature associated with this signer and, if a signingTime
* attribute is available, that the certificate was valid at the time the
* signature was generated.
*/
public bool Verify(
X509Certificate cert)
{
Asn1.Cms.Time signingTime = GetSigningTime();
if (signingTime != null)
{
cert.CheckValidity(signingTime.Date);
}
return(DoVerify(cert.GetPublicKey()));
}
public static bool ValidateSelfSignedCert(X509Certificate cert, ICipherParameters pubKey)
{
cert.CheckValidity(DateTime.UtcNow);
var tbsCert = cert.GetTbsCertificate();
var sig = cert.GetSignature();
var signer = SignerUtilities.GetSigner(cert.SigAlgName);
signer.Init(false, pubKey);
signer.BlockUpdate(tbsCert, 0, tbsCert.Length);
return(signer.VerifySignature(sig));
}
/// <summary>
/// Checks the certificate in this same date and time.
/// </summary>
/// <returns>
/// <c>true</c>, if is valid now, <c>false</c> otherwise.
/// </returns>
/// <param name='BCCert'>
/// BouncyCastle cert to check.
/// </param>
private static bool CertIsValidNow(X509Certificate BCCert)
{
try
{
BCCert.CheckValidity();
return(BCCert.IsValidNow);
}catch (CertificateExpiredException ce) {
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Certificate has expired");
}catch (CertificateNotYetValidException cex) {
SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation: Certificate is not yet valid");
}
return(false);
}
/// <summary>
/// Generate subject certificate.
/// </summary>
/// <param name="signatureAlgorithmName">Signature algorithm name.</param>
/// <param name="issuerPrivateKey">The asymmetric private key of issuer.</param>
/// <param name="issuerCert">The certificate of issuer.</param>
/// <param name="subjectPublicKey">The asymmetric public key of subject.</param>
/// <param name="subjectDN">The distinct name of subject.</param>
/// <param name="subjectExtensions">Extensions of subject.</param>
/// <param name="start">Start time.</param>
/// <param name="days">The valid days from the start time.</param>
/// <returns></returns>
/// <exception cref="Exception"/>
public static X509Certificate GenerateSubjectCert(string signatureAlgorithmName,
AsymmetricKeyParameter issuerPrivateKey,
X509Certificate issuerCert,
AsymmetricKeyParameter subjectPublicKey,
X509Name subjectDN,
X509Extensions subjectExtensions,
DateTime start,
int days)
{
if (issuerPrivateKey is null)
{
throw new ArgumentNullException(nameof(issuerPrivateKey));
}
if (issuerCert is null)
{
throw new ArgumentNullException(nameof(issuerCert));
}
if (subjectPublicKey is null)
{
throw new ArgumentNullException(nameof(subjectPublicKey));
}
try
{
issuerCert.CheckValidity();
}
catch
{
throw new CryptographicException("The issuer's certificate has expired.");
}
try
{
issuerCert.CheckValidity(start.AddDays(days));
}
catch
{
throw new CryptographicException("The end time exceeds the validity of the issuer certificate.");
}
return(GenerateCert(signatureAlgorithmName, issuerPrivateKey, issuerCert.SubjectDN, subjectPublicKey, subjectDN, subjectExtensions, start, days));
}
/// <summary>
/// Checks the ca cert is valid.
/// </summary>
/// <param name="issuingCaCert">The issuing ca cert.</param>
/// <returns>True if valid, false if not</returns>
protected bool checkCaCertValid(X509Certificate issuingCaCert)
{
try
{
caCertificate.CheckValidity();
caCertificate.Verify(issuingCaCert.GetPublicKey());
}
catch (Exception ex)
{
logEvent(LogEvent.EventType.Error, "CA " + ex.Message);
return(false);
}
return(true);
}
private static bool VerifyCertificate(X509Certificate x509Cert)
{
var cn = GetIdentitiesFromCertficate(x509Cert);
x509Cert.CheckValidity(); //验证有效期
if (!VerifyCertificateChain(x509Cert)) //验证书链
{
return(false);
}
var unionpayCnName = "中国银联股份有限公司";
return(unionpayCnName.Equals(cn) || "00040000:SIGN".Equals(cn));
}
public void ShowCertificateInfo(X509Certificate cert, DateTime signDate)
{
Console.WriteLine("Issuer: " + cert.IssuerDN);
Console.WriteLine("Subject: " + cert.SubjectDN);
Console.WriteLine("Valid from: " + cert.NotBefore.ToUniversalTime().ToString("yyyy-MM-dd"));
Console.WriteLine("Valid to: " + cert.NotAfter.ToUniversalTime().ToString("yyyy-MM-dd"));
// Check if a certificate was valid on the signing date
try
{
cert.CheckValidity(signDate);
Console.WriteLine("The certificate was valid at the time of signing.");
}
catch (CertificateExpiredException)
{
Console.WriteLine("The certificate was expired at the time of signing.");
}
catch (CertificateNotYetValidException)
{
Console.WriteLine("The certificate wasn't valid yet at the time of signing.");
}
// Check if a certificate is still valid now
try
{
cert.CheckValidity();
Console.WriteLine("The certificate is still valid.");
}
catch (CertificateExpiredException)
{
Console.WriteLine("The certificate has expired.");
}
catch (CertificateNotYetValidException)
{
Console.WriteLine("The certificate isn't valid yet.");
}
}
public static X509Certificate MakeV1Certificate(AsymmetricCipherKeyPair subKP,
string _subDN, AsymmetricCipherKeyPair issKP, string _issDN)
{
AsymmetricKeyParameter subPub = subKP.Public;
AsymmetricKeyParameter issPriv = issKP.Private;
AsymmetricKeyParameter issPub = issKP.Public;
X509V1CertificateGenerator v1CertGen = new X509V1CertificateGenerator();
v1CertGen.Reset();
v1CertGen.SetSerialNumber(AllocateSerialNumber());
v1CertGen.SetIssuerDN(new X509Name(_issDN));
v1CertGen.SetNotBefore(DateTime.UtcNow);
v1CertGen.SetNotAfter(DateTime.UtcNow.AddDays(100));
v1CertGen.SetSubjectDN(new X509Name(_subDN));
v1CertGen.SetPublicKey(subPub);
if (issPub is RsaKeyParameters)
{
v1CertGen.SetSignatureAlgorithm("SHA1WithRSA");
}
else if (issPub is DsaPublicKeyParameters)
{
v1CertGen.SetSignatureAlgorithm("SHA1withDSA");
}
else if (issPub is ECPublicKeyParameters)
{
ECPublicKeyParameters ecPub = (ECPublicKeyParameters)issPub;
if (ecPub.AlgorithmName == "ECGOST3410")
{
v1CertGen.SetSignatureAlgorithm("GOST3411withECGOST3410");
}
else
{
v1CertGen.SetSignatureAlgorithm("SHA1withECDSA");
}
}
else
{
v1CertGen.SetSignatureAlgorithm("GOST3411WithGOST3410");
}
X509Certificate _cert = v1CertGen.Generate(issPriv);
_cert.CheckValidity(DateTime.UtcNow);
_cert.Verify(issPub);
return(_cert);
}
private async Task <X509Certificate> RetrieveAndVerifyCertificateAsync(string certChainUrl)
{
// making requests to externally-supplied URLs is an open invitation to DoS
// so restrict host to an Alexa controlled subdomain/path
if (!VerifyCertificateUrl(certChainUrl))
{
return(null);
}
X509Certificate foundCert = null;
HttpResponseMessage responseMessage = null;
using (HttpClient client = new HttpClient())
{
responseMessage = await client.GetAsync(certChainUrl);
}
if (responseMessage.IsSuccessStatusCode)
{
string certText = await responseMessage.Content.ReadAsStringAsync();
foundCert = TextToCert(certText);
try
{
foundCert.CheckValidity();
if (!CheckCertSubjectNames(foundCert))
{
return(null);
}
else
{
await StoreCertAsync(certChainUrl, certText);
}
}
catch (CertificateExpiredException)
{
_logger.LogError("Certificate expired");
return(null);
}
catch (CertificateNotYetValidException)
{
_logger.LogError("Certificate not yet valid");
return(null);
}
}
return(foundCert);
}
/// <summary>
/// Checks the certificates in a certificate chain:
/// are they valid on a specific date, and
/// do they chain up correctly?
/// </summary>
/// <param name="chain">the certificate chain</param>
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
public virtual void VerifyChain(X509Certificate[] chain)
{
// Loop over the certificates in the chain
for (int i = 0; i < chain.Length; i++)
{
X509Certificate cert = (X509Certificate)chain[i];
// check if the certificate was/is valid
cert.CheckValidity(signDate);
// check if the previous certificate was issued by this certificate
if (i > 0)
{
chain[i - 1].Verify(chain[i].GetPublicKey());
}
}
LOGGER.Info("All certificates are valid on " + signDate.ToString());
}
/// <summary>
/// Test if the signed x509 certificate has been expired.
/// </summary>
/// <param name="data">PEM formatted certificate byte array.</param>
/// <returns></returns>
/// <exception cref="CertificateIOException">Thrown when the
/// <see cref="data"/> is either null or zero length.</exception>
public static bool IsExpired(byte[] data)
{
if (data == null || data.Length == 0)
{
throw new Exception();
}
X509Certificate certificate = DeserializeCert(data);
try {
certificate.CheckValidity(DateTime.Now);
return(false);
}
catch (Exception) {
return(true);
}
}
public void TestX509CertificateConversion()
{
BigInteger DSAParaG = new BigInteger(Base64.Decode("AL0fxOTq10OHFbCf8YldyGembqEu08EDVzxyLL29Zn/t4It661YNol1rnhPIs+cirw+yf9zeCe+KL1IbZ/qIMZM="));
BigInteger DSAParaP = new BigInteger(Base64.Decode("AM2b/UeQA+ovv3dL05wlDHEKJ+qhnJBsRT5OB9WuyRC830G79y0R8wuq8jyIYWCYcTn1TeqVPWqiTv6oAoiEeOs="));
BigInteger DSAParaQ = new BigInteger(Base64.Decode("AIlJT7mcKL6SUBMmvm24zX1EvjNx"));
BigInteger DSAPublicY = new BigInteger(Base64.Decode("TtWy2GuT9yGBWOHi1/EpCDa/bWJCk2+yAdr56rAcqP0eHGkMnA9s9GJD2nGU8sFjNHm55swpn6JQb8q0agrCfw=="));
BigInteger DsaPrivateX = new BigInteger(Base64.Decode("MMpBAxNlv7eYfxLTZ2BItJeD31A="));
DsaParameters para = new DsaParameters(DSAParaP, DSAParaQ, DSAParaG);
DsaPrivateKeyParameters dsaPriv = new DsaPrivateKeyParameters(DsaPrivateX, para);
DsaPublicKeyParameters dsaPub = new DsaPublicKeyParameters(DSAPublicY, para);
IDictionary attrs = new Hashtable();
attrs[X509Name.C] = "AU";
attrs[X509Name.O] = "The Legion of the Bouncy Castle";
attrs[X509Name.L] = "Melbourne";
attrs[X509Name.ST] = "Victoria";
attrs[X509Name.E] = "*****@*****.**";
IList ord = new ArrayList(attrs.Keys);
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.SetSerialNumber(BigInteger.One);
certGen.SetIssuerDN(new X509Name(ord, attrs));
certGen.SetNotBefore(DateTime.UtcNow.AddDays(-1));
certGen.SetNotAfter(DateTime.UtcNow.AddDays(1));
certGen.SetSubjectDN(new X509Name(ord, attrs));
certGen.SetPublicKey(dsaPub);
certGen.SetSignatureAlgorithm("SHA1WITHDSA");
X509Certificate cert = certGen.Generate(dsaPriv);
cert.CheckValidity();
cert.Verify(dsaPub);
SystemX509.X509Certificate dotNetCert = DotNetUtilities.ToX509Certificate(cert);
X509Certificate certCopy = DotNetUtilities.FromX509Certificate(dotNetCert);
Assert.AreEqual(cert, certCopy);
certCopy.CheckValidity();
certCopy.Verify(dsaPub);
}
/**
* we generate the CA's certificate
*/
public static X509CertificateEntry CreateMasterCert(
AsymmetricKeyParameter pubKey,
AsymmetricKeyParameter privKey)
{
//
// signers name
//
string issuer = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate";
//
// subjects name - the same as we are self signed.
//
string subject = "C=AU, O=The Legion of the Bouncy Castle, OU=Bouncy Primary Certificate";
//
// create the certificate - version 1
//
v1CertGen.SetSerialNumber(BigInteger.One);
v1CertGen.SetIssuerDN(new X509Name(issuer));
v1CertGen.SetNotBefore(DateTime.UtcNow.AddMonths(-1));
v1CertGen.SetNotAfter(DateTime.UtcNow.AddMonths(1));
v1CertGen.SetSubjectDN(new X509Name(subject));
v1CertGen.SetPublicKey(pubKey);
v1CertGen.SetSignatureAlgorithm("SHA1WithRSAEncryption");
X509Certificate cert = v1CertGen.Generate(privKey);
cert.CheckValidity(DateTime.UtcNow);
cert.Verify(pubKey);
// PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)cert;
IDictionary bagAttr = new Hashtable();
//
// this is actually optional - but if you want to have control
// over setting the friendly name this is the way to do it...
//
// bagAttr.setBagAttribute(
// PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
// new DERBMPString("Bouncy Primary Certificate"));
bagAttr.Add(PkcsObjectIdentifiers.Pkcs9AtFriendlyName.Id,
new DerBmpString("Bouncy Primary Certificate"));
return(new X509CertificateEntry(cert, bagAttr));
}
/**
* Checks the validity of the certificate, and calls the next
* verifier in the chain, if any.
* @param signCert the certificate that needs to be checked
* @param issuerCert its issuer
* @param signDate the date the certificate needs to be valid
* @return a list of <code>VerificationOK</code> objects.
* The list will be empty if the certificate couldn't be verified.
* @throws GeneralSecurityException
* @throws IOException
*/
virtual public List<VerificationOK> Verify(X509Certificate signCert, X509Certificate issuerCert, DateTime signDate) {
// Check if the certificate is valid on the signDate
//if (signDate != null)
signCert.CheckValidity(signDate);
// Check if the signature is valid
if (issuerCert != null) {
signCert.Verify(issuerCert.GetPublicKey());
}
// Also in case, the certificate is self-signed
else {
signCert.Verify(signCert.GetPublicKey());
}
List<VerificationOK> result = new List<VerificationOK>();
if (verifier != null)
result.AddRange(verifier.Verify(signCert, issuerCert, signDate));
return result;
}
public static X509Certificate MakeCertificate(AsymmetricCipherKeyPair _subKP,
string _subDN, AsymmetricCipherKeyPair _issKP, string _issDN, bool _ca)
{
AsymmetricKeyParameter _subPub = _subKP.Public;
AsymmetricKeyParameter _issPriv = _issKP.Private;
AsymmetricKeyParameter _issPub = _issKP.Public;
X509V3CertificateGenerator _v3CertGen = new X509V3CertificateGenerator();
_v3CertGen.Reset();
_v3CertGen.SetSerialNumber(allocateSerialNumber());
_v3CertGen.SetIssuerDN(new X509Name(_issDN));
_v3CertGen.SetNotBefore(DateTime.UtcNow);
_v3CertGen.SetNotAfter(DateTime.UtcNow.AddDays(100));
_v3CertGen.SetSubjectDN(new X509Name(_subDN));
_v3CertGen.SetPublicKey(_subPub);
_v3CertGen.SetSignatureAlgorithm("MD5WithRSAEncryption");
_v3CertGen.AddExtension(X509Extensions.SubjectKeyIdentifier, false,
createSubjectKeyId(_subPub));
_v3CertGen.AddExtension(X509Extensions.AuthorityKeyIdentifier, false,
createAuthorityKeyId(_issPub));
if (_ca)
{
_v3CertGen.AddExtension(X509Extensions.BasicConstraints, false,
new BasicConstraints(_ca));
}
else
{
_v3CertGen.AddExtension(X509Extensions.ExtendedKeyUsage, true,
ExtendedKeyUsage.GetInstance(new DerSequence(KeyPurposeID.IdKPTimeStamping)));
}
X509Certificate _cert = _v3CertGen.Generate(_issPriv);
_cert.CheckValidity(DateTime.UtcNow);
_cert.Verify(_issPub);
return(_cert);
}
/**
* verify that the given certificate succesfully handles and confirms
* the signature associated with this signer and, if a signingTime
* attribute is available, that the certificate was valid at the time the
* signature was generated.
*/
public bool Verify(
X509Certificate cert)
{
Asn1.Cms.AttributeTable attr = this.SignedAttributes;
if (attr != null)
{
Asn1.Cms.Attribute t = attr[CmsAttributes.SigningTime];
if (t != null)
{
Asn1.Cms.Time time = Asn1.Cms.Time.GetInstance(
t.AttrValues[0].ToAsn1Object());
cert.CheckValidity(time.Date);
}
}
return(DoVerify(cert.GetPublicKey(), attr));
}
/// <summary>
///
/// </summary>
public async Task <X509Certificate> RetrieveAndVerifyCertificateAsync(string certChainUrl)
{
// making requests to externally-supplied URLs is an open invitation to DoS
// so restrict host to an Alexa controlled subdomain/path
if (!VerifyCertificateUrl(certChainUrl))
{
return(null);
}
HttpClient httpClient = new HttpClient();
HttpResponseMessage httpResponse = await httpClient.GetAsync(certChainUrl);
string content = await httpResponse.Content.ReadAsStringAsync();
if (string.IsNullOrEmpty(content))
{
return(null);
}
Org.BouncyCastle.OpenSsl.PemReader pemReader = new Org.BouncyCastle.OpenSsl.PemReader(new StringReader(content));
X509Certificate cert = (X509Certificate)pemReader.ReadObject();
try
{
cert.CheckValidity();
if (!CheckCertSubjectNames(cert))
{
return(null);
}
}
catch (CertificateExpiredException)
{
return(null);
}
catch (CertificateNotYetValidException)
{
return(null);
}
return(cert);
}
private void CheckCertificateValidity(X509Certificate cert)
{
cert.CheckValidity();
var caCert = GetRootCert();
var gst = GetSigner();
gst.Init(false, caCert.GetPublicKey());
var tbsCertificate = cert.GetTbsCertificate();
gst.BlockUpdate(tbsCertificate, 0, tbsCertificate.Length);
var t = gst.VerifySignature(cert.GetSignature());
if (!t)
{
throw new CryptographicException("Cannot verify signature");
}
}
/// <summary>
/// Deserializes a PEM formatted certificate byte array into
/// a <see cref="X509Certificate"/> instance.
/// </summary>
/// <param name="data">PEM formatted certificate byte array.</param>
/// <returns><see cref="X509Certificate"/> instance.</returns>
/// <exception cref="CertificateIOException">Thrown when the
/// <see cref="data"/> is either null or zero length.</exception>
public static X509Certificate DeserializeCert(byte[] data)
{
if (data == null || data.Length == 0)
{
throw new Exception();
}
using (MemoryStream stream = new MemoryStream(data)) {
using (StreamReader reader = new StreamReader(stream)) {
PemReader pemReader = new PemReader(reader);
X509Certificate cert = (X509Certificate)pemReader.ReadObject();
pemReader.Reader.Close();
try {
cert.CheckValidity();
return(cert);
}
catch (Exception) {
return(null);
}
}
}
}
private static Boolean VerifyCertificate(X509Certificate x509Cert)
{
string cn = GetIdentitiesFromCertficate(x509Cert);
try
{
x509Cert.CheckValidity(); //验证有效期
// x509Cert.Verify(rootCert.GetPublicKey());
if (!VerifyCertificateChain(x509Cert)) //验证书链
{
return(false);
}
}
catch (Exception e)
{
Log.Error("verifyCertificate fail", e);
return(false);
}
if (!"false".Equals(SdkConfig.IfValidateCNName))
{
// 验证公钥是否属于银联
if (!UNIONPAY_CNNAME.Equals(cn))
{
Log.Error("cer owner is not CUP:" + cn);
return(false);
}
}
else
{
if (!UNIONPAY_CNNAME.Equals(cn) && !"00040000:SIGN".Equals(cn))
{
Log.Error("cer owner is not CUP:" + cn);
return(false);
}
}
return(true);
}
