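/// <summary>
/// Builds an OCSP request for one certificate identifier, carrying a fresh random
/// nonce (id-pkix-ocsp-nonce) and an acceptable-response-types extension
/// (id-pkix-ocsp-response) naming id-pkix-ocsp-basic.
/// </summary>
/// <param name="id">Issuer-hash / serial-number identifier of the certificate whose status is requested.</param>
/// <returns>The unsigned OCSP request; call <c>GetEncoded()</c> to obtain the bytes to POST.</returns>
/// <remarks>
/// The original derived a "nonce" from <c>new DateTime().Ticks</c> (always 0) and never attached it,
/// and wrapped the decimal digits of id-pkix-ocsp-basic as raw bytes under the id-pkix-ocsp OID, which
/// is not a valid encoding of any OCSP extension. A nonce only protects against replay if the caller
/// compares it with the value echoed in the response
/// (<c>BasicOcspResp.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce)</c>); the nonce is not
/// returned from here, so that comparison is not possible through this signature.
/// </remarks>
private OcspReq GenerateOcspRequest(CertificateID id)
{
    OcspReqGenerator ocspRequestGenerator = new OcspReqGenerator();
    ocspRequestGenerator.AddRequest(id);

    // Replay protection needs an unpredictable value: 16 bytes from the platform CSPRNG.
    byte[] nonce = new byte[16];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(nonce);
    }

    ArrayList oids = new ArrayList();
    Hashtable values = new Hashtable();

    // RFC 6960 4.4.1: extnValue is an OCTET STRING whose content is the DER of the nonce OCTET STRING.
    oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
    values.Add(OcspObjectIdentifiers.PkixOcspNonce,
        new X509Extension(false, new DerOctetString(new DerOctetString(nonce).GetEncoded())));

    // RFC 6960 4.4.3: AcceptableResponses is a SEQUENCE OF OBJECT IDENTIFIER.
    oids.Add(OcspObjectIdentifiers.PkixOcspResponse);
    values.Add(OcspObjectIdentifiers.PkixOcspResponse,
        new X509Extension(false, new DerOctetString(new DerSequence(OcspObjectIdentifiers.PkixOcspBasic))));

    ocspRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));
    return ocspRequestGenerator.Generate();
}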
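/// <summary>
/// Fetches an OCSP response for <paramref name="certificate"/> from the responder named in its
/// Authority Information Access extension.
/// </summary>
/// <param name="certificate">Certificate whose status is queried.</param>
/// <param name="issuerCertificate">Issuer of <paramref name="certificate"/>; used to build the SHA-1 CertID.</param>
/// <returns>The BasicOCSPResponse, or <c>null</c> when the certificate has no OCSP URI, the fetch fails,
/// the responder's status is not <c>successful</c>, or the response cannot be decoded.</returns>
/// <exception cref="System.IO.IOException">Propagated from encoding or stream handling.</exception>
/// <remarks>
/// No nonce is sent, and the returned response is NOT verified here: the caller must check the
/// responder signature, that a SingleResp CertID matches the certificate, and thisUpdate/nextUpdate
/// freshness before trusting the status.
/// </remarks>
public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)
{
    try
    {
        this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod);
        LOG.Info("OCSP URI: " + this.OcspUri);
        if (this.OcspUri == null)
        {
            return null;
        }

        OcspReqGenerator ocspReqGenerator = new OcspReqGenerator();
        CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate, certificate.SerialNumber);
        ocspReqGenerator.AddRequest(certId);
        byte[] ocspReqData = ocspReqGenerator.Generate().GetEncoded();

        OcspResp ocspResp = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream(ocspReqData)));

        // RFC 6960 4.2.1: responseBytes is absent unless responseStatus is successful (0). Decoding a
        // missing response object is what produced the ArgumentNullException the original swallowed.
        if (ocspResp.Status != OcspRespStatus.Successful)
        {
            LOG.Error("OCSP responder status: " + ocspResp.Status);
            return null;
        }

        try
        {
            return (BasicOcspResp)ocspResp.GetResponseObject();
        }
        catch (ArgumentNullException)
        {
            // Defensive: older BouncyCastle builds perform no nullity checks inside OcspResp.
            return null;
        }
    }
    catch (CannotFetchDataException)
    {
        return null;
    }
    catch (OcspException e)
    {
        LOG.Error("OCSP error: " + e.Message);
        return null;
    }
}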
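/// <summary>
/// Checks every non-root certificate of <paramref name="chain"/> against the OCSP responder
/// advertised in its own Authority Information Access extension.
/// </summary>
/// <returns>
/// <c>true</c> if any certificate is reported revoked, or if revocation checking failed
/// (transport error, responder error status, unverifiable signature, nonce or CertID mismatch —
/// fail closed, as the original did for exceptions); <c>false</c> if every answer was "good".
/// When no certificate advertises an OCSP URL the result is <c>false</c> and a warning is logged
/// (soft fail, kept from the original).
/// </returns>
/// <param name='chain'>The certificate chain as built by .NET: leaf first, trust anchor last.</param>
/// <remarks>
/// Changes from the original: each request goes only to its own certificate's OCSP URL instead of
/// every request to every URL; the issuer is the next chain element (the original paired
/// certificates only after dropping those without an AIA, which mis-paired them); the nonce is
/// random rather than <c>DateTime.Now.Ticks</c> and is compared with the echoed nonce; the
/// responder status, response signature and CertID are verified; the HTTP response is disposed.
/// OCSP normally runs over plain http by design — integrity comes from the responder signature,
/// so that check must not be removed. thisUpdate/nextUpdate freshness is still not checked here.
/// </remarks>
private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
{
    bool bCertificateIsRevoked = false;
    bool foundOcspUrl = false;
    try
    {
        var elements = chain.ChainElements;
        // The last element is the trust anchor; there is no issuer in the chain to ask about it.
        for (int i = 0; i < elements.Count - 1 && !bCertificateIsRevoked; i++)
        {
            X509Certificate subjectCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(elements[i].Certificate);
            X509Certificate issuerCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(elements[i + 1].Certificate);

            Uri ocspUrl = OcspUrlFromAia(subjectCert);
            if (ocspUrl == null)
            {
                continue; // no OCSP responder advertised for this certificate
            }
            foundOcspUrl = true;

            // CSPRNG nonce: a clock-derived nonce can be predicted and the response replayed.
            byte[] nonce = new byte[16];
            using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
            {
                rng.GetBytes(nonce);
            }

            CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCert, subjectCert.SerialNumber);
            BasicOcspResp basicResponse = PostOcspRequest(ocspUrl, BuildNoncedOcspRequest(certId, nonce));

            // Every integrity failure below throws; the outer handler logs it and marks the
            // certificate revoked, which is the fail-closed path the original already had.
            if (!OcspResponseSignedByIssuerOrDelegate(basicResponse, issuerCert))
            {
                throw new InvalidOperationException("OCSP response signature could not be verified against issuer " + issuerCert.SubjectDN);
            }

            // Responders that do not support nonces omit the extension (RFC 6960 permits this);
            // when one is present it must echo ours, otherwise this is a replayed response.
            Asn1OctetString echoedNonce = basicResponse.GetExtensionValue(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
            if (echoedNonce != null && !Org.BouncyCastle.Utilities.Arrays.AreEqual(echoedNonce.GetOctets(), nonce))
            {
                throw new InvalidOperationException("OCSP response nonce does not match the request nonce");
            }

            bool matched = false;
            foreach (SingleResp singleResponse in basicResponse.Responses)
            {
                if (!certId.Equals(singleResponse.GetCertID()))
                {
                    continue; // an answer about some other certificate
                }
                matched = true;
                object certStatus = singleResponse.GetCertStatus();
                if (certStatus is RevokedStatus)
                {
                    bCertificateIsRevoked = true;
                }
                else if (certStatus is UnknownStatus)
                {
                    // NOTE(review): kept as "not revoked" to preserve the original outcome; a stricter
                    // policy would treat "unknown" as a failed check.
                    SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP status unknown for certificate serial " + subjectCert.SerialNumber);
                }
                // A null status is CertStatus "good" (RFC 6960 encodes it as NULL).
            }
            if (!matched)
            {
                throw new InvalidOperationException("OCSP response contains no entry for the requested certificate");
            }
        }

        if (!foundOcspUrl)
        {
            SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");
        }
    }
    catch (Exception e)
    {
        SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
        bCertificateIsRevoked = true;
    }
    if (bCertificateIsRevoked)
    {
        SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
    }
    return bCertificateIsRevoked;
}

/// <summary>
/// Returns the first http/https OCSP access location from the certificate's AIA extension,
/// or <c>null</c> when the certificate advertises none.
/// </summary>
private static Uri OcspUrlFromAia(X509Certificate cert)
{
    X509Extensions extensions = cert.CertificateStructure.TbsCertificate.Extensions;
    if (extensions == null)
    {
        return null;
    }
    X509Extension aia = extensions.GetExtension(X509Extensions.AuthorityInfoAccess);
    if (aia == null)
    {
        return null;
    }
    AccessDescription[] descriptions = AuthorityInformationAccess.GetInstance(aia).GetAccessDescriptions();
    if (descriptions == null)
    {
        return null;
    }
    foreach (AccessDescription description in descriptions)
    {
        // The original took descriptions[0] whatever its access method; that may be the caIssuers URL.
        if (!AccessDescription.IdADOcsp.Equals(description.AccessMethod))
        {
            continue;
        }
        GeneralName location = description.AccessLocation;
        if (location.TagNo != GeneralName.UniformResourceIdentifier)
        {
            continue;
        }
        Uri url;
        if (Uri.TryCreate(location.Name.ToString(), UriKind.Absolute, out url)
            && (url.Scheme == Uri.UriSchemeHttp || url.Scheme == Uri.UriSchemeHttps))
        {
            return url;
        }
    }
    return null;
}

/// <summary>
/// Builds a request for <paramref name="certId"/> carrying <paramref name="nonce"/> in the
/// id-pkix-ocsp-nonce extension (same wire form as the original: extnValue octets are the raw
/// nonce bytes; responders echo extnValue verbatim, which is what the caller compares).
/// </summary>
private static OcspReq BuildNoncedOcspRequest(CertificateID certId, byte[] nonce)
{
    OcspReqGenerator generator = new OcspReqGenerator();
    List<DerObjectIdentifier> oids = new List<DerObjectIdentifier>();
    oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
    List<X509Extension> values = new List<X509Extension>();
    values.Add(new X509Extension(false, new DerOctetString(nonce)));
    generator.SetRequestExtensions(new X509Extensions(oids, values));
    generator.AddRequest(certId);
    return generator.Generate();
}

/// <summary>
/// POSTs <paramref name="request"/> to <paramref name="ocspUrl"/> and returns the decoded
/// BasicOCSPResponse. Throws when the responder status is not successful or the response is not
/// a BasicOCSPResponse.
/// </summary>
private static BasicOcspResp PostOcspRequest(Uri ocspUrl, OcspReq request)
{
    HttpWebRequest http = (HttpWebRequest)WebRequest.Create(ocspUrl);
    http.Method = "POST";
    http.ContentType = "application/ocsp-request";
    http.Accept = "application/ocsp-response";
    http.ReadWriteTimeout = 15000; // 15 s per read/write on the request/response streams
    http.Timeout = 100000;         // 100 s to obtain the request stream / the response

    byte[] body = request.GetEncoded();
    using (Stream requestStream = http.GetRequestStream())
    {
        requestStream.Write(body, 0, body.Length);
        requestStream.Flush();
    }

    // The original never disposed the HttpWebResponse, leaking the connection.
    using (HttpWebResponse serverResponse = (HttpWebResponse)http.GetResponse())
    using (Stream responseStream = serverResponse.GetResponseStream())
    {
        OcspResp ocspResponse = new OcspResp(responseStream);
        // RFC 6960 4.2.1: only a successful (0) status carries response bytes.
        if (ocspResponse.Status != OcspRespStatus.Successful)
        {
            throw new InvalidOperationException("OCSP responder returned status " + ocspResponse.Status);
        }
        BasicOcspResp basic = ocspResponse.GetResponseObject() as BasicOcspResp;
        if (basic == null)
        {
            throw new InvalidOperationException("OCSP response is not a BasicOCSPResponse");
        }
        return basic;
    }
}

/// <summary>
/// RFC 6960 4.2.2.2: a response is acceptable if signed by the issuing CA itself, or by a
/// responder certificate that the CA issued and that carries the id-kp-OCSPSigning extended key
/// usage. Responder certificates are taken from the response's own <c>certs</c> field.
/// </summary>
private static bool OcspResponseSignedByIssuerOrDelegate(BasicOcspResp response, X509Certificate issuerCert)
{
    var issuerKey = issuerCert.GetPublicKey();
    if (response.Verify(issuerKey))
    {
        return true;
    }
    X509Certificate[] responderCerts = response.GetCerts();
    if (responderCerts == null)
    {
        return false;
    }
    foreach (X509Certificate responder in responderCerts)
    {
        try
        {
            responder.Verify(issuerKey);   // throws unless this certificate was signed by the issuing CA
            responder.CheckValidity();     // throws when expired or not yet valid
            Asn1OctetString ekuValue = responder.GetExtensionValue(X509Extensions.ExtendedKeyUsage);
            if (ekuValue == null)
            {
                continue;
            }
            ExtendedKeyUsage eku = ExtendedKeyUsage.GetInstance(Asn1Object.FromByteArray(ekuValue.GetOctets()));
            if (!eku.HasKeyPurposeId(KeyPurposeID.IdKPOcspSigning))
            {
                continue;
            }
            if (response.Verify(responder.GetPublicKey()))
            {
                return true;
            }
        }
        catch (Exception)
        {
            // Not issued by this CA or otherwise unusable; try the next embedded certificate.
        }
    }
    return false;
}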
/// <summary>
/// Builds the internal SingleResponse record for one CertID.
/// </summary>
/// <param name="certId">Identifier of the certificate this entry describes.</param>
/// <param name="certStatus"><c>null</c> means "good"; <c>UnknownStatus</c> becomes the CertStatus [2]
/// choice; anything else is cast to <c>RevokedStatus</c> (a new subclass would raise InvalidCastException).</param>
/// <param name="thisUpdate">Time at which the status is known to be correct.</param>
/// <param name="nextUpdate">Time by which newer information will be available; may be <c>null</c>.</param>
/// <param name="extensions">Optional singleExtensions; may be <c>null</c>.</param>
private ResponseObject(CertificateID certId, CertificateStatus certStatus, DerGeneralizedTime thisUpdate, DerGeneralizedTime nextUpdate, X509Extensions extensions)
{
    this.certId = certId;
    this.thisUpdate = thisUpdate;
    this.nextUpdate = nextUpdate;
    this.extensions = extensions;

    if (certStatus == null)
    {
        this.certStatus = new CertStatus(); // good
    }
    else if (certStatus is UnknownStatus)
    {
        this.certStatus = new CertStatus(2, DerNull.Instance); // unknown
    }
    else
    {
        RevokedStatus revoked = (RevokedStatus)certStatus;
        CrlReason reason = revoked.HasRevocationReason ? new CrlReason(revoked.RevocationReason) : null;
        this.certStatus = new CertStatus(new RevokedInfo(new DerGeneralizedTime(revoked.RevocationTime), reason));
    }
}
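/// <summary>
/// Looks through the OCSP responses embedded in the signature for one whose SingleResp CertID
/// matches <paramref name="certificate"/> issued by <paramref name="issuerCertificate"/>.
/// </summary>
/// <param name="certificate">Certificate whose status is sought.</param>
/// <param name="issuerCertificate">Issuer used to compute the SHA-1 CertID.</param>
/// <returns>The first matching BasicOCSPResponse, or <c>null</c> (after <c>OcspNotFound</c>) when none matches
/// or an <c>OcspException</c> occurs.</returns>
/// <exception cref="System.IO.IOException">Propagated from the signature parser.</exception>
/// <remarks>
/// Matching on CertID only establishes which response talks about this certificate; the
/// responder signature and freshness of the returned response are not verified here.
/// </remarks>
public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate)
{
    LOG.Info("find OCSP response");
    try
    {
        // The identifier does not depend on the response being scanned; compute it once
        // instead of re-hashing the issuer for every embedded response.
        CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate, certificate.SerialNumber);
        foreach (BasicOcspResp basicOCSPResp in GetOCSPResponsesFromSignature())
        {
            foreach (SingleResp singleResp in basicOCSPResp.Responses)
            {
                if (certId.Equals(singleResp.GetCertID()))
                {
                    LOG.Info("OCSP response found");
                    return basicOCSPResp;
                }
            }
        }
        OcspNotFound(certificate, issuerCertificate);
        return null;
    }
    catch (OcspException e)
    {
        LOG.Error("OcspException: " + e.Message);
        return null;
    }
}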
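/// <summary>
/// Generate an encoded OCSP request for <paramref name="id"/> with a random nonce and an
/// acceptable-response-types extension naming id-pkix-ocsp-basic.
/// </summary>
/// <param name="id">CertID (issuer hashes + serial) of the certificate to check.</param>
/// <param name="cert">Certificate whose subject DN is placed in requestorName.</param>
/// <returns>DER encoding of the OCSPRequest.</returns>
/// <remarks>
/// The original drew the nonce from <c>System.Random</c>, which is clock-seeded and predictable,
/// so it gave no replay protection. The nonce is still not returned to the caller, so the echoed
/// nonce in the response cannot be checked through this signature. The original also wrote the
/// decimal digits of id-pkix-ocsp-basic as raw bytes under the id-pkix-ocsp OID, which encodes
/// nothing meaningful; that is replaced by the RFC 6960 4.4.3 AcceptableResponses extension.
/// </remarks>
byte[] GenerateOCSPRequest(Org.BouncyCastle.Ocsp.CertificateID id, Org.BouncyCastle.X509.X509Certificate cert)
{
    byte[] nonce = new byte[16];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(nonce);
    }

    var gen = new Org.BouncyCastle.Ocsp.OcspReqGenerator();
    gen.AddRequest(id);
    gen.SetRequestorName(new Org.BouncyCastle.Asn1.X509.GeneralName(
        Org.BouncyCastle.Asn1.X509.GeneralName.DirectoryName, cert.SubjectDN));

    IList oids = new ArrayList();
    IList values = new ArrayList();

    // RFC 6960 4.4.1: extnValue is an OCTET STRING whose content is the DER of the nonce OCTET STRING.
    oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
    values.Add(new X509Extension(false, new Org.BouncyCastle.Asn1.DerOctetString(
        new Org.BouncyCastle.Asn1.DerOctetString(nonce))));

    // RFC 6960 4.4.3: AcceptableResponses is a SEQUENCE OF OBJECT IDENTIFIER.
    oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspResponse);
    values.Add(new X509Extension(false, new Org.BouncyCastle.Asn1.DerOctetString(
        new Org.BouncyCastle.Asn1.DerSequence(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspBasic))));

    gen.SetRequestExtensions(new X509Extensions(oids, values));
    return gen.Generate().GetEncoded();
}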
/// <summary>
/// Pairs a CertID with its optional singleRequestExtensions.
/// </summary>
/// <param name="certId">Certificate identifier of interest.</param>
/// <param name="extensions">Per-request extensions; <c>null</c> when there are none.</param>
public RequestObject(CertificateID certId, X509Extensions extensions)
{
    this.extensions = extensions;
    this.certId = certId;
}
/// <summary>
/// Convenience overload: <paramref name="thisUpdate"/> given as a <see cref="DateTime"/>,
/// with no nextUpdate.
/// </summary>
/// <param name="certId">Identifier of the certificate this entry describes.</param>
/// <param name="certStatus">Status; <c>null</c> means "good".</param>
/// <param name="thisUpdate">Time at which the status is known to be correct.</param>
/// <param name="extensions">Optional singleExtensions; may be <c>null</c>.</param>
public ResponseObject(CertificateID certId, CertificateStatus certStatus, DateTime thisUpdate, X509Extensions extensions)
    : this(certId, certStatus, new DerGeneralizedTime(thisUpdate), (DerGeneralizedTime)null, extensions)
{
}
/// <summary>
/// Creates the OCSP request to send to the OCSP responder for one client certificate.
/// </summary>
/// <param name="issuerCert">Certificate of the issuer of the client certificate</param>
/// <param name="serialNumber">Serial number of the client certificate</param>
/// <returns>Unsigned OCSP request (SHA-1 CertID) to be sent to the OCSP responder</returns>
/// <remarks>
/// No nonce is included, so a captured response could be replayed; freshness must then be judged
/// from the response's thisUpdate/nextUpdate by the caller.
/// </remarks>
private BouncyCastleOCSP.OcspReq CreateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
    var generator = new BouncyCastleOCSP.OcspReqGenerator();
    generator.AddRequest(new BouncyCastleOCSP.CertificateID(BouncyCastleOCSP.CertificateID.HashSha1, issuerCert, serialNumber));
    return generator.Generate();
}
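/// <summary>
/// Checks that the CertID found in the OCSP response is the one we asked about.
/// </summary>
/// <param name="issuerCert">Issuer certificate of the client certificate</param>
/// <param name="clientCert">Client certificate</param>
/// <param name="certificateId">Id of the certificate found in the OCSP response</param>
/// <remarks>
/// RFC 6960 CertID is (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber). The original
/// compared only the serial and the issuer name hash; two CAs can share a subject name but not a
/// key, so the issuer key hash is compared as well. The expected id is computed with SHA-1, so a
/// responder that answers with another hash algorithm is rejected (pre-existing behaviour).
/// </remarks>
private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate clientCert, BouncyCastleOCSP.CertificateID certificateId)
{
    BouncyCastleOCSP.CertificateID expectedId = new BouncyCastleOCSP.CertificateID(BouncyCastleOCSP.CertificateID.HashSha1, issuerCert, clientCert.SerialNumber);
    if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
    {
        throw new HttpException(401, "Invalid certificate ID in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
    {
        throw new HttpException(401, "Invalid certificate Issuer in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
    {
        throw new HttpException(401, "Invalid certificate Issuer key in response");
    }
}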
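/**
 * Generates an OCSP request using BouncyCastle, with a random nonce.
 *
 * The original used PdfEncryption.CreateDocumentId() as the nonce. That value is a document
 * identifier, not documented as cryptographically random, so the nonce was guessable and gave
 * no replay protection. The nonce is not returned, so callers still cannot compare it with the
 * one echoed in the response through this signature.
 *
 * @param issuerCert certificate of the issuer
 * @param serialNumber serial number of the certificate to check
 * @return an OCSP request with a SHA-1 CertID and an id-pkix-ocsp-nonce extension
 * @throws OCSPException
 * @throws IOException
 */
private static OcspReq GenerateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
    // Generate the id for the certificate we are looking for
    CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);

    OcspReqGenerator gen = new OcspReqGenerator();
    gen.AddRequest(id);

    // 16 CSPRNG bytes; RFC 6960 4.4.1 wraps the DER of the nonce OCTET STRING in the extnValue OCTET STRING.
    byte[] nonce = new byte[16];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(nonce);
    }
    IDictionary extensions = new Hashtable();
    extensions[OcspObjectIdentifiers.PkixOcspNonce] = new X509Extension(false, new DerOctetString(new DerOctetString(nonce).GetEncoded()));
    gen.SetRequestExtensions(new X509Extensions(extensions));
    return gen.Generate();
}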
/**
 * Add a response for a particular Certificate ID, dated now (UTC) with no nextUpdate
 * and no extensions.
 *
 * @param certID certificate ID details
 * @param certStatus status of the certificate - null if okay
 */
public void AddResponse(CertificateID certID, CertificateStatus certStatus)
{
    var entry = new ResponseObject(certID, certStatus, DateTime.UtcNow, null);
    list.Add(entry);
}
/**
 * Add a request for the given CertificateID, without singleRequestExtensions.
 *
 * @param certId certificate ID of interest
 */
public void AddRequest(CertificateID certId)
{
    var entry = new RequestObject(certId, null);
    list.Add(entry);
}
/// <summary>
/// Builds a CertID by hashing the issuer's name and public key with the given algorithm.
/// </summary>
/// <param name="hashAlgorithm">Dotted OID of the hash algorithm (e.g. <c>HashSha1</c>).</param>
/// <param name="issuerCert">Issuer whose subject name and public key are hashed.</param>
/// <param name="serialNumber">Serial number of the certificate of interest.</param>
public CertificateID(string hashAlgorithm, X509Certificate issuerCert, BigInteger serialNumber)
{
    var hashAlgorithmId = new AlgorithmIdentifier(new DerObjectIdentifier(hashAlgorithm), DerNull.Instance);
    var serial = new DerInteger(serialNumber);
    this.id = CertificateID.CreateCertID(hashAlgorithmId, issuerCert, serial);
}
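/// <summary>
/// Validate a certificate against the OCSP responder named in its AIA.
/// </summary>
/// <param name="cert">Certificate to check.</param>
/// <param name="aia">Its AIA data: caIssuers URL (<c>Issuer</c>) and OCSP URL (<c>Ocsp</c>).</param>
/// <returns>Good / Revoked / Unknown (with a reason code where the original defined one).</returns>
/// <remarks>
/// Checks added over the original: the downloaded issuer must actually have signed
/// <paramref name="cert"/> (the caIssuers URL comes from the certificate under test, so the file
/// is attacker-chosen until proven); the responder status must be successful and the response
/// must contain at least one entry; the response must be signed by the issuer or a delegated
/// responder; the issuer key hash is compared as well; and the optional revocation reason is
/// read only when present (BouncyCastle throws otherwise). The request nonce is not available
/// from <c>GenerateOCSPRequest</c>, so the echoed nonce still cannot be checked here.
/// </remarks>
CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, AIA aia)
{
    string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer));
    string filePath = IssuerCachedFolder + hash;

    // Fetch and cache the issuer certificate named by the AIA caIssuers URL.
    if (!IsIssuerCached(aia.Issuer))
    {
        Download(aia.Issuer, filePath);
        if (!IsIssuerCached(aia.Issuer))
        {
            return CertStatus.Unknown(CertStatus.BadIssuer);
        }
    }

    var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath);
    var certParser = new Org.BouncyCastle.X509.X509CertificateParser();
    var issuer = certParser.ReadCertificate(issuerTemp.RawData);
    var cert2Validate = certParser.ReadCertificate(cert.RawData);

    // Without this, a forged "issuer" plus a forged responder would pass every later check.
    try
    {
        cert2Validate.Verify(issuer.GetPublicKey());
    }
    catch (Exception)
    {
        return CertStatus.Unknown(CertStatus.BadIssuer);
    }

    var id = new Org.BouncyCastle.Ocsp.CertificateID(
        Org.BouncyCastle.Ocsp.CertificateID.HashSha1, issuer, cert2Validate.SerialNumber);
    byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate);
    byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc);

    OcspResp ocspResponse = new OcspResp(resp);
    // RFC 6960 4.2.1: responseBytes is present only when responseStatus is successful (0).
    if (ocspResponse.Status != Org.BouncyCastle.Ocsp.OcspRespStatus.Successful)
    {
        return CertStatus.Unknown();
    }
    var basicOCSPResponse = ocspResponse.GetResponseObject() as BasicOcspResp;
    if (basicOCSPResponse == null || basicOCSPResponse.Responses == null || basicOCSPResponse.Responses.Length == 0)
    {
        return CertStatus.Unknown();
    }

    // OCSP is served over plain http; only the responder signature protects the answer.
    if (!OcspResponseSignedByIssuerOrDelegatedResponder(basicOCSPResponse, issuer))
    {
        return CertStatus.Unknown();
    }

    SingleResp singResp = basicOCSPResponse.Responses[0];

    // Validate that the entry is about the certificate we asked for (all CertID components).
    var responseId = singResp.GetCertID();
    if (!responseId.SerialNumber.Equals(id.SerialNumber))
    {
        return CertStatus.Unknown(CertStatus.BadSerial);
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(responseId.GetIssuerNameHash(), id.GetIssuerNameHash()))
    {
        return CertStatus.Unknown(CertStatus.IssuerNotMatch);
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(responseId.GetIssuerKeyHash(), id.GetIssuerKeyHash()))
    {
        return CertStatus.Unknown(CertStatus.IssuerNotMatch);
    }

    // Extract status: null is "good" (RFC 6960 encodes it as NULL).
    var certificateStatus = singResp.GetCertStatus();
    if (certificateStatus == null)
    {
        return CertStatus.Good;
    }
    var revoked = certificateStatus as Org.BouncyCastle.Ocsp.RevokedStatus;
    if (revoked != null)
    {
        // RevokedStatus.RevocationReason throws when the optional reason is absent; report
        // CRLReason unspecified (0) in that case instead of failing the whole validation.
        int revocationReason = revoked.HasRevocationReason
            ? revoked.RevocationReason
            : Org.BouncyCastle.Asn1.X509.CrlReason.Unspecified;
        return CertStatus.Revoked(revoked.RevocationTime.ToString("o"), revocationReason);
    }
    // UnknownStatus and anything unrecognised both map to Unknown, as in the original.
    return CertStatus.Unknown();
}

/// <summary>
/// RFC 6960 4.2.2.2: the response is acceptable if signed by the issuing CA, or by a responder
/// certificate (from the response's <c>certs</c> field) that the CA issued and that carries the
/// id-kp-OCSPSigning extended key usage.
/// </summary>
static bool OcspResponseSignedByIssuerOrDelegatedResponder(BasicOcspResp response, Org.BouncyCastle.X509.X509Certificate issuer)
{
    var issuerKey = issuer.GetPublicKey();
    if (response.Verify(issuerKey))
    {
        return true;
    }
    var responderCerts = response.GetCerts();
    if (responderCerts == null)
    {
        return false;
    }
    foreach (var responder in responderCerts)
    {
        try
        {
            responder.Verify(issuerKey);   // throws unless signed by the issuing CA
            responder.CheckValidity();     // throws when expired or not yet valid
            var ekuValue = responder.GetExtensionValue(Org.BouncyCastle.Asn1.X509.X509Extensions.ExtendedKeyUsage);
            if (ekuValue == null)
            {
                continue;
            }
            var eku = Org.BouncyCastle.Asn1.X509.ExtendedKeyUsage.GetInstance(
                Org.BouncyCastle.Asn1.Asn1Object.FromByteArray(ekuValue.GetOctets()));
            if (!eku.HasKeyPurposeId(Org.BouncyCastle.Asn1.X509.KeyPurposeID.IdKPOcspSigning))
            {
                continue;
            }
            if (response.Verify(responder.GetPublicKey()))
            {
                return true;
            }
        }
        catch (Exception)
        {
            // Not issued by this CA or otherwise unusable; try the next embedded certificate.
        }
    }
    return false;
}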
/// <summary>
/// Recomputes this CertID's issuer hashes from <paramref name="issuerCert"/> (same hash
/// algorithm and serial) and reports whether the result equals this identifier.
/// </summary>
/// <param name="issuerCert">Candidate issuer certificate.</param>
/// <returns><c>true</c> when the candidate's name and key hashes match those stored here.</returns>
public bool MatchesIssuer(X509Certificate issuerCert)
{
    var recomputed = CertificateID.CreateCertID(this.id.HashAlgorithm, issuerCert, this.id.SerialNumber);
    return recomputed.Equals(this.id);
}
/**
 * Add a response for a particular Certificate ID, dated now (UTC) with no nextUpdate.
 *
 * @param certID certificate ID details
 * @param certStatus status of the certificate - null if okay
 * @param singleExtensions optional extensions
 */
public void AddResponse(CertificateID certID, CertificateStatus certStatus, X509Extensions singleExtensions)
{
    var entry = new ResponseObject(certID, certStatus, DateTime.UtcNow, singleExtensions);
    list.Add(entry);
}
/// <summary>
/// Adds a response entry for <paramref name="certID"/> dated now (UTC), with no nextUpdate and
/// no extensions. (Decompiled form of the generator's two-argument AddResponse.)
/// </summary>
/// <param name="certID">Certificate ID details.</param>
/// <param name="certStatus">Status of the certificate; <c>null</c> if good.</param>
public void AddResponse(CertificateID certID, CertificateStatus certStatus)
{
    var entry = new ResponseObject(certID, certStatus, global::System.DateTime.UtcNow, null);
    list.Add(entry);
}
/**
 * Create a new CertificateID for a new serial number derived from a previous one
 * calculated for the same CA certificate. The hash algorithm and both issuer hashes are
 * copied unchanged; nothing verifies that the new certificate really belongs to that CA.
 *
 * @param original the previously calculated CertificateID for the CA.
 * @param newSerialNumber the serial number for the new certificate of interest.
 *
 * @return a new CertificateID for newSerialNumber
 */
public static CertificateID DeriveCertificateID(CertificateID original, BigInteger newSerialNumber)
{
    var template = original.id;
    var derived = new CertID(template.HashAlgorithm, template.IssuerNameHash, template.IssuerKeyHash, new DerInteger(newSerialNumber));
    return new CertificateID(derived);
}
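/// <summary>
/// Determines the revocation status of <paramref name="childCertificate"/> at
/// <paramref name="validationDate"/> from the OCSP response supplied by <c>ocspSource</c>.
/// </summary>
/// <param name="childCertificate">Certificate being validated.</param>
/// <param name="certificate">Its issuer; used to build the SHA-1 CertID.</param>
/// <param name="validationDate">Point in time the status is evaluated for.</param>
/// <returns>A populated <c>CertificateStatus</c>, or <c>null</c> when there is no source, no
/// response, no matching entry, or an <c>IOException</c> occurred.</returns>
/// <remarks>
/// A revocation dated after <paramref name="validationDate"/> yields VALID: correct for
/// historical validation of a signature made at a trusted time, wrong if the date is "now" and
/// clocks drift. Neither the responder signature nor thisUpdate/nextUpdate freshness is checked
/// here; the source is trusted to have done so.
/// </remarks>
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
{
    CertificateStatus status = new CertificateStatus();
    status.Certificate = childCertificate;
    status.ValidationDate = validationDate;
    status.IssuerCertificate = certificate;

    if (ocspSource == null)
    {
        LOG.Warn("OCSPSource null");
        return null;
    }
    try
    {
        BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate);
        if (null == ocspResp)
        {
            LOG.Info("OCSP response not found");
            return null;
        }

        CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate, childCertificate.SerialNumber);
        foreach (SingleResp singleResp in ocspResp.Responses)
        {
            if (!certificateId.Equals(singleResp.GetCertID()))
            {
                continue;
            }
            LOG.Info("OCSP thisUpdate: " + singleResp.ThisUpdate);
            LOG.Info("OCSP nextUpdate: " + singleResp.NextUpdate);
            status.StatusSourceType = ValidatorSourceType.OCSP;
            status.StatusSource = ocspResp;
            status.RevocationObjectIssuingTime = ocspResp.ProducedAt;

            // Read the status once; the original re-fetched it five times.
            object certStatus = singleResp.GetCertStatus();
            if (certStatus == null)
            {
                // RFC 6960 encodes "good" as NULL.
                LOG.Info("OCSP OK for: " + childCertificate.SubjectDN);
                status.Validity = CertificateValidity.VALID;
            }
            else
            {
                LOG.Info("OCSP certificate status: " + certStatus.GetType().FullName);
                RevokedStatus revoked = certStatus as RevokedStatus;
                if (revoked != null)
                {
                    LOG.Info("OCSP status revoked");
                    if (validationDate.CompareTo(revoked.RevocationTime) < 0) //jbonilla - Before
                    {
                        LOG.Info("OCSP revocation time after the validation date, the certificate was valid at " + validationDate);
                        status.Validity = CertificateValidity.VALID;
                    }
                    else
                    {
                        status.RevocationDate = revoked.RevocationTime;
                        status.Validity = CertificateValidity.REVOKED;
                    }
                }
                else if (certStatus is UnknownStatus)
                {
                    LOG.Info("OCSP status unknown");
                    status.Validity = CertificateValidity.UNKNOWN;
                }
            }
            return status;
        }
        LOG.Info("no matching OCSP response entry");
        return null;
    }
    catch (IOException ex)
    {
        LOG.Error("OCSP exception: " + ex.Message);
        return null;
    }
    catch (OcspException ex)
    {
        LOG.Error("OCSP exception: " + ex.Message);
        throw new RuntimeException(ex);
    }
}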
/// <summary>
/// Convenience overload taking both update times as <c>DateTime</c> values.
/// (Decompiled form; delegates to the DerGeneralizedTime constructor.)
/// </summary>
/// <param name="certId">Identifier of the certificate this entry describes.</param>
/// <param name="certStatus">Status; <c>null</c> means "good".</param>
/// <param name="thisUpdate">Time at which the status is known to be correct.</param>
/// <param name="nextUpdate">Time by which newer information will be available.</param>
/// <param name="extensions">Optional singleExtensions; may be <c>null</c>.</param>
public ResponseObject(CertificateID certId, CertificateStatus certStatus, global::System.DateTime thisUpdate, global::System.DateTime nextUpdate, X509Extensions extensions)
    : this(certId, certStatus, new DerGeneralizedTime(thisUpdate), new DerGeneralizedTime(nextUpdate), extensions)
{
}
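// 1. The certificate identified in a received response corresponds to
//    that which was identified in the corresponding request (RFC 6960 3.2).
//
// CertID is (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber). The original compared
// only the serial and the issuer name hash; two CAs can share a subject name but not a key, so
// the issuer key hash is compared as well. The expected id uses SHA-1, so a responder answering
// with a different hash algorithm is rejected (pre-existing behaviour).
private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
{
    CertificateID expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);
    if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
    {
        throw new Exception("Invalid certificate ID in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
    {
        throw new Exception("Invalid certificate Issuer in response");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
    {
        throw new Exception("Invalid certificate Issuer key in response");
    }
}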
/// <summary>
/// Builds the SHA-1 CertID for the given issuer and serial number and delegates to the
/// CertificateID overload of <c>GenerarRequestOCSP</c>.
/// </summary>
/// <param name="in_CertificadoEmisor">Issuer certificate.</param>
/// <param name="in_NumeroSerie">Serial number of the certificate to check.</param>
/// <returns>The OCSP request produced by the CertificateID overload.</returns>
private OcspReq GenerarRequestOCSP(X509Certificate in_CertificadoEmisor, BigInteger in_NumeroSerie)
{
    var certificateId = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_NumeroSerie);
    return this.GenerarRequestOCSP(certificateId);
}
/**
 * Add a request with singleRequestExtensions.
 *
 * @param certId certificate ID of interest
 * @param singleRequestExtensions the extensions to attach to the request (may be null)
 */
public void AddRequest(CertificateID certId, X509Extensions singleRequestExtensions)
{
    var entry = new RequestObject(certId, singleRequestExtensions);
    list.Add(entry);
}
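/// <summary>
/// Checks that the CertID in the OCSP response is the one requested (RFC 6960 3.2).
/// </summary>
/// <param name="in_CertificadoEmisor">Issuer certificate.</param>
/// <param name="in_Certificado">Certificate that was checked.</param>
/// <param name="in_IDCertificado">CertID found in the response.</param>
/// <remarks>
/// CertID is (hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber). The original compared
/// only the serial and the issuer name hash; two CAs can share a subject name but not a key, so
/// the issuer key hash is compared as well. The expected id uses SHA-1, so a responder answering
/// with another hash algorithm is rejected (pre-existing behaviour).
/// </remarks>
private void ValidarCertificateId(X509Certificate in_CertificadoEmisor, X509Certificate in_Certificado, CertificateID in_IDCertificado)
{
    CertificateID idEsperado = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_Certificado.SerialNumber);
    if (!idEsperado.SerialNumber.Equals(in_IDCertificado.SerialNumber))
    {
        throw new Exception("ID de Certificado invalido");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerNameHash(), in_IDCertificado.GetIssuerNameHash()))
    {
        throw new Exception("Certificado Emisor invalido");
    }
    if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerKeyHash(), in_IDCertificado.GetIssuerKeyHash()))
    {
        throw new Exception("Clave del Certificado Emisor invalida");
    }
}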
/// <summary>
/// Adds a response entry for <paramref name="certID"/> dated now (UTC) with the given
/// nextUpdate and extensions. (Decompiled form of the generator's AddResponse overload.)
/// </summary>
/// <param name="certID">Certificate ID details.</param>
/// <param name="certStatus">Status of the certificate; <c>null</c> if good.</param>
/// <param name="nextUpdate">Time by which newer information will be available.</param>
/// <param name="singleExtensions">Optional singleExtensions; may be <c>null</c>.</param>
public void AddResponse(CertificateID certID, CertificateStatus certStatus, global::System.DateTime nextUpdate, X509Extensions singleExtensions)
{
    var entry = new ResponseObject(certID, certStatus, global::System.DateTime.UtcNow, nextUpdate, singleExtensions);
    list.Add(entry);
}
/// <summary>
/// Builds the SHA-1 CertID for the given issuer and serial number and delegates to the
/// CertificateID overload of <c>GenerateOcspRequest</c>.
/// </summary>
/// <param name="issuerCert">Issuer certificate.</param>
/// <param name="serialNumber">Serial number of the certificate to check.</param>
/// <returns>The OCSP request produced by the CertificateID overload.</returns>
private OcspReq GenerateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
{
    var certificateId = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);
    return this.GenerateOcspRequest(certificateId);
}
/**
 * Create a new CertificateID for a new serial number derived from a previous one
 * calculated for the same CA certificate. The hash algorithm and both issuer hashes are
 * copied unchanged; nothing verifies that the new certificate really belongs to that CA.
 *
 * @param original the previously calculated CertificateID for the CA.
 * @param newSerialNumber the serial number for the new certificate of interest.
 *
 * @return a new CertificateID for newSerialNumber
 */
public static CertificateID DeriveCertificateID(CertificateID original, BigInteger newSerialNumber)
{
    var template = original.id;
    var derived = new CertID(template.HashAlgorithm, template.IssuerNameHash, template.IssuerKeyHash, new DerInteger(newSerialNumber));
    return new CertificateID(derived);
}
/**
 * Add a response for a particular Certificate ID with explicit update times.
 *
 * @param certID certificate ID details
 * @param certStatus status of the certificate - null if okay
 * @param thisUpdate date this response was valid on
 * @param nextUpdate date when next update should be requested
 * @param singleExtensions optional extensions (may be null)
 */
public void AddResponse(CertificateID certID, CertificateStatus certStatus, DateTime thisUpdate, DateTime nextUpdate, X509Extensions singleExtensions)
{
    var entry = new ResponseObject(certID, certStatus, thisUpdate, nextUpdate, singleExtensions);
    list.Add(entry);
}
/**
 * Checks if the embedded OCSP response refers to the document signing certificate, i.e. whether
 * the CertID of its first SingleResponse equals the SHA-1 CertID of (issuer = second chain
 * certificate, serial = signing certificate serial).
 *
 * Only Responses[0] is inspected, and this does not verify the responder signature or the
 * response's freshness; it only binds the response to the signer's identity.
 *
 * @return true if it matches; false when there is no response, the chain has no issuer,
 *         or any error occurs while comparing
 * @since 2.1.6
 */
public bool IsRevocationValid()
{
    if (basicResp == null || signCerts.Count < 2)
    {
        return false;
    }
    try
    {
        X509Certificate[] chain = SignCertificateChain;
        SingleResp first = basicResp.Responses[0];
        X509Certificate issuer = chain[1];
        CertificateID expected = new CertificateID(CertificateID.HashSha1, issuer, SigningCertificate.SerialNumber);
        return expected.Equals(first.GetCertID());
    }
    catch
    {
        // Any failure (empty Responses, hashing error, ...) means the response cannot be tied to the signer.
        return false;
    }
}
/// <summary>
/// Pairs a CertID with its optional singleRequestExtensions.
/// </summary>
/// <param name="certId">Certificate identifier of interest.</param>
/// <param name="extensions">Per-request extensions; <c>null</c> when there are none.</param>
public RequestObject(CertificateID certId, X509Extensions extensions)
{
    this.extensions = extensions;
    this.certId = certId;
}