/// <summary>Verifies a certificate against a single OCSP response</summary>
/// <param name="ocspResp">the OCSP response</param>
/// <param name="signCert">the certificate that needs to be checked</param>
/// <param name="issuerCert">the certificate of CA (certificate that issued signCert). This certificate is considered trusted and valid by this method.
/// </param>
/// <param name="signDate">sign date</param>
/// <returns>
///
/// <see langword="true"/>
/// , in case successful check, otherwise false.
/// </returns>
public virtual bool Verify(BasicOcspResp ocspResp, X509Certificate signCert, X509Certificate issuerCert, DateTime
signDate)
{
if (ocspResp == null)
{
return(false);
}
// Getting the responses
SingleResp[] resp = ocspResp.Responses;
for (int i = 0; i < resp.Length; i++)
{
// check if the serial number corresponds
if (!signCert.SerialNumber.Equals(resp[i].GetCertID().SerialNumber))
{
continue;
}
// check if the issuer matches
try {
if (issuerCert == null)
{
issuerCert = signCert;
}
if (!SignUtils.CheckIfIssuersMatch(resp[i].GetCertID(), issuerCert))
{
LOGGER.Info("OCSP: Issuers doesn't match.");
continue;
}
}
catch (OcspException) {
continue;
}
// check if the OCSP response was valid at the time of signing
if (resp[i].NextUpdate == null)
{
DateTime nextUpdate = SignUtils.Add180Sec(resp[i].ThisUpdate);
LOGGER.Info(MessageFormatUtil.Format("No 'next update' for OCSP Response; assuming {0}", nextUpdate));
if (signDate.After(nextUpdate))
{
LOGGER.Info(MessageFormatUtil.Format("OCSP no longer valid: {0} after {1}", signDate, nextUpdate));
continue;
}
}
else
{
if (signDate.After(resp[i].NextUpdate))
{
LOGGER.Info(MessageFormatUtil.Format("OCSP no longer valid: {0} after {1}", signDate, resp[i].NextUpdate));
continue;
}
}
// check the status of the certificate
Object status = resp[i].GetCertStatus();
if (status == CertificateStatus.Good)
{
// check if the OCSP response was genuine
IsValidResponse(ocspResp, issuerCert, signDate);
return(true);
}
}
return(false);
}
