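/**
 * Fetches the CRL bytes from an URL.
 * If no url is passed as parameter, the url will be obtained from the certificate.
 * If you want to load a CRL from a local file, subclass this method and pass an
 * URL with the path to the local file to this method. An other option is to use
 * the CrlClientOffline class.
 * Security note: the url comes from the certificate being checked (or from the
 * caller), so the fetch target is chosen by whoever issued that certificate. The
 * bytes returned here are NOT verified in any way; the caller must verify the
 * CRL signature against the issuer before trusting its contents.
 * @param checkCert the certificate whose CRL distribution point is used when no
 *        url has been collected yet; null makes the method return null
 * @param url an explicit CRL url, or null to read it from checkCert
 * @return the raw bytes of every CRL that could be downloaded (possibly empty),
 *         or null when checkCert is null
 * @see com.itextpdf.text.pdf.security.CrlClient#getEncoded(java.security.cert.X509Certificate, java.lang.String)
 */
public ICollection<byte[]> GetEncoded(X509Certificate checkCert, String url)
{
    if (checkCert == null)
    {
        return null;
    }
    // Only look for a url when none was collected (e.g. by the chain constructor).
    if (urls.Count == 0)
    {
        LOGGER.Info("Looking for CRL for certificate " + checkCert.SubjectDN.ToString());
        try
        {
            if (url == null)
            {
                url = CertificateUtil.GetCRLURL(checkCert);
            }
            if (url == null)
            {
                throw new ArgumentNullException();
            }
            urls.Add(url);
            LOGGER.Info("Found CRL url: " + url);
        }
        catch (Exception e)
        {
            // Best effort: a certificate without a usable distribution point is skipped, not fatal.
            LOGGER.Info("Skipped CRL url: " + e.Message);
        }
    }
    List<byte[]> ar = new List<byte[]>();
    foreach (string urlt in urls)
    {
        try
        {
            LOGGER.Info("Checking CRL: " + urlt);
            HttpWebRequest con = (HttpWebRequest)WebRequest.Create(urlt);
            // The response and its stream are disposed on every path (status error,
            // failed read); the previous version leaked both when an exception was thrown.
            using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
            {
                // GetResponse() already throws a WebException for most non-2xx answers,
                // so this guard only catches the remaining non-OK success codes.
                if (response.StatusCode != HttpStatusCode.OK)
                {
                    throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
                }
                using (Stream inp = response.GetResponseStream())
                {
                    byte[] buf = new byte[1024];
                    MemoryStream bout = new MemoryStream();
                    int n;
                    while ((n = inp.Read(buf, 0, buf.Length)) > 0)
                    {
                        bout.Write(buf, 0, n);
                    }
                    ar.Add(bout.ToArray());
                }
            }
            LOGGER.Info("Added CRL found at: " + urlt);
        }
        catch (Exception e)
        {
            // A single unreachable or broken CRL does not abort the other urls.
            LOGGER.Info("Skipped CRL: " + e.Message + " for " + urlt);
        }
    }
    return ar;
}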
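/**
 * Fetches the CRL bytes from an URL.
 * If no url is passed as parameter, the url will be obtained from the certificate.
 * If you want to load a CRL from a local file, subclass this method and pass an
 * URL with the path to the local file to this method. An other option is to use
 * the CrlClientOffline class.
 * Security note: the url comes from the certificate being checked (or from the
 * caller), so the fetch target is chosen by whoever issued that certificate. The
 * bytes returned here are NOT verified; the caller must verify the CRL signature
 * against the issuer before trusting its contents.
 * @param checkCert the certificate whose CRL distribution point is used when url is null
 * @param url an explicit CRL url, or null to read it from checkCert
 * @return a one-element collection with the raw CRL bytes, or null when no url
 *         could be determined or the download failed (the failure is logged)
 * @see com.itextpdf.text.pdf.security.CrlClient#getEncoded(java.security.cert.X509Certificate, java.lang.String)
 */
public virtual ICollection<byte[]> GetEncoded(X509Certificate checkCert, String url)
{
    try
    {
        if (url == null)
        {
            if (checkCert == null)
            {
                return null;
            }
            url = CertificateUtil.GetCRLURL(checkCert);
        }
        if (url == null)
        {
            return null;
        }
        HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
        // Dispose the response and its stream on every path; the previous version
        // leaked both when the status check or the read threw.
        using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
        {
            // GetResponse() already throws a WebException for most non-2xx answers,
            // so this guard only catches the remaining non-OK success codes.
            if (response.StatusCode != HttpStatusCode.OK)
            {
                throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
            }
            using (Stream inp = response.GetResponseStream())
            {
                byte[] buf = new byte[1024];
                MemoryStream bout = new MemoryStream();
                int n;
                while ((n = inp.Read(buf, 0, buf.Length)) > 0)
                {
                    bout.Write(buf, 0, n);
                }
                return new byte[][] { bout.ToArray() };
            }
        }
    }
    catch (Exception ex)
    {
        // Best effort: any failure is logged and reported to the caller as null.
        if (LOGGER.IsLogging(Level.ERROR))
        {
            LOGGER.Error("CrlClientImp", ex);
        }
    }
    return null;
}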
/**
 * Creates a CrlClientOnline instance using a certificate chain.
 * Every certificate of the chain is inspected for a CRL distribution point and
 * each url found is queued for download; a certificate that has none, or that
 * cannot be read, is skipped.
 * @param chain the certificates whose CRL urls should be collected
 */
public CrlClientOnline(ICollection<X509Certificate> chain)
{
    foreach (X509Certificate certificate in chain)
    {
        String crlUrl = null;
        try
        {
            LOGGER.Info("Checking certificate: " + certificate.SubjectDN.ToString());
            crlUrl = CertificateUtil.GetCRLURL(certificate);
            if (crlUrl == null)
            {
                continue;
            }
            urls.Add(crlUrl);
            LOGGER.Info("Added CRL url: " + crlUrl);
        }
        catch
        {
            // Any failure while reading this certificate only drops its url.
            LOGGER.Info("Skipped CRL url: " + crlUrl);
        }
    }
}
/**
 * Creates a CrlClientOnline instance using a certificate chain.
 * Every certificate of the chain is inspected for a CRL distribution point and
 * each url found is handed to AddUrl; a certificate whose extensions cannot be
 * parsed is logged and skipped, any other failure propagates.
 * @param chain the certificates whose CRL urls should be collected
 */
public CrlClientOnline(ICollection<X509Certificate> chain)
{
    foreach (X509Certificate certificate in chain)
    {
        try
        {
            LOGGER.Info("Checking certificate: " + certificate.SubjectDN.ToString());
            String crlUrl = CertificateUtil.GetCRLURL(certificate);
            if (crlUrl == null)
            {
                continue;
            }
            AddUrl(crlUrl);
        }
        catch (CertificateParsingException)
        {
            LOGGER.Info("Skipped CRL url: (certificate could not be parsed)");
        }
    }
}
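/**
 * Fetches a CRL for a specific certificate online (without further checking).
 * The CRL is downloaded from the distribution point found in signCert and parsed,
 * nothing more: its signature is NOT verified here, so the result must be checked
 * (e.g. with Verify) before it is trusted. issuerCert is not used by this method.
 * @param signCert the certificate
 * @param issuerCert its issuer
 * @return an X509CRL object, or null when the certificate has no distribution
 *         point, the download raised an IOException or the CRL could not be read
 */
virtual public X509Crl GetCrl(X509Certificate signCert, X509Certificate issuerCert)
{
    try
    {
        // gets the URL from the certificate
        String crlurl = CertificateUtil.GetCRLURL(signCert);
        if (crlurl == null)
        {
            return null;
        }
        LOGGER.Info("Getting CRL from " + crlurl);
        X509CrlParser crlParser = new X509CrlParser();
        // Creates the CRL; response and stream are disposed once parsed (they were
        // never closed before).
        using (WebResponse response = WebRequest.Create(crlurl).GetResponse())
        using (Stream crlStream = response.GetResponseStream())
        {
            return crlParser.ReadCrl(crlStream);
        }
    }
    catch (IOException)
    {
        return null;
    }
    catch (GeneralSecurityException)
    {
        return null;
    }
    // NOTE(review): a WebException from GetResponse() is not an IOException in .NET
    // and therefore propagates to the caller, unlike the CrlClient implementations
    // in this file which swallow every download failure — confirm that is intended.
}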
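/**
 * Verifies if an OCSP response is genuine
 * If it doesn't verify against the issuer certificate and response's certificates, it may verify
 * using a trusted anchor or cert.
 * The responder is accepted in this order: the issuer certificate itself; a certificate
 * carried in the response that has the id-kp-OCSPSigning extended key usage AND signs the
 * response; or, only when the response carries no certificates at all, a certificate of the
 * root store that signs the response. The responder certificate must then verify with the
 * issuer's public key, must be within its validity period and, unless it carries
 * id-pkix-ocsp-nocheck, is checked against its own CRL when that CRL can be fetched.
 * @param ocspResp the OCSP response
 * @param issuerCert the issuer certificate
 * @throws GeneralSecurityException when the responder certificate does not verify, is expired,
 *         or fails its CRL check
 * @throws IOException
 * @throws VerificationException when no acceptable signer of the response is found
 */
virtual public void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert)
{
    //OCSP response might be signed by the issuer certificate or
    //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
    X509Certificate responderCert = null;

    //first check if the issuer certificate signed the response
    //since it is expected to be the most common case
    if (IsSignatureValid(ocspResp, issuerCert))
    {
        responderCert = issuerCert;
    }

    //if the issuer certificate didn't sign the ocsp response, look for authorized ocsp responses
    // from properties or from certificate chain received with response
    if (responderCert == null)
    {
        X509Certificate[] certs = ocspResp.GetCerts();
        if (certs != null)
        {
            //look for existence of Authorized OCSP responder inside the cert chain in ocsp response
            foreach (X509Certificate cert in certs)
            {
                try
                {
                    IList keyPurposes = cert.GetExtendedKeyUsage();
                    // A delegated responder must be explicitly marked for OCSP signing;
                    // merely signing the response is not enough.
                    if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, cert))
                    {
                        responderCert = cert;
                        break;
                    }
                }
                catch (CertificateParsingException ignored)
                {
                    // A certificate whose extensions cannot be read is simply not a candidate.
                }
            }
            // Certificate signing the ocsp response is not found in ocsp response's certificate chain received
            // and is not signed by the issuer certificate. The root store is deliberately not consulted
            // when the response carried its own certificates.
            if (responderCert == null)
            {
                throw new VerificationException(issuerCert, "OCSP response could not be verified");
            }
        }
        else
        {
            //certificate chain is not present in response received
            //try to verify using rootStore
            if (certificates != null)
            {
                foreach (X509Certificate anchor in certificates)
                {
                    try
                    {
                        if (IsSignatureValid(ocspResp, anchor))
                        {
                            responderCert = anchor;
                            break;
                        }
                    }
                    catch (GeneralSecurityException ignored)
                    {
                        // An anchor whose key does not match the signature is just not the signer.
                    }
                }
            }
            // OCSP Response does not contain certificate chain, and response is not signed by any
            // of the rootStore or the issuer certificate.
            if (responderCert == null)
            {
                throw new VerificationException(issuerCert, "OCSP response could not be verified");
            }
        }
    }

    //check "This certificate MUST be issued directly by the CA that issued the certificate in question".
    // Also applies to a responder taken from the root store.
    // NOTE(review): when responderCert is issuerCert this verifies the issuer with its own
    // public key, which only succeeds for a self-signed issuer — confirm that is intended.
    responderCert.Verify(issuerCert.GetPublicKey());

    //check if lifetime of certificate is ok
    // Performed unconditionally, before the CRL lookup: the previous version returned early
    // after a successful CRL check and so never reached this test on that path.
    responderCert.CheckValidity();

    // validating ocsp signers certificate
    // Check if responders certificate has id-pkix-ocsp-nocheck extension,
    // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
    if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null)
    {
        X509Crl crl;
        try
        {
            X509CrlParser crlParser = new X509CrlParser();
            // Creates the CRL from the distribution point of the responder certificate.
            // Best effort: no distribution point, a download error or an unparsable CRL
            // leaves crl null and the revocation check is skipped.
            using (WebResponse response = WebRequest.Create(CertificateUtil.GetCRLURL(responderCert)).GetResponse())
            using (Stream crlStream = response.GetResponseStream())
            {
                crl = crlParser.ReadCrl(crlStream);
            }
        }
        catch (Exception ignored)
        {
            crl = null;
        }
        if (crl != null)
        {
            // Signature, issuer and freshness of the CRL are checked by CrlVerifier, not here;
            // a revoked responder certificate makes Verify throw.
            CrlVerifier crlVerifier = new CrlVerifier(null, null);
            crlVerifier.Certificates = certificates;
            crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed;
            crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow);
        }
    }
}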