GetCRLURL() public static method

public static GetCRLURL ( X509Certificate certificate ) : String
certificate Org.BouncyCastle.X509.X509Certificate
return String
コード例 #1
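        /**
         * Fetches the CRL bytes from an URL.
         * If no url is passed as parameter, the url will be obtained from the certificate
         * (its CRL distribution point), i.e. the location fetched is the one the certificate's
         * issuer put into the certificate. Every url that has been collected in <c>urls</c>
         * (by the constructors or by an earlier call) is downloaded; a url whose download
         * fails is logged and skipped instead of failing the whole call, and each response
         * body is buffered completely in memory.
         * If you want to load a CRL from a local file, subclass this method and pass an
         * URL with the path to the local file to this method. An other option is to use
         * the CrlClientOffline class.
         * @param checkCert the certificate whose CRL is wanted; null yields null
         * @param url       explicit CRL location, or null to read it from checkCert
         * @return the encoded CRLs that could be downloaded (possibly empty), or null
         *         when checkCert is null
         * @see com.itextpdf.text.pdf.security.CrlClient#getEncoded(java.security.cert.X509Certificate, java.lang.String)
         */
        public ICollection<byte[]> GetEncoded(X509Certificate checkCert, String url)
        {
            if (checkCert == null)
            {
                return null;
            }
            if (urls.Count == 0)
            {
                LOGGER.Info("Looking for CRL for certificate " + checkCert.SubjectDN.ToString());
                try {
                    if (url == null)
                    {
                        // GetCRLURL parses the certificate and may throw; that is what the catch below is for
                        url = CertificateUtil.GetCRLURL(checkCert);
                    }
                    if (url == null)
                    {
                        // neither an explicit url nor a distribution point in the certificate
                        LOGGER.Info("Skipped CRL url: no CRL url found");
                    }
                    else
                    {
                        urls.Add(url);
                        LOGGER.Info("Found CRL url: " + url);
                    }
                }
                catch (Exception e) {
                    LOGGER.Info("Skipped CRL url: " + e.Message);
                }
            }
            List<byte[]> ar = new List<byte[]>();

            foreach (string urlt in urls)
            {
                try {
                    LOGGER.Info("Checking CRL: " + urlt);
                    HttpWebRequest con = (HttpWebRequest)WebRequest.Create(urlt);
                    // dispose the response (and with it the connection) even when the status
                    // check or the read throws; the original only closed the stream on success
                    using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
                    {
                        if (response.StatusCode != HttpStatusCode.OK)
                        {
                            throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
                        }
                        //Get Response
                        using (Stream inp = response.GetResponseStream())
                        {
                            MemoryStream bout = new MemoryStream();
                            byte[] buf = new byte[1024];
                            int n;
                            while ((n = inp.Read(buf, 0, buf.Length)) > 0)
                            {
                                bout.Write(buf, 0, n);
                            }
                            ar.Add(bout.ToArray());
                        }
                    }
                    LOGGER.Info("Added CRL found at: " + urlt);
                }
                catch (Exception e) {
                    LOGGER.Info("Skipped CRL: " + e.Message + " for " + urlt);
                }
            }
            return ar;
        }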
コード例 #2
ファイル: CrlClientImp.cs プロジェクト: mohsenmetn/itextsharp
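 /**
  * Fetches the CRL bytes from an URL.
  * If no url is passed as parameter, the url will be obtained from the certificate
  * (its CRL distribution point), i.e. the location fetched is the one the certificate's
  * issuer put into the certificate. The whole response body is buffered in memory.
  * If you want to load a CRL from a local file, subclass this method and pass an
  * URL with the path to the local file to this method. An other option is to use
  * the CrlClientOffline class.
  * @param checkCert the certificate whose CRL is wanted; only consulted when url is null
  * @param url       explicit CRL location, or null to read it from checkCert
  * @return a one-element collection holding the encoded CRL, or null when no url is
  *         available or the download fails (the failure is logged at error level)
  * @see com.itextpdf.text.pdf.security.CrlClient#getEncoded(java.security.cert.X509Certificate, java.lang.String)
  */
 public virtual ICollection<byte[]> GetEncoded(X509Certificate checkCert, String url)
 {
     try {
         if (url == null)
         {
             if (checkCert == null)
             {
                 return null;
             }
             url = CertificateUtil.GetCRLURL(checkCert);
         }
         if (url == null)
         {
             return null;
         }
         HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
         // dispose the response (and with it the connection) even when the status
         // check or the read throws; the original only closed the stream on success
         using (HttpWebResponse response = (HttpWebResponse)con.GetResponse())
         {
             if (response.StatusCode != HttpStatusCode.OK)
             {
                 throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
             }
             //Get Response
             using (Stream inp = response.GetResponseStream())
             {
                 MemoryStream bout = new MemoryStream();
                 byte[] buf = new byte[1024];
                 int n;
                 while ((n = inp.Read(buf, 0, buf.Length)) > 0)
                 {
                     bout.Write(buf, 0, n);
                 }
                 return new byte[][] { bout.ToArray() };
             }
         }
     }
     catch (Exception ex) {
         // best effort: a CRL that cannot be fetched is reported as "none" to the caller
         if (LOGGER.IsLogging(Level.ERROR))
         {
             LOGGER.Error("CrlClientImp", ex);
         }
     }
     return null;
 }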
コード例 #3
 /**
  * Creates a CrlClientOnline instance using a certificate chain.
  * Every certificate in the chain that carries a CRL url contributes that url
  * to the list of locations this client downloads from; a certificate whose
  * url cannot be read is logged and skipped.
  */
 public CrlClientOnline(ICollection<X509Certificate> chain)
 {
     foreach (X509Certificate cert in chain)
     {
         String crlUrl = null;
         try {
             LOGGER.Info("Checking certificate: " + cert.SubjectDN.ToString());
             crlUrl = CertificateUtil.GetCRLURL(cert);
             if (crlUrl == null)
             {
                 continue;
             }
             urls.Add(crlUrl);
             LOGGER.Info("Added CRL url: " + crlUrl);
         } catch {
             // NOTE(review): when GetCRLURL itself threw, crlUrl is still null here,
             // so this line logs no url — the message carries little information
             LOGGER.Info("Skipped CRL url: " + crlUrl);
         }
     }
 }
コード例 #4
 /**
  * Creates a CrlClientOnline instance using a certificate chain.
  * Each certificate in the chain is inspected for a CRL url, which is
  * registered through AddUrl; a certificate that cannot be parsed is
  * logged and skipped.
  */
 public CrlClientOnline(ICollection<X509Certificate> chain)
 {
     foreach (X509Certificate cert in chain)
     {
         try {
             LOGGER.Info("Checking certificate: " + cert.SubjectDN.ToString());
             String crlUrl = CertificateUtil.GetCRLURL(cert);
             if (crlUrl == null)
             {
                 continue;
             }
             AddUrl(crlUrl);
         }
         catch (CertificateParsingException)
         {
             LOGGER.Info("Skipped CRL url: (certificate could not be parsed)");
         }
     }
 }
コード例 #5
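        /**
         * Fetches a CRL for a specific certificate online (without further checking).
         * The location is the CRL distribution point found in signCert itself, so it is
         * whatever that certificate's issuer put there; the downloaded CRL is parsed but
         * not verified by this method.
         * @param signCert	the certificate
         * @param issuerCert	its issuer (not used by this implementation)
         * @return	an X509CRL object, or null when the certificate has no CRL url or the
         *          download or parse fails with an IO or security error
         */
        public virtual X509Crl GetCrl(X509Certificate signCert, X509Certificate issuerCert)
        {
            try {
                // gets the URL from the certificate
                String crlurl = CertificateUtil.GetCRLURL(signCert);
                if (crlurl == null)
                {
                    return null;
                }
                LOGGER.Info("Getting CRL from " + crlurl);

                X509CrlParser crlParser = new X509CrlParser();
                // Creates the CRL; the response and its stream are released once parsing is
                // done (the original never closed them)
                using (WebResponse response = WebRequest.Create(crlurl).GetResponse())
                using (Stream inp = response.GetResponseStream())
                {
                    return crlParser.ReadCrl(inp);
                }
            }
            catch (IOException) {
                return null;
            }
            catch (GeneralSecurityException) {
                return null;
            }
        }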
コード例 #6
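        /**
         * Verifies if an OCSP response is genuine
         *  If it doesn't verify against the issuer certificate and response's certificates, it may verify
         * using a trusted anchor or cert.
         * The responder certificate is located in this order: the issuer certificate itself; when the
         * response carries a certificate chain, a certificate in that chain that has the id-kp-OCSPSigning
         * extended key usage and signed the response; when no chain was sent, one of the configured
         * <c>certificates</c> that signed the response. The responder certificate must then verify
         * against the issuer's public key and, unless it carries id-pkix-ocsp-nocheck, is checked
         * against its own CRL when that CRL can be downloaded.
         * @param ocspResp	the OCSP response
         * @param issuerCert	the issuer certificate
         * @throws VerificationException when no certificate that signed the response can be found
         * @throws GeneralSecurityException
         * @throws IOException
         */
        public virtual void IsValidResponse(BasicOcspResp ocspResp, X509Certificate issuerCert)
        {
            //OCSP response might be signed by the issuer certificate or
            //the Authorized OCSP responder certificate containing the id-kp-OCSPSigning extended key usage extension
            X509Certificate responderCert = null;

            //first check if the issuer certificate signed the response
            //since it is expected to be the most common case
            if (IsSignatureValid(ocspResp, issuerCert))
            {
                responderCert = issuerCert;
            }

            //if the issuer certificate didn't sign the ocsp response, look for authorized ocsp responses
            // from properties or from certificate chain received with response
            if (responderCert == null)
            {
                X509Certificate[] certs = ocspResp.GetCerts();
                if (certs != null)
                {
                    //look for existence of Authorized OCSP responder inside the cert chain in ocsp response
                    foreach (X509Certificate cert in certs)
                    {
                        try {
                            // only a certificate explicitly authorized for OCSP signing that actually
                            // signed this response is accepted; any other certificate in the chain is ignored
                            IList keyPurposes = cert.GetExtendedKeyUsage();
                            if ((keyPurposes != null) && keyPurposes.Contains(id_kp_OCSPSigning) && IsSignatureValid(ocspResp, cert))
                            {
                                responderCert = cert;
                                break;
                            }
                        } catch (CertificateParsingException) {
                            // a certificate whose extensions cannot be parsed is not a candidate
                        }
                    }
                    // Certificate signing the ocsp response is not found in ocsp response's certificate chain received
                    // and is not signed by the issuer certificate.
                    if (responderCert == null)
                    {
                        throw new VerificationException(issuerCert, "OCSP response could not be verified");
                    }
                }
                else
                {
                    //certificate chain is not present in response received
                    //try to verify using rootStore
                    if (certificates != null)
                    {
                        foreach (X509Certificate anchor in certificates)
                        {
                            try {
                                if (IsSignatureValid(ocspResp, anchor))
                                {
                                    responderCert = anchor;
                                    break;
                                }
                            } catch (GeneralSecurityException) {
                                // an anchor whose key cannot check this signature is simply not the signer
                            }
                        }
                    }

                    // OCSP Response does not contain certificate chain, and response is not signed by any
                    // of the rootStore or the issuer certificate.
                    if (responderCert == null)
                    {
                        throw new VerificationException(issuerCert, "OCSP response could not be verified");
                    }
                }
            }

            //check "This certificate MUST be issued directly by the CA that issued the certificate in question".
            responderCert.Verify(issuerCert.GetPublicKey());

            // validating ocsp signers certificate
            // Check if responders certificate has id-pkix-ocsp-nocheck extension,
            // in which case we do not validate (perform revocation check on) ocsp certs for lifetime of certificate
            if (responderCert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck.Id) == null)
            {
                X509Crl crl = null;
                try {
                    // the CRL location is the responder certificate's own distribution point;
                    // a responder without one (null url) or an unreachable one leaves crl null
                    String crlUrl = CertificateUtil.GetCRLURL(responderCert);
                    if (crlUrl != null)
                    {
                        X509CrlParser crlParser = new X509CrlParser();
                        // Creates the CRL; the response and its stream are released after parsing
                        using (WebResponse response = WebRequest.Create(crlUrl).GetResponse())
                        using (Stream inp = response.GetResponseStream())
                        {
                            crl = crlParser.ReadCrl(inp);
                        }
                    }
                } catch (Exception) {
                    // best effort: any failure to obtain the CRL falls through to the validity check below
                    crl = null;
                }
                if (crl != null)
                {
                    CrlVerifier crlVerifier = new CrlVerifier(null, null);
                    crlVerifier.Certificates          = certificates;
                    crlVerifier.OnlineCheckingAllowed = onlineCheckingAllowed;
                    crlVerifier.Verify(crl, responderCert, issuerCert, DateTime.UtcNow);
                    // NOTE(review): returning here skips the CheckValidity() call below whenever a CRL
                    // was verified — confirm that CrlVerifier.Verify covers the certificate's validity period
                    return;
                }
            }

            //check if lifetime of certificate is ok
            responderCert.CheckValidity();
        }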