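/// <summary>
/// Answers a DER-encoded OCSP request with a signed, DER-encoded <see cref="BasicOcspResp"/>.
/// Every CertID in the request is answered with the status and validity window held by the
/// enclosing type, and a request nonce, when present, is echoed in the response extensions.
/// Note that the return value is the inner BasicOCSPResponse, not the OCSPResponse envelope.
/// </summary>
/// <param name="requestBytes">DER encoding of the client's OCSPRequest.</param>
/// <returns>DER encoding of the signed BasicOCSPResponse.</returns>
/// <exception cref="ArgumentNullException"><paramref name="requestBytes"/> is null.</exception>
public virtual byte[] MakeOcspResponse(byte[] requestBytes)
{
    if (requestBytes == null)
    {
        throw new ArgumentNullException(nameof(requestBytes));
    }

    OcspReq ocspRequest = new OcspReq(requestBytes);
    Req[] requestList = ocspRequest.GetRequestList();

    // requestExtensions is OPTIONAL in the OCSPRequest syntax, so RequestExtensions can be null;
    // only look the nonce up when the request actually carries extensions.
    X509Extensions requestExtensions = ocspRequest.RequestExtensions;
    X509Extension extNonce = requestExtensions == null
        ? null
        : requestExtensions.GetExtension(OcspObjectIdentifiers.PkixOcspNonce);
    if (extNonce != null)
    {
        // Echo the nonce unchanged so the client can bind this response to its request (RFC 6960 section 4.4.1).
        X509Extensions responseExtensions = new X509Extensions(new Dictionary<DerObjectIdentifier, X509Extension>()
        {
            { OcspObjectIdentifiers.PkixOcspNonce, extNonce }
        });
        responseBuilder.SetResponseExtensions(responseExtensions);
    }

    // certificateStatus, thisUpdate and nextUpdate are members of the enclosing type and apply to every CertID.
    foreach (Req req in requestList)
    {
        responseBuilder.AddResponse(req.GetCertID(), certificateStatus, thisUpdate.ToUniversalTime(), nextUpdate.ToUniversalTime(), null);
    }

    // producedAt: the time of signing.
    DateTime time = DateTimeUtil.GetCurrentUtcTime();
    BasicOcspResp ocspResponse = responseBuilder.Generate(
        new Asn1SignatureFactory(SIGN_ALG, (AsymmetricKeyParameter)issuerPrivateKey),
        new X509Certificate[] { issuerCert },
        time);

    // NOTE(review): responseBuilder is not created here; if it is shared between calls, the SingleResponses
    // added above accumulate across requests — confirm it is reset per call.
    return ocspResponse.GetEncoded();
}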
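/// <summary>
/// Builds the signed definitive <see cref="OcspResp"/> for every certificate listed in
/// <paramref name="ocspRequest"/>, following RFC 6960 (sections 2.2, 2.7 and 4.4.8).
/// </summary>
/// <param name="ocspRequest">The parsed client request whose single requests are answered.</param>
/// <param name="issuerCertificate">
/// The CA certificate the requested certificates were issued by; used to look up the responder
/// identity, keys, chain and revocation data in <c>OcspResponderRepository</c>.
/// </param>
/// <returns>A successful <see cref="OcspResp"/> carrying one SingleResponse per request.</returns>
private async Task<OcspResp> GetOcspDefinitiveResponse(OcspReq ocspRequest, X509Certificate issuerCertificate)
{
    var basicResponseGenerator = new BasicOcspRespGenerator(
        new RespID(await OcspResponderRepository.GetResponderPublicKey(issuerCertificate)));
    var extensionsGenerator = new X509ExtensionsGenerator();

    var nextUpdate = await OcspResponderRepository.GetNextUpdate();

    // One UTC timestamp shared by every SingleResponse's thisUpdate and by producedAt, so the response is
    // self-consistent. DateTime.UtcNow has Kind=Utc; DateTimeOffset.UtcNow.DateTime would be Kind=Unspecified.
    var thisUpdate = DateTime.UtcNow;

    // CA compromise does not depend on the individual serial, so ask once per response rather than
    // once per request (section 2.7 of RFC 6960).
    var caCompromisedStatus = await OcspResponderRepository.IsCaCompromised(issuerCertificate);

    // X509ExtensionsGenerator rejects an OID that is added twice, so remember that at least one serial was
    // unknown and add the extended-revoke extension once, after the loop.
    var anyUnknownSerial = false;

    foreach (var request in ocspRequest.GetRequestList())
    {
        var certificateId = request.GetCertID();
        var serialNumber = certificateId.SerialNumber;

        CertificateStatus certificateStatus;
        if (caCompromisedStatus.IsCompromised)
        {
            // See section 2.7 of RFC 6960: every certificate of a compromised CA is reported as revoked.
            certificateStatus = new RevokedStatus(
                caCompromisedStatus.CompromisedDate.Value.UtcDateTime,
                (int)RevocationReason.CACompromise);
        }
        else if (await OcspResponderRepository.SerialExists(serialNumber, issuerCertificate))
        {
            // See section 2.2 of RFC 6960
            var status = await OcspResponderRepository.SerialIsRevoked(serialNumber, issuerCertificate);
            certificateStatus = status.IsRevoked
                ? new RevokedStatus(status.RevokedInfo.Date.UtcDateTime, (int)status.RevokedInfo.Reason)
                : CertificateStatus.Good;
        }
        else
        {
            // Section 4.4.8 of RFC 6960 (extended revoke): a serial the CA never issued is answered
            // "revoked" with revocationTime 1970-01-01 00:00:00 UTC and reason certificateHold.
            // The kind is set explicitly so the sentinel cannot be shifted by a local-to-UTC conversion.
            certificateStatus = new RevokedStatus(
                new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc),
                CrlReason.CertificateHold);
            anyUnknownSerial = true;
        }

        basicResponseGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate.UtcDateTime, null);
    }

    if (anyUnknownSerial)
    {
        extensionsGenerator.AddExtension(
            OcspObjectIdentifierExtensions.PkixOcspExtendedRevoke, false, DerNull.Instance.GetDerEncoded());
    }

    SetNonceExtension(ocspRequest, extensionsGenerator);
    basicResponseGenerator.SetResponseExtensions(extensionsGenerator.Generate());

    // Algorithm that all clients shall accept as defined in section 4.3 of RFC 6960
    const string signatureAlgorithm = "sha256WithRSAEncryption";

    // The last argument is producedAt, the time the responder signed the response. It must be the signing
    // time, not nextUpdate: a producedAt in the future is rejected by strict clients.
    var basicOcspResponse = basicResponseGenerator.Generate(
        signatureAlgorithm,
        await OcspResponderRepository.GetResponderPrivateKey(issuerCertificate),
        await OcspResponderRepository.GetChain(issuerCertificate),
        thisUpdate);

    return OcspResponseGenerator.Generate(OcspRespStatus.Successful, basicOcspResponse);
}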
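/// <summary>
/// Handles one HTTP OCSP request: decodes the request body, answers every CertID with the status reported by
/// <c>CertificateAuthority.GetStatus</c>, echoes the client's nonce when present, signs the result with the
/// CA key and writes the DER-encoded OCSPResponse back. A missing or undecodable request is answered with
/// HTTP 400 and no body.
/// </summary>
/// <param name="context">The listener context whose request holds the DER OCSPRequest.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public override void Respond(HttpListenerContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    var bytes = GetOcspRequest(context);
    if (bytes == null)
    {
        context.Response.StatusCode = 400;
        return;
    }

    // The body is untrusted input from the wire: bytes that do not decode as an OCSPRequest are a client
    // error and must map to 400 rather than escape as an unhandled exception. The ASN.1 parser's exception
    // types vary between library versions, so the catch is deliberately broad and the handling is explicit.
    OcspReq ocspReq;
    try
    {
        ocspReq = new OcspReq(bytes);
    }
    catch (Exception)
    {
        context.Response.StatusCode = 400;
        return;
    }

    var respId = new RespID(CertificateAuthority.Certificate.SubjectDN);
    var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
    var requests = ocspReq.GetRequestList();

    // Echo the request nonce (RFC 6960 section 4.4.1) so the client can bind the response to its request.
    var nonce = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    if (nonce != null)
    {
        var extensions = new X509Extensions(new Dictionary<DerObjectIdentifier, X509Extension>()
        {
            { OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
        });
        basicOcspRespGenerator.SetResponseExtensions(extensions);
    }

    // One timestamp for thisUpdate, producedAt and the default nextUpdate keeps the response self-consistent.
    var now = DateTime.UtcNow;

    // _options may override the validity window; otherwise the response is valid for one second from now.
    // Both values are the same for every CertID, so compute them once.
    var thisUpdate = _options.ThisUpdate?.UtcDateTime ?? now;
    var nextUpdate = _options.NextUpdate?.UtcDateTime ?? now.AddSeconds(1);

    foreach (var request in requests)
    {
        var certificateId = request.GetCertID();
        var certificateStatus = CertificateAuthority.GetStatus(certificateId);
        basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate, nextUpdate, singleExtensions: null);
    }

    var certificateChain = GetCertificateChain();
    // Last argument is producedAt: the signing time.
    var basicOcspResp = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now);

    var ocspRespGenerator = new OCSPRespGenerator();
    var ocspResp = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);

    bytes = ocspResp.GetEncoded();
    context.Response.ContentType = ResponseContentType;
    WriteResponseBody(context.Response, bytes);
}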
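/// <summary>
/// Signs and returns the <see cref="BasicOcspResp"/> assembled so far: the captured client nonce (if any)
/// is added to the response extensions, the extensions are attached to the builder, and the response is
/// signed with the token's OCSP signing certificate and private key.
/// </summary>
/// <returns>The signed basic OCSP response.</returns>
public BasicOcspResp Generate()
{
    // id-pkix-ocsp-nonce (RFC 6960 section 4.4.1). Echoing the request nonce lets the client bind
    // this response to its request.
    const string PkixOcspNonceOid = "1.3.6.1.5.5.7.48.1.2";

    if (_nonce != null)
    {
        _extensions_generator.AddExtension(new DerObjectIdentifier(PkixOcspNonceOid), false, _nonce);
    }

    _builder.SetResponseExtensions(_extensions_generator.Generate());

    // NOTE(review): BasicOcspRespGenerator.Generate takes producedAt as its last argument, and it is set
    // five minutes ahead of the clock here. If that is intended as skew tolerance it should be documented;
    // strict clients may reject a producedAt that lies in the future.
    var producedAt = DateTime.UtcNow.AddMinutes(5);

    return _builder.Generate(
        _algorithm,
        _token.GetPrivateKey(),
        new[] { _token.GetOcspSigningCert() },
        producedAt);
}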
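/// <summary>
/// Handles one HTTP OCSP request: decodes the request body, answers every CertID with the status reported by
/// <c>CertificateAuthority.GetStatus</c>, echoes the client's nonce when present, records the nextUpdate handed
/// out per serial in <c>_responses</c>, signs the result with the CA key and writes the DER-encoded
/// OCSPResponse back. A missing or undecodable request is answered with HTTP 400 and no body.
/// </summary>
/// <param name="context">The listener context whose request holds the DER OCSPRequest.</param>
/// <exception cref="ArgumentNullException"><paramref name="context"/> is null.</exception>
public override void Respond(HttpListenerContext context)
{
    if (context == null)
    {
        throw new ArgumentNullException(nameof(context));
    }

    var bytes = GetOcspRequest(context);
    if (bytes == null)
    {
        context.Response.StatusCode = 400;
        return;
    }

    // The body is untrusted input from the wire: bytes that do not decode as an OCSPRequest are a client
    // error and must map to 400 rather than escape as an unhandled exception. The ASN.1 parser's exception
    // types vary between library versions, so the catch is deliberately broad and the handling is explicit.
    OcspReq ocspReq;
    try
    {
        ocspReq = new OcspReq(bytes);
    }
    catch (Exception)
    {
        context.Response.StatusCode = 400;
        return;
    }

    var respId = new RespID(CertificateAuthority.Certificate.SubjectDN);
    var basicOcspRespGenerator = new BasicOcspRespGenerator(respId);
    var requests = ocspReq.GetRequestList();

    // Echo the request nonce (RFC 6960 section 4.4.1) so the client can bind the response to its request.
    var nonce = ocspReq.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
    if (nonce != null)
    {
        var extensions = new X509Extensions(new Dictionary<DerObjectIdentifier, X509Extension>()
        {
            { OcspObjectIdentifiers.PkixOcspNonce, new X509Extension(critical: false, value: nonce) }
        });
        basicOcspRespGenerator.SetResponseExtensions(extensions);
    }

    // One timestamp for thisUpdate, producedAt and the default nextUpdate keeps the response self-consistent.
    var now = DateTimeOffset.UtcNow;

    // _options may override the validity window. Both values are the same for every CertID, so compute them once.
    var thisUpdate = _options.ThisUpdate ?? now;
    // On Windows, if the current time is equal (to the second) to a notAfter time (or nextUpdate time), it's
    // considered valid. But OpenSSL considers it already expired (that the expiry happened when the clock
    // changed to this second), hence a two-second default window.
    var nextUpdate = _options.NextUpdate ?? now.AddSeconds(2);

    foreach (var request in requests)
    {
        var certificateId = request.GetCertID();
        var certificateStatus = CertificateAuthority.GetStatus(certificateId);

        // Keep the latest nextUpdate issued for this serial; an earlier value is never moved backwards.
        _responses.AddOrUpdate(
            certificateId.SerialNumber.ToString(),
            nextUpdate,
            (key, currentNextUpdate) => nextUpdate > currentNextUpdate ? nextUpdate : currentNextUpdate);

        basicOcspRespGenerator.AddResponse(certificateId, certificateStatus, thisUpdate.UtcDateTime, nextUpdate.UtcDateTime, singleExtensions: null);
    }

    var certificateChain = GetCertificateChain();
    // Last argument is producedAt: the signing time.
    var basicOcspResp = basicOcspRespGenerator.Generate("SHA256WITHRSA", CertificateAuthority.KeyPair.Private, certificateChain, now.UtcDateTime);

    var ocspRespGenerator = new OCSPRespGenerator();
    var ocspResp = ocspRespGenerator.Generate(OCSPRespGenerator.Successful, basicOcspResp);

    bytes = ocspResp.GetEncoded();
    context.Response.ContentType = ResponseContentType;
    WriteResponseBody(context.Response, bytes);
}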