private bool ValidateCertificateByCRL(UnsignedProperties unsignedProperties, X509Certificate2 certificate, X509Certificate2 issuer)
{
Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(certificate);
Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer);
foreach (var crlEntry in _firma.CRLEntries)
{
if (crlEntry.IssuerDN.Equivalent(issuerCert.SubjectDN) && crlEntry.NextUpdate.Value > DateTime.Now)
{
if (!crlEntry.IsRevoked(clientCert))
{
if (!ExistsCRL(unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection,
issuer.Subject))
{
string idCrlValue = "CRLValue-" + Guid.NewGuid().ToString();
CRLRef crlRef = new CRLRef();
crlRef.CRLIdentifier.UriAttribute = "#" + idCrlValue;
crlRef.CRLIdentifier.Issuer = issuer.Subject;
crlRef.CRLIdentifier.IssueTime = crlEntry.ThisUpdate.ToLocalTime();
var crlNumber = GetCRLNumber(crlEntry);
if (crlNumber.HasValue)
{
crlRef.CRLIdentifier.Number = crlNumber.Value;
}
byte[] crlEncoded = crlEntry.GetEncoded();
DigestUtil.SetCertDigest(crlEncoded, _firma.RefsDigestMethod, crlRef.CertDigest);
CRLValue crlValue = new CRLValue();
crlValue.PkiData = crlEncoded;
crlValue.Id = idCrlValue;
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection.Add(crlRef);
unsignedProperties.UnsignedSignatureProperties.RevocationValues.CRLValues.CRLValueCollection.Add(crlValue);
}
return(true);
}
else
{
throw new Exception("Certificado revocado");
}
}
}
return(false);
}
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer)
{
bool byKey = false;
List <string> ocspServers = new List <string>();
Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(client);
Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer);
OcspClient ocsp = new OcspClient();
string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert);
if (!string.IsNullOrEmpty(certOcspUrl))
{
ocspServers.Add(certOcspUrl);
}
foreach (var ocspUrl in _firma.OCSPServers)
{
ocspServers.Add(ocspUrl);
}
foreach (var ocspUrl in ocspServers)
{
byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspUrl);
FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(clientCert, issuerCert, resp);
if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
{
throw new Exception("Certificado revocado");
}
else if (status == FirmaXadesNet.Clients.CertificateStatus.Good)
{
Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp);
byte[] rEncoded = r.GetEncoded();
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
string guidOcsp = Guid.NewGuid().ToString();
OCSPRef ocspRef = new OCSPRef();
ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp;
DigestUtil.SetCertDigest(rEncoded, _firma.RefsDigestMethod, ocspRef.CertDigest);
Org.BouncyCastle.Asn1.Ocsp.ResponderID rpId = or.ResponderId.ToAsn1Object();
string name = GetResponderName(rpId, ref byKey);
if (!byKey)
{
ocspRef.OCSPIdentifier.ResponderID = RevertIssuerName(name);
}
else
{
ocspRef.OCSPIdentifier.ResponderID = name;
ocspRef.OCSPIdentifier.ByKey = true;
}
ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);
OCSPValue ocspValue = new OCSPValue();
ocspValue.PkiData = rEncoded;
ocspValue.Id = "OcspValue" + guidOcsp;
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);
return((from cert in or.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
throw new Exception("El certificado no ha podido ser validado");
}
