private bool ValidateCertificateByCRL(UnsignedProperties unsignedProperties, X509Certificate2 certificate, X509Certificate2 issuer) { Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(certificate); Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer); foreach (var crlEntry in _firma.CRLEntries) { if (crlEntry.IssuerDN.Equivalent(issuerCert.SubjectDN) && crlEntry.NextUpdate.Value > DateTime.Now) { if (!crlEntry.IsRevoked(clientCert)) { if (!ExistsCRL(unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection, issuer.Subject)) { string idCrlValue = "CRLValue-" + Guid.NewGuid().ToString(); CRLRef crlRef = new CRLRef(); crlRef.CRLIdentifier.UriAttribute = "#" + idCrlValue; crlRef.CRLIdentifier.Issuer = issuer.Subject; crlRef.CRLIdentifier.IssueTime = crlEntry.ThisUpdate.ToLocalTime(); var crlNumber = GetCRLNumber(crlEntry); if (crlNumber.HasValue) { crlRef.CRLIdentifier.Number = crlNumber.Value; } byte[] crlEncoded = crlEntry.GetEncoded(); DigestUtil.SetCertDigest(crlEncoded, _firma.RefsDigestMethod, crlRef.CertDigest); CRLValue crlValue = new CRLValue(); crlValue.PkiData = crlEncoded; crlValue.Id = idCrlValue; unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.CRLRefs.CRLRefCollection.Add(crlRef); unsignedProperties.UnsignedSignatureProperties.RevocationValues.CRLValues.CRLValueCollection.Add(crlValue); } return(true); } else { throw new Exception("Certificado revocado"); } } } return(false); }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer) { bool byKey = false; List <string> ocspServers = new List <string>(); Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(client); Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer); OcspClient ocsp = new OcspClient(); string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { ocspServers.Add(certOcspUrl); } foreach (var ocspUrl in _firma.OCSPServers) { ocspServers.Add(ocspUrl); } foreach (var ocspUrl in ocspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspUrl); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(clientCert, issuerCert, resp); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificado revocado"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, _firma.RefsDigestMethod, ocspRef.CertDigest); Org.BouncyCastle.Asn1.Ocsp.ResponderID rpId = or.ResponderId.ToAsn1Object(); string name = GetResponderName(rpId, ref byKey); if (!byKey) { ocspRef.OCSPIdentifier.ResponderID = RevertIssuerName(name); } else { ocspRef.OCSPIdentifier.ResponderID = name; ocspRef.OCSPIdentifier.ByKey = true; } ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue(); ocspValue.PkiData = rEncoded; ocspValue.Id = "OcspValue" + guidOcsp; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return((from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray()); } } throw new Exception("El certificado no ha podido ser validado"); }