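/// <summary>
/// Verifies a signed response against the challenge stored in the session, queries the
/// signer certificate's status through <see cref="OcspClient"/> and, when the status is
/// <c>Good</c>, marks the session as logged in.
/// </summary>
/// <param name="xml">The signed response document sent by the client.</param>
/// <returns>
/// A JSON result: <c>{ valid = true, msg = "Login successful" }</c> on success, otherwise
/// <c>{ error = ... }</c> naming the reason verification failed.
/// </returns>
public ActionResult Verify(string xml)
{
    Response response = new Response(xml);
    Challenge challenge = Session["challenge"] as Challenge;

    // No challenge in the session means none was issued for this client, so the response
    // cannot be bound to anything; reject it exactly like a failed signature check.
    if (challenge == null || !response.Valid(challenge))
    {
        return Json(new { error = "Invalid DSIG" }, JsonRequestBehavior.AllowGet);
    }

    // This uses the BouncyCastle X509 primitives (Org.BouncyCastle.X509)
    X509CertificateParser parser = new X509CertificateParser();
    byte[] fullgiltbytes = System.IO.File.ReadAllBytes(HttpContext.Server.MapPath("~/certs/fullgilt.cer"));
    // Presumably the issuer of the user certificate, which the OCSP query needs — confirm against OcspClient.Query.
    X509Certificate fullgilt = parser.ReadCertificate(fullgiltbytes);
    X509Certificate user = parser.ReadCertificate(response.Certificate);

    OcspClient ocspclient = new OcspClient();
    try
    {
        CertificateStatus ocspresponse = ocspclient.Query(user, fullgilt);
        if (ocspresponse != CertificateStatus.Good)
        {
            // AllowGet keeps this response consistent with every other result of this action;
            // without it a GET request would fail with InvalidOperationException instead of
            // returning the certificate status.
            return Json(new { error = Enum.GetName(typeof(CertificateStatus), ocspresponse) }, JsonRequestBehavior.AllowGet);
        }

        // Do your normal login stuff here.
        Session["LoggedIn"] = true;
        return Json(new { valid = true, msg = "Login successful" }, JsonRequestBehavior.AllowGet);
    }
    catch (Org.BouncyCastle.Ocsp.OcspException ocspex)
    {
        // A responder/protocol failure is reported to the caller rather than surfacing as a 500.
        return Json(new { error = ocspex.Message }, JsonRequestBehavior.AllowGet);
    }
}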
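/// <summary>
/// Asks the OCSP responders for the status of <paramref name="client"/> and, on the first
/// <c>Good</c> answer, stores that response as an OCSPRef / OCSPValue pair in the unsigned
/// signature properties.
/// </summary>
/// <param name="unsignedProperties">XAdES unsigned properties that receive the revocation reference and value.</param>
/// <param name="client">End-entity certificate whose status is checked.</param>
/// <param name="issuer">Issuer certificate of <paramref name="client"/>, used to build the OCSP request.</param>
/// <param name="ocspServers">Responder URLs tried after the one advertised by the issuer's AIA extension (if any).</param>
/// <param name="digestMethod">Digest algorithm used for the OCSPRef CertDigest.</param>
/// <returns>The certificates embedded in the accepted OCSP response.</returns>
/// <exception cref="ArgumentNullException">Any reference argument is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// A responder reports the certificate as revoked, or no responder returns a <c>Good</c> status.
/// </exception>
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable<string> ocspServers, FirmaXades.Crypto.DigestMethod digestMethod)
{
    if (unsignedProperties == null) throw new ArgumentNullException(nameof(unsignedProperties));
    if (client == null) throw new ArgumentNullException(nameof(client));
    if (issuer == null) throw new ArgumentNullException(nameof(issuer));
    if (ocspServers == null) throw new ArgumentNullException(nameof(ocspServers));

    Org.BouncyCastle.X509.X509Certificate eeCert = client.ToBouncyX509Certificate();
    Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
    OcspClient ocspClient = new OcspClient();

    // The responder from the issuer's Authority Information Access extension is tried first,
    // then the explicitly configured ones, in order.
    List<string> responders = new List<string>();
    string aiaOcspUrl = ocspClient.GetAuthorityInformationAccessOcspUrl(issuerCert);
    if (!string.IsNullOrEmpty(aiaOcspUrl))
    {
        responders.Add(aiaOcspUrl);
    }
    responders.AddRange(ocspServers);

    bool byKey = false;
    foreach (string url in responders)
    {
        byte[] rawResponse = ocspClient.QueryBinary(eeCert, issuerCert, url);
        switch (ocspClient.ProcessOcspResponse(rawResponse))
        {
            case FirmaXades.Clients.CertificateStatus.Revoked:
                throw new InvalidOperationException("Certificado revocado");

            case FirmaXades.Clients.CertificateStatus.Good:
                return AddOcspRevocationData(unsignedProperties, rawResponse, digestMethod, ref byKey);

            // Any other status (unknown / unusable answer) moves on to the next responder.
        }
    }

    throw new InvalidOperationException("El certificado no ha podido ser validado");
}

/// <summary>
/// Records a <c>Good</c> OCSP response in the unsigned properties (CompleteRevocationRefs and
/// RevocationValues, linked through a fresh id) and returns the certificates it carries.
/// </summary>
/// <param name="unsignedProperties">Destination of the OCSPRef and OCSPValue.</param>
/// <param name="rawResponse">DER-encoded OCSP response as returned by the responder.</param>
/// <param name="digestMethod">Digest algorithm for the OCSPRef CertDigest.</param>
/// <param name="byKey">Set by <c>GetResponderName</c> when the responder is identified by key rather than by name.</param>
private X509Certificate2[] AddOcspRevocationData(UnsignedProperties unsignedProperties, byte[] rawResponse, FirmaXades.Crypto.DigestMethod digestMethod, ref bool byKey)
{
    OcspResp ocspResp = new OcspResp(rawResponse);
    byte[] encoded = ocspResp.GetEncoded();
    BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();

    // The reference points at the value through this id (UriAttribute "#OcspValue<id>" <-> Id "OcspValue<id>").
    string id = Guid.NewGuid().ToString();

    OCSPRef oCSPRef = new OCSPRef();
    oCSPRef.OCSPIdentifier.UriAttribute = "#OcspValue" + id;
    DigestUtil.SetCertDigest(encoded, digestMethod, oCSPRef.CertDigest);

    ResponderID responderId = basicOcspResp.ResponderId.ToAsn1Object();
    string responderName = GetResponderName(responderId, ref byKey);
    if (byKey)
    {
        oCSPRef.OCSPIdentifier.ResponderID = responderName;
        oCSPRef.OCSPIdentifier.ByKey = true;
    }
    else
    {
        // Responder identified by name; RevertIssuerName presumably normalises the DN order — confirm.
        oCSPRef.OCSPIdentifier.ResponderID = RevertIssuerName(responderName);
    }
    oCSPRef.OCSPIdentifier.ProducedAt = basicOcspResp.ProducedAt.ToLocalTime();
    unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(oCSPRef);

    OCSPValue oCSPValue = new OCSPValue();
    oCSPValue.PkiData = encoded;
    oCSPValue.Id = "OcspValue" + id;
    unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(oCSPValue);

    return basicOcspResp.GetCerts().Select(cert => new X509Certificate2(cert.GetEncoded())).ToArray();
}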
/// <summary>
/// Reports whether <paramref name="certificate"/> is revoked according to <see cref="OcspClient"/>.
/// </summary>
/// <remarks>
/// When the development environment is among the trusted environments no OCSP query is made and
/// the certificate is assumed not revoked; that shortcut relies on the trusted-environment
/// configuration never containing the development environment outside test setups.
/// </remarks>
/// <param name="certificate">Certificate to check.</param>
/// <returns><c>true</c> when the responder does not consider the certificate valid; <c>false</c> otherwise.</returns>
static bool IsCertificateRevoked(IOcesCertificate certificate)
{
    bool developmentEnvironment = Environments.TrustedEnvironments.Contains(OcesEnvironment.OcesIDanidEnvDevelopment);
    if (!developmentEnvironment)
    {
        // "valid" per the responder is the negation of "revoked" here.
        return !OcspClient.IsValid(certificate);
    }

    /* OCSP checking is not supported in this environment - since this is a test environment, we assume
     * the certificate is *not* revoked */
    Logger.Info("OCSP checking is not supported in this environment. Assuming certificate is not revoked");
    return false;
}
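/// <summary>
/// Asks the OCSP responders for the status of <paramref name="client"/> and, on the first
/// <c>Good</c> answer, stores that response as an OCSPRef / OCSPValue pair in the unsigned
/// signature properties.
/// </summary>
/// <param name="unsignedProperties">XAdES unsigned properties that receive the revocation reference and value.</param>
/// <param name="client">End-entity certificate whose status is checked.</param>
/// <param name="issuer">Issuer certificate of <paramref name="client"/>, used to build the OCSP request.</param>
/// <param name="ocspServers">Configured responders, tried in order after the AIA one (when enabled).</param>
/// <param name="digestMethod">Digest algorithm used for the OCSPRef CertDigest.</param>
/// <param name="addCertificateOcspUrl">
/// When <c>true</c>, the responder advertised by the issuer's Authority Information Access extension is tried first.
/// </param>
/// <returns>The certificates embedded in the accepted OCSP response.</returns>
/// <exception cref="ArgumentNullException">Any reference argument is <c>null</c>.</exception>
/// <exception cref="InvalidOperationException">
/// A responder reports the certificate as revoked, or no responder returns a <c>Good</c> status.
/// </exception>
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable<OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl)
{
    if (unsignedProperties == null) throw new ArgumentNullException(nameof(unsignedProperties));
    if (client == null) throw new ArgumentNullException(nameof(client));
    if (issuer == null) throw new ArgumentNullException(nameof(issuer));
    if (ocspServers == null) throw new ArgumentNullException(nameof(ocspServers));

    Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
    Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
    OcspClient ocsp = new OcspClient();

    List<OcspServer> responders = new List<OcspServer>();
    if (addCertificateOcspUrl)
    {
        string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert);
        if (!string.IsNullOrEmpty(certOcspUrl))
        {
            responders.Add(new OcspServer(certOcspUrl));
        }
    }
    responders.AddRange(ocspServers);

    bool byKey = false;
    foreach (OcspServer server in responders)
    {
        byte[] rawResponse = ocsp.QueryBinary(clientCert, issuerCert, server.Url, server.RequestorName, server.SignCertificate);
        FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(rawResponse);

        if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
        {
            throw new InvalidOperationException("Certificado revocado");
        }
        if (status == FirmaXadesNet.Clients.CertificateStatus.Good)
        {
            return AddOcspRevocationData(unsignedProperties, rawResponse, digestMethod, ref byKey);
        }
        // Any other status (unknown / unusable answer) moves on to the next responder.
    }

    throw new InvalidOperationException("El certificado no ha podido ser validado");
}

/// <summary>
/// Records a <c>Good</c> OCSP response in the unsigned properties (CompleteRevocationRefs and
/// RevocationValues, linked through a fresh id) and returns the certificates it carries.
/// </summary>
/// <param name="unsignedProperties">Destination of the OCSPRef and OCSPValue.</param>
/// <param name="rawResponse">DER-encoded OCSP response as returned by the responder.</param>
/// <param name="digestMethod">Digest algorithm for the OCSPRef CertDigest.</param>
/// <param name="byKey">Set by <c>GetResponderName</c> when the responder is identified by key rather than by name.</param>
private X509Certificate2[] AddOcspRevocationData(UnsignedProperties unsignedProperties, byte[] rawResponse, FirmaXadesNet.Crypto.DigestMethod digestMethod, ref bool byKey)
{
    OcspResp response = new OcspResp(rawResponse);
    byte[] encoded = response.GetEncoded();
    BasicOcspResp basicResponse = (BasicOcspResp)response.GetResponseObject();

    // The reference points at the value through this id (UriAttribute "#OcspValue<id>" <-> Id "OcspValue<id>").
    string id = Guid.NewGuid().ToString();

    OCSPRef ocspRef = new OCSPRef();
    ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + id;
    DigestUtil.SetCertDigest(encoded, digestMethod, ocspRef.CertDigest);

    ResponderID responderId = basicResponse.ResponderId.ToAsn1Object();
    ocspRef.OCSPIdentifier.ResponderID = GetResponderName(responderId, ref byKey);
    ocspRef.OCSPIdentifier.ByKey = byKey;
    ocspRef.OCSPIdentifier.ProducedAt = basicResponse.ProducedAt.ToLocalTime();
    unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);

    OCSPValue ocspValue = new OCSPValue();
    ocspValue.PkiData = encoded;
    ocspValue.Id = "OcspValue" + id;
    unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);

    return basicResponse.GetCerts().Select(cert => new X509Certificate2(cert.GetEncoded())).ToArray();
}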
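/// <summary>
/// Handles the POST actions of the ACME certificate page: API-key rotation, an on-demand OCSP
/// status check, and certificate revocation.
/// </summary>
/// <param name="id">Id of the <c>AcmeCertificate</c> to operate on.</param>
/// <param name="action">One of <c>keychange</c>, <c>ocspcheck</c> or <c>revoke</c> (case-insensitive); anything else is ignored.</param>
/// <param name="key">For <c>keychange</c>: which key to rotate, <c>apikey1</c> or <c>apikey2</c>.</param>
/// <returns>404 when the certificate does not exist, otherwise the re-rendered page.</returns>
public async Task<IActionResult> OnPostAsync(long id, string action, string key)
{
    AcmeCertificate = await _context.AcmeCertificates
        .Include(a => a.AcmeAccount)
            .ThenInclude(a => a.Key)
        .Include(a => a.AcmeOrders)
            .ThenInclude(o => o.DomainCertificate)
        .FirstOrDefaultAsync(m => m.AcmeCertificateId == id);
    if (AcmeCertificate == null)
    {
        return NotFound();
    }

    // Invariant lowering: the action name is a protocol token, not user-visible text, and a
    // null action must simply match no case instead of throwing.
    switch (action?.ToLowerInvariant())
    {
        case "keychange":
            await RotateApiKeyAsync(key);
            break;
        case "ocspcheck":
            CheckOcspStatus();
            break;
        case "revoke":
            await RevokeLatestCertificateAsync();
            break;
    }

    return Page();
}

/// <summary>Rotates the named API key of the loaded certificate; unknown key names change nothing.</summary>
private async Task RotateApiKeyAsync(string key)
{
    switch (key)
    {
        case "apikey1":
            AcmeCertificate.ApiKey1 = ApiKeyGenerator.CreateApiKey();
            break;
        case "apikey2":
            AcmeCertificate.ApiKey2 = ApiKeyGenerator.CreateApiKey();
            break;
    }
    await _context.SaveChangesAsync();
}

/// <summary>
/// Looks up the OCSP status of the latest valid order's certificate and stores the outcome in
/// <c>OcspStatus</c>; a failed lookup is reported as "Error" rather than surfacing as a 500.
/// </summary>
private void CheckOcspStatus()
{
    try
    {
        var order = AcmeCertificate.GetLatestValidAcmeOrder();
        if (order?.Certificate != null)
        {
            var client = new OcspClient();
            OcspStatus = client.GetOcspStatus(order.Certificate).ToString();
        }
        else
        {
            OcspStatus = "No certificate";
        }
    }
    catch (Exception e)
    {
        // The exception is attached so the full stack is logged, not only the message.
        _logger.LogWarning(e, $"Error obtaining OCSP status:{e.Message}");
        OcspStatus = "Error";
    }
}

/// <summary>
/// Submits a revocation for the latest valid order's certificate using the reason selected on the
/// page. Nothing happens when there is no PEM data to revoke or the reason is not a valid value.
/// </summary>
private async Task RevokeLatestCertificateAsync()
{
    var order = AcmeCertificate.GetLatestValidAcmeOrder();
    if (order?.RawDataPem == null)
    {
        return;
    }

    // RevocationReason (the bound page property) is user input: parse it without throwing so an
    // unexpected value yields a status message instead of an unhandled ArgumentException.
    RevocationReason reason;
    if (!Enum.TryParse(RevocationReason, true, out reason))
    {
        StatusMessage = "Invalid revocation reason";
        return;
    }

    _certesAcmeProvider.Initialize(AcmeCertificate);
    var cert = new Certes.Acme.CertificateChain(order.RawDataPem);
    await _certesAcmeProvider.Revoke(cert.Certificate.ToDer(), reason);
    StatusMessage = "Certificate revocation submitted";
}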