public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST) { CertificateStatus status = new CertificateStatus { Validity = CertificateValidity.VALID, StatusSourceType = ValidatorSourceType.TRUSTED_LIST, Certificate = cert.Certificate }; return(status); } CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert); if (issuer == null) { return(null); } IOcspSource ocspSource = new ListOCSPSource(NeededOCSPResp); ICrlSource crlSource = new ListCRLSource(NeededCRL); var verifier = certificateVerifierFactory(ocspSource, crlSource); return(verifier.Check(cert.Certificate, issuer.Certificate, ValidationDate)); }
public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer, DateTime validationDate) { if (cert is null) { throw new ArgumentNullException(nameof(cert)); } logger.Info("OCSP request for " + cert.SubjectDN); CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate); if (result != null && result.Validity != CertificateValidity.UNKNOWN) { logger.Info(OCSPDoneMessage); return(result); } else { logger.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN); result = crlVerifier.Check(cert, potentialIssuer, validationDate); if (result != null && result.Validity != CertificateValidity.UNKNOWN) { logger.Info(CLRDoneMessage); return(result); } else { logger.Info(NoResponceMessage); return(null); } } }
public CertificateVerification(CertificateAndContext cert, IValidationContext ctx) { if (ctx is null) { throw new System.ArgumentNullException(nameof(ctx)); } CertificateAndContext = cert; if (cert != null) { try { cert.Certificate.CheckValidity(ctx.ValidationDate); validityPeriodVerification = new Result(ResultStatus.VALID, null); } catch (CertificateExpiredException) { validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateExpired"); } catch (CertificateNotYetValidException) { validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateNotYetValid"); } CertificateStatus status = ctx.GetCertificateStatusFromContext(cert); if (status != null) { certificateStatus = new RevocationVerificationResult(status); } Summary.SetStatus(ResultStatus.VALID, null); if (ValidityPeriodVerification.IsInvalid) { Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateIsNotValid"); } if (CertificateStatus != null) { if (CertificateStatus.Status == CertificateValidity.REVOKED) { Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateRevoked"); } else { if (CertificateStatus.Status == CertificateValidity.UNKNOWN) { Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_RevocationUnknown"); } } } else if (!ValidityPeriodVerification.IsInvalid) { Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_NoRevocationData"); } } }
public RevocationVerificationResult(CertificateStatus certificateStatus) { if (certificateStatus != null) { this.certificateStatus = certificateStatus; } else { this.certificateStatus = new CertificateStatus { Validity = CertificateValidity.UNKNOWN }; } }
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate) { CertificateStatus status = new CertificateStatus { Certificate = childCertificate, ValidationDate = validationDate, IssuerCertificate = certificate }; if (ocspSource == null) { logger.Warn("OCSPSource null"); return(null); } try { BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate); if (null == ocspResp) { logger.Info("OCSP response not found"); return(null); } BasicOcspResp basicOCSPResp = ocspResp; CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate, childCertificate.SerialNumber); SingleResp[] singleResps = basicOCSPResp.Responses; foreach (SingleResp singleResp in singleResps) { CertificateID responseCertificateId = singleResp.GetCertID(); if (!certificateId.Equals(responseCertificateId)) { continue; } DateTime thisUpdate = singleResp.ThisUpdate; logger.Info("OCSP thisUpdate: " + thisUpdate); logger.Info("OCSP nextUpdate: " + singleResp.NextUpdate); status.StatusSourceType = ValidatorSourceType.OCSP; status.StatusSource = ocspResp; status.RevocationObjectIssuingTime = ocspResp.ProducedAt; if (null == singleResp.GetCertStatus()) { logger.Info("OCSP OK for: " + childCertificate.SubjectDN); status.Validity = CertificateValidity.VALID; } else { logger.Info("OCSP certificate status: " + singleResp.GetCertStatus().GetType().FullName); if (singleResp.GetCertStatus() is RevokedStatus) { logger.Info("OCSP status revoked"); if (validationDate.CompareTo(((RevokedStatus)singleResp.GetCertStatus()).RevocationTime) < 0) { logger.Info("OCSP revocation time after the validation date, the certificate was valid at " + validationDate); status.Validity = CertificateValidity.VALID; } else { status.RevocationDate = ((RevokedStatus)singleResp.GetCertStatus()).RevocationTime; status.Validity = CertificateValidity.REVOKED; } } else { if (singleResp.GetCertStatus() is UnknownStatus) { logger.Info("OCSP status unknown"); status.Validity = CertificateValidity.UNKNOWN; } } } return(status); } logger.Info("no matching OCSP response entry"); return(null); } catch (IOException ex) { logger.Error("OCSP exception: " + ex.Message); return(null); } catch (OcspException ex) { logger.Error("OCSP exception: " + ex.Message); throw; } }
/// <param> /// the status to set /// </param> public virtual void SetStatus(CertificateStatus status) { this.status = status; }
/// <summary> /// Build the validation context for the specific date /// </summary> public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts) { int previousSize = RevocationInfo.Count; int previousVerified = VerifiedTokenCount(); ISignedToken signedToken = GetOneNotYetVerifiedToken(); if (signedToken != null) { ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource); CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate); RevocationData data = null; if (issuer == null) { logger?.Warn("Don't found any issuer for token " + signedToken); data = new RevocationData(signedToken); } else { usedCerts?.Add(issuer); AddNotYetVerifiedToken(certificateTokenFactory(issuer)); if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN)) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); } Validate(trustedToken, noNeedToValidate); } else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST) { ISignedToken trustedToken = certificateTokenFactory(issuer); RevocationData noNeedToValidate = new RevocationData(); noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST); Validate(trustedToken, noNeedToValidate); } if (signedToken is CertificateToken) { CertificateToken ct = (CertificateToken)signedToken; CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource); data = new RevocationData(signedToken); if (status != null) { data.SetRevocationData(status.StatusSource); if (status.StatusSource is X509Crl) { AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource)); } else { if (status.StatusSource is BasicOcspResp) { AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource)); } } } else { logger?.Warn("No status for " + signedToken); } } else { if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken) { data = new RevocationData(signedToken); data.SetRevocationData(issuer); } else { throw new Exception("Not supported token type " + signedToken.GetType().Name); } } } Validate(signedToken, data); logger?.Info(ToString()); int newSize = RevocationInfo.Count; int newVerified = VerifiedTokenCount(); if (newSize != previousSize || newVerified != previousVerified) { Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts); } } }
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate) { try { CertificateStatus report = new CertificateStatus { Certificate = childCertificate, ValidationDate = validationDate, IssuerCertificate = certificate }; if (crlSource == null) { logger.Warn("CRLSource null"); return(null); } X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate); if (x509crl == null) { logger.Info("No CRL found for certificate " + childCertificate.SubjectDN); return(null); } if (!IsCRLValid(x509crl, certificate, validationDate)) { logger.Warn("The CRL is not valid !"); return(null); } report.StatusSource = x509crl; report.Validity = CertificateValidity.UNKNOWN; report.Certificate = childCertificate; report.StatusSourceType = ValidatorSourceType.CRL; report.ValidationDate = validationDate; X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber); if (null == crlEntry) { logger.Info("CRL OK for: " + childCertificate.SubjectDN); report.Validity = CertificateValidity.VALID; } else { if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After { logger.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate); report.Validity = CertificateValidity.VALID; report.RevocationObjectIssuingTime = x509crl.ThisUpdate; } else { logger.Info("CRL reports certificate: " + childCertificate.SubjectDN + " as revoked since " + crlEntry.RevocationDate); report.Validity = CertificateValidity.REVOKED; report.RevocationObjectIssuingTime = x509crl.ThisUpdate; report.RevocationDate = crlEntry.RevocationDate; } } return(report); } catch (IOException e) { logger.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message); return(null); } }