public virtual CertificateStatus GetCertificateStatusFromContext(CertificateAndContext cert)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
if (cert.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
CertificateStatus status = new CertificateStatus
{
Validity = CertificateValidity.VALID,
StatusSourceType = ValidatorSourceType.TRUSTED_LIST,
Certificate = cert.Certificate
};
return(status);
}
CertificateAndContext issuer = GetIssuerCertificateFromThisContext(cert);
if (issuer == null)
{
return(null);
}
IOcspSource ocspSource = new ListOCSPSource(NeededOCSPResp);
ICrlSource crlSource = new ListCRLSource(NeededCRL);
var verifier = certificateVerifierFactory(ocspSource, crlSource);
return(verifier.Check(cert.Certificate, issuer.Certificate, ValidationDate));
}
public virtual CertificateStatus Check(X509Certificate cert, X509Certificate potentialIssuer, DateTime validationDate)
{
if (cert is null)
{
throw new ArgumentNullException(nameof(cert));
}
logger.Info("OCSP request for " + cert.SubjectDN);
CertificateStatus result = ocspVerifier.Check(cert, potentialIssuer, validationDate);
if (result != null && result.Validity != CertificateValidity.UNKNOWN)
{
logger.Info(OCSPDoneMessage);
return(result);
}
else
{
logger.Info("No OCSP check performed, looking for a CRL for " + cert.SubjectDN);
result = crlVerifier.Check(cert, potentialIssuer, validationDate);
if (result != null && result.Validity != CertificateValidity.UNKNOWN)
{
logger.Info(CLRDoneMessage);
return(result);
}
else
{
logger.Info(NoResponceMessage);
return(null);
}
}
}
public CertificateVerification(CertificateAndContext cert, IValidationContext ctx)
{
if (ctx is null)
{
throw new System.ArgumentNullException(nameof(ctx));
}
CertificateAndContext = cert;
if (cert != null)
{
try
{
cert.Certificate.CheckValidity(ctx.ValidationDate);
validityPeriodVerification = new Result(ResultStatus.VALID, null);
}
catch (CertificateExpiredException)
{
validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateExpired");
}
catch (CertificateNotYetValidException)
{
validityPeriodVerification = new Result(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateNotYetValid");
}
CertificateStatus status = ctx.GetCertificateStatusFromContext(cert);
if (status != null)
{
certificateStatus = new RevocationVerificationResult(status);
}
Summary.SetStatus(ResultStatus.VALID, null);
if (ValidityPeriodVerification.IsInvalid)
{
Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateIsNotValid");
}
if (CertificateStatus != null)
{
if (CertificateStatus.Status == CertificateValidity.REVOKED)
{
Summary.SetStatus(ResultStatus.INVALID, "$UI_Signatures_ValidationText_CertificateRevoked");
}
else
{
if (CertificateStatus.Status == CertificateValidity.UNKNOWN)
{
Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_RevocationUnknown");
}
}
}
else if (!ValidityPeriodVerification.IsInvalid)
{
Summary.SetStatus(ResultStatus.UNDETERMINED, "$UI_Signatures_ValidationText_NoRevocationData");
}
}
}
public RevocationVerificationResult(CertificateStatus certificateStatus)
{
if (certificateStatus != null)
{
this.certificateStatus = certificateStatus;
}
else
{
this.certificateStatus = new CertificateStatus
{
Validity = CertificateValidity.UNKNOWN
};
}
}
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
{
CertificateStatus status = new CertificateStatus
{
Certificate = childCertificate,
ValidationDate = validationDate,
IssuerCertificate = certificate
};
if (ocspSource == null)
{
logger.Warn("OCSPSource null");
return(null);
}
try
{
BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate);
if (null == ocspResp)
{
logger.Info("OCSP response not found");
return(null);
}
BasicOcspResp basicOCSPResp = ocspResp;
CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate, childCertificate.SerialNumber);
SingleResp[] singleResps = basicOCSPResp.Responses;
foreach (SingleResp singleResp in singleResps)
{
CertificateID responseCertificateId = singleResp.GetCertID();
if (!certificateId.Equals(responseCertificateId))
{
continue;
}
DateTime thisUpdate = singleResp.ThisUpdate;
logger.Info("OCSP thisUpdate: " + thisUpdate);
logger.Info("OCSP nextUpdate: " + singleResp.NextUpdate);
status.StatusSourceType = ValidatorSourceType.OCSP;
status.StatusSource = ocspResp;
status.RevocationObjectIssuingTime = ocspResp.ProducedAt;
if (null == singleResp.GetCertStatus())
{
logger.Info("OCSP OK for: " + childCertificate.SubjectDN);
status.Validity = CertificateValidity.VALID;
}
else
{
logger.Info("OCSP certificate status: " + singleResp.GetCertStatus().GetType().FullName);
if (singleResp.GetCertStatus() is RevokedStatus)
{
logger.Info("OCSP status revoked");
if (validationDate.CompareTo(((RevokedStatus)singleResp.GetCertStatus()).RevocationTime) < 0)
{
logger.Info("OCSP revocation time after the validation date, the certificate was valid at "
+ validationDate);
status.Validity = CertificateValidity.VALID;
}
else
{
status.RevocationDate = ((RevokedStatus)singleResp.GetCertStatus()).RevocationTime;
status.Validity = CertificateValidity.REVOKED;
}
}
else
{
if (singleResp.GetCertStatus() is UnknownStatus)
{
logger.Info("OCSP status unknown");
status.Validity = CertificateValidity.UNKNOWN;
}
}
}
return(status);
}
logger.Info("no matching OCSP response entry");
return(null);
}
catch (IOException ex)
{
logger.Error("OCSP exception: " + ex.Message);
return(null);
}
catch (OcspException ex)
{
logger.Error("OCSP exception: " + ex.Message);
throw;
}
}
/// <param>
/// the status to set
/// </param>
public virtual void SetStatus(CertificateStatus status)
{
this.status = status;
}
/// <summary>
/// Build the validation context for the specific date
/// </summary>
public virtual void Validate(DateTime validationDate, ICertificateSource optionalSource, ICrlSource optionalCRLSource, IOcspSource optionalOCPSSource, IList <CertificateAndContext> usedCerts)
{
int previousSize = RevocationInfo.Count;
int previousVerified = VerifiedTokenCount();
ISignedToken signedToken = GetOneNotYetVerifiedToken();
if (signedToken != null)
{
ICertificateSource otherSource = new CompositeCertificateSource(signedToken.GetWrappedCertificateSource(), optionalSource);
CertificateAndContext issuer = GetIssuerCertificate(signedToken, otherSource, validationDate);
RevocationData data = null;
if (issuer == null)
{
logger?.Warn("Don't found any issuer for token " + signedToken);
data = new RevocationData(signedToken);
}
else
{
usedCerts?.Add(issuer);
AddNotYetVerifiedToken(certificateTokenFactory(issuer));
if (issuer.Certificate.SubjectDN.Equals(issuer.Certificate.IssuerDN))
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
}
Validate(trustedToken, noNeedToValidate);
}
else if (issuer.CertificateSource == CertificateSourceType.TRUSTED_LIST)
{
ISignedToken trustedToken = certificateTokenFactory(issuer);
RevocationData noNeedToValidate = new RevocationData();
noNeedToValidate.SetRevocationData(CertificateSourceType.TRUSTED_LIST);
Validate(trustedToken, noNeedToValidate);
}
if (signedToken is CertificateToken)
{
CertificateToken ct = (CertificateToken)signedToken;
CertificateStatus status = GetCertificateValidity(ct.GetCertificateAndContext(), issuer, validationDate, optionalCRLSource, optionalOCPSSource);
data = new RevocationData(signedToken);
if (status != null)
{
data.SetRevocationData(status.StatusSource);
if (status.StatusSource is X509Crl)
{
AddNotYetVerifiedToken(new CRLToken((X509Crl)status.StatusSource));
}
else
{
if (status.StatusSource is BasicOcspResp)
{
AddNotYetVerifiedToken(new OCSPRespToken((BasicOcspResp)status.StatusSource));
}
}
}
else
{
logger?.Warn("No status for " + signedToken);
}
}
else
{
if (signedToken is CRLToken || signedToken is OCSPRespToken || signedToken is TimestampToken)
{
data = new RevocationData(signedToken);
data.SetRevocationData(issuer);
}
else
{
throw new Exception("Not supported token type " + signedToken.GetType().Name);
}
}
}
Validate(signedToken, data);
logger?.Info(ToString());
int newSize = RevocationInfo.Count;
int newVerified = VerifiedTokenCount();
if (newSize != previousSize || newVerified != previousVerified)
{
Validate(validationDate, otherSource, optionalCRLSource, optionalOCPSSource, usedCerts);
}
}
}
public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate certificate, DateTime validationDate)
{
try
{
CertificateStatus report = new CertificateStatus
{
Certificate = childCertificate,
ValidationDate = validationDate,
IssuerCertificate = certificate
};
if (crlSource == null)
{
logger.Warn("CRLSource null");
return(null);
}
X509Crl x509crl = crlSource.FindCrl(childCertificate, certificate);
if (x509crl == null)
{
logger.Info("No CRL found for certificate " + childCertificate.SubjectDN);
return(null);
}
if (!IsCRLValid(x509crl, certificate, validationDate))
{
logger.Warn("The CRL is not valid !");
return(null);
}
report.StatusSource = x509crl;
report.Validity = CertificateValidity.UNKNOWN;
report.Certificate = childCertificate;
report.StatusSourceType = ValidatorSourceType.CRL;
report.ValidationDate = validationDate;
X509CrlEntry crlEntry = x509crl.GetRevokedCertificate(childCertificate.SerialNumber);
if (null == crlEntry)
{
logger.Info("CRL OK for: " + childCertificate.SubjectDN);
report.Validity = CertificateValidity.VALID;
}
else
{
if (crlEntry.RevocationDate.CompareTo(validationDate) > 0) //jbonilla - After
{
logger.Info("CRL OK for: " + childCertificate.SubjectDN + " at " + validationDate);
report.Validity = CertificateValidity.VALID;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
}
else
{
logger.Info("CRL reports certificate: " + childCertificate.SubjectDN
+ " as revoked since " + crlEntry.RevocationDate);
report.Validity = CertificateValidity.REVOKED;
report.RevocationObjectIssuingTime = x509crl.ThisUpdate;
report.RevocationDate = crlEntry.RevocationDate;
}
}
return(report);
}
catch (IOException e)
{
logger.Error("IOException when accessing CRL for " + childCertificate.SubjectDN.ToString() + " " + e.Message);
return(null);
}
}
