/// <exception cref="System.IO.IOException"></exception> public BasicOcspResp GetOcspResponse(X509Certificate certificate, X509Certificate issuerCertificate) { try { this.OcspUri = GetAccessLocation(certificate, X509ObjectIdentifiers.OcspAccessMethod); LOG.Info("OCSP URI: " + this.OcspUri); if (this.OcspUri == null) { return null; } OcspReqGenerator ocspReqGenerator = new OcspReqGenerator(); CertificateID certId = new CertificateID(CertificateID.HashSha1, issuerCertificate , certificate.SerialNumber); ocspReqGenerator.AddRequest(certId); OcspReq ocspReq = ocspReqGenerator.Generate(); byte[] ocspReqData = ocspReq.GetEncoded(); OcspResp ocspResp = new OcspResp(HttpDataLoader.Post(this.OcspUri, new MemoryStream (ocspReqData))); try { return (BasicOcspResp)ocspResp.GetResponseObject(); } catch (ArgumentNullException) { // Encountered a case when the OCSPResp is initialized with a null OCSP response... // (and there are no nullity checks in the OCSPResp implementation) return null; } } catch (CannotFetchDataException) { return null; } catch (OcspException e) { LOG.Error("OCSP error: " + e.Message); return null; } }
/// <summary> /// Verifies the certificate chain via OCSP /// </summary> /// <returns> /// <c>true</c>, if certificate is revoked, <c>false</c> otherwise. /// </returns> /// <param name='chain'> /// The certificate chain. /// </param> private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain) { List<X509Certificate> certsList = new List<X509Certificate> (); List<Uri> certsUrls = new List<Uri> (); bool bCertificateIsRevoked = false; try { //Get the OCSP URLS to be validated for each certificate. foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements) { X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate (cert.Certificate); if (BCCert.CertificateStructure.TbsCertificate.Extensions != null) { X509Extension ext = BCCert.CertificateStructure.TbsCertificate.Extensions.GetExtension (X509Extensions.AuthorityInfoAccess); if (ext != null) { AccessDescription[] certUrls = AuthorityInformationAccess.GetInstance (ext).GetAccessDescriptions (); Uri url = (certUrls != null && certUrls.Length > 0 && certUrls [0].AccessLocation.Name.ToString ().StartsWith("http://")) ? new Uri (certUrls [0].AccessLocation.Name.ToString ()) : null; certsList.Add (BCCert); if (!certsUrls.Contains (url)) certsUrls.Add (url); } } } if(certsUrls.Count>0){ //create requests for each cert List<OcspReq> RequestList = new List<OcspReq>(); OcspReqGenerator OCSPRequestGenerator; for (int i =0; i< (certsList.Count -1); i++) { OCSPRequestGenerator = new OcspReqGenerator (); BigInteger nonce = BigInteger.ValueOf (DateTime.Now.Ticks); List<DerObjectIdentifier> oids = new List<DerObjectIdentifier> (); oids.Add (Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce); List<X509Extension> values = new List<X509Extension> (); values.Add (new X509Extension (false, new DerOctetString (nonce.ToByteArray ()))); OCSPRequestGenerator.SetRequestExtensions (new X509Extensions (oids, values)); CertificateID ID = new CertificateID (CertificateID.HashSha1, certsList [i + 1], certsList [i].SerialNumber); OCSPRequestGenerator.AddRequest (ID); RequestList.Add(OCSPRequestGenerator.Generate()); } //send requests to the OCSP server and read the response for (int i =0; i< certsUrls.Count && !bCertificateIsRevoked; i++) { for(int j = 0; j< RequestList.Count && !bCertificateIsRevoked ; j++){ HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create (certsUrls [i]); requestToOCSPServer.Method = "POST"; requestToOCSPServer.ContentType = "application/ocsp-request"; requestToOCSPServer.Accept = "application/ocsp-response"; requestToOCSPServer.ReadWriteTimeout = 15000; // 15 seconds waiting to stablish connection requestToOCSPServer.Timeout = 100000; // 100 seconds timeout reading response byte[] bRequestBytes = RequestList[j].GetEncoded(); using (Stream requestStream = requestToOCSPServer.GetRequestStream()) { requestStream.Write (bRequestBytes, 0, bRequestBytes.Length); requestStream.Flush (); } HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse (); OcspResp OCSPResponse = new OcspResp (serverResponse.GetResponseStream ()); BasicOcspResp basicOCSPResponse = (BasicOcspResp)OCSPResponse.GetResponseObject (); //get the status from the response if (basicOCSPResponse != null) { foreach (SingleResp singleResponse in basicOCSPResponse.Responses) { object certStatus = singleResponse.GetCertStatus (); if (certStatus is RevokedStatus) bCertificateIsRevoked = true; } } } } }else { SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");} } catch (Exception e) { SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message); bCertificateIsRevoked = true; } if(bCertificateIsRevoked) SystemLogger.Log (SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked"); return bCertificateIsRevoked; }
static bool CertificateIsValid(CertID id, OcspResp ocspResp, string serialNumber, Ca ca) { CheckOcspResp(ocspResp); BasicOcspResp response = GetResponseObject(ocspResp); CheckValidityOfResponse(id, response, ca); return SerialNumberInResponseIsNotRevoked(response, serialNumber); }
/// <summary>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL). /// </summary> /// <remarks>Convert a BasicOcspResp in OcspResp (connection status is set to SUCCESSFUL). /// </remarks> /// <param name="basicOCSPResp"></param> /// <returns></returns> public static OcspResp FromBasicToResp(byte[] basicOCSPResp) { OcspResponse response = new OcspResponse(new OcspResponseStatus(OcspResponseStatus .Successful), new ResponseBytes(OcspObjectIdentifiers.PkixOcspBasic, new DerOctetString (basicOCSPResp))); OcspResp resp = new OcspResp(response); return resp; }
/// <summary>Convert a OcspResp in a BasicOcspResp</summary> /// <param name="ocspResp"></param> /// <returns></returns> public static BasicOcspResp FromRespToBasic(OcspResp ocspResp) { try { return (BasicOcspResp)ocspResp.GetResponseObject(); } catch (OcspException e) { throw new RuntimeException(e); } }
public BouncyCastleOCSP.BasicOcspResp getOCSPCertFromResponse() { if (ocspResponse == null) { return(null); } else { Org.BouncyCastle.Ocsp.OcspResp resp = new BouncyCastleOCSP.OcspResp(ocspResponse); BouncyCastleOCSP.BasicOcspResp bresp = resp.GetResponseObject() as BouncyCastleOCSP.BasicOcspResp; return(bresp); } }
/// <summary> /// Checks if the OCSP response from the OCSP responder. Returns the validity of the certificate used to sign the ocsp response and also /// if the client certificate is valid, revoked or unknown. /// </summary> /// <param name="clientCert">Client certificate</param> /// <param name="issuerCert">Issuer certificate of the client certificate</param> /// <param name="binaryResp">OCSP response</param> /// <returns>CertificateStatus</returns> private CertificateStatus CheckOcspResponse(X509Certificate clientCert, X509Certificate issuerCert, byte[] binaryResp) { BouncyCastleOCSP.OcspResp ocspResponse = new BouncyCastleOCSP.OcspResp(binaryResp); CertificateStatus certStatus = CertificateStatus.Unknown; switch (ocspResponse.Status) { case BouncyCastleOCSP.OcspRespStatus.Successful: BouncyCastleOCSP.BasicOcspResp response = (BouncyCastleOCSP.BasicOcspResp)ocspResponse.GetResponseObject(); if (response.Responses.Length == 1) { BouncyCastleOCSP.SingleResp singleResponse = response.Responses[0]; ValidateCertificateId(issuerCert, clientCert, singleResponse.GetCertID()); ValidateThisUpdate(singleResponse); ValidateNextUpdate(singleResponse); Object certificateStatus = singleResponse.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { certStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { certStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { certStatus = CertificateStatus.Unknown; } } break; default: { throw new BouncyCastleOCSP.OcspException("Error status: " + this.GetOCSPResponseStatus(ocspResponse.Status)); } } return(certStatus); }
private CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); ValidateResponse(or, issuerCert); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidateCertificateId(issuerCert, eeCert, resp.GetCertID()); ValidateThisUpdate(resp); ValidateNextUpdate(resp); Object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } break; default: throw new Exception("Unknow status '" + r.Status + "'."); } return cStatus; }
private OcspResp GetOcspResponse(X509Certificate checkCert, X509Certificate rootCert, String url) { if (checkCert == null || rootCert == null) return null; if (url == null) { url = CertificateUtil.GetOCSPURL(checkCert); } if (url == null) return null; LOGGER.Info("Getting OCSP from " + url); OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); return ocspResponse; }
/** * @return a byte array * @see com.lowagie.text.pdf.OcspClient#getEncoded() */ public byte[] GetEncoded() { OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); BasicOcspResp basicResponse = (BasicOcspResp) ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return basicResponse.GetEncoded(); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } return null; }
private CertificateStatus ProcesarRespuestaOcsp(X509Certificate in_Certificado, X509Certificate in_CertificadoEmisor, byte[] in_BytesRespuesta) { OcspResp r = new OcspResp(in_BytesRespuesta); CertificateStatus estado = CertificateStatus.Unknown; switch (r.Status) { case OcspRespStatus.Successful: BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; ValidarCertificateId(in_CertificadoEmisor, in_Certificado, resp.GetCertID()); Object estadoCertificado = resp.GetCertStatus(); if (estadoCertificado == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { estado = CertificateStatus.Good; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.RevokedStatus) { estado = CertificateStatus.Revoked; } else if (estadoCertificado is Org.BouncyCastle.Ocsp.UnknownStatus) { estado = CertificateStatus.Unknown; } } break; default: throw new Exception("Status desconocido'" + r.Status + "'."); } return estado; }
public static bool CertificateIsValid(CertID id, OcspResp ocspResp, IOcesCertificate certificate) { return CertificateIsValid(id, ocspResp, SerialNumberConverter.FromCertificate(certificate), certificate.IssuingCa); }
static BasicOcspResp GetResponseObject(OcspResp ocspResp) { var response = (BasicOcspResp) ocspResp.GetResponseObject(); if (response == null) { throw new OcspException("Did not return basic response"); } return response; }
static void CheckOcspResp(OcspResp resp) { if (resp.Status != OcspRespStatus.Successful) { throw new OcspException("ocsp response status: " + resp.Status); } }
/** * Gets an encoded byte array with OCSP validation. The method should not throw an exception. * @param checkCert to certificate to check * @param rootCert the parent certificate * @param the url to get the verification. It it's null it will be taken * from the check cert or from other implementation specific source * @return a byte array with the validation or null if the validation could not be obtained */ public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) { try { if (checkCert == null || rootCert == null) return null; if (url == null) { url = PdfPKCS7.GetOCSPURL(checkCert); } if (url == null) return null; OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber); byte[] array = request.GetEncoded(); HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url); con.ContentLength = array.Length; con.ContentType = "application/ocsp-request"; con.Accept = "application/ocsp-response"; con.Method = "POST"; Stream outp = con.GetRequestStream(); outp.Write(array, 0, array.Length); outp.Close(); HttpWebResponse response = (HttpWebResponse)con.GetResponse(); if (response.StatusCode != HttpStatusCode.OK) throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode)); Stream inp = response.GetResponseStream(); OcspResp ocspResponse = new OcspResp(inp); inp.Close(); response.Close(); if (ocspResponse.Status != 0) throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status)); BasicOcspResp basicResponse = (BasicOcspResp) ocspResponse.GetResponseObject(); if (basicResponse != null) { SingleResp[] responses = basicResponse.Responses; if (responses.Length == 1) { SingleResp resp = responses[0]; Object status = resp.GetCertStatus(); if (status == CertificateStatus.Good) { return basicResponse.GetEncoded(); } else if (status is Org.BouncyCastle.Ocsp.RevokedStatus) { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked")); } else { throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown")); } } } } catch (Exception ex) { if (LOGGER.IsLogging(Level.ERROR)) LOGGER.Error("OcspClientBouncyCastle", ex); } return null; }
/** * Gets OCSP responses from the Document Security Store. * @return a list of BasicOCSPResp objects * @throws IOException * @throws GeneralSecurityException */ virtual public List<BasicOcspResp> GetOCSPResponsesFromDSS() { List<BasicOcspResp> ocsps = new List<BasicOcspResp>(); if (dss == null) return ocsps; PdfArray ocsparray = dss.GetAsArray(PdfName.OCSPS); if (ocsparray == null) return ocsps; for (int i = 0; i < ocsparray.Size; i++) { PRStream stream = (PRStream) ocsparray.GetAsStream(i); OcspResp ocspResponse = new OcspResp(PdfReader.GetStreamBytes(stream)); if (ocspResponse.Status == 0) try { ocsps.Add((BasicOcspResp) ocspResponse.GetResponseObject()); } catch (OcspException e) { throw new GeneralSecurityException(e.ToString()); } } return ocsps; }
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer) { bool byKey = false; List<string> ocspServers = new List<string>(); Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(client); Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer); OcspClient ocsp = new OcspClient(); string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert); if (!string.IsNullOrEmpty(certOcspUrl)) { ocspServers.Add(certOcspUrl); } foreach (var ocspUrl in _firma.OCSPServers) { ocspServers.Add(ocspUrl); } foreach (var ocspUrl in ocspServers) { byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspUrl); FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(clientCert, issuerCert, resp); if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked) { throw new Exception("Certificado revocado"); } else if (status == FirmaXadesNet.Clients.CertificateStatus.Good) { Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp); byte[] rEncoded = r.GetEncoded(); BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); string guidOcsp = Guid.NewGuid().ToString(); OCSPRef ocspRef = new OCSPRef(); ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp; DigestUtil.SetCertDigest(rEncoded, _firma.RefsDigestMethod, ocspRef.CertDigest); Org.BouncyCastle.Asn1.Ocsp.ResponderID rpId = or.ResponderId.ToAsn1Object(); string name = GetResponderName(rpId, ref byKey); if (!byKey) { ocspRef.OCSPIdentifier.ResponderID = RevertIssuerName(name); } else { ocspRef.OCSPIdentifier.ResponderID = name; ocspRef.OCSPIdentifier.ByKey = true; } ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime(); unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef); OCSPValue ocspValue = new OCSPValue(); ocspValue.PkiData = rEncoded; ocspValue.Id = "OcspValue" + guidOcsp; unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue); return (from cert in or.GetCerts() select new X509Certificate2(cert.GetEncoded())).ToArray(); } } throw new Exception("El certificado no ha podido ser validado"); }
/// <summary> /// Procesa la respuesta del servidor OCSP y devuelve el estado del certificado /// </summary> /// <param name="eeCert"></param> /// <param name="issuerCert"></param> /// <param name="binaryResp"></param> /// <returns></returns> public CertificateStatus ProcessOcspResponse(X509Certificate eeCert, X509Certificate issuerCert, byte[] binaryResp) { if (binaryResp.Length == 0) { return CertificateStatus.Unknown; } OcspResp r = new OcspResp(binaryResp); CertificateStatus cStatus = CertificateStatus.Unknown; if (r.Status == OcspRespStatus.Successful) { BasicOcspResp or = (BasicOcspResp)r.GetResponseObject(); if (or.Responses.Length == 1) { SingleResp resp = or.Responses[0]; object certificateStatus = resp.GetCertStatus(); if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good) { cStatus = CertificateStatus.Good; } else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus) { cStatus = CertificateStatus.Revoked; } else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus) { cStatus = CertificateStatus.Unknown; } } } else { throw new Exception("Unknow status '" + r.Status + "'."); } return cStatus; }