static OcesCertificate SelectCertificateSubclass(String subjectSerialNumber, Ca signingCa, X509Certificate2 endUserCertificate) { var currentEnv = GetEnvironmentForRoot(signingCa); if (subjectSerialNumber.StartsWith("PID:") && MatchPocesPolicy(endUserCertificate, currentEnv)) { return(new PocesCertificate(endUserCertificate, signingCa)); } const int lengthOfCvrXxxxxxxx = 12; if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-RID:") && MatchMocesPolicy(endUserCertificate, currentEnv)) { return(new MocesCertificate(endUserCertificate, signingCa)); } if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-UID:") && MatchVocesPolicy(endUserCertificate, currentEnv)) { return(new VocesCertificate(endUserCertificate, signingCa)); } if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-FID:") && MatchFocesPolicy(endUserCertificate, currentEnv)) { return(new FocesCertificate(endUserCertificate, signingCa)); } throw new NonOcesCertificateException("End user certificate is not POCES, MOCES, VOCES og FOCES"); }
private static OcesEnvironment GetEnvironmentForRoot(Ca ca) { if (!ca.IsRoot) { return(GetEnvironmentForRoot(ca.IssuingCa)); } return(RootCertificates.GetEnvironment(ca)); }
static bool CertificateIsValid(CertID id, OcspResp ocspResp, string serialNumber, Ca ca) { CheckOcspResp(ocspResp); BasicOcspResp response = GetResponseObject(ocspResp); CheckValidityOfResponse(id, response, ca); return SerialNumberInResponseIsNotRevoked(response, serialNumber); }
/// <summary> /// Constructs a CA with <code>certificate</code> as the certificate of this /// CA and <code>issuingCa</code> as the parent CA which has signed the /// certificate of this CA /// </summary> /// <param name="certificate">CA certificate</param> /// <param name="issuingCa">CA which has signed the certificate of this CA</param> public Ca(X509Certificate2 certificate, Ca issuingCa) { if (certificate == null) { throw new ArgumentException("Certificate cannot be null"); } Certificate = certificate; IssuingCa = issuingCa; }
static Ca CreateCaChain(IList <X509Certificate2> certificates) { Ca parent = null; for (int i = certificates.Count - 1; i > 0; i--) { parent = new Ca(certificates[i], parent); } return(parent); }
public static bool VerifyTrust(X509Certificate2 certificate, Ca signingCa) { var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(certificate); if (Verify(certificate, GetPublicKey(signingCa.Certificate))) { if (VerifyChain(signingCa, 0)) { return VerifyRoot(signingCa); } } return false; }
public static bool VerifyTrust(X509Certificate2 certificate, Ca signingCa) { var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(certificate); if (Verify(certificate, GetPublicKey(signingCa.Certificate))) { if (VerifyChain(signingCa, 0)) { return(VerifyRoot(signingCa)); } } return(false); }
static bool VerifyRoot(Ca ca) { if (ca.IsRoot) { var certificates = Environments.TrustedCertificates; foreach (var certificate in certificates) { if (certificate.Equals(ca.Certificate)) { return(true); } } return(false); } return(VerifyRoot(ca.IssuingCa)); }
private static bool VerifyChain(Ca ca, int pathLength) { var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(ca.Certificate); //check that CA certificate is in fact a CA if (!basicConstraints.CertificateAuthority) { return(false); } //check that CA certificate must sign other certificates X509KeyUsageFlags flags = X509CertificatePropertyExtrator.GetKeyUsage(ca.Certificate).KeyUsages; if ((flags & (X509KeyUsageFlags.KeyCertSign)) != X509KeyUsageFlags.KeyCertSign) { return(false); } // Check path length if (basicConstraints.HasPathLengthConstraint && basicConstraints.PathLengthConstraint < pathLength) { return(false); } if (IsSelfSigned(ca) && !ca.IsRoot) { return(false); } if (ca.IsRoot) { return(true); } if (ca.IssuingCa == null) { return(false); } Ca signingCa = ca.IssuingCa; if (X509CertificatePropertyExtrator.GetBasicConstraints(signingCa.Certificate).PathLengthConstraint >= 0) { if (Verify(ca.Certificate, GetPublicKey(signingCa.Certificate))) { return(VerifyChain(ca.IssuingCa, ++pathLength)); } } return(false); }
/// <summary> /// Generates an <code>OcesCertificate</code>. The returned <code>OcesCertificate</code> is the end user certificate, which has a parent relation /// to the certificate of its issuing CA which again can have a parent relation to the certificate of the root CA. /// The root CA has no parent relation. /// /// The factory verifies that each certificate in the certificate chain has been signed by its issuing CA. /// </summary> /// <param name="certificates">List of certificates to create OcesCertificate chain from.</param> /// <returns><code>OcesCertificate</code> with parent relation to (chain of) issuing CAs. Depending on the Subject DN in the /// certificate a <code>PocesCertificate</code>, <code>MocesCertificate</code>, <code>VocesCertificate</code>, or <code>FocesCertificate</code> will be created.</returns> /// <exception cref="org.openoces.ooapi.exceptions.TrustCouldNotBeVerifiedException">when a OcesCertificate in the chain cannot be trusted, i.e. has not been signed by its issuing CA.</exception> public OcesCertificate Generate(List <X509Certificate2> certificates) { certificates = SortCertificatesIssuerLast(certificates); AddIssuerCertificateIfNeeded(certificates); ValidateExactlyOneChainInList(certificates); AppendRootIfMissing(certificates); X509Certificate2 endUserCertificate = certificates[0]; Ca signingCa = CreateCaChain(certificates); string subjectSerialNumber = ExtractSubjectSerialNumber(endUserCertificate); OcesCertificate certificate = SelectCertificateSubclass(subjectSerialNumber, signingCa, endUserCertificate); if (ChainVerifier.VerifyTrust(certificate)) { return(certificate); } throw new TrustCouldNotBeVerifiedException(certificate, Environments.TrustedEnvironments); }
/// <summary> /// Gets <code>Environment</code> for given <code>CA</code> /// </summary> public static OcesEnvironment GetEnvironment(Ca ca) { if (ca == null) { throw new ArgumentException("Ca is null"); } if (!ca.IsRoot) { return GetEnvironment(ca.IssuingCa); } foreach (var e in TheRootCertificates) { if (e.Value.Equals(ca.Certificate)) { return e.Key; } } throw new ArgumentException(ca + " is not a known root certificate"); }
internal bool IsRevoked(Ca ca) { if (ca.IsRoot) { throw new InvalidOperationException("Cannot check revocation for root CA"); } try { VerifyCrl(ca.IssuingCa.Certificate); } catch (SignatureException e) { throw new InvalidSignatureException("CRL Issued by" + _crl.IssuerDN + " does not have valid signature by ca's issuer certificate " + ca.IssuingCa.Certificate.SubjectName.Name, e); } return IsRevoked(ca.Certificate); }
/// <summary> /// Creates a OcesCertificate. /// </summary> /// <param name="certificate"><code>X509Certificate</code> to encapsulate</param> /// <param name="issuingCa">parent relation to its issuing CA</param> protected OcesCertificate(X509Certificate2 certificate, Ca issuingCa) { Certificate = certificate; IssuingCa = issuingCa; SubjectSerialNumber = ExtractSubjectSerialNumber(certificate); }
private static bool VerifyChain(Ca ca, int pathLength) { var basicConstraints = X509CertificatePropertyExtrator.GetBasicConstraints(ca.Certificate); //check that CA certificate is in fact a CA if (!basicConstraints.CertificateAuthority) { return false; } //check that CA certificate must sign other certificates X509KeyUsageFlags flags = X509CertificatePropertyExtrator.GetKeyUsage(ca.Certificate).KeyUsages; if((flags & (X509KeyUsageFlags.KeyCertSign))!=X509KeyUsageFlags.KeyCertSign) { return false; } // Check path length if (basicConstraints.HasPathLengthConstraint && basicConstraints.PathLengthConstraint < pathLength) { return false; } if (IsSelfSigned(ca) && !ca.IsRoot) { return false; } if (ca.IsRoot) { return true; } if (ca.IssuingCa == null) { return false; } Ca signingCa = ca.IssuingCa; if (X509CertificatePropertyExtrator.GetBasicConstraints(signingCa.Certificate).PathLengthConstraint >= 0) { if (Verify(ca.Certificate, GetPublicKey(signingCa.Certificate))) { return VerifyChain(ca.IssuingCa, ++pathLength); } } return false; }
Crl DownloadCrl(Ca ca) { string crlDistributionPoint = CrlDistributionPointsExtractor.ExtractCrlDistributionPoints(ca.Certificate).CrlDistributionPoint; return DownloadCrl(crlDistributionPoint); }
static OcesCertificate SelectCertificateSubclass(String subjectSerialNumber, Ca signingCa, X509Certificate2 endUserCertificate) { var currentEnv = GetEnvironmentForRoot(signingCa); if (subjectSerialNumber.StartsWith("PID:") && MatchPocesPolicy(endUserCertificate, currentEnv)) { return new PocesCertificate(endUserCertificate, signingCa); } const int lengthOfCvrXxxxxxxx = 12; if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-RID:") && MatchMocesPolicy(endUserCertificate, currentEnv)) { return new MocesCertificate(endUserCertificate, signingCa); } if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-UID:") && MatchVocesPolicy(endUserCertificate, currentEnv)) { return new VocesCertificate(endUserCertificate, signingCa); } if (subjectSerialNumber.StartsWith("CVR:") && subjectSerialNumber.Substring(lengthOfCvrXxxxxxxx).StartsWith("-FID:") && MatchFocesPolicy(endUserCertificate, currentEnv)) { return new FocesCertificate(endUserCertificate, signingCa); } throw new NonOcesCertificateException("End user certificate is not POCES, MOCES, VOCES og FOCES"); }
Crl DownloadCrl(Ca ca, OcesEnvironment environment) { string crlDistributionPoint = CrlDistributionPointsExtractor.ExtractCrlDistributionPoints(ca.Certificate).PartitionedCrlDistributionPoint; return _crlDownloader.Download(environment, crlDistributionPoint); }
static Ca CreateCaChain(IList<X509Certificate2> certificates) { Ca parent = null; for (int i = certificates.Count - 1; i > 0; i--) { parent = new Ca(certificates[i], parent); } return parent; }
private static X509Certificate2[] CreateOcspCertificateChain(Ca ca) { var chain = new List<X509Certificate2> (); while (ca != null) { chain.Add(ca.Certificate); ca = ca.IssuingCa; } return chain.ToArray(); }
static void CheckValidityOfResponse(CertID id, BasicOcspResp responseObject, Ca ca) { var inputStream = new MemoryStream(responseObject.GetEncoded()); var asn1Sequence = (Asn1Sequence)new Asn1InputStream(inputStream).ReadObject(); var response = BasicOcspResponse.GetInstance(asn1Sequence); var ocspChain = CreateOcspCertificateChain(ca); if(ocspChain.Length == 0) { throw new OcspException("OCSP certificate chain is invalid"); } var ocesOcspCertificate = OcesCertificateFactory.Instance.Generate(CompleteOcspChain(response, ocspChain)); CheckBasicOcspResp(id, responseObject, ocesOcspCertificate, ca); var signingCertificate = new X509CertificateParser().ReadCertificate(response.Certs[0].GetEncoded()); var issuingCertificate = new X509CertificateParser().ReadCertificate(ocspChain[0].GetRawCertData()); signingCertificate.Verify(issuingCertificate.GetPublicKey()); if (!responseObject.Verify(signingCertificate.GetPublicKey())) { throw new OcspException("Signature is invalid"); } }
private static bool IsSelfSigned(Ca ca) { return Verify(ca.Certificate, GetPublicKey(ca.Certificate)); }
static bool VerifyRoot(Ca ca) { if (ca.IsRoot) { var certificates = Environments.TrustedCertificates; foreach (var certificate in certificates) { if (certificate.Equals(ca.Certificate)) { return true; } } return false; } return VerifyRoot(ca.IssuingCa); }
private static OcesEnvironment GetEnvironmentForRoot(Ca ca) { if (!ca.IsRoot) { return GetEnvironmentForRoot(ca.IssuingCa); } return RootCertificates.GetEnvironment(ca); }
/// <summary> /// Contructs a VOCES certificate with the given <code>CA</code> as parent /// </summary> /// <param name="certificate">certificate</param> /// <param name="parent">parent signing CA</param> public VocesCertificate(X509Certificate2 certificate, Ca parent) : base(certificate, parent) { }
public bool IsRevoked(Ca ca) { if (ca.IsRoot) { return false; } OcesEnvironment environment = RootCertificates.GetEnvironment(ca.IssuingCa); return DownloadCrl(ca, environment).IsRevoked(ca) || IsRevoked(ca.IssuingCa); }
private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca) { DateTime nowInGmt = DateTime.Now.ToUniversalTime(); /* check condition: The certificate identified in a received response corresponds to that which was identified in the corresponding request; */ SingleResp[] responses = basicResp.Responses; if (responses.Length != 1) { throw new OcspException("unexpected number of responses received"); } if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber)) { throw new OcspException("Serial number mismatch problem"); } /* check condition The signature on the response is valid; */ try { ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca); } catch(ChainVerificationException e) { throw new OcspException("OCSP response certificate chain is invalid", e); } /* check the signature on the ocsp response */ var ocspBcCertificate = new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData); if (!basicResp.Verify(ocspBcCertificate.GetPublicKey())) { throw new OcspException("signature validation failed for ocsp response"); } if (!CanSignOcspResponses(ocspBcCertificate)) { throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing"); } /* check expiry of the signing certificate */ if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid) { throw new OcspException("OCSP certificate expired or not yet valid"); } /* check condition The time at which the status being indicated is known to be correct (thisUpdate) is sufficiently recent. */ SingleResp response = responses[0]; var diff = response.ThisUpdate - nowInGmt; if (diff > new TimeSpan(0, 1, 0)) { throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: " + response.ThisUpdate); } if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt) { throw new OcspException("OCSP response is no longer valid"); } }
public bool IsRevoked(Ca ca) { if (ca.IsRoot) { return false; } return DownloadCrl(ca).IsRevoked(ca) || IsRevoked(ca.IssuingCa); }
/// <summary> /// Contructs a POCES certificate with the given <code>CA</code> as parent /// </summary> /// <param name="certificate">certificate</param> /// <param name="parent">parent signing CA</param> public PocesCertificate(X509Certificate2 certificate, Ca parent) : base(certificate, parent) { }
private static bool IsSelfSigned(Ca ca) { return(Verify(ca.Certificate, GetPublicKey(ca.Certificate))); }