public TrustCouldNotBeVerifiedException(OcesCertificate ocesCertificate, IEnumerable<OcesEnvironment> environments) : base("Could not verify trust") { OcesCertificate = ocesCertificate; TrustedEnvironments = environments; }
/// <summary> /// Generates an <code>OcesCertificate</code>. The returned <code>OcesCertificate</code> is the end user certificate, which has a parent relation /// to the certificate of its issuing CA which again can have a parent relation to the certificate of the root CA. /// The root CA has no parent relation. /// /// The factory verifies that each certificate in the certificate chain has been signed by its issuing CA. /// </summary> /// <param name="certificates">List of certificates to create OcesCertificate chain from.</param> /// <returns><code>OcesCertificate</code> with parent relation to (chain of) issuing CAs. Depending on the Subject DN in the /// certificate a <code>PocesCertificate</code>, <code>MocesCertificate</code>, <code>VocesCertificate</code>, or <code>FocesCertificate</code> will be created.</returns> /// <exception cref="org.openoces.ooapi.exceptions.TrustCouldNotBeVerifiedException">when a OcesCertificate in the chain cannot be trusted, i.e. has not been signed by its issuing CA.</exception> public OcesCertificate Generate(List <X509Certificate2> certificates) { certificates = SortCertificatesIssuerLast(certificates); AddIssuerCertificateIfNeeded(certificates); ValidateExactlyOneChainInList(certificates); AppendRootIfMissing(certificates); X509Certificate2 endUserCertificate = certificates[0]; Ca signingCa = CreateCaChain(certificates); string subjectSerialNumber = ExtractSubjectSerialNumber(endUserCertificate); OcesCertificate certificate = SelectCertificateSubclass(subjectSerialNumber, signingCa, endUserCertificate); if (ChainVerifier.VerifyTrust(certificate)) { return(certificate); } throw new TrustCouldNotBeVerifiedException(certificate, Environments.TrustedEnvironments); }
public CertificateIsRevokedException(OcesCertificate certificate) : base("Certificate " + certificate.SubjectDistinguishedName + "is revoked") { }
/// <summary> /// This method verifies a certificate by calling the OCSP used in current Environment /// </summary> /// <param name="certificate">certificate to verify</param> /// <returns>true if certificate is revoked else false</returns> public static bool VerifyCertificateWithOcsp(OcesCertificate certificate) { var engine = new OcspCertificateRevocationChecker(); return engine.IsRevoked(certificate); }
/// <summary> /// Checks that a full CRL can be retrieved and is valid. Expects that an environment has been set up. /// </summary> /// <returns><code>true</code> if the CRL is retrieved or else false</returns> public static bool VerifyFullCrl(OcesCertificate ocesCertificate) { Crl crl = CertificateRevocationHandler.RetrieveFullCrl(ocesCertificate); return crl != null && crl.IsValid; }
/// <summary> /// Retrieves the full CRL for the given certificate /// </summary> /// <param name="certificate">to retrieve full CRL for</param> /// <returns>full CRL for the given certificate</returns> public static Crl RetrieveFullCrl(OcesCertificate certificate) { return FullCrlRevocationChecker.Instance.DownloadCrl(certificate); }
private void SetAttributesForMocesOrPoces(OcesCertificate certificate) { if (certificate is PocesCertificate) { Session.Add(KeyType, "POCES"); Session.Add(KeyPid, ((PocesCertificate)certificate).Pid); } else { Session.Add(KeyType, "MOCES"); Session.Add(KeyRid, ((MocesCertificate)certificate).Rid); Session.Add(KeyCvr, ((MocesCertificate)certificate).Cvr); } }
public CertificateAndStatus(OcesCertificate certificate, CertificateStatus certificateStatus) { Certificate = certificate; CertificateStatus = certificateStatus; }
private static void CheckBasicOcspResp(CertID id, BasicOcspResp basicResp, OcesCertificate ocspCertificate, Ca ca) { DateTime nowInGmt = DateTime.Now.ToUniversalTime(); /* check condition: The certificate identified in a received response corresponds to that which was identified in the corresponding request; */ SingleResp[] responses = basicResp.Responses; if (responses.Length != 1) { throw new OcspException("unexpected number of responses received"); } if (!id.SerialNumber.Value.Equals(responses[0].GetCertID().SerialNumber)) { throw new OcspException("Serial number mismatch problem"); } /* check condition The signature on the response is valid; */ try { ChainVerifier.VerifyTrust(ocspCertificate.ExportCertificate(), ca); } catch(ChainVerificationException e) { throw new OcspException("OCSP response certificate chain is invalid", e); } /* check the signature on the ocsp response */ var ocspBcCertificate = new X509CertificateParser().ReadCertificate(ocspCertificate.ExportCertificate().RawData); if (!basicResp.Verify(ocspBcCertificate.GetPublicKey())) { throw new OcspException("signature validation failed for ocsp response"); } if (!CanSignOcspResponses(ocspBcCertificate)) { throw new OcspException("ocsp signing certificate has not been cleared for ocsp response signing"); } /* check expiry of the signing certificate */ if (ocspCertificate.ValidityStatus() != CertificateStatus.Valid) { throw new OcspException("OCSP certificate expired or not yet valid"); } /* check condition The time at which the status being indicated is known to be correct (thisUpdate) is sufficiently recent. */ SingleResp response = responses[0]; var diff = response.ThisUpdate - nowInGmt; if (diff > new TimeSpan(0, 1, 0)) { throw new OcspException("OCSP response signature is from the future. Timestamp of thisUpdate field: " + response.ThisUpdate); } if (response.NextUpdate != null && response.NextUpdate.Value < nowInGmt) { throw new OcspException("OCSP response is no longer valid"); } }
public static bool VerifyTrust(OcesCertificate certificate) { return VerifyTrust(certificate.ExportCertificate(), certificate.IssuingCa); }
public static bool VerifyTrust(OcesCertificate certificate) { return(VerifyTrust(certificate.ExportCertificate(), certificate.IssuingCa)); }