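		/// <summary>
		/// Exercises the OCSP API with an ECDSA requester key (SHA1withECDSA): an unsigned
		/// request, a signed request carrying its certificate, a DER round-trip, the nonce
		/// request extension, and generation of a basic response. Problems are reported
		/// through Fail().
		/// </summary>
		private void doTestECDsa()
		{
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeECKeyPair();
			// Self-issued: the same key pair and DN act as subject and issuer.
			X509Certificate testCert = OcspTestUtil.MakeECDsaCertificate(signKP, signDN, signKP, signDN);

			//
			// general id value for our test issuer cert and a serial number.
			// SHA-1 here only names the certificate (RFC 6960 CertID); it is not
			// used as a signature hash.
			//
			CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			gen.AddRequest(id);

			OcspReq req = gen.Generate();

			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			// An unsigned request carries no certificates.
			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Same CertID as the unsigned request, so the isFor check below can reuse 'id'.
			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			// NOTE(review): the Length access below relies on Fail() aborting the test.
			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !certs[0].Equals(testCert))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test: the signature must survive a DER round-trip
			//
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			byte[] sampleNonce = new byte[16];
			// System.Random is adequate for a test fixture; a real client's nonce must
			// come from a cryptographic RNG.
			Random rand = new Random();

			rand.NextBytes(sampleNonce);

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Non-critical nonce extension. The extension value is the DER encoding of an
			// OCTET STRING holding the nonce, hence the double wrapping; the read-back
			// below unwraps one level and compares the inner octets.
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);

			Asn1Encodable extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			if (!AreEqual(((Asn1OctetString)extObj).GetOctets(), sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response generation: a "good" answer for 'id', signed with the same EC key
			//
			BasicOcspRespGenerator respGen = new BasicOcspRespGenerator(signKP.Public);

			respGen.AddResponse(id, CertificateStatus.Good);

			respGen.Generate("SHA1withECDSA", signKP.Private, chain, DateTime.UtcNow);
		}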
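		/// <summary>
		/// Main OCSP test: request generation (unsigned, signed, signed with a nonce) with an
		/// RSA requester key, a DER round-trip, parsing and signature checking of two canned
		/// responses, simple response generation, and finally the ECDSA / RSA / irregular
		/// version sub-tests. Problems are reported through Fail().
		/// </summary>
		public override void PerformTest()
		{
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
			// Self-issued: the same key pair and DN act as subject and issuer.
			X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);

			//
			// general id value for our test issuer cert and a serial number.
			// SHA-1 here only names the certificate (RFC 6960 CertID); it is not
			// used as a signature hash.
			//
			CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			// Reuse 'id' rather than rebuilding an equal CertID; the isFor checks compare against it.
			gen.AddRequest(id);

			OcspReq req = gen.Generate();

			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			// An unsigned request carries no certificates.
			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			// NOTE(review): the Length access below relies on Fail() aborting the test.
			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !testCert.Equals(certs[0]))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test: the signature must survive a DER round-trip
			//
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			byte[] sampleNonce = new byte[16];
			// System.Random is adequate for a test fixture; a real client's nonce must
			// come from a cryptographic RNG.
			Random rand = new Random();

			rand.NextBytes(sampleNonce);

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Non-critical nonce extension. The extension value is the DER encoding of an
			// OCTET STRING holding the nonce, hence the double wrapping; the read-back
			// below unwraps one level and compares the inner octets.
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
			Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets();

			if (!AreEqual(compareNonce, sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response parsing - test 1
			//
			OcspResp response = new OcspResp(testResp1);

			if (response.Status != OCSPRespGenerator.Successful)
			{
				Fail("response status not zero.");
			}

			BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject();
			chain = brep.GetCerts();

			// NOTE(review): verifying with the responder certificate embedded in the response
			// only proves self-consistency; nothing here establishes trust in that certificate.
			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 1 failed to Verify.");
			}

			//
			// test 2
			//
			response = new OcspResp(testResp2);

			if (response.Status != OCSPRespGenerator.Successful)
			{
				Fail("response status not zero.");
			}

			brep = (BasicOcspResp)response.GetResponseObject();
			chain = brep.GetCerts();

			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 2 failed to Verify.");
			}

			//
			// simple response generation: re-wrapping the parsed BasicOcspResp must yield
			// an equal response object
			//
			OCSPRespGenerator respGen = new OCSPRespGenerator();
			OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());

			if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
			{
				Fail("response fails to match");
			}

			doTestECDsa();
			doTestRsa();
			doTestIrregularVersionReq();
		}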
        /// <summary>
        /// Determines the revocation status of <paramref name="childCertificate"/> at
        /// <paramref name="validationDate"/> from the OCSP response supplied by the
        /// configured OCSP source.
        /// </summary>
        /// <param name="childCertificate">Certificate whose status is being checked.</param>
        /// <param name="certificate">Issuer of <paramref name="childCertificate"/>; used to build the CertID.</param>
        /// <param name="validationDate">Point in time the status is evaluated for.</param>
        /// <returns>
        /// A populated <see cref="CertificateStatus"/>, or <c>null</c> when no OCSP source is
        /// configured, no response was obtained, no SingleResponse matches the CertID, or an
        /// <see cref="IOException"/> occurred. Callers must treat <c>null</c> as "status not
        /// determined", never as "valid".
        /// </returns>
        /// <exception cref="RuntimeException">Wraps an <see cref="OcspException"/> raised while reading the response.</exception>
        public virtual CertificateStatus Check(X509Certificate childCertificate, X509Certificate
                                               certificate, DateTime validationDate)
        {
            CertificateStatus status = new CertificateStatus();
            status.Certificate       = childCertificate;
            status.ValidationDate    = validationDate;
            status.IssuerCertificate = certificate;

            if (ocspSource == null)
            {
                LOG.Warn("OCSPSource null");
                return null;
            }

            try
            {
                BasicOcspResp ocspResp = ocspSource.GetOcspResponse(childCertificate, certificate);
                if (ocspResp == null)
                {
                    LOG.Info("OCSP response not found");
                    return null;
                }

                // CertID the responder is expected to have answered for: SHA-1 over the
                // issuer name and key plus the child's serial number.
                CertificateID certificateId = new CertificateID(CertificateID.HashSha1, certificate,
                                                                childCertificate.SerialNumber);

                foreach (SingleResp singleResp in ocspResp.Responses)
                {
                    if (!certificateId.Equals(singleResp.GetCertID()))
                    {
                        continue;
                    }

                    // NOTE(review): thisUpdate/nextUpdate are only logged; freshness of the
                    // response relative to validationDate is not enforced in this method.
                    DateTime thisUpdate = singleResp.ThisUpdate;
                    LOG.Info("OCSP thisUpdate: " + thisUpdate);
                    LOG.Info("OCSP nextUpdate: " + singleResp.NextUpdate);

                    status.StatusSourceType            = ValidatorSourceType.OCSP;
                    status.StatusSource                = ocspResp;
                    status.RevocationObjectIssuingTime = ocspResp.ProducedAt;

                    // A null CertStatus is the "good" answer.
                    object certStatus = singleResp.GetCertStatus();
                    if (certStatus == null)
                    {
                        LOG.Info("OCSP OK for: " + childCertificate.SubjectDN);
                        status.Validity = CertificateValidity.VALID;
                        return status;
                    }

                    LOG.Info("OCSP certificate status: " + certStatus.GetType().FullName);

                    RevokedStatus revoked = certStatus as RevokedStatus;
                    if (revoked != null)
                    {
                        LOG.Info("OCSP status revoked");
                        // A revocation that happened after the validation date does not
                        // affect validity at that date (historical validation).
                        if (validationDate.CompareTo(revoked.RevocationTime) < 0)   //jbonilla - Before
                        {
                            LOG.Info("OCSP revocation time after the validation date, the certificate was valid at "
                                     + validationDate);
                            status.Validity = CertificateValidity.VALID;
                        }
                        else
                        {
                            status.RevocationDate = revoked.RevocationTime;
                            status.Validity       = CertificateValidity.REVOKED;
                        }
                    }
                    else if (certStatus is UnknownStatus)
                    {
                        LOG.Info("OCSP status unknown");
                        status.Validity = CertificateValidity.UNKNOWN;
                    }
                    // Any other CertStatus type leaves status.Validity at its default.
                    return status;
                }

                LOG.Info("no matching OCSP response entry");
                return null;
            }
            catch (IOException ex)
            {
                // Transport failure: status undetermined, reported as null to the caller.
                LOG.Error("OCSP exception: " + ex.Message);
                return null;
            }
            catch (OcspException ex)
            {
                LOG.Error("OCSP exception: " + ex.Message);
                throw new RuntimeException(ex);
            }
        }
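        /// <summary>
        /// Verifies the certificate chain via OCSP
        /// </summary>
        /// <returns>
        /// <c>true</c>, if certificate is revoked (or revocation checking failed with an
        /// exception), <c>false</c> otherwise. <c>false</c> is also returned when the chain
        /// publishes no OCSP responder URL, i.e. the check fails open in that case.
        /// </returns>
        /// <param name='chain'>
        /// The certificate chain, leaf first as built by
        /// <see cref="System.Security.Cryptography.X509Certificates.X509Chain"/>.
        /// </param>
        /// <remarks>
        /// Only the CertStatus of each SingleResponse is consumed. The responder signature,
        /// the nonce echoed in the response and the CertID of each SingleResponse are not
        /// verified here, so this method on its own does not detect a forged or replayed
        /// response. The last certificate collected (whose issuer is not in the list) is
        /// not queried.
        /// </remarks>
        private static bool VerifyCertificateOCSP(System.Security.Cryptography.X509Certificates.X509Chain chain)
        {
            List<X509Certificate> certsList = new List<X509Certificate>();
            List<Uri>             certsUrls = new List<Uri>();
            bool bCertificateIsRevoked      = false;

            try
            {
                //Get the OCSP URLS to be validated for each certificate.
                foreach (System.Security.Cryptography.X509Certificates.X509ChainElement cert in chain.ChainElements)
                {
                    X509Certificate BCCert = Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(cert.Certificate);
                    X509Extensions extensions = BCCert.CertificateStructure.TbsCertificate.Extensions;
                    if (extensions == null)
                    {
                        continue;
                    }
                    X509Extension ext = extensions.GetExtension(X509Extensions.AuthorityInfoAccess);
                    if (ext == null)
                    {
                        continue;
                    }
                    certsList.Add(BCCert);

                    // Collect only id-ad-ocsp access locations given as http URIs. Taking the
                    // first entry regardless of method/scheme produced a null Uri for non-OCSP
                    // or non-http entries, which later threw in WebRequest.Create and flagged
                    // the whole chain as revoked.
                    AccessDescription[] certUrls = AuthorityInformationAccess.GetInstance(ext).GetAccessDescriptions();
                    if (certUrls == null)
                    {
                        continue;
                    }
                    foreach (AccessDescription access in certUrls)
                    {
                        if (!AccessDescription.IdADOcsp.Equals(access.AccessMethod))
                        {
                            continue;
                        }
                        string location = access.AccessLocation.Name.ToString();
                        if (!location.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
                        {
                            continue;
                        }
                        Uri url = new Uri(location);
                        if (!certsUrls.Contains(url))
                        {
                            certsUrls.Add(url);
                        }
                    }
                }

                if (certsUrls.Count == 0)
                {
                    SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. No OCSP url service found. Cannot verify revocation.");
                }
                else
                {
                    //create requests for each cert; certsList[i + 1] is taken to be the issuer of certsList[i]
                    List<OcspReq> RequestList = new List<OcspReq>();
                    for (int i = 0; i < (certsList.Count - 1); i++)
                    {
                        OcspReqGenerator OCSPRequestGenerator = new OcspReqGenerator();

                        // The nonce binds a response to this request and must be unpredictable;
                        // a tick count is guessable, so draw it from the system CSPRNG.
                        byte[] nonce = new byte[16];
                        using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
                        {
                            rng.GetBytes(nonce);
                        }
                        List<DerObjectIdentifier> oids = new List<DerObjectIdentifier>();
                        oids.Add(Org.BouncyCastle.Asn1.Ocsp.OcspObjectIdentifiers.PkixOcspNonce);
                        List<X509Extension> values = new List<X509Extension>();
                        values.Add(new X509Extension(false, new DerOctetString(nonce)));
                        OCSPRequestGenerator.SetRequestExtensions(new X509Extensions(oids, values));

                        CertificateID ID = new CertificateID(CertificateID.HashSha1, certsList[i + 1], certsList[i].SerialNumber);
                        OCSPRequestGenerator.AddRequest(ID);
                        RequestList.Add(OCSPRequestGenerator.Generate());
                    }

                    //send every request to every responder URL until a revocation is seen
                    for (int i = 0; i < certsUrls.Count && !bCertificateIsRevoked; i++)
                    {
                        for (int j = 0; j < RequestList.Count && !bCertificateIsRevoked; j++)
                        {
                            HttpWebRequest requestToOCSPServer = (HttpWebRequest)WebRequest.Create(certsUrls[i]);
                            requestToOCSPServer.Method           = "POST";
                            requestToOCSPServer.ContentType      = "application/ocsp-request";
                            requestToOCSPServer.Accept           = "application/ocsp-response";
                            requestToOCSPServer.ReadWriteTimeout = 15000;    // 15 seconds per stream read/write
                            requestToOCSPServer.Timeout          = 100000;   // 100 seconds to connect and receive the response headers

                            byte[] bRequestBytes = RequestList[j].GetEncoded();
                            using (Stream requestStream = requestToOCSPServer.GetRequestStream())
                            {
                                requestStream.Write(bRequestBytes, 0, bRequestBytes.Length);
                                requestStream.Flush();
                            }

                            // Dispose the response so the underlying connection is released.
                            using (HttpWebResponse serverResponse = (HttpWebResponse)requestToOCSPServer.GetResponse())
                            using (Stream responseStream = serverResponse.GetResponseStream())
                            {
                                OcspResp OCSPResponse = new OcspResp(responseStream);
                                if (OCSPResponse.Status != OCSPRespGenerator.Successful)
                                {
                                    // A non-successful responseStatus carries no BasicOCSPResponse.
                                    SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. OCSP responder returned status " + OCSPResponse.Status);
                                    continue;
                                }

                                BasicOcspResp basicOCSPResponse = (BasicOcspResp)OCSPResponse.GetResponseObject();
                                //get the status from the response
                                if (basicOCSPResponse != null)
                                {
                                    foreach (SingleResp singleResponse in basicOCSPResponse.Responses)
                                    {
                                        object certStatus = singleResponse.GetCertStatus();
                                        if (certStatus is RevokedStatus)
                                        {
                                            bCertificateIsRevoked = true;
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception e)
            {
                // Fail closed: any error during the check is reported as revoked.
                SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Unhandled exception during revocation checking: " + e.Message);
                bCertificateIsRevoked = true;
            }
            if (bCertificateIsRevoked)
            {
                SystemLogger.Log(SystemLogger.Module.PLATFORM, "*************** Certificate Validation. Certificate is revoked");
            }
            return bCertificateIsRevoked;
        }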
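		/// <summary>
		/// Exercises the OCSP API with an ECDSA requester key (SHA1withECDSA): an unsigned
		/// request, a signed request carrying its certificate, a DER round-trip, the nonce
		/// request extension, and generation of a basic response. Problems are reported
		/// through Fail().
		/// </summary>
		private void doTestECDsa()
		{
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeECKeyPair();
			// Self-issued: the same key pair and DN act as subject and issuer.
			X509Certificate testCert = OcspTestUtil.MakeECDsaCertificate(signKP, signDN, signKP, signDN);

			//
			// general id value for our test issuer cert and a serial number.
			// SHA-1 here only names the certificate (RFC 6960 CertID); it is not
			// used as a signature hash.
			//
			CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			gen.AddRequest(id);

			OcspReq req = gen.Generate();

			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			// An unsigned request carries no certificates.
			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Same CertID as the unsigned request, so the isFor check below can reuse 'id'.
			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			// NOTE(review): the Length access below relies on Fail() aborting the test.
			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !certs[0].Equals(testCert))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test: the signature must survive a DER round-trip
			//
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			byte[] sampleNonce = new byte[16];
			// System.Random is adequate for a test fixture; a real client's nonce must
			// come from a cryptographic RNG.
			Random rand = new Random();

			rand.NextBytes(sampleNonce);

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// Non-critical nonce extension. The extension value is the DER encoding of an
			// OCTET STRING holding the nonce, hence the double wrapping; the read-back
			// below unwraps one level and compares the inner octets.
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(id);

			chain[0] = testCert;

			req = gen.Generate("SHA1withECDSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);

			Asn1Encodable extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			if (!AreEqual(((Asn1OctetString)extObj).GetOctets(), sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response generation: a "good" answer for 'id', signed with the same EC key
			//
			BasicOcspRespGenerator respGen = new BasicOcspRespGenerator(signKP.Public);

			respGen.AddResponse(id, CertificateStatus.Good);

			respGen.Generate("SHA1withECDSA", signKP.Private, chain, DateTime.UtcNow);
		}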
 /// <summary>
 /// Queues a status request for <paramref name="certId"/> with no single-request extensions.
 /// </summary>
 /// <param name="certId">CertID (issuer hashes plus serial number) of the certificate to ask about.</param>
 public void AddRequest(CertificateID certId)
 {
     RequestObject request = new RequestObject(certId, null);
     list.Add(request);
 }
 /// <summary>
 /// Reports whether <paramref name="certID"/> was computed over <paramref name="issuerCert"/>;
 /// thin wrapper around <see cref="CertificateID.MatchesIssuer"/>.
 /// </summary>
 /// <param name="certID">CertID taken from a request or response.</param>
 /// <param name="issuerCert">Candidate issuer certificate.</param>
 /// <returns><c>true</c> when the CertID's issuer hashes match <paramref name="issuerCert"/>.</returns>
 internal static bool CheckIfIssuersMatch(CertificateID certID, X509Certificate issuerCert)
 {
     bool issuerMatches = certID.MatchesIssuer(issuerCert);
     return issuerMatches;
 }
        /// <summary>
        /// Adds a "revoked" answer for <paramref name="cert_id"/> with reason caCompromise,
        /// dated at the current UTC time.
        /// </summary>
        /// <param name="cert_id">CertID the answer refers to.</param>
        public void AddCaCompromisedResponse(CertificateID cert_id)
        {
            DateTime revokedAt = DateTime.UtcNow;
            _builder.AddResponse(cert_id, new RevokedStatus(revokedAt, (int)CrlReason.caCompromise));
        }
        /// <summary>
        /// Builds an OCSP request for the certificate with serial <paramref name="in_NumeroSerie"/>
        /// issued by <paramref name="in_CertificadoEmisor"/>, identified with a SHA-1 CertID.
        /// </summary>
        /// <param name="in_CertificadoEmisor">Issuer certificate whose name and key are hashed into the CertID.</param>
        /// <param name="in_NumeroSerie">Serial number of the certificate being checked.</param>
        /// <returns>The request produced by the CertID overload.</returns>
        private OcspReq GenerarRequestOCSP(X509Certificate in_CertificadoEmisor, BigInteger in_NumeroSerie)
        {
            return GenerarRequestOCSP(new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_NumeroSerie));
        }
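        //1. The certificate identified in a received response corresponds to
        //that which was identified in the corresponding request;
        /// <summary>
        /// Checks that the CertID from a SingleResponse identifies <paramref name="eeCert"/> as
        /// issued by <paramref name="issuerCert"/>: serial number, issuer name hash and issuer
        /// key hash must all equal the locally computed SHA-1 CertID.
        /// </summary>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>.</param>
        /// <param name="eeCert">End-entity certificate the request was about.</param>
        /// <param name="certificateId">CertID taken from the response.</param>
        /// <exception cref="OCSPExpection">Thrown when any component of the CertID differs.</exception>
        private void ValidateCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
        {
            CertificateID expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);

            if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
            {
                throw new OCSPExpection("Invalid certificate ID in response");
            }

            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
            {
                throw new OCSPExpection("Invalid certificate Issuer in response");
            }

            // Two CAs may share a subject name; the key hash ties the CertID to the issuer's
            // actual public key (RFC 6960 CertID), so it has to match as well.
            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
            {
                throw new OCSPExpection("Invalid certificate Issuer key in response");
            }
        }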
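        /// <summary>
        /// Checks that the CertID from a SingleResponse identifies <paramref name="in_Certificado"/>
        /// as issued by <paramref name="in_CertificadoEmisor"/>: serial number, issuer name hash
        /// and issuer key hash must all equal the locally computed SHA-1 CertID.
        /// </summary>
        /// <param name="in_CertificadoEmisor">Issuer of <paramref name="in_Certificado"/>.</param>
        /// <param name="in_Certificado">Certificate the request was about.</param>
        /// <param name="in_IDCertificado">CertID taken from the response.</param>
        /// <exception cref="Exception">Thrown when any component of the CertID differs.</exception>
        private void ValidarCertificateId(X509Certificate in_CertificadoEmisor, X509Certificate in_Certificado, CertificateID in_IDCertificado)
        {
            CertificateID idEsperado = new CertificateID(CertificateID.HashSha1, in_CertificadoEmisor, in_Certificado.SerialNumber);

            if (!idEsperado.SerialNumber.Equals(in_IDCertificado.SerialNumber))
            {
                throw new Exception("ID de Certificado invalido");
            }

            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerNameHash(), in_IDCertificado.GetIssuerNameHash()))
            {
                throw new Exception("Certificado Emisor invalido");
            }

            // Two CAs may share a subject name; the key hash ties the CertID to the issuer's
            // actual public key (RFC 6960 CertID), so it has to match as well.
            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(idEsperado.GetIssuerKeyHash(), in_IDCertificado.GetIssuerKeyHash()))
            {
                throw new Exception("Clave de Emisor invalida");
            }
        }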
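        /// <summary>
        /// The certificate response matches the request: the CertID in a SingleResponse
        /// identifies <paramref name="eeCert"/> as issued by <paramref name="issuerCert"/>
        /// (serial number, issuer name hash and issuer key hash all equal the locally
        /// computed SHA-1 CertID).
        /// </summary>
        /// <param name="issuerCert">Issuer of <paramref name="eeCert"/>.</param>
        /// <param name="eeCert">End-entity certificate the request was about.</param>
        /// <param name="certificateId">CertID taken from the response.</param>
        /// <returns><c>true</c> when every component matches; <c>false</c> otherwise.</returns>
        private static bool IsValidCertificateId(X509Certificate issuerCert, X509Certificate eeCert, CertificateID certificateId)
        {
            var expectedId = new CertificateID(CertificateID.HashSha1, issuerCert, eeCert.SerialNumber);

            if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
            {
                // Invalid certificate ID in response
                return(false);
            }

            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
            {
                // Invalid certificate Issuer in response
                return(false);
            }

            // Two CAs may share a subject name; the key hash ties the CertID to the issuer's
            // actual public key (RFC 6960 CertID), so it has to match as well.
            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
            {
                // Invalid certificate Issuer key in response
                return(false);
            }

            return(true);
        }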
 /// <summary>
 /// Queues a status request for <paramref name="certId"/> carrying the given
 /// single-request extensions.
 /// </summary>
 /// <param name="certId">CertID (issuer hashes plus serial number) of the certificate to ask about.</param>
 /// <param name="singleRequestExtensions">Extensions attached to this Request entry only.</param>
 public void AddRequest(CertificateID certId, X509Extensions singleRequestExtensions)
 {
     RequestObject request = new RequestObject(certId, singleRequestExtensions);
     list.Add(request);
 }
 /// <summary>
 /// Adds a "good" answer for <paramref name="cert_id"/> whose nextUpdate lies
 /// <c>_nextupdate</c> minutes from now (UTC), with no single-response extensions.
 /// </summary>
 /// <param name="cert_id">CertID the answer refers to.</param>
 public void AddGoodResponse(CertificateID cert_id)
 {
     DateTime nextUpdate = DateTime.UtcNow.AddMinutes(_nextupdate);
     _builder.AddResponse(cert_id, CertificateStatus.Good, nextUpdate, null);
 }
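        /// <summary>
        /// Builds an OCSP request for the certificate with serial <paramref name="serialNumber"/>
        /// issued by <paramref name="issuerCert"/>.
        /// </summary>
        /// <param name="issuerCert">Issuer certificate whose name and key are hashed into the CertID.</param>
        /// <param name="serialNumber">Serial number of the certificate being checked.</param>
        /// <returns>The request produced by the CertID overload.</returns>
        /// <remarks>
        /// The CertID hash is SHA-1, referenced as <see cref="CertificateID.HashSha1"/> instead of
        /// the bare OID string 1.3.14.3.2.26 so the intent is readable. SHA-1 is the RFC 6960
        /// interoperability default for CertID and is not used as a signature hash here.
        /// </remarks>
        private OcspReq GenerateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
        {
            CertificateID id = new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber);

            return GenerateOcspRequest(id);
        }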
 /// <summary>
 /// Adds an "unknown" answer for <paramref name="cert_id"/> whose nextUpdate lies
 /// <c>_nextupdate</c> minutes from now (UTC), with no single-response extensions.
 /// </summary>
 /// <param name="cert_id">CertID the answer refers to.</param>
 public void AddUnknownResponse(CertificateID cert_id)
 {
     DateTime nextUpdate = DateTime.UtcNow.AddMinutes(_nextupdate);
     _builder.AddResponse(cert_id, new UnknownStatus(), nextUpdate, null);
 }
        /* private OcspReq GenerateOcspRequest(X509Certificate2 rootX509Certificate2, BigInteger serialNumber)
         * {
         *   X509Certificate rootX509Certificate = rootX509Certificate2.Export(X509ContentType.Cert);
         *   return this.GenerateOcspRequest(rootX509Certificate, serialNumber);
         * }*/

        /* private OcspReq GenerateOcspRequest(X509Certificate rootX509Certificate, byte serialNumber)
         * {
         *   BigInteger serialNumberBigInteger = new BigInteger(serialNumber);
         *   return this.GenerateOcspRequest(rootX509Certificate, serialNumberBigInteger);
         * }*/


        /// <summary>
        /// Builds an OCSP request for the certificate with serial <paramref name="serialNumber"/>
        /// issued by <paramref name="rootX509Certificate"/>, identified with a SHA-1 CertID.
        /// </summary>
        /// <param name="rootX509Certificate">Issuer certificate whose name and key are hashed into the CertID.</param>
        /// <param name="serialNumber">Serial number of the certificate being checked.</param>
        /// <returns>The request produced by the CertID overload.</returns>
        private OcspReq GenerateOcspRequest(Org.BouncyCastle.X509.X509Certificate rootX509Certificate, BigInteger serialNumber)
        {
            return this.GenerateOcspRequest(new CertificateID(CertificateID.HashSha1, rootX509Certificate, serialNumber));
        }
        /// <summary>
        /// Builds an OCSP request for the certificate with serial <paramref name="serialNumber"/>
        /// issued by <paramref name="issuerCert"/>, identified with a SHA-1 CertID.
        /// </summary>
        /// <param name="issuerCert">Issuer certificate whose name and key are hashed into the CertID.</param>
        /// <param name="serialNumber">Serial number of the certificate being checked.</param>
        /// <returns>The request produced by the CertID overload.</returns>
        private OcspReq GenerateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber)
        {
            return GenerateOcspRequest(new CertificateID(CertificateID.HashSha1, issuerCert, serialNumber));
        }
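        //1. The certificate identified in a received response corresponds to
        //that which was identified in the corresponding request;
        /// <summary>
        /// Checks that the CertID from a SingleResponse identifies
        /// <paramref name="serverX509Certificate"/> as issued by <paramref name="rootX509Certificate"/>:
        /// serial number, issuer name hash and issuer key hash must all equal the locally
        /// computed SHA-1 CertID.
        /// </summary>
        /// <param name="serverX509Certificate">End-entity certificate the request was about.</param>
        /// <param name="rootX509Certificate">Issuer of <paramref name="serverX509Certificate"/>.</param>
        /// <param name="certificateId">CertID taken from the response.</param>
        /// <exception cref="CheckCertificateOcspUnexpectedException">Thrown when any component of the CertID differs.</exception>
        private void ValidateCertificateId(Org.BouncyCastle.X509.X509Certificate serverX509Certificate, Org.BouncyCastle.X509.X509Certificate rootX509Certificate, CertificateID certificateId)
        {
            CertificateID expectedId = new CertificateID(CertificateID.HashSha1, rootX509Certificate, serverX509Certificate.SerialNumber);

            if (!expectedId.SerialNumber.Equals(certificateId.SerialNumber))
            {
                throw new CheckCertificateOcspUnexpectedException("Invalid certificate ID in response");
            }

            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), certificateId.GetIssuerNameHash()))
            {
                throw new CheckCertificateOcspUnexpectedException("Invalid certificate Issuer in response");
            }

            // Two CAs may share a subject name; the key hash ties the CertID to the issuer's
            // actual public key (RFC 6960 CertID), so it has to match as well.
            if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerKeyHash(), certificateId.GetIssuerKeyHash()))
            {
                throw new CheckCertificateOcspUnexpectedException("Invalid certificate Issuer key in response");
            }
        }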
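		/// <summary>
		/// End-to-end exercise of the OCSP request/response API: unsigned and signed request
		/// generation, DER round-tripping of a signed request, the nonce request extension,
		/// parsing and signature verification of two pre-encoded responses (the testResp1 /
		/// testResp2 byte arrays defined elsewhere in this file) and re-wrapping a
		/// BasicOcspResp through OCSPRespGenerator. Every mismatch is reported via Fail;
		/// the trailing doTest* calls cover the ECDSA, RSA and irregular-version cases.
		/// </summary>
		public override void PerformTest()
		{
			// Self-signed test certificate: the same key pair acts as issuer and subject.
			string signDN = "O=Bouncy Castle, C=AU";
			AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
			X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signDN, signDN);

			//
			// general id value for our test issuer cert and a serial number.
			//
			CertificateID   id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);

			//
			// basic request generation
			//
			OcspReqGenerator gen = new OcspReqGenerator();

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			OcspReq req = gen.Generate();

			if (req.IsSigned)
			{
				Fail("signed but shouldn't be");
			}

			X509Certificate[] certs = req.GetCerts();

			if (certs != null)
			{
				Fail("null certs expected, but not found");
			}

			Req[] requests = req.GetRequestList();

			// A freshly built CertificateID with the same inputs must equal the one parsed back.
			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// request generation with signing
			//
			X509Certificate[] chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			certs = req.GetCerts();

			// NOTE(review): the Length access below relies on Fail throwing (as SimpleTest.Fail does);
			// if Fail only recorded the failure this would be a null dereference — confirm.
			if (certs == null)
			{
				Fail("null certs found");
			}

			if (certs.Length != 1 || !testCert.Equals(certs[0]))
			{
				Fail("incorrect certs found in request");
			}

			//
			// encoding test: the signature must still verify after a DER round trip.
			//
			byte[] reqEnc = req.GetEncoded();

			OcspReq newReq = new OcspReq(reqEnc);

			if (!newReq.Verify(signKP.Public))
			{
				Fail("newReq signature failed to Verify");
			}

			//
			// request generation with signing and nonce
			//
			chain = new X509Certificate[1];

			gen = new OcspReqGenerator();

			IList oids = new ArrayList();
			IList values = new ArrayList();
			byte[] sampleNonce = new byte[16];

			// The nonce exists to defeat replay of an earlier responder answer, so even in a test
			// it is drawn from the CSPRNG rather than System.Random (which is seeded predictably).
			using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
			{
				rng.GetBytes(sampleNonce);
			}

			gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));

			// extnValue is an OCTET STRING holding the DER encoding of the nonce, which is itself
			// an OCTET STRING — hence the double wrapping. The extension is marked non-critical.
			oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
			values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));

			gen.SetRequestExtensions(new X509Extensions(oids, values));

			gen.AddRequest(
				new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));

			chain[0] = testCert;

			req = gen.Generate("SHA1withRSA", signKP.Private, chain);

			if (!req.IsSigned)
			{
				Fail("not signed but should be");
			}

			if (!req.Verify(signKP.Public))
			{
				Fail("signature failed to Verify");
			}

			//
			// extension check.
			//
			ISet extOids = req.GetCriticalExtensionOids();

			if (extOids.Count != 0)
			{
				Fail("wrong number of critical extensions in OCSP request.");
			}

			extOids = req.GetNonCriticalExtensionOids();

			if (extOids.Count != 1)
			{
				Fail("wrong number of non-critical extensions in OCSP request.");
			}

			// Unwrap the outer OCTET STRING and check the inner value is the nonce we put in.
			Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
			Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);

			if (!(extObj is Asn1OctetString))
			{
				Fail("wrong extension type found.");
			}

			byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets();

			if (!AreEqual(compareNonce, sampleNonce))
			{
				Fail("wrong extension value found.");
			}

			//
			// request list check
			//
			requests = req.GetRequestList();

			if (!requests[0].GetCertID().Equals(id))
			{
				Fail("Failed isFor test");
			}

			//
			// response parsing - test 1
			//
			OcspResp response = new OcspResp(testResp1);

			// 0 is the "successful" OCSPResponseStatus.
			if (response.Status != 0)
			{
				Fail("response status not zero.");
			}

			// The response is verified against the first certificate it carries; this exercises
			// parsing and signature checking only, not trust in that certificate.
			BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject();
			chain = brep.GetCerts();

			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 1 failed to Verify.");
			}

			//
			// test 2
			//
			// Read only so that the single-response list is parsed as part of the test.
			SingleResp[] singleResp = brep.Responses;

			response = new OcspResp(testResp2);

			if (response.Status != 0)
			{
				Fail("response status not zero.");
			}

			brep = (BasicOcspResp)response.GetResponseObject();
			chain = brep.GetCerts();

			if (!brep.Verify(chain[0].GetPublicKey()))
			{
				Fail("response 2 failed to Verify.");
			}

			singleResp = brep.Responses;

			//
			// simple response generation: wrapping the parsed BasicOcspResp again must yield
			// an equal response object.
			//
			OCSPRespGenerator respGen = new OCSPRespGenerator();
			OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());

			if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
			{
				Fail("response fails to match");
			}

			doTestECDsa();
			doTestRsa();
			doTestIrregularVersionReq();
		}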
 /// <summary>
 /// Pairs the identifier of the certificate a single OCSP request asks about with
 /// the single-request extensions that accompany it.
 /// </summary>
 /// <param name="certId">Identifier of the certificate being queried.</param>
 /// <param name="extensions">Single-request extensions; stored as given, no null check is performed here.</param>
 public RequestObject(CertificateID certId, X509Extensions extensions)
 {
     this.extensions = extensions;
     this.certId = certId;
 }