private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer)
{
bool byKey = false;
List <string> ocspServers = new List <string>();
Org.BouncyCastle.X509.X509Certificate clientCert = CertUtil.ConvertToX509Certificate(client);
Org.BouncyCastle.X509.X509Certificate issuerCert = CertUtil.ConvertToX509Certificate(issuer);
OcspClient ocsp = new OcspClient();
string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert);
if (!string.IsNullOrEmpty(certOcspUrl))
{
ocspServers.Add(certOcspUrl);
}
foreach (var ocspUrl in _firma.OCSPServers)
{
ocspServers.Add(ocspUrl);
}
foreach (var ocspUrl in ocspServers)
{
byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspUrl);
FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(clientCert, issuerCert, resp);
if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
{
throw new Exception("Certificado revocado");
}
else if (status == FirmaXadesNet.Clients.CertificateStatus.Good)
{
Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp);
byte[] rEncoded = r.GetEncoded();
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
string guidOcsp = Guid.NewGuid().ToString();
OCSPRef ocspRef = new OCSPRef();
ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp;
DigestUtil.SetCertDigest(rEncoded, _firma.RefsDigestMethod, ocspRef.CertDigest);
Org.BouncyCastle.Asn1.Ocsp.ResponderID rpId = or.ResponderId.ToAsn1Object();
string name = GetResponderName(rpId, ref byKey);
if (!byKey)
{
ocspRef.OCSPIdentifier.ResponderID = RevertIssuerName(name);
}
else
{
ocspRef.OCSPIdentifier.ResponderID = name;
ocspRef.OCSPIdentifier.ByKey = true;
}
ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);
OCSPValue ocspValue = new OCSPValue();
ocspValue.PkiData = rEncoded;
ocspValue.Id = "OcspValue" + guidOcsp;
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);
return((from cert in or.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
throw new Exception("El certificado no ha podido ser validado");
}
public override void PerformTest()
{
string signDN = "O=Bouncy Castle, C=AU";
AsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);
string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
GeneralName origName = new GeneralName(new X509Name(origDN));
//
// general id value for our test issuer cert and a serial number.
//
CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);
//
// basic request generation
//
OcspReqGenerator gen = new OcspReqGenerator();
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
OcspReq req = gen.Generate();
if (req.IsSigned)
{
Fail("signed but shouldn't be");
}
X509Certificate[] certs = req.GetCerts();
if (certs != null)
{
Fail("null certs expected, but not found");
}
Req[] requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
//
// request generation with signing
//
X509Certificate[] chain = new X509Certificate[1];
gen = new OcspReqGenerator();
gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
chain[0] = testCert;
req = gen.Generate("SHA1withRSA", signKP.Private, chain);
if (!req.IsSigned)
{
Fail("not signed but should be");
}
if (!req.Verify(signKP.Public))
{
Fail("signature failed to Verify");
}
requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
certs = req.GetCerts();
if (certs == null)
{
Fail("null certs found");
}
if (certs.Length != 1 || !testCert.Equals(certs[0]))
{
Fail("incorrect certs found in request");
}
//
// encoding test
//
byte[] reqEnc = req.GetEncoded();
OcspReq newReq = new OcspReq(reqEnc);
if (!newReq.Verify(signKP.Public))
{
Fail("newReq signature failed to Verify");
}
//
// request generation with signing and nonce
//
chain = new X509Certificate[1];
gen = new OcspReqGenerator();
IList oids = new ArrayList();
IList values = new ArrayList();
byte[] sampleNonce = new byte[16];
Random rand = new Random();
rand.NextBytes(sampleNonce);
gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
gen.SetRequestExtensions(new X509Extensions(oids, values));
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
chain[0] = testCert;
req = gen.Generate("SHA1withRSA", signKP.Private, chain);
if (!req.IsSigned)
{
Fail("not signed but should be");
}
if (!req.Verify(signKP.Public))
{
Fail("signature failed to Verify");
}
//
// extension check.
//
ISet extOids = req.GetCriticalExtensionOids();
if (extOids.Count != 0)
{
Fail("wrong number of critical extensions in OCSP request.");
}
extOids = req.GetNonCriticalExtensionOids();
if (extOids.Count != 1)
{
Fail("wrong number of non-critical extensions in OCSP request.");
}
Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
if (!(extObj is Asn1OctetString))
{
Fail("wrong extension type found.");
}
byte[] compareNonce = ((Asn1OctetString) extObj).GetOctets();
if (!AreEqual(compareNonce, sampleNonce))
{
Fail("wrong extension value found.");
}
//
// request list check
//
requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
//
// response parsing - test 1
//
OcspResp response = new OcspResp(testResp1);
if (response.Status != 0)
{
Fail("response status not zero.");
}
BasicOcspResp brep = (BasicOcspResp) response.GetResponseObject();
chain = brep.GetCerts();
if (!brep.Verify(chain[0].GetPublicKey()))
{
Fail("response 1 failed to Verify.");
}
//
// test 2
//
SingleResp[] singleResp = brep.Responses;
response = new OcspResp(testResp2);
if (response.Status != 0)
{
Fail("response status not zero.");
}
brep = (BasicOcspResp)response.GetResponseObject();
chain = brep.GetCerts();
if (!brep.Verify(chain[0].GetPublicKey()))
{
Fail("response 2 failed to Verify.");
}
singleResp = brep.Responses;
//
// simple response generation
//
OCSPRespGenerator respGen = new OCSPRespGenerator();
OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());
if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
{
Fail("response fails to match");
}
doTestECDsa();
doTestRsa();
doTestIrregularVersionReq();
}
public static bool CertificateIsValid(CertID id, OcspResp ocspResp, IOcesCertificate certificate)
{
return(CertificateIsValid(id, ocspResp, SerialNumberConverter.FromCertificate(certificate), certificate.IssuingCa));
}
private RevocationResponse ProcessOcspResponse(Org.BouncyCastle.X509.X509Certificate serverX509Certificate, Org.BouncyCastle.X509.X509Certificate rootX509Certificate, byte[] binaryResp)
{
OcspResp r = new OcspResp(binaryResp);
//CertificateStatus cStatus = CertificateStatus.Unknown;
RevocationResponse revocationResponse = new RevocationResponse();
//X509CertificateParser parser = null;
//OcspRespStatus.Unauthorized
switch (r.Status)
{
case OcspRespStatus.Successful:
{
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
// ValidateResponse(or, issuerCert);
string certificateSerial = Convert.ToUInt32(serverX509Certificate.SerialNumber.IntValue).ToString();
bool found = false;
foreach (SingleResp singleResp in or.Responses)
{
if (singleResp.GetCertID().SerialNumber.ToString().Equals(certificateSerial))
{
found = true;
this.ValidateCertificateId(serverX509Certificate, rootX509Certificate, singleResp.GetCertID());
// ValidateThisUpdate(resp);
// ValidateNextUpdate(resp);
Object certificateStatus = singleResp.GetCertStatus();
if (certificateStatus == null)
{
// acording to org.openoces.ooapi.utils.ocsp.ResponseParser.cs (DanID test code)
// in the TU11, method SerialNumberInResponseIsNotRevoked(..),
// when the certificateStatus is empty, all is okay - not revoked
// no revocation data exist - the certificate must be valid
revocationResponse.IsValid = true;
revocationResponse.NextUpdate = singleResp.NextUpdate.Value;
revocationResponse.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed;
}
else if (certificateStatus == Org.BouncyCastle.Ocsp.CertificateStatus.Good)
{
// this is the expected certificateStatus for valid certificates
// however if the status is good the certificateStatus is null
revocationResponse.IsValid = true;
revocationResponse.NextUpdate = singleResp.NextUpdate.Value;
revocationResponse.RevocationCheckStatus = RevocationCheckStatus.AllChecksPassed;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
revocationResponse.IsValid = false;
revocationResponse.NextUpdate = singleResp.NextUpdate.Value;
revocationResponse.RevocationCheckStatus = RevocationCheckStatus.CertificateRevoked;
}
else if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
throw new CheckCertificateOcspUnexpectedException("CertificateStatus is Unknown");
}
else
{
throw new CheckCertificateOcspUnexpectedException("CertificateStatus is unknown '" + certificateStatus.ToString() + "'.");
}
// break foreach loop
break;
}
}
if (!found)
{
// the returned result did not contain the desired certificate
throw new CheckCertificateOcspUnexpectedException("Revokation result did not contain the desired certificate serial number.");
}
break;
}
default:
{
throw new CheckCertificateOcspUnexpectedException("Unknow status '" + r.Status + "'.");
}
}
return(revocationResponse);
}
private X509Certificate2[] ValidateCertificateByOCSP(UnsignedProperties unsignedProperties, X509Certificate2 client, X509Certificate2 issuer, IEnumerable <OcspServer> ocspServers, FirmaXadesNet.Crypto.DigestMethod digestMethod, bool addCertificateOcspUrl, bool useNonce)
{
bool byKey = false;
List <OcspServer> finalOcspServers = new List <OcspServer>();
Org.BouncyCastle.X509.X509Certificate clientCert = client.ToBouncyX509Certificate();
Org.BouncyCastle.X509.X509Certificate issuerCert = issuer.ToBouncyX509Certificate();
OcspClient ocsp = new OcspClient();
if (addCertificateOcspUrl)
{
string certOcspUrl = ocsp.GetAuthorityInformationAccessOcspUrl(issuerCert);
if (!string.IsNullOrEmpty(certOcspUrl))
{
finalOcspServers.Add(new OcspServer(certOcspUrl));
}
}
foreach (var ocspServer in ocspServers)
{
finalOcspServers.Add(ocspServer);
}
foreach (var ocspServer in finalOcspServers)
{
byte[] resp = ocsp.QueryBinary(clientCert, issuerCert, ocspServer.Url, useNonce, ocspServer.RequestorName,
ocspServer.SignCertificate);
FirmaXadesNet.Clients.CertificateStatus status = ocsp.ProcessOcspResponse(resp, useNonce);
if (status == FirmaXadesNet.Clients.CertificateStatus.Revoked)
{
throw new Exception("Certificate revoked");
}
else if (status == FirmaXadesNet.Clients.CertificateStatus.Good)
{
Org.BouncyCastle.Ocsp.OcspResp r = new OcspResp(resp);
byte[] rEncoded = r.GetEncoded();
BasicOcspResp or = (BasicOcspResp)r.GetResponseObject();
string guidOcsp = Guid.NewGuid().ToString();
OCSPRef ocspRef = new OCSPRef();
ocspRef.OCSPIdentifier.UriAttribute = "#OcspValue" + guidOcsp;
DigestUtil.SetCertDigest(rEncoded, digestMethod, ocspRef.CertDigest);
ResponderID rpId = or.ResponderId.ToAsn1Object();
ocspRef.OCSPIdentifier.ResponderID = GetResponderName(rpId, ref byKey);
ocspRef.OCSPIdentifier.ByKey = byKey;
ocspRef.OCSPIdentifier.ProducedAt = or.ProducedAt.ToLocalTime();
unsignedProperties.UnsignedSignatureProperties.CompleteRevocationRefs.OCSPRefs.OCSPRefCollection.Add(ocspRef);
OCSPValue ocspValue = new OCSPValue
{
PkiData = rEncoded,
Id = "OcspValue" + guidOcsp
};
unsignedProperties.UnsignedSignatureProperties.RevocationValues.OCSPValues.OCSPValueCollection.Add(ocspValue);
return((from cert in or.GetCerts()
select new X509Certificate2(cert.GetEncoded())).ToArray());
}
}
throw new Exception("The certificate could not be validated");
}
/**
* Gets an encoded byte array with OCSP validation. The method should not throw an exception.
* @param checkCert to certificate to check
* @param rootCert the parent certificate
* @param the url to get the verification. It it's null it will be taken
* from the check cert or from other implementation specific source
* @return a byte array with the validation or null if the validation could not be obtained
*/
public virtual byte[] GetEncoded(X509Certificate checkCert, X509Certificate rootCert, String url)
{
try {
if (checkCert == null || rootCert == null)
{
return(null);
}
if (url == null)
{
url = PdfPKCS7.GetOCSPURL(checkCert);
}
if (url == null)
{
return(null);
}
OcspReq request = GenerateOCSPRequest(rootCert, checkCert.SerialNumber);
byte[] array = request.GetEncoded();
HttpWebRequest con = (HttpWebRequest)WebRequest.Create(url);
con.ContentLength = array.Length;
con.ContentType = "application/ocsp-request";
con.Accept = "application/ocsp-response";
con.Method = "POST";
Stream outp = con.GetRequestStream();
outp.Write(array, 0, array.Length);
outp.Close();
HttpWebResponse response = (HttpWebResponse)con.GetResponse();
if (response.StatusCode != HttpStatusCode.OK)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.http.response.1", (int)response.StatusCode));
}
Stream inp = response.GetResponseStream();
OcspResp ocspResponse = new OcspResp(inp);
inp.Close();
response.Close();
if (ocspResponse.Status != 0)
{
throw new IOException(MessageLocalization.GetComposedMessage("invalid.status.1", ocspResponse.Status));
}
BasicOcspResp basicResponse = (BasicOcspResp)ocspResponse.GetResponseObject();
if (basicResponse != null)
{
SingleResp[] responses = basicResponse.Responses;
if (responses.Length == 1)
{
SingleResp resp = responses[0];
Object status = resp.GetCertStatus();
if (status == CertificateStatus.Good)
{
return(basicResponse.GetEncoded());
}
else if (status is Org.BouncyCastle.Ocsp.RevokedStatus)
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.revoked"));
}
else
{
throw new IOException(MessageLocalization.GetComposedMessage("ocsp.status.is.unknown"));
}
}
}
}
catch (Exception ex) {
if (LOGGER.IsLogging(Level.ERROR))
{
LOGGER.Error("OcspClientBouncyCastle", ex);
}
}
return(null);
}
/// <summary>
/// Validate a certificate against its AIA OCSP.
/// </summary>
/// <param name="cert"></param>
/// <param name="aia"></param>
/// <returns></returns>
CertStatus Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 cert,
AIA aia)
{
string hash = ComputeSHA1(System.Text.ASCIIEncoding.ASCII.GetBytes(aia.Issuer));
string filePath = IssuerCachedFolder + hash;
//Check if aki is cached
if (!IsIssuerCached(aia.Issuer))
{
Download(aia.Issuer, filePath);
if (!IsIssuerCached(aia.Issuer))
{
return(CertStatus.Unknown(CertStatus.BadIssuer));
}
}
var issuerTemp = new System.Security.Cryptography.X509Certificates.X509Certificate2(filePath);
var certParser = new Org.BouncyCastle.X509.X509CertificateParser();
var issuer = certParser.ReadCertificate(issuerTemp.RawData);
var cert2Validate = certParser.ReadCertificate(cert.RawData);
var id = new Org.BouncyCastle.Ocsp.CertificateID(
Org.BouncyCastle.Ocsp.CertificateID.HashSha1,
issuer,
cert2Validate.SerialNumber);
byte[] reqEnc = GenerateOCSPRequest(id, cert2Validate);
byte[] resp = GetOCSPResponse(aia.Ocsp, reqEnc);
//Extract the response
OcspResp ocspResponse = new OcspResp(resp);
BasicOcspResp basicOCSPResponse =
(BasicOcspResp)ocspResponse.GetResponseObject();
SingleResp singResp = basicOCSPResponse.Responses[0];
//Validate ID
var expectedId = singResp.GetCertID();
if (!expectedId.SerialNumber.Equals(id.SerialNumber))
{
return(CertStatus.Unknown(CertStatus.BadSerial));
}
if (!Org.BouncyCastle.Utilities.Arrays.AreEqual(expectedId.GetIssuerNameHash(), id.GetIssuerNameHash()))
{
return(CertStatus.Unknown(CertStatus.IssuerNotMatch));
}
//Extract Status
var certificateStatus = singResp.GetCertStatus();
if (certificateStatus == null)
{
return(CertStatus.Good);
}
if (certificateStatus is Org.BouncyCastle.Ocsp.RevokedStatus)
{
int revocationReason = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationReason;
var revocationDate = ((Org.BouncyCastle.Ocsp.RevokedStatus)certificateStatus).RevocationTime;
return(CertStatus.Revoked(revocationDate.ToString("o"), revocationReason));
}
if (certificateStatus is Org.BouncyCastle.Ocsp.UnknownStatus)
{
return(CertStatus.Unknown());
}
return(CertStatus.Unknown());
}
private async Task <RevocationResult> GetOcspResponse(string url, string host, BcX509Certificate peerCertificate, BcX509Certificate issuerCertificate)
{
int maxAttemptCount = 2;
int attemptCount = 0;
string error = null;
while (maxAttemptCount > attemptCount)
{
try
{
OcspReq request = GenerateOcspRequest(issuerCertificate, peerCertificate.SerialNumber);
_log.LogInformation("Attempt {Attempt}: Getting OCSP repsonse for host {Host} certificate {Certificate} from url {Url}",
attemptCount, host, peerCertificate.SubjectDN, url);
HttpResponseMessage httpResponseMessage = await url
.WithTimeout(TimeSpan.FromSeconds(20))
.WithHeaders(new { Content_Type = "application/ocsp-request", Accept = "application/ocsp-response" })
.PostAsync(new ByteArrayContent(request.GetEncoded()));
if (httpResponseMessage.IsSuccessStatusCode)
{
OcspResp ocspResp = new OcspResp(await httpResponseMessage.Content.ReadAsStreamAsync());
if (ocspResp.Status == 0)
{
BasicOcspResp basicOcspResp = (BasicOcspResp)ocspResp.GetResponseObject();
List <RevocationInfo> revocationInfos = GetRevocationInfos(basicOcspResp);
bool revoked = basicOcspResp.Responses[0].GetCertStatus() != null;
if (revocationInfos.Any())
{
_log.LogInformation("Certificate {Certificate} for host {Host} is {RevocationStatus} with reasons {RevocationReasons}.",
peerCertificate.SubjectDN, host, revoked ? "revoked" : "not revoked", string.Join(", ", revocationInfos));
}
else
{
_log.LogInformation("Certificate {Certificate} for host {Host} is {RevocationStatus}.",
peerCertificate.SubjectDN, host, revoked ? "revoked" : "not revoked");
}
return(new RevocationResult(revoked, revocationInfos));
}
error = $"OCSP response had status: {GetOcspErrorCode(ocspResp.Status)}.";
_log.LogWarning("Got failed OCSP revocation response for host {Host} certificate {Certificate} with ocsp error {OCSPError}",
host, peerCertificate.SubjectDN.ToString(), ocspResp.Status);
}
else
{
_log.LogWarning("Failed to get OCSP revocation response for host {Host} certificate {Certificate} from url {Url} with http status code {StatusCode}",
host, peerCertificate.SubjectDN.ToString(), url, httpResponseMessage.StatusCode);
error = $"OCSP validator failed call to {url} with http status code: {httpResponseMessage.StatusCode}.";
}
}
catch (Exception e)
{
_log.LogError("Failed to get OCSP revocation response for host {Host} certificate {Certificate} from url {Url} with exception {ExceptionMessage}{StackTrace}",
host, peerCertificate.SubjectDN.ToString(), url, e.Message, e.StackTrace);
error = e.Message;
}
attemptCount++;
}
return(new RevocationResult(error));
}
public override void PerformTest()
{
string signDN = "O=Bouncy Castle, C=AU";
IAsymmetricCipherKeyPair signKP = OcspTestUtil.MakeKeyPair();
X509Certificate testCert = OcspTestUtil.MakeCertificate(signKP, signDN, signKP, signDN);
string origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
GeneralName origName = new GeneralName(new X509Name(origDN));
//
// general id value for our test issuer cert and a serial number.
//
CertificateID id = new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One);
//
// basic request generation
//
OcspReqGenerator gen = new OcspReqGenerator();
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
OcspReq req = gen.Generate();
if (req.IsSigned)
{
Fail("signed but shouldn't be");
}
X509Certificate[] certs = req.GetCerts();
if (certs != null)
{
Fail("null certs expected, but not found");
}
Req[] requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
//
// request generation with signing
//
X509Certificate[] chain = new X509Certificate[1];
gen = new OcspReqGenerator();
gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
chain[0] = testCert;
req = gen.Generate("SHA1withRSA", signKP.Private, chain);
if (!req.IsSigned)
{
Fail("not signed but should be");
}
if (!req.Verify(signKP.Public))
{
Fail("signature failed to Verify");
}
requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
certs = req.GetCerts();
if (certs == null)
{
Fail("null certs found");
}
if (certs.Length != 1 || !testCert.Equals(certs[0]))
{
Fail("incorrect certs found in request");
}
//
// encoding test
//
byte[] reqEnc = req.GetEncoded();
OcspReq newReq = new OcspReq(reqEnc);
if (!newReq.Verify(signKP.Public))
{
Fail("newReq signature failed to Verify");
}
//
// request generation with signing and nonce
//
chain = new X509Certificate[1];
gen = new OcspReqGenerator();
IList oids = new ArrayList();
IList values = new ArrayList();
byte[] sampleNonce = new byte[16];
Random rand = new Random();
rand.NextBytes(sampleNonce);
gen.SetRequestorName(new GeneralName(GeneralName.DirectoryName, new X509Name("CN=fred")));
oids.Add(OcspObjectIdentifiers.PkixOcspNonce);
values.Add(new X509Extension(false, new DerOctetString(new DerOctetString(sampleNonce))));
gen.SetRequestExtensions(new X509Extensions(oids, values));
gen.AddRequest(
new CertificateID(CertificateID.HashSha1, testCert, BigInteger.One));
chain[0] = testCert;
req = gen.Generate("SHA1withRSA", signKP.Private, chain);
if (!req.IsSigned)
{
Fail("not signed but should be");
}
if (!req.Verify(signKP.Public))
{
Fail("signature failed to Verify");
}
//
// extension check.
//
ISet extOids = req.GetCriticalExtensionOids();
if (extOids.Count != 0)
{
Fail("wrong number of critical extensions in OCSP request.");
}
extOids = req.GetNonCriticalExtensionOids();
if (extOids.Count != 1)
{
Fail("wrong number of non-critical extensions in OCSP request.");
}
Asn1OctetString extValue = req.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNonce);
Asn1Object extObj = X509ExtensionUtilities.FromExtensionValue(extValue);
if (!(extObj is Asn1OctetString))
{
Fail("wrong extension type found.");
}
byte[] compareNonce = ((Asn1OctetString)extObj).GetOctets();
if (!AreEqual(compareNonce, sampleNonce))
{
Fail("wrong extension value found.");
}
//
// request list check
//
requests = req.GetRequestList();
if (!requests[0].GetCertID().Equals(id))
{
Fail("Failed isFor test");
}
//
// response parsing - test 1
//
OcspResp response = new OcspResp(testResp1);
if (response.Status != 0)
{
Fail("response status not zero.");
}
BasicOcspResp brep = (BasicOcspResp)response.GetResponseObject();
chain = brep.GetCerts();
if (!brep.Verify(chain[0].GetPublicKey()))
{
Fail("response 1 failed to Verify.");
}
//
// test 2
//
SingleResp[] singleResp = brep.Responses;
response = new OcspResp(testResp2);
if (response.Status != 0)
{
Fail("response status not zero.");
}
brep = (BasicOcspResp)response.GetResponseObject();
chain = brep.GetCerts();
if (!brep.Verify(chain[0].GetPublicKey()))
{
Fail("response 2 failed to Verify.");
}
singleResp = brep.Responses;
//
// simple response generation
//
OCSPRespGenerator respGen = new OCSPRespGenerator();
OcspResp resp = respGen.Generate(OCSPRespGenerator.Successful, response.GetResponseObject());
if (!resp.GetResponseObject().Equals(response.GetResponseObject()))
{
Fail("response fails to match");
}
doTestECDsa();
doTestRsa();
doTestIrregularVersionReq();
}
